Univention Bugzilla – Bug 48585
kpasswd broken on master if samba/connector is installed on backup
Last modified: 2021-05-14 16:34:47 CEST
Master and a backup with samba (and connector)

On the master "dns_lookup_kdc = true" is configured in the krb5.conf. And the samba installation seems to have removed non-samba DC's from the dns kdc list:

DN: relativeDomainName=_kerberos._tcp,zoneName=four.three,cn=dns,dc=four,dc=three
  location: 0 100 88 backup.four.three.
  name: kerberos tcp
  zonettl: 3 hours

DN: relativeDomainName=_kerberos._udp,zoneName=four.three,cn=dns,dc=four,dc=three
  location: 0 100 88 backup.four.three.
  name: kerberos udp
  zonettl: 3 hours

So any kerberos authentication request goes to the backup (samba). But the default "kpasswd_server" on the master points to the master, with the heimdal-kdc. This does not work (the samba ticket is useless with the heimdal kpasswd service)

-> kpasswd test1
test1@FOUR.THREE's Password:
New password for test1@FOUR.THREE:
Verify password - New password for test1@FOUR.THREE:
Auth error : Authentication failed

Workaround for now. Set the kpasswd server on the non samba DC to one of the samba DC's.

-> ucr set kerberos/kpasswdserver='backup.four.three'
-> kpasswd test1
test1@FOUR.THREE's Password:
New password for test1@FOUR.THREE:
Verify password - New password for test1@FOUR.THREE:
Success : Password changed
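
A check for the mismatch described in the report above, as an added example that is not part of the original bug report or of UCS: it flags a kpasswd_server that is not among the KDCs advertised in the _kerberos SRV records while dns_lookup_kdc is enabled. The function names and the sample krb5.conf text are constructed for illustration, and it is assumed that the UCR variable kerberos/kpasswdserver ends up as kpasswd_server in krb5.conf.

```python
import re

# Constructed sample modelled on the report, not captured from a real host.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = FOUR.THREE
    dns_lookup_kdc = true
[realms]
FOUR.THREE = {
    kpasswd_server = master.four.three
}
"""
# SRV value in the "priority weight port target" form shown in the report.
SAMPLE_SRV = ["0 100 88 backup.four.three."]


def srv_targets(records):
    """Return the lower-cased target hosts of SRV record values."""
    targets = set()
    for rec in records:
        fields = rec.split()
        if len(fields) != 4:
            raise ValueError(f"not an SRV value: {rec!r}")
        targets.add(fields[3].rstrip(".").lower())
    return targets


def krb5_setting(conf, key):
    """Return every value assigned to key anywhere in krb5.conf text."""
    pattern = re.compile(rf"^\s*{re.escape(key)}\s*=\s*(\S+)", re.MULTILINE)
    return [m.group(1) for m in pattern.finditer(conf)]


def kpasswd_mismatch(conf, srv_records):
    """List kpasswd_server hosts that DNS does not advertise as a KDC."""
    # Only relevant when the KDC is found through DNS SRV records.
    lookups = [v.lower() for v in krb5_setting(conf, "dns_lookup_kdc")]
    if not any(v in ("true", "yes", "on", "1") for v in lookups):
        return []
    kdcs = srv_targets(srv_records)
    hosts = [v.split(":")[0].rstrip(".").lower()  # accept host[:port]
             for v in krb5_setting(conf, "kpasswd_server")]
    return [h for h in hosts if h not in kdcs]


if __name__ == "__main__":
    print(kpasswd_mismatch(SAMPLE_KRB5_CONF, SAMPLE_SRV))
```

On a live system the SRV values would come from a DNS query for _kerberos._tcp and _kerberos._udp in the domain, and the configuration text from /etc/krb5.conf.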
This issue has been filed against UCS 4.3. UCS 4.3 is out of maintenance and many UCS components have changed in later releases. Thus, this issue is now being closed. If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen it and update the UCS version. In this case please provide detailed information on how this issue is affecting you.