Univention Bugzilla – Bug 48227
AD-Connector sync broken permanently in AD-Member mode if system time changes
Last modified: 2018-12-05 14:39:28 CET
When running in ad/member mode a time skew between MS AD-DC and UCS member can break the AD-Connector replication. I've seen this three times in the bug squashing party today, twice in my test setup and once in the test setup of a colleague.

root@member55:~# /etc/init.d/univention-ad-connector start
[ ok ] Starting univention-ad-connector (via systemctl): univention-ad-connector.service.
root@member55:~# cat /var/log/univention/connector-status.log
=====================================================================
Tue Nov 27 14:48:56 2018
Tue Nov 27 14:48:56 2018
--- connect failed, failure was: ---
Traceback (most recent call last):
  File "/usr/share/pyshared/univention/connector/ad/main.py", line 303, in main
    connect()
  File "/usr/share/pyshared/univention/connector/ad/main.py", line 191, in connect
    baseConfig['%s/ad/listener/dir' % CONFIGBASENAME]
  File "/usr/lib/pymodules/python2.7/univention/connector/ad/__init__.py", line 837, in __init__
    self.open_ad()
  File "/usr/lib/pymodules/python2.7/univention/connector/ad/__init__.py", line 1034, in open_ad
    self.get_kerberos_ticket()
  File "/usr/lib/pymodules/python2.7/univention/connector/ad/__init__.py", line 1012, in get_kerberos_ticket
    raise kerberosAuthenticationFailed('The following command failed: "%s"' % string.join(cmd_block))
kerberosAuthenticationFailed: The following command failed: "kinit --no-addresses --password-file=/etc/machine.secret member55$"
--- retry in 30 seconds ---
=====================================================================

After adding some debug code, the error shows as:
=====================================================================
kerberosAuthenticationFailed: The following command failed: "kinit --no-addresses --password-file=/etc/machine.secret member55$" (1): kinit: krb5_get_init_creds: Clock skew too great
=====================================================================

The really irritating thing about this situation is this:
=====================================================================
root@member55:~# kinit --no-addresses \
    --password-file=/etc/machine.secret member55$ \
    && echo ok || echo fail
ok
=====================================================================

But the AD-Connector uses a different KRB5 Credential Cache, and that seems to block progress here:
=====================================================================
root@member55:~# KRB5CCNAME=/var/cache/univention-ad-connector/krb5.cc \
    kinit --no-addresses \
    --password-file=/etc/machine.secret member55$ \
    && echo ok || echo fail
kinit: krb5_get_init_creds: Clock skew too great
fail
=====================================================================

I think we need to kdestroy the credentials cache here before running kinit.
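As an added illustration of the fix proposed in the report above (an example written for this page, not the connector's own Python 2 code): a Python 3 helper that wipes the connector's dedicated credential cache with kdestroy before calling kinit, and that puts kinit's exit code and stderr into the exception so a "Clock skew too great" failure is visible in connector-status.log without extra debug code. The `runner` parameter and `fake_runner_factory` are assumptions introduced so the flow can be exercised without a KDC.

```python
import os
import subprocess
from typing import Callable, Dict, List


class KerberosAuthenticationFailed(Exception):
    """kinit failed; the message carries the command, its exit code and stderr."""


def run_process(cmd: List[str], env: Dict[str, str]) -> subprocess.CompletedProcess:
    """Default runner: execute cmd with the given environment, capturing output."""
    return subprocess.run(cmd, env=env, capture_output=True, text=True)


def get_kerberos_ticket(principal: str, password_file: str, ccache: str,
                        runner: Callable[..., subprocess.CompletedProcess] = run_process) -> bool:
    """Obtain a TGT for `principal` into the dedicated cache `ccache`.

    The cache is destroyed first so credentials acquired before a clock change
    cannot keep kinit from succeeding, and kinit's exit code and stderr are
    reported instead of only the command line.
    """
    env = dict(os.environ, KRB5CCNAME=ccache)
    # kdestroy on a missing or empty cache is harmless; its exit code is ignored.
    runner(["kdestroy"], env)
    cmd = ["kinit", "--no-addresses", "--password-file=%s" % password_file, principal]
    result = runner(cmd, env)
    if result.returncode != 0:
        raise KerberosAuthenticationFailed(
            'The following command failed: "%s" (%d): %s'
            % (" ".join(cmd), result.returncode, (result.stderr or "").strip()))
    return True


def fake_runner_factory(kinit_rc: int, kinit_stderr: str):
    """Constructed stand-in for the runner (assumption): records the commands it
    is given and answers kinit with the configured exit code and stderr."""
    calls: List[List[str]] = []

    def fake(cmd: List[str], env: Dict[str, str]) -> subprocess.CompletedProcess:
        calls.append(cmd)
        if cmd[0] == "kinit":
            return subprocess.CompletedProcess(cmd, kinit_rc, "", kinit_stderr)
        return subprocess.CompletedProcess(cmd, 0, "", "")

    fake.calls = calls
    return fake
```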
d9bd069c5e | Fix kerberos authentication error in case of time skew
841646af44 | Advisory
OK - univention-ad-connector
OK - univention-ad-connector.yaml
<http://errata.software-univention.de/ucs/4.3/354.html>