Univention Bugzilla – Full Text Bug Listing
Summary: | samba_dnsupdate should use localhost as KDC. | ||
---|---|---|---|
Product: | UCS | Reporter: | Arvid Requate <requate> |
Component: | Samba4 | Assignee: | Arvid Requate <requate> |
Status: | CLOSED FIXED | QA Contact: | Felix Botner <botner> |
Severity: | normal | ||
Priority: | P5 | CC: | gohmann, grandjean |
Version: | UCS 4.1 | ||
Target Milestone: | UCS 4.1-2-errata | ||
Hardware: | Other | ||
OS: | Linux | ||
Bug Blocks: | 40290 | ||
Attachments: | re-join.log |
Description
Arvid Requate
2014-05-21 17:48:18 CEST
In the univention-join wrapper script for Bug #32187 I just do this:
==============================================================================
samba_krb5conf_template="/usr/share/samba/setup/krb5.conf"
dpkg-divert --quiet --rename --local \
    --divert "${samba_krb5conf_template}.debian"\
    --add "${samba_krb5conf_template}"
cp "${samba_krb5conf_template}.debian" "${samba_krb5conf_template}"
cat >> "${samba_krb5conf_template}" <<%EOF
[realms]
\${REALM} = {
kdc = 127.0.0.1
}
%EOF
==============================================================================
During provision/join samba replaces ${REALM} (in provision/__init__.py).

Hit me again in a UCS@school workshop today.
UCS 4.1-0 errata 29, Non-Edu School-Slave

Other customer, same problem: 2015121721000236
UCS 4.0-4, Edu School-Slave

Some more information on my last two comments:
In both cases, the (re-)join of a UCS@school Slave failed with:
> RUNNING 98univention-samba4slavepdc-dns.inst
> 2015-12-17 09:34:14.000435465+01:00 (in joinscript_init)
> WARNING: No path in service IPC$ - making it unavailable!
> NOTE: Service IPC$ is flagged unavailable.
> Traceback (most recent call last):
> File "/usr/sbin/samba_dnsupdate", line 619, in <module>
> get_credentials(lp)
> File "/usr/sbin/samba_dnsupdate", line 130, in get_credentials
> raise e
> RuntimeError: kinit for UCS-1138$@EXAMPLE.ORG failed (KDC has no support for encryption type)
>
> EXITCODE=1
In both cases, replacing "dns_lookup_kdc = true" with "kdc = 127.0.0.1" in /var/lib/samba/private/krb5.conf helped.
Hmm, the change caused this problem during re-join of a UCS@school slave:
==========================================================================
root@ls-gsmitte:~# samba_dnsupdate
Traceback (most recent call last):
  File "/usr/sbin/samba_dnsupdate", line 651, in <module>
    get_credentials(lp)
  File "/usr/sbin/samba_dnsupdate", line 155, in get_credentials
    raise e
RuntimeError: kinit for LS-GSMITTE$@UNI.DTR failed (Cannot contact any KDC for requested realm)
==========================================================================
Reverting the change fixed the problem.

Created attachment 7699
re-join.log
This was due to a format error in krb5.conf.
root@ls-gsmitte:~# KRB5_CONFIG=/var/lib/samba/private/krb5.conf kinit -t /var/lib/samba/private/dns.keytab 'dns-ls-gsmitte'
kinit: krb5_get_init_creds: unable to reach any KDC in realm UNI.DTR
Fixed now.
Advisory: univention-samba4.yaml

OK - /var/lib/samba/private/krb5.conf is now a template
OK - no more dns, 127.0.0.1 is used as kdc
OK - installation/update on UCS
OK - univention-samba4.yaml
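
A check for the two conditions this report turns on: whether the realm's KDC is pinned to 127.0.0.1 in krb5.conf or left to DNS lookup, and whether the file is structurally valid. This is an added example, not part of the original bug report or of UCS; the function name, the sample files and the unclosed-block case (one possible kind of format error, not necessarily the one hit in this report) are assumptions.

```python
import re

# Constructed sample files, not taken from the systems in the report.
PINNED = (
    "[libdefaults]\n"
    "\tdefault_realm = EXAMPLE.ORG\n"
    "\tdns_lookup_kdc = false\n"
    "[realms]\n"
    "EXAMPLE.ORG = {\n"
    "\tkdc = 127.0.0.1\n"
    "}\n"
)
DNS_ONLY = "[libdefaults]\n\tdefault_realm = EXAMPLE.ORG\n\tdns_lookup_kdc = true\n"
BROKEN = PINNED.replace("}\n", "")  # closing brace lost: a format error


def check_krb5_conf(text, realm, expected_kdc="127.0.0.1"):
    """Return a list of findings; an empty list means the KDC is pinned."""
    findings, section, current = [], None, None
    kdcs, libdefaults = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            if current:
                findings.append("realm block %s is not closed" % current)
            section, current = header.group(1), None
        elif line == "}":
            if current is None:
                findings.append("unmatched '}'")
            current = None
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if section == "realms" and value == "{":
                current = key  # start of a per-realm block
                kdcs.setdefault(key, [])
            elif section == "realms" and current and key == "kdc":
                kdcs[current].append(value)
            elif section == "libdefaults":
                libdefaults[key] = value.lower()
    if current:
        findings.append("realm block %s is not closed" % current)
    if expected_kdc not in kdcs.get(realm, []):
        findings.append("no 'kdc = %s' for realm %s" % (expected_kdc, realm))
        if libdefaults.get("dns_lookup_kdc") in ("true", "yes"):
            findings.append("dns_lookup_kdc is enabled: KDC comes from DNS")
    return findings
```

To check a real file, pass the contents of /var/lib/samba/private/krb5.conf and the host's realm name.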