Environment
Domain Services for Windows
DSFW
Situation
The domain controller's password is failing to be set because the connection to eDirectory is timing out before the password is set.
The /var/opt/novell/xad/log/provision.log shows the following:
>>>Setting krbtgt password
Changing password for krbtgt...
Bootstrapping machine
>>>Setting machine password and configuring Kerberos keytab
Changing password for DC1$...
Failed to connect to local domain controller: Timed out
chgrp: cannot access `/var/opt/novell/xad/ds/krb5kdc/krb5.keytab': No such file or directory
>>>Setting Administrator password
Changing password for Administrator...
2009-11-15 12:27:15 Post-check to set default password Passed
2009-11-15 12:27:15,938 INFO - Set Default Passwords for Accounts:Set Default Passwords for Accounts returned.
Resolution
The timeout is under investigation by development.
The workaround is to manually set the domain controller account's password, create the keytab file with the correct group and permissions, and create the symbolic link in the /etc folder.
Below is an example of setting the password for a domain controller named DC1, changing the permissions, changing the group, and creating a symbolic link to the krb5.keytab in the /etc folder.
$ /opt/novell/xad/sbin/setpassword -DNOSf -r -k /var/opt/novell/xad/ds/krb5kdc/krb5.keytab -u DC1$
$ chmod 640 /var/opt/novell/xad/ds/krb5kdc/krb5.keytab
$ chgrp named /var/opt/novell/xad/ds/krb5kdc/krb5.keytab
$ ln -sf /var/opt/novell/xad/ds/krb5kdc/krb5.keytab /etc
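A check for the end state of the workaround above, added here as an example and not part of the original article: it confirms that the keytab exists, has mode 640 and group named, and that /etc/krb5.keytab links to it. The function name check_keytab and the use of GNU stat and readlink are assumptions.

```shell
#!/bin/sh
# Added example: verify the keytab state the workaround should leave behind.
# check_keytab is a hypothetical helper; default paths, group and mode are
# the ones used in the article. Requires GNU stat and readlink (assumption).

# check_keytab [KEYTAB] [LINK] [GROUP] [MODE]
# Prints one line per finding; returns 0 if every check passes, 1 otherwise.
check_keytab() {
    keytab=${1:-/var/opt/novell/xad/ds/krb5kdc/krb5.keytab}
    link=${2:-/etc/krb5.keytab}   # name that "ln -sf <keytab> /etc" creates
    group=${3:-named}
    mode=${4:-640}
    rc=0

    # setpassword -k is expected to create the file; without it nothing else applies
    if [ ! -f "$keytab" ]; then
        echo "FAIL: $keytab does not exist"
        return 1
    fi
    if [ ! -s "$keytab" ]; then
        echo "FAIL: $keytab is empty"; rc=1
    fi

    actual_mode=$(stat -c '%a' "$keytab")
    if [ "$actual_mode" != "$mode" ]; then
        echo "FAIL: mode is $actual_mode, expected $mode"; rc=1
    fi

    actual_group=$(stat -c '%G' "$keytab")
    if [ "$actual_group" != "$group" ]; then
        echo "FAIL: group is $actual_group, expected $group"; rc=1
    fi

    # The link must exist and resolve to the same file as the keytab path
    if [ ! -L "$link" ]; then
        echo "FAIL: $link is not a symbolic link"; rc=1
    elif [ "$(readlink -f "$link")" != "$(readlink -f "$keytab")" ]; then
        echo "FAIL: $link resolves to $(readlink -f "$link")"; rc=1
    fi

    if [ "$rc" -eq 0 ]; then
        echo "OK: $keytab has mode $mode, group $group, linked from $link"
    fi
    return "$rc"
}

# On the domain controller, run as root with no arguments: check_keytab
```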
Additional Information
Once the password is set and the keytab is created, the "Set Credentials for Account" step can be skipped if it returns an error, and the "Enable Kerberos" section in the provisioning wizard can be run.
setpassword -NDSOf -r -E DomainServer -k /var/opt/novell/xad/ds/krb5kdc/krb5.keytab -u DOMAINSERVER$
setpassword -NDSOf -r -E DomainServer,domainSERVER,DOMAINserver -k /var/opt/novell/xad/ds/krb5kdc/krb5.keytab -u DOMAINSERVER$