Univention Bugzilla – Bug 45904
Critical: Check Kerberos authenticated DNS updates
Last modified: 2018-03-28 13:28:31 CEST
In a domain with samba4 installed, slaves without samba4 installed fail during the system diagnostic 'Check Kerberos authenticated DNS updates' with the following message:

> Errors occurred while running `kinit` or `nsupdate`. `kinit` for principal
> slave01$ with password file /etc/machine.secret failed.

Beside this error message, I didn't notice any misbehaviour of the affected server, so I assume it is an issue in the check.
This seems to me like a false positive, or rather, the check should only be run on machines where `univention-samba4` is installed. Here's why.

Kerberos-authenticated DNS updates are done by authenticating to the domain's Kerberos KDC (key distribution center) with the machine's Kerberos account. The corresponding code is in `/usr/share/pyshared/univention/management/console/modules/diagnostic/plugins/46_kerberos_ddns_update.py`, function `check_nsupdate`, which calls `check_dns_machine_principal` with the hostname of the machine the check is running on. This is roughly the same as the following call on the command line:

    kinit --password-file=/etc/machine.secret $(hostname)\$

That kinit call actually gives us good diagnostics, e.g.:

    [0 root@slave ~] kinit --password-file=/etc/machine.secret $(hostname)\$
    kinit: krb5_get_init_creds: Client (slave$@MBU-TEST.INTRANET) unknown

This means that there's no Kerberos principal for the host. After digging some more into how and when those principals for the machines are created, I'm convinced this happens in the join script for the `univention-samba4` package, `/usr/lib/univention-install/96univention-samba4.inst`. However, if that package has never been installed, no Kerberos principal will be created.

The diagnostics script does a second check, too, with the principal "dns-$hostname". That principal is created by a join script, too, `/usr/lib/univention-install/98univention-samba4-dns.inst`. This script is part of the `univention-samba4` package, too.

The following forum threads share the same problem: the test fails, and they don't have `univention-samba4` installed:

https://help.univention.com/t/kerberos-authentifizierte-dns-updates-kritisch/7604/
https://help.univention.com/t/kinit-fuer-den-principal-ucs4-mit-der-password-datei-etc-machine-secret-ist-fehlgeschlagen/7598/

In short, the check should only be run if the `univention-samba4` package is installed, too.
Created attachment 9377: patch draft
Now the check is only run on systems with service samba or samba4:

2c2c57fdc4 | Run nsupdate check only on Samba/Samba4 systems
ffaf06672d | Advisory

The second check probably was not the problem, because there we already checked that it's only run on systems with samba4/role==DC.
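As an added illustration (not code from this bug, its patch, or UCS), a minimal Python re-implementation of the check logic described in the comments above: skip the test unless a Samba service is registered for the host, otherwise run `kinit` for the machine principal with `/etc/machine.secret` and distinguish a missing principal (the symptom reported here) from a wrong machine password. The service names, function names and error-string matching are assumptions; the `kinit` runner is injectable so the logic can be exercised without a KDC.

```python
import subprocess

# Assumed service names a host could have registered; adjust to the domain.
SAMBA_SERVICES = {"Samba 4", "Samba 3"}


def kinit_machine_principal(principal, password_file="/etc/machine.secret"):
    """Run Heimdal kinit for a principal; return (succeeded, stderr text).

    Mirrors the command quoted in the bug:
        kinit --password-file=/etc/machine.secret $(hostname)\\$
    """
    proc = subprocess.run(
        ["kinit", "--password-file=%s" % password_file, principal],
        capture_output=True, text=True)
    return proc.returncode == 0, proc.stderr.strip()


def classify_kinit_error(stderr):
    """Map kinit stderr to a short diagnosis.

    'Client (...) unknown' means the KDC has no such principal, i.e. the
    samba4 join scripts never created it (the false positive in this bug).
    A password problem points at /etc/machine.secret being out of sync.
    """
    if "Client" in stderr and "unknown" in stderr:
        return "principal missing"
    if "Password incorrect" in stderr or "Preauthentication failed" in stderr:
        return "wrong password"
    return "other"


def check_kerberos_ddns(hostname, services, kinit=kinit_machine_principal):
    """Return a list of problems (empty means OK or not applicable).

    As the fix in this bug requires, the check is skipped entirely on hosts
    without a Samba service: the machine Kerberos principal is only created
    by the univention-samba4 join scripts, so its absence is not an error
    there. (Constructed example logic, not the UCS diagnostic module.)
    """
    if not SAMBA_SERVICES & set(services):
        return []
    principal = "%s$" % hostname
    ok, err = kinit(principal)
    if ok:
        return []
    return ["%s: %s (%s)" % (principal, classify_kinit_error(err), err)]
```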
OK - not checked on servers without samba4 or dns
OK - yaml
<http://errata.software-univention.de/ucs/4.3/6.html>