Univention Bugzilla – Bug 34908
samba_dnsupdate should use localhost as KDC.
Last modified: 2016-06-08 14:28:30 CEST
samba_dnsupdate uses a private /var/lib/samba/private/krb5.conf with minimal content. This file is created during provision from the template found in /usr/share/samba/setup/krb5.conf. This template doesn't specify some useful realm configuration options which we have in /etc/krb5.conf, like:

    kdc = 127.0.0.1   # ucr get kerberos/kdc

To make the samba_dnsupdate run during the samba join more deterministic and less error-prone, I think it would be good to turn this file into a UCR template to at least set the kdc to localhost.
In the univention-join wrapper script for Bug #32187 I just do this:
==============================================================================
samba_krb5conf_template="/usr/share/samba/setup/krb5.conf"

# Divert the stock template so the package keeps its own copy as *.debian,
# then put an extended copy in its place.
dpkg-divert --quiet --rename --local \
    --divert "${samba_krb5conf_template}.debian" \
    --add "${samba_krb5conf_template}"
cp "${samba_krb5conf_template}.debian" "${samba_krb5conf_template}"

# Append a [realms] section that pins the KDC to localhost. ${REALM} is
# escaped so it lands literally in the template; samba substitutes it.
cat >> "${samba_krb5conf_template}" <<%EOF
[realms]
\${REALM} = {
	kdc = 127.0.0.1
}
%EOF
==============================================================================
During provision/join samba replaces ${REALM} (in provision/__init__.py).
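The comments above describe two shapes of samba's private krb5.conf: the stock template, which leaves KDC discovery to DNS SRV lookup (dns_lookup_kdc = true), and the patched one, which pins the realm's KDC to 127.0.0.1 in a [realms] section. The script below is an added example, not code from the bug report or from Univention: it builds three constructed variants of such a file in a temporary directory (DNS lookup, pinned local KDC, and a realm block with no kdc entry at all) and provides a small checker, kdc_for_realm, that reports how each file would locate the KDC. The realm EXAMPLE.ORG and the file contents are constructed for the demo; the checker only reads the [realms] block and the dns_lookup_kdc setting, it does not contact a KDC.

```shell
#!/bin/sh
# Added example (not from the bug report or Univention's packages).
# Builds constructed krb5.conf variants and checks which KDC each selects.
set -eu

REALM="EXAMPLE.ORG"            # constructed realm for the demo
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Variant 1: roughly what the stock samba template yields; the KDC must be
# found through DNS SRV records (the setting the bug reporters removed).
cat > "$WORK/krb5.conf.dns" <<EOF
[libdefaults]
    default_realm = ${REALM}
    dns_lookup_realm = false
    dns_lookup_kdc = true
EOF

# Variant 2: DNS lookup off and the realm pinned to the local KDC, the shape
# the wrapper script in the bug report produces by appending a [realms] block.
cat > "$WORK/krb5.conf.local" <<EOF
[libdefaults]
    default_realm = ${REALM}
    dns_lookup_realm = false
    dns_lookup_kdc = false

[realms]
    ${REALM} = {
        kdc = 127.0.0.1
    }
EOF

# Variant 3 (constructed failure case): DNS lookup off, realm block present,
# but no kdc line, so kinit has nothing to contact.
cat > "$WORK/krb5.conf.broken" <<EOF
[libdefaults]
    default_realm = ${REALM}
    dns_lookup_kdc = false

[realms]
    ${REALM} = {
        default_domain = example.org
    }
EOF

# kdc_for_realm CONF REALM
# Prints the kdc value from the realm's [realms] block if one is set,
# "dns" if the file falls back to SRV lookup, or "none" if neither applies.
kdc_for_realm() {
    conf="$1"
    realm="$2"
    kdc=$(awk -v realm="$realm" '
        /^[[:space:]]*\[/ { section=$1 }
        section=="[realms]" && $1==realm && $3=="{" { inrealm=1; next }
        inrealm && $1=="}" { inrealm=0 }
        inrealm && $1=="kdc" { print $3; exit }
    ' "$conf")
    if [ -n "$kdc" ]; then
        printf '%s\n' "$kdc"
    elif grep -Eq '^[[:space:]]*dns_lookup_kdc[[:space:]]*=[[:space:]]*true' "$conf"; then
        printf 'dns\n'
    else
        printf 'none\n'
    fi
}

for f in dns local broken; do
    printf '%-18s -> %s\n' "krb5.conf.$f" "$(kdc_for_realm "$WORK/krb5.conf.$f" "$REALM")"
done
```

To run the same check against the real file on a joined system, point the function at /var/lib/samba/private/krb5.conf and the realm from `ucr get kerberos/realm`; a result of "dns" means samba_dnsupdate's kinit still depends on a working SRV lookup at join time, which is the situation the bug describes.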
Hit me again in a UCS@school workshop today. UCS 4.1-0 errata 29, Non-Edu School-Slave
Other customer, same problem: 2015121721000236 UCS 4.0-4, Edu School-Slave
Some more information on my last two comments: In both cases, the (re-)join of a UCS@school Slave failed with:

> RUNNING 98univention-samba4slavepdc-dns.inst
> 2015-12-17 09:34:14.000435465+01:00 (in joinscript_init)
> WARNING: No path in service IPC$ - making it unavailable!
> NOTE: Service IPC$ is flagged unavailable.
> Traceback (most recent call last):
>   File "/usr/sbin/samba_dnsupdate", line 619, in <module>
>     get_credentials(lp)
>   File "/usr/sbin/samba_dnsupdate", line 130, in get_credentials
>     raise e
> RuntimeError: kinit for UCS-1138$@EXAMPLE.ORG failed (KDC has no support for encryption type)
>
> EXITCODE=1

In both cases, replacing "dns_lookup_kdc = true" with "kdc = 127.0.0.1" in /var/lib/samba/private/krb5.conf helped.
Hmm, the change caused this problem during re-join of a UCS@school slave:
==========================================================================
root@ls-gsmitte:~# samba_dnsupdate
Traceback (most recent call last):
  File "/usr/sbin/samba_dnsupdate", line 651, in <module>
    get_credentials(lp)
  File "/usr/sbin/samba_dnsupdate", line 155, in get_credentials
    raise e
RuntimeError: kinit for LS-GSMITTE$@UNI.DTR failed (Cannot contact any KDC for requested realm)
==========================================================================
Reverting the change fixed the problem.
Created attachment 7699: re-join.log

This was due to a format error in krb5.conf.

root@ls-gsmitte:~# KRB5_CONFIG=/var/lib/samba/private/krb5.conf kinit -t /var/lib/samba/private/dns.keytab 'dns-ls-gsmitte'
kinit: krb5_get_init_creds: unable to reach any KDC in realm UNI.DTR

Fixed now.
Advisory: univention-samba4.yaml
OK - /var/lib/samba/private/krb5.conf is now a template
OK - no more dns, 127.0.0.1 is used as kdc
OK - installation/update on UCS
OK - univention-samba4.yaml
<http://errata.software-univention.de/ucs/4.1/195.html>