Bug 45985

Summary: Kerberos_ddns_update does not work properly in school environments
Product: UCS
Reporter: Christina Scheinig <scheinig>
Component: UMC - System diagnostic
Assignee: UMC maintainers <umc-maintainers>
Status: RESOLVED DUPLICATE
QA Contact: UMC maintainers <umc-maintainers>
Severity: normal
Priority: P5
CC: birkefeld, gohmann
Version: UCS 4.2
Target Milestone: ---
Hardware: Other
OS: Linux
See Also: https://forge.univention.org/bugzilla/show_bug.cgi?id=45904
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 4: Will affect most installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.137
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2017121921000103 2018020721000367
Bug group (optional):
Max CVSS v3 score:

Description Christina Scheinig univentionstaff 2018-01-08 12:28:05 CET
On a schoolslave the kerberos_ddns_update fails with:
Kritisch: Überprüfe Kerberos authentifizierte DNS Updtaes
Fehler traten auf bei der Ausführung von 'kinit' oder 'nsupdate'.
`nsupdate` Prüfung für die Domäne <Domainname> ist fehlgeschlagen.

But kinit and nsupdate are fine.

For the check, the ucr value ldap/master is used instead of ldap/server/name, which causes the problem.


# IP: 10.200.16.20
root@ucs-gs:~# kinit --keytab="/var/lib/samba/private/dns.keytab" dns-$(hostname) || echo $?
root@ucs-gs:~# echo -ne "server $(ucr get ldap/master)\nprereq yxdomain $(hostname -f)\nsend\n" | nsupdate -d -g -t15
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  41701
;; flags: qr aa ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;ucs-gs.school.support.        IN    SOA

;; AUTHORITY SECTION:
school.support.        3600    IN    SOA    ucs-master.school.support. root.school.support. 56 28800 7200 604800 3600

Found zone name: school.support
The master is: ucs-master.school.support
start_gssrequest
Found realm from ticket: SCHOOL.SUPPORT
tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = KDC has no support for encryption type.
Comment 1 Tobias Birkefeld univentionstaff 2018-03-15 14:42:07 CET
Customer affected: Ticket#2018030921000209
Comment 2 Tobias Birkefeld univentionstaff 2018-03-15 14:49:46 CET

*** This bug has been marked as a duplicate of bug 45584 ***