Univention Bugzilla – Bug 45584
nsupdate-check fails on UCS@school slaves
Last modified: 2018-06-20 11:51:01 CEST
The original description contains customer data, so I set that one private. Here is the anonymized version: One of the plugins for the system diagnostics module also checks for DDNS updates (46_kerberos_ddns_update.py). Unfortunately this fails on UCS@school slaves with "'nsupdate' Prüfung für die Domänne (sic!) school.example.org ist fehlgeschlagen". This is a manual test on the shell, but should be the same as in the plugin: root@edu01:~# eval "$(ucr shell)" root@edu01:~# kinit --password-file=/etc/machine.secret "${hostname^^}$" root@edu01:~# klist Credentials cache: FILE:/tmp/krb5cc_0 Principal: EDU01$@SCHOOL.EXAMPLE.ORG Issued Expires Principal Oct 24 11:11:48 2017 Oct 24 21:11:48 2017 krbtgt/SCHOOL.EXAMPLE.ORG@SCHOOL.EXAMPLE.ORG root@mz01:~# nsupdate -g <<%EOF > server $ldap_master > prereq yxdomain $hostname.$domainname > send > %EOF tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = KDC has no support for encryption type. Not sure about the error message regarding the encryption type, but testing against "$ldap_master" seems to naive to me: 1. The UCS Master might as well not be a Samba AD DC at all 2. On a UCS@school Slave, this test should be done against the UCS@school Slave itself, imho
*** Bug 45418 has been marked as a duplicate of this bug. ***
*** Bug 45985 has been marked as a duplicate of this bug. ***
Customer affected: Ticket#2018030921000209
fixed in comment 034056f980e46f719d6083fb1f2ab6ec78eaf28e
> fixed in comment 034056f980e46f719d6083fb1f2ab6ec78eaf28e doesn't work, see comment in git. I've now used the S4-Connector detection code get_available_s4connector_dc from /usr/share/univention-samba4/lib/base.sh . 9b87b9f41b | Run nsupdate checks against the S4-Connector host 391def5a95 | Advisory
2125bb8be6 | Update translation f4dcd028ba | Advisory I think a ucs-test case would be good too for this to see if it works in all CI scenarios.
6d31b3d0d5 | Run nsupdate check against local server if it has Samba/AD DNS 42d3a8ec07 | Run nsupdate check only on Samba 4 DCs and ad/member servers We already have 00_checks/81_diagnostic_checks.py in ucs-test, it just skips three checks frequently failing in cloud CI.
OK - nsupdate in school OK - YAML
<http://errata.software-univention.de/ucs/4.3/6.html>