DSFW: Workstations with duplicate names joined to the domain cause slow logins

  • 7006851
  • 15-Sep-2010
  • 02-Oct-2013

Environment

Novell Open Enterprise Server OES11.2 (OES 11SP2) 
Novell Open Enterprise Server OES11.1 (OES 11SP1) 
Novell Open Enterprise Server OES11 (OES 11) 
Novell Open Enterprise Server 2SP3 (OES 2SP3)
Domain Services for Windows
DSFW

Situation

Slow logins
Logins taking several minutes instead of seconds
Users cannot authenticate after 5 minutes
/var/log/messages shows "winbindd: Exceeding 200 client connections, no idle connection found"
Two or more workstations joined to the DSfW domain with the same name 

kdc.log shows the following message:
preauth verify failure:  Decrypt integrity check failed

The next line shows the IP address and the workstation name:
AS_REQ <ip address> PREAUTH_FAILED: <workstation name@domain name> for krbtgt/domain name
Preauthentication failed

Resolution

Decrypt integrity check failed usually means that the key the client used to encrypt the pre-authentication timestamp does not match the key stored in the KDC for that principal. In short, the passwords do not match.

For workstations, this usually means there are two or more workstations with the same name (duplicate workstation names). Each of them has set a password on the same computer object, and only the last workstation to set the password holds the valid one. Every other workstation with that name then attempts to log in with an invalid password and receives the "Decrypt integrity check failed" error.

Identify and remove duplicate workstations

In the kdc.log search for Decrypt integrity check.
The next line should have an AS_REQ. In that line look for the IP address and the workstation name.
A workstation (machine account) can be identified by a $ after the name and before the @domain name.
Example:
amber$@novell.com
A machine principal that fails from more than one IP address is the clearest sign of a duplicate name. Remove the workstation from the domain and, before re-joining it, change the workstation name to a unique name.

A simple way to find the Decrypt integrity check errors, sort them and count them per workstation is the following command, typed as one line in a terminal (the trailing sed only relabels PREAUTH_FAILED as BAD_PASSWORD in the output):

grep -A1 -i 'Decrypt integrity check failed' /var/opt/novell/xad/log/kdc.log | grep -v 'Decrypt integrity check failed' | awk -F ')' '{print $3}' | grep -v '^$' | awk -F 'for' '{print $1}' | sort -n | uniq -c | sort -n | sed -e s/PREAUTH_FAILED:/BAD_PASSWORD:/g

If the output is needed in a text file, append > file.txt to the end of the command.
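The following script is an added example and not part of this TID or of DSfW. It does the same counting as the one-liner above, but also separates the two questions an operator actually has: which principals are failing pre-authentication, and which machine accounts are failing from more than one address (the signature of two hosts sharing one computer object). The kdc.log lines are constructed in the layout described above (an AS_REQ line directly after the decrypt-failure line); the function names bad_password_report and duplicate_suspects are this example's own.

```shell
#!/bin/sh
# Added example (not part of the TID): count "Decrypt integrity check failed"
# pre-authentication failures per workstation and IP address, and flag
# machine accounts that fail from more than one address.
# The log lines below are constructed for the example, in the kdc.log
# layout the TID describes; the function names are this example's own.

SAMPLE_KDC_LOG=$(cat <<'EOF'
Sep 15 08:01:02 dsfw1 krb5kdc[2311](info): preauth verify failure: Decrypt integrity check failed
Sep 15 08:01:02 dsfw1 krb5kdc[2311](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.10.1.21: PREAUTH_FAILED: amber$@NOVELL.COM for krbtgt/NOVELL.COM@NOVELL.COM, Preauthentication failed
Sep 15 08:02:10 dsfw1 krb5kdc[2311](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.10.1.30: ISSUE: authtime 1284537730, etypes {rep=18 tkt=18 ses=18}, jdoe@NOVELL.COM for krbtgt/NOVELL.COM@NOVELL.COM
Sep 15 08:03:15 dsfw1 krb5kdc[2311](info): preauth verify failure: Decrypt integrity check failed
Sep 15 08:03:15 dsfw1 krb5kdc[2311](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.10.1.21: PREAUTH_FAILED: amber$@NOVELL.COM for krbtgt/NOVELL.COM@NOVELL.COM, Preauthentication failed
Sep 15 08:04:40 dsfw1 krb5kdc[2311](info): preauth verify failure: Decrypt integrity check failed
Sep 15 08:04:40 dsfw1 krb5kdc[2311](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.10.1.77: PREAUTH_FAILED: amber$@NOVELL.COM for krbtgt/NOVELL.COM@NOVELL.COM, Preauthentication failed
Sep 15 08:05:01 dsfw1 krb5kdc[2311](info): preauth verify failure: Decrypt integrity check failed
Sep 15 08:05:01 dsfw1 krb5kdc[2311](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.10.1.55: PREAUTH_FAILED: jdoe@NOVELL.COM for krbtgt/NOVELL.COM@NOVELL.COM, Preauthentication failed
EOF
)

# Read kdc.log on stdin; print "count ip principal" for every AS_REQ that
# failed pre-authentication directly after a decrypt-failure line, most
# frequent first.  User principals are kept so plain bad-password
# attempts (jdoe above) are visible next to the machine accounts.
bad_password_report() {
    grep -A1 'Decrypt integrity check failed' \
    | grep 'PREAUTH_FAILED' \
    | sed -n 's/.*AS_REQ ([^)]*) \([0-9.]*\): PREAUTH_FAILED: \([^ ]*\) for .*/\1 \2/p' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2, $3 }'
}

# Read kdc.log on stdin; print "principal: ip ip ..." for every machine
# account (name ending in '$') that failed from more than one IP address.
duplicate_suspects() {
    bad_password_report \
    | awk '$3 ~ /\$@/ { ips[$3] = ips[$3] " " $2; n[$3]++ }
           END { for (p in n) if (n[p] > 1) print p ":" ips[p] }'
}

# Stand-alone run against the constructed sample.  On a DSfW server use:
#   duplicate_suspects < /var/opt/novell/xad/log/kdc.log
printf '%s\n' "$SAMPLE_KDC_LOG" | bad_password_report
printf '%s\n' "$SAMPLE_KDC_LOG" | duplicate_suspects
```

In the sample, amber$ fails from both 10.10.1.21 and 10.10.1.77, so it is reported as a duplicate suspect, while jdoe (a user typing a wrong password) and the single-address failures are not.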


Moved workstations or workstations not located in the CN=Computers container

If a workstation is not located in the CN=Computers container, the Default Password Policy must be assigned to the container it is in. The Default Password Policy is located in cn=Password Policies,cn=System,<domain mapped container>.

To assign the Default Password Policy, open iManager. Either browse to the Default Password Policy object and modify it, or use the Passwords role. If using the Passwords role, change the container to search for password policies to Password Policies.System.<container> in the "Search for password policies in the following container:" field.
Click the Assignments tab of the Default Password Policy and assign the container where the workstations are located.

IMPORTANT - workstation (computer) objects and user objects should not be in the same container, because a password policy assigned to a container applies to every object in it.
The only modification that should be made to the Default Password Policy is its assignments. Changing the password length, case sensitivity, etc. will prevent workstations from joining the domain.


Ways to prevent duplicate workstations
There are two ways to prevent duplicate workstations, and it is a good idea to use both:
1) Configure Intruder Lockout on the container where the workstations are located (by default the Computers container already has Intruder Lockout).
2) Enable WINS support, which reports a name that is already registered when a workstation attempts to join the domain.

Intruder Lockout
A way to prevent duplicate workstations from causing slow logins is to enforce Intruder Lockout for the machine accounts (workstations). A locked-out duplicate is refused immediately instead of repeatedly failing pre-authentication and tying up winbindd connections.

This is done by enforcing a GPO that sets the account lockout threshold to 5 or 6 invalid logins with a reset interval of 1 hour, at the domain level or on the Computers container.

Reference steps to enforce Intruder Lockout are as follows:
1. Right-click the GPO and select 'Edit'.
2. In the new window, go to Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\
3. Set appropriate values.

Refer: http://technet.microsoft.com/en-us/library/cc781491(WS.10).aspx#BKMK_2

WINS Support
Another option, which reports that a workstation with the same name already exists in the domain when a workstation attempts to join, is to enable WINS support.

In the [global] section of /etc/samba/smb.conf add
wins support = yes

The order of name resolution can also be specified with name resolve order, for example:
wins support = yes
name resolve order = wins hosts bcast lmhosts

To check from any Samba host whether a name is already registered, query the WINS server directly: nmblookup -U <ip address of wins server> -R <workstation name>

Do this on only one DSfW server per network. Only one server can hold the WINS database per subnet or network, because nmbd cannot replicate this database to another WINS server.
NetBIOS name broadcasts are not routed between subnets, so if there are two or more networks either enable one WINS server per network or use the proxy option to forward WINS requests. Do NOT enable two or more WINS servers on the same network or subnet.
If there is a DSfW server on another network or subnet, wins proxy can be used: that DSfW server answers broadcast name queries on its own subnet by forwarding them to the WINS server.
To do this, add the following to the [global] section of smb.conf (do not put <> around the IP address):

wins server = <ip address of wins server>
wins proxy = yes

For DSfW or Samba servers on the same network that are not the WINS server, specify the WINS server in the [global] section of smb.conf (again without the <>):

wins server = <ip address of wins server>

For Novell CIFS, add the WINS server address to the WINS IP Address parameter in the CIFS configuration.
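The script below is an added example, not part of this TID or of Samba, that checks a set of smb.conf files against the WINS layout rules above: exactly one WINS server per subnet, proxies and plain clients pointed at it, and no host combining wins support = yes with wins server (a combination nmbd refuses to start with). The four configurations are constructed for the example and the function names (smb_global_param, wins_role, check_wins_layout, make_sample_confs) are this example's own; it only reads the [global] section, so a stray wins support under another share section is ignored just as Samba ignores it.

```shell
#!/bin/sh
# Added example (not part of the TID): read the WINS settings from the
# [global] section of smb.conf files and check the layout rules above.
# The configurations and function names are this example's own.

# Print the value of one [global] parameter (lower-cased, trailing
# "# comment" stripped), or nothing if it is not set.
smb_global_param() {   # $1 = smb.conf path, $2 = parameter name (lower case)
    awk -v want="$2" '
        /^[ \t]*\[/ { insec = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        insec && $0 !~ /^[ \t]*[#;]/ && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            sub(/[ \t]*#.*$/, "", val)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(key) == want) print tolower(val)
        }' "$1"
}

# Classify one smb.conf: server | proxy | client | none | invalid.
# "invalid" is 'wins support = yes' together with 'wins server'.
wins_role() {   # $1 = smb.conf path
    support=$(smb_global_param "$1" "wins support")
    server=$(smb_global_param "$1" "wins server")
    proxy=$(smb_global_param "$1" "wins proxy")
    case "$support" in yes|true|1) support=yes ;; *) support=no ;; esac
    case "$proxy" in yes|true|1) proxy=yes ;; *) proxy=no ;; esac
    if [ "$support" = yes ] && [ -n "$server" ]; then echo invalid
    elif [ "$support" = yes ]; then echo server
    elif [ "$proxy" = yes ] && [ -n "$server" ]; then echo proxy
    elif [ -n "$server" ]; then echo client
    else echo none
    fi
}

# Read "host subnet smb.conf-path" lines on stdin; print one line per
# problem found, nothing if the layout follows the rules.
check_wins_layout() {
    while read -r host subnet conf; do
        [ -n "$host" ] || continue
        echo "$subnet $host $(wins_role "$conf")"
    done | awk '
        $3 == "server"  { n[$1]++; srv[$1] = srv[$1] " " $2 }
        $3 == "none"    { print "no WINS configuration on " $2 }
        $3 == "invalid" { print "wins support and wins server both set on " $2 }
        END { for (s in n) if (n[s] > 1) print "more than one WINS server on " s ":" srv[s] }'
}

# Constructed configurations: two DSfW servers on 10.10.1.0/24 both
# enabling WINS (the mistake the TID warns about), a proxy and a plain
# client on 10.10.2.0/24.  Prints the directory they were written to.
make_sample_confs() {
    d=$(mktemp -d)
    printf '[global]\n  workgroup = NOVELL\n  wins support = yes\n  name resolve order = wins hosts bcast lmhosts\n' > "$d/dsfw1.conf"
    printf '[Global]\n  wins support = yes\n' > "$d/dsfw2.conf"
    printf '[global]\n  wins server = 10.10.1.5   # the dsfw1 address\n  wins proxy = yes\n' > "$d/dsfw3.conf"
    printf '[global]\n  wins server = 10.10.1.5\n[homes]\n  wins support = yes\n' > "$d/fs1.conf"
    echo "$d"
}

# Stand-alone run: the only complaint should be about 10.10.1.0/24.
d=$(make_sample_confs)
printf '%s\n' "dsfw1 10.10.1.0/24 $d/dsfw1.conf" "dsfw2 10.10.1.0/24 $d/dsfw2.conf" \
               "dsfw3 10.10.2.0/24 $d/dsfw3.conf" "fs1 10.10.2.0/24 $d/fs1.conf" \
    | check_wins_layout
rm -rf "$d"
```

To use it on real servers, collect each server's smb.conf (for example with scp) and feed "host subnet path" lines to check_wins_layout; the inline "#" comment in the dsfw3 sample is stripped by this parser only, and should not appear in a real smb.conf.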


Additional Information

Decrypt integrity check failed can also be caused by the workstation password expiring and being reset on the workstation but not on the workstation object.
To solve this, simply rejoin the workstation to the domain.

If this becomes a routine issue for specific workstations, the Automatic Machine Password Change can be disabled on those workstations.
To disable the Automatic Machine Password Change:
  1. Start Registry Editor (Start, Run, type regedit in the Open box).
  2. Locate and then click the following registry subkey:
       HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
  3. In the right pane, click the DisablePasswordChange entry.
  4. On the Edit menu, click Modify.
  5. In the Value data box, type a value of 1, and then click OK.
  6. Quit Registry Editor.

It is also possible to increase the time between password changes instead. A machine account whose password never changes keeps the same Kerberos key indefinitely, so raising the interval is preferable to disabling the change entirely.

In the same subkey, click MaximumPasswordAge, then click Modify on the Edit menu, and enter the desired number of days between password changes (decimal). The default is 30 days.