Univention Bugzilla – Full Text Bug Listing |
Summary: | Critical: Check Kerberos authenticated DNS updates | ||
---|---|---|---|
Product: | UCS | Reporter: | Ingo Sieverdingbeck <sieverdingbeck> |
Component: | UMC - System diagnostic | Assignee: | Arvid Requate <requate> |
Status: | CLOSED FIXED | QA Contact: | Felix Botner <botner> |
Severity: | normal | ||
Priority: | P5 | CC: | m.bunkus, requate, stoeckigt |
Version: | UCS 4.2 | ||
Target Milestone: | UCS 4.3-0-errata | ||
Hardware: | Other | ||
OS: | Linux | ||
See Also: | https://forge.univention.org/bugzilla/show_bug.cgi?id=39522 https://forge.univention.org/bugzilla/show_bug.cgi?id=45985 | |
What kind of report is it?: | Bug Report | What type of bug is this?: | 3: Simply Wrong: The implementation doesn't match the docu |
Who will be affected by this bug?: | 2: Will only affect a few installed domains | How will those affected feel about the bug?: | 1: Nuisance – not a big deal but noticeable |
User Pain: | 0.034 | Enterprise Customer affected?: | Yes |
School Customer affected?: | Yes | ISV affected?: | |
Waiting Support: | Flags outvoted (downgraded) after PO Review: | ||
Ticket number: | 2017121921000103, 2018012221000269 | Bug group (optional): | |
Max CVSS v3 score: | | |
Attachments: | patch draft |
This seems to me like a false positive, or rather, the check should only be run on machines where `univention-samba4` is installed. Here's why.

Kerberos-authenticated DNS updates are done by authenticating to the domain's Kerberos KDC (key distribution center) with the machine's Kerberos account. The corresponding code is in `/usr/share/pyshared/univention/management/console/modules/diagnostic/plugins/46_kerberos_ddns_update.py`, function `check_nsupdate`, which calls `check_dns_machine_principal` with the hostname of the machine the check is running on. This is roughly the same as the following call on the command line:

    kinit --password-file=/etc/machine.secret $(hostname)\$

That kinit call actually gives us good diagnostics, e.g.:

    [0 root@slave ~] kinit --password-file=/etc/machine.secret $(hostname)\$
    kinit: krb5_get_init_creds: Client (slave$@MBU-TEST.INTRANET) unknown

This means that there's no Kerberos principal for the host. After digging some more into how and when those principals for the machines are created, I'm convinced this happens in the join script for the `univention-samba4` package, `/usr/lib/univention-install/96univention-samba4.inst`. However, if that package has never been installed, no Kerberos principal will be created.

The diagnostics script does a second check, too, with the principal `dns-$hostname`. That principal is created by a join script, too, `/usr/lib/univention-install/98univention-samba4-dns.inst`. This script is part of the `univention-samba4` package, too.

The following forum threads share the same problem: the test fails, and they don't have `univention-samba4` installed:

https://help.univention.com/t/kerberos-authentifizierte-dns-updates-kritisch/7604/
https://help.univention.com/t/kinit-fuer-den-principal-ucs4-mit-der-password-datei-etc-machine-secret-ist-fehlgeschlagen/7598/

In short, the check should only be run if the `univention-samba4` package is installed, too.

Created attachment 9377
patch draft
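The guard the comment above argues for, written out as an added example (this is not the UCS diagnostic plugin's own code, and the real plugin's internals are not shown on this page). It assumes, hypothetically, that the list of installed packages is passed in explicitly and that `kinit` is invoked with the same arguments the comment quotes; both principals the comment names (`host$` and `dns-host`) are tried only when `univention-samba4` is present, since that package's join scripts are what create them. The "Client (...) unknown" message is matched so that a missing principal is reported separately from a genuine authentication failure. The sample `kinit` output used below is constructed from the error quoted in the comment.

```python
"""Added example: a guarded variant of the 'Kerberos authenticated DNS
updates' check. Assumptions (not from the bug page): installed packages are
passed in as a list; kinit is run via subprocess with the quoted arguments."""
import re
import socket
import subprocess

MACHINE_SECRET = "/etc/machine.secret"   # password file quoted in the report
GUARD_PACKAGE = "univention-samba4"      # package whose join scripts create the principals


def should_run_check(installed_packages):
    """The host$ and dns-<host> principals are created by the join scripts
    96univention-samba4.inst and 98univention-samba4-dns.inst, both shipped in
    univention-samba4. Without that package the check can only ever fail."""
    return GUARD_PACKAGE in installed_packages


def principals_for(hostname):
    """The two principals the check tries: the machine account and the DNS
    update principal."""
    return ["%s$" % hostname, "dns-%s" % hostname]


# Heimdal kinit reports a non-existent client principal like this:
#   kinit: krb5_get_init_creds: Client (slave$@MBU-TEST.INTRANET) unknown
_UNKNOWN_CLIENT = re.compile(r"Client \(([^)]+)\) unknown")


def classify_kinit_result(returncode, stderr):
    """Map kinit's exit status and stderr to a diagnosis.

    'missing_principal': the KDC does not know the principal at all (the
        false-positive case on hosts without univention-samba4).
    'auth_failed': any other failure (wrong machine secret, KDC unreachable ...).
    """
    if returncode == 0:
        return "ok", None
    m = _UNKNOWN_CLIENT.search(stderr)
    if m:
        return "missing_principal", m.group(1)
    return "auth_failed", stderr.strip()


def run_kinit(principal, password_file=MACHINE_SECRET):
    """Run kinit exactly as the comment does and classify the outcome."""
    proc = subprocess.run(
        ["kinit", "--password-file=%s" % password_file, principal],
        stdout=subprocess.PIPE, stderr=subprocess.PIPE, universal_newlines=True,
    )
    return classify_kinit_result(proc.returncode, proc.stderr)


def check_nsupdate(installed_packages, hostname=None, kinit=run_kinit):
    """Guarded check. Returns ('skipped' | 'ok' | 'critical', details).

    `kinit` is injectable so the decision logic can be exercised without a
    KDC; the default runs the real binary."""
    if not should_run_check(installed_packages):
        return "skipped", "%s not installed; principals are never created here" % GUARD_PACKAGE
    hostname = hostname or socket.gethostname()
    problems = []
    for principal in principals_for(hostname):
        status, detail = kinit(principal)
        if status != "ok":
            problems.append((principal, status, detail))
    if problems:
        return "critical", problems
    return "ok", None


if __name__ == "__main__":
    # Constructed stderr taken from the comment's quoted kinit output.
    print(classify_kinit_result(
        1, "kinit: krb5_get_init_creds: Client (slave$@MBU-TEST.INTRANET) unknown\n"))
    print(check_nsupdate(["univention-dns"], hostname="slave"))
```

The distinction between `missing_principal` and `auth_failed` is the practical point: the former on a host without `univention-samba4` is expected and says nothing about the machine secret, whereas the latter on a Samba host is the condition the check exists to catch.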
Now the check is only run on systems with service samba or samba4:

2c2c57fdc4 | Run nsupdate check only on Samba/Samba4 systems
ffaf06672d | Advisory

The second check probably was not the problem, because there we already checked that it's only run on systems with samba4/role==DC.

OK - not checked on servers without samba4 or dns
OK - yaml
In a domain with samba4 installed, slaves without installed samba4 fail during the system diagnostic 'Check Kerberos authenticated DNS updates' with the following message:

> Errors occured while running `kinit` or `nsupdate`. `kinit` for principal
> slave01$ with password file /etc/machine.secret failed.

Besides this error message, I didn't notice any misbehaviour of the affected server, so I assume it is an issue in the check.