Univention Bugzilla – Full Text Bug Listing

Summary: | Test kerberos/kdc | ||
---|---|---|---|
Product: | UCS | Reporter: | Janis Meybohm <meybohm> |
Component: | UMC - System diagnostic | Assignee: | Lukas Oyen <oyen> |
Status: | CLOSED FIXED | QA Contact: | Arvid Requate <requate> |
Severity: | normal | ||
Priority: | P5 | CC: | best, forge.univention.org, gohmann, oyen, requate |
Version: | UCS 4.0 | Flags: | oyen: Patch_Available+ |
Target Milestone: | UCS 4.2-2-errata | ||
Hardware: | Other | ||
OS: | Linux | ||
See Also: | https://forge.univention.org/bugzilla/show_bug.cgi?id=38357 | ||
Attachments: | 36748-diagnostic-kdc-420.patch |
Description
Janis Meybohm
2014-11-17 13:29:15 CET
Created attachment 8887: 36748-diagnostic-kdc-420.patch

This checks for the reachability of KDCs by sending an AS-REQ per TCP and UDP. The AS-REQ is sent with the fake user `kdc-reachability-check`.

The KDCs will respond in several ways: either with a KRB-ERROR (PREAUTH_REQUIRED, PRINCIPAL_UNKNOWN or RESPONSE_TO_BIG) or an AS-REP with an anonymous ticket. If we do not receive one of the above, the connection is not accepted, the socket is closed or an operation times out, we can assume that the KDC is not reachable.

This check will test the KDCs as specified in UCR `kerberos/kdc` with TCP and UDP on port 88. If `kerberos/defaults/dns_lookup_kdc` is set, KDC discovery as specified in section `7.2.3. KDC Discovery on IP Networks` [1] will be used. In this case the ports as specified in the SRV records are used.

This implements a minimal number of packages as defined in [1] and does not rely on python-kerberos or python-krb5, as those are too high level and outdated.

Reachability checks of kpasswd servers are not implemented, as those are a separate protocol. See [2].

[1]: https://tools.ietf.org/html/rfc4120
[2]: https://tools.ietf.org/html/rfc3244

Committed in r81611 - r81613 (advisory r81649).

REOPEN: The check is also executed on a DC Master without Samba4 and causes it to fail.

"KDC Erreichbarkeit - Keine erreichbaren KDCs gefunden."
→ The error messages should be full sentences ("Es wurden ...") and might be more explanatory.

(In reply to Florian Best from comment #3)
> REOPEN: The check is also executed on a DC Master without Samba4 and causes
> it to fail.
>
> "KDC Erreichbarkeit - Keine erreichbaren KDCs gefunden."
> → The error messages should be full sentences ("Es wurden ...") and might be
> more explanatory.

As far as I understand [1] there should always be a reachable KDC. Could you provide some more information about your system?

I could include a link to [1] in the error message, but I think the diagnostic module is just a quick overview and not an in-depth explanation like the manual or SDB.

[1]: https://docs.software-univention.de/manual.html#domain:kerberos

Okay, then it seems it fails in our Jenkins tests:
http://jenkins.knut.univention.de:8080/job/UCS-4.2/job/UCS-4.2-1/job/AutotestJoin/52/SambaVersion=s3,Systemrolle=master/testReport/60_umc/106_diagnosic_checks/test/
http://jenkins.knut.univention.de:8080/job/UCS-4.2/job/UCS-4.2-1/job/AutotestJoin/52/SambaVersion=s3,Systemrolle=member/testReport/60_umc/106_diagnosic_checks/test/

(In reply to Florian Best from comment #5)
> Okay, then it seems it fails in our Jenkins tests:

You were right, there was a slight logic error in the diagnostic check. Fixed in r81760.

I've a DC Master and a DC Backup and temporarily stopped samba on the DC backup. Additionally I temporarily stopped bind9 on the master. The module reports a warning about KDC connectivity with this traceback:

```
Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/__init__.py", line 263, in execute
    result = execute(umc_module, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/plugins/kdc_service.py", line 291, in run
    result_tcp = dns.resolver.query(kerberos_dns_fqdn_tcp, 'SRV')
  File "/usr/lib/python2.7/dist-packages/dns/resolver.py", line 981, in query
    raise_on_no_answer, source_port)
  File "/usr/lib/python2.7/dist-packages/dns/resolver.py", line 901, in query
    timeout = self._compute_timeout(start)
  File "/usr/lib/python2.7/dist-packages/dns/resolver.py", line 739, in _compute_timeout
    raise Timeout
Timeout
```

(In reply to Arvid Requate from comment #7)
> Traceback (most recent call last):
> Timeout

Fixed:
4.2-1: r82620, YAML: r82626
4.2-2: r82629, YAML: r82635

Ok, nice code! Works.

Same problem on 4.2-3 errata421 (Lesum)

The following KDCs were unreachable: tcp ucs.xxx.com:88, udp ucs.xxx.com:88
samba/interfaces does not contain lo, 127.0.0.1 or 0.0.0.0.

Answering Comment 11: This bug is closed, please use a more suitable feedback channel, like help.univention.de. To help you we probably need further information about connectivity to ucs.xxx.com:88.

The second message about "samba/interfaces" looks like you have set samba/interfaces in Univention Config Registry and it doesn't include "lo". In that case Samba would not be reachable on the localhost address 127.0.0.1 which may cause problems.
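
The reply classification from the bug description, as an added example (not the attached patch and not Univention's code): it parses just enough DER to tell an AS-REP from a KRB-ERROR and applies the description's rule that only the three listed error codes count as reachable. The tag and error-code numbers are from RFC 4120; the function names, the `EXAMPLE.TEST` realm and the sample message are constructed for illustration.

```python
# RFC 4120 DER tags: AS-REP [APPLICATION 11], KRB-ERROR [APPLICATION 30], error-code [6].
AS_REP, KRB_ERROR, ERROR_CODE_FIELD = 0x6B, 0x7E, 0xA6
# KRB-ERROR codes the description accepts as proof that a KDC answered.
ACCEPTED = {6: "PRINCIPAL_UNKNOWN", 25: "PREAUTH_REQUIRED", 52: "RESPONSE_TOO_BIG"}

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for one DER element; ValueError if truncated."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def classify_reply(data, tcp=False):
    """Return (reachable, reason) for the bytes received in answer to the probe."""
    try:
        if tcp:  # TCP replies carry a 4-byte big-endian length prefix, UDP none
            data = data[4:4 + int.from_bytes(data[:4], "big")]
        tag, body, _ = read_tlv(data)
        if tag == AS_REP:
            return True, "AS-REP"
        if tag != KRB_ERROR:
            return False, "not a Kerberos reply"
        fields, pos = read_tlv(body)[1], 0  # SEQUENCE inside the APPLICATION tag
        while pos < len(fields):
            ftag, value, pos = read_tlv(fields, pos)
            if ftag == ERROR_CODE_FIELD:
                code = int.from_bytes(read_tlv(value)[1], "big", signed=True)
                return code in ACCEPTED, ACCEPTED.get(code, "KRB-ERROR %d" % code)
    except ValueError as exc:
        return False, "malformed reply: %s" % exc
    return False, "KRB-ERROR without error-code"

def _tlv(tag, value):
    return bytes([tag, len(value)]) + value  # short-form length, enough for the sample

def sample_krb_error(code):
    """Constructed KRB-ERROR for the made-up realm EXAMPLE.TEST (not a capture)."""
    integer = lambda n: _tlv(0x02, bytes([n]))
    realm = _tlv(0x1B, b"EXAMPLE.TEST")
    names = _tlv(0x30, _tlv(0x1B, b"krbtgt") + realm)
    sname = _tlv(0x30, _tlv(0xA0, integer(2)) + _tlv(0xA1, names))
    fields = [(0, integer(5)), (1, integer(30)), (4, _tlv(0x18, b"20240101000000Z")),
              (5, integer(0)), (6, integer(code)), (9, realm), (10, sname)]
    return _tlv(KRB_ERROR, _tlv(0x30, b"".join(_tlv(0xA0 + n, v) for n, v in fields)))
```

A reply with any other error code, a truncated TCP frame or an empty datagram is reported as not reachable, matching the "if we do not receive one of the above" rule in the description.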