Bug 34908
| Summary: | samba_dnsupdate should use localhost as KDC. | ||
|---|---|---|---|
| Product: | UCS | Reporter: | Arvid Requate <requate> |
| Component: | Samba4 | Assignee: | Arvid Requate <requate> |
| Status: | CLOSED FIXED | QA Contact: | Felix Botner <botner> |
| Severity: | normal | ||
| Priority: | P5 | CC: | gohmann, grandjean |
| Version: | UCS 4.1 | ||
| Target Milestone: | UCS 4.1-2-errata | ||
| Hardware: | Other | ||
| OS: | Linux | ||
| What kind of report is it?: | --- | What type of bug is this?: | --- |
| Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
| User Pain: | Enterprise Customer affected?: | ||
| School Customer affected?: | ISV affected?: | ||
| Waiting Support: | Flags outvoted (downgraded) after PO Review: | ||
| Ticket number: | Bug group (optional): | ||
| Max CVSS v3 score: | |||
| Bug Depends on: | |||
| Bug Blocks: | 40290 | ||
| Attachments: | re-join.log | ||
In the univention-join wrapper script for Bug #32187 I just do this: ============================================================================== samba_krb5conf_template="/usr/share/samba/setup/krb5.conf" dpkg-divert --quiet --rename --local \ --divert "${samba_krb5conf_template}.debian"\ --add "${samba_krb5conf_template}" cp "${samba_krb5conf_template}.debian" "${samba_krb5conf_template}" cat >> "${samba_krb5conf_template}" <<%EOF [realms] \${REALM} = { kdc = 127.0.0.1 } %EOF ============================================================================== During provision/join samba replaces ${REALM} (in provision/__init__.py). Hit me again in a UCS@school workshop today. UCS 4.1-0 errata 29, Non-Edu School-Slave Other customer, same problem: 2015121721000236 UCS 4.0-4, Edu School-Slave Some more information on my last two comments:
In both cases, the (re-)join of a UCS@school Slave failed with:
> RUNNING 98univention-samba4slavepdc-dns.inst
> 2015-12-17 09:34:14.000435465+01:00 (in joinscript_init)
> WARNING: No path in service IPC$ - making it unavailable!
> NOTE: Service IPC$ is flagged unavailable.
> Traceback (most recent call last):
> File "/usr/sbin/samba_dnsupdate", line 619, in <module>
> get_credentials(lp)
> File "/usr/sbin/samba_dnsupdate", line 130, in get_credentials
> raise e
> RuntimeError: kinit for UCS-1138$@EXAMPLE.ORG failed (KDC has no support for encryption type)
>
> EXITCODE=1
In both cases, replacing "dns_lookup_kdc = true" with "kdc = 127.0.0.1" in /var/lib/samba/private/krb5.conf helped.
Hmm, the change caused this problem during re-join of a UCS@school slave:
==========================================================================
root@ls-gsmitte:~# samba_dnsupdate
Traceback (most recent call last):
File "/usr/sbin/samba_dnsupdate", line 651, in <module>
get_credentials(lp)
File "/usr/sbin/samba_dnsupdate", line 155, in get_credentials
raise e
RuntimeError: kinit for LS-GSMITTE$@UNI.DTR failed (Cannot contact any KDC for requested realm)
==========================================================================
reverting the change fixed the problem.
Created attachment 7699 [details]
re-join.log
This was due to a format error in krb5.conf.
root@ls-gsmitte:~# KRB5_CONFIG=/var/lib/samba/private/krb5.conf kinit -t /var/lib/samba/private/dns.keytab 'dns-ls-gsmitte'
kinit: krb5_get_init_creds: unable to reach any KDC in realm UNI.DTR
Fixed now.
Advisory: univention-samba4.yaml OK - /var/lib/samba/private/krb5.conf is now a template OK - no more dns, 127.0.0.1 is used as kdc OK - installation/update on UCS OK - univention-samba4.yaml |
samba_dnsupdate uses a private /var/lib/samba/private/krb5.conf with minman content. This file is created during provision from the template found in /usr/share/samba/setup/krb5.conf This template doesn't specify some useful realm configuration options which we have in /etc/krb5.conf like: kdc = 127.0.0.1 # ucr get kerberos/kdc To make the samba_dnsupdate run during samba join more deterministic and less error prone, I think it would be good to turn this file into an UCR template to at least set the kdc to localhost.