Comment 1 Michael Grandjean 2017-10-24 12:46:19 CEST

The original description contains customer data, so I set that one private. Here is the anonymized version:

One of the plugins for the system diagnostics module also checks for DDNS updates (46_kerberos_ddns_update.py). Unfortunately this fails on UCS@school slaves with "'nsupdate' Prüfung für die Domänne (sic!) school.example.org ist fehlgeschlagen".

This is a manual test on the shell, but should be the same as in the plugin:

root@edu01:~# eval "$(ucr shell)"
root@edu01:~# kinit --password-file=/etc/machine.secret "${hostname^^}$"
root@edu01:~# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: EDU01$@SCHOOL.EXAMPLE.ORG

  Issued                Expires               Principal
Oct 24 11:11:48 2017  Oct 24 21:11:48 2017  krbtgt/SCHOOL.EXAMPLE.ORG@SCHOOL.EXAMPLE.ORG
root@mz01:~# nsupdate -g <<%EOF
> server $ldap_master
> prereq yxdomain $hostname.$domainname
> send
> %EOF
tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = KDC has no support for encryption type.

Not sure about the error message regarding the encryption type, but testing against "$ldap_master" seems to naive to me:

1. The UCS Master might as well not be a Samba AD DC at all
2. On a UCS@school Slave, this test should be done against the UCS@school Slave itself, imho

Comment 2 Arvid Requate 2017-10-24 12:48:22 CEST

*** Bug 45418 has been marked as a duplicate of this bug. ***

Comment 3 Tobias Birkefeld 2018-03-15 14:49:46 CET

*** Bug 45985 has been marked as a duplicate of this bug. ***

Comment 4 Tobias Birkefeld 2018-03-15 14:50:08 CET

Customer affected: Ticket#2018030921000209

Comment 6 Tobias Birkefeld 2018-03-16 21:04:04 CET

fixed in comment 034056f980e46f719d6083fb1f2ab6ec78eaf28e

Comment 7 Arvid Requate 2018-03-19 17:43:09 CET

> fixed in comment 034056f980e46f719d6083fb1f2ab6ec78eaf28e

doesn't work, see comment in git. I've now used the S4-Connector detection code get_available_s4connector_dc from /usr/share/univention-samba4/lib/base.sh .


9b87b9f41b | Run nsupdate checks against the S4-Connector host
391def5a95 | Advisory

Comment 8 Arvid Requate 2018-03-20 11:20:03 CET

2125bb8be6 | Update translation
f4dcd028ba | Advisory

I think a ucs-test case would be good too for this to see if it works in all CI scenarios.

Comment 9 Arvid Requate 2018-03-20 20:17:33 CET

6d31b3d0d5 | Run nsupdate check against local server if it has Samba/AD DNS
42d3a8ec07 | Run nsupdate check only on Samba 4 DCs and ad/member servers


We already have 00_checks/81_diagnostic_checks.py in ucs-test, it just skips three checks frequently failing in cloud CI.

Comment 10 Felix Botner 2018-03-21 12:15:28 CET

OK - nsupdate in school
OK - YAML

Comment 11 Arvid Requate 2018-03-28 13:28:29 CEST

<http://errata.software-univention.de/ucs/4.3/6.html>