Environment
Novell Open Enterprise Server OES11.2 (OES 11SP2)
Novell Open Enterprise Server OES11.1 (OES 11SP1)
Novell Open Enterprise Server OES11 (OES 11)
Novell Open Enterprise Server 2SP3 (OES 2SP3)
Domain Services for Windows (DSfW)
Situation
Slow logins
Logins taking several minutes instead of seconds
Users cannot authenticate after 5 minutes
kdc.log shows the following message:
preauth verify failure: Decrypt integrity check failed
The next line shows the IP address and workstation name:
AS_REQ <ip address> PREAUTH_FAILED: <workstation name@domain name> for krbtgt/domain name
Preauthentication failed
/var/log/messages shows "winbindd: Exceeding 200 client connections, no idle connection found"
Two or more workstations joined to the DSfW domain with the same name
Resolution
Decrypt integrity check failed usually means the encryption key presented by the client does not match the key stored in the KDC for that principal. In short, the passwords do not match.
In the kdc.log, search for Decrypt integrity check.
The next line should contain an AS_REQ entry. In that line, look for the IP address and the workstation name.
A workstation account can be identified by a $ after the name and before the @domain name.
Example:
amber$@novell.com
Remove the workstation from the domain and, before re-joining the domain, change the workstation name to a unique name.
A simple way to find the decrypt integrity check errors, sort them, and count them per source is to run the following search in a terminal:
grep -A1 -i 'Decrypt integrity check failed' /var/opt/novell/xad/log/kdc.log | grep -v -i 'Decrypt integrity check failed' | awk -F ')' '{print $3}' | grep -v '^$' | awk -F 'for' '{print $1}' | sort -n | uniq -c | sort -n | sed -e 's/PREAUTH_FAILED:/BAD_PASSWORD:/g'
If the output is needed in a text file, send it to a file by adding > file.txt to the end of the command.
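The same search done as a small parser, added here as an example and not part of the original TID: it pairs each Decrypt integrity check failure with the AS_REQ line that follows it, keeps the principal and source IP, and flags machine accounts ($) that fail from more than one IP, which is the signature of two workstations joined under the same name. The log excerpt, host names, IPs and realm are constructed placeholders in the MIT krb5kdc line layout the article quotes.

```python
import re
from collections import defaultdict

# Constructed sample of /var/opt/novell/xad/log/kdc.log (placeholder hosts, IPs, realm).
SAMPLE_KDC_LOG = """\
Mar 03 08:01:10 dsfw1 krb5kdc[2104](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Mar 03 08:01:10 dsfw1 krb5kdc[2104](info): AS_REQ (7 etypes {18 17 16 23 3 1 2}) 10.10.1.21: PREAUTH_FAILED: amber$@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
Mar 03 08:01:12 dsfw1 krb5kdc[2104](info): AS_REQ (7 etypes {18 17 16 23 3 1 2}) 10.10.1.21: ISSUE: authtime 1393833672, etypes {rep=18 tkt=18 ses=18}, jdoe@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Mar 03 08:01:15 dsfw1 krb5kdc[2104](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Mar 03 08:01:15 dsfw1 krb5kdc[2104](info): AS_REQ (7 etypes {18 17 16 23 3 1 2}) 10.10.2.7: PREAUTH_FAILED: amber$@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
Mar 03 08:01:20 dsfw1 krb5kdc[2104](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Mar 03 08:01:20 dsfw1 krb5kdc[2104](info): AS_REQ (7 etypes {18 17 16 23 3 1 2}) 10.10.1.40: PREAUTH_FAILED: jdoe@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
"""

DECRYPT_MSG = "decrypt integrity check failed"
# Source IP and principal from an AS_REQ ... PREAUTH_FAILED line.
AS_REQ_RE = re.compile(r"AS_REQ .*?\) (?P<ip>[\d.]+): PREAUTH_FAILED: (?P<princ>\S+) for ")


def decrypt_failures(log_text):
    """Return {principal: set of source IPs} for every AS_REQ that directly
    follows a 'Decrypt integrity check failed' line (the article's grep -A1)."""
    hits = defaultdict(set)
    lines = log_text.splitlines()
    for i, line in enumerate(lines[:-1]):
        if DECRYPT_MSG not in line.lower():
            continue
        m = AS_REQ_RE.search(lines[i + 1])
        if m:
            hits[m["princ"]].add(m["ip"])
    return dict(hits)


def is_machine_account(principal):
    # Workstation principals carry a trailing '$' before the realm: amber$@REALM
    return principal.split("@", 1)[0].endswith("$")


def suspected_duplicates(hits):
    """Machine accounts failing preauth from more than one IP: most likely two
    workstations joined to the domain under the same name."""
    return sorted(p for p, ips in hits.items() if is_machine_account(p) and len(ips) > 1)


if __name__ == "__main__":
    found = decrypt_failures(SAMPLE_KDC_LOG)
    for princ, ips in sorted(found.items()):
        print(f"{len(ips):3d} BAD_PASSWORD: {princ} from {', '.join(sorted(ips))}")
    print("suspected duplicate workstation names:", suspected_duplicates(found))
```

Run it against the real file by replacing SAMPLE_KDC_LOG with the contents of /var/opt/novell/xad/log/kdc.log; a user principal (no $) in the list points at the expired-machine-password case covered under Additional Information rather than a duplicate name.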
Moved workstations or workstations not located in the CN=Computers container
If a workstation is not located in the CN=Computers container, the Default Password Policy must be assigned to the container it is in. The Default Password Policy is located in cn=Password Policies,cn=System,<domain mapped container>.
To assign the Default Password Policy, open iManager. Either browse to the Default Password Policy object and modify it, or use the Passwords role. If using the Passwords role, change the container to search for password policies to Password Policies.system.<container> in the "Search for password policies in the following container:" field.
Click the Assignments tab in the Default Password Policy and assign the container where the workstations are located.
IMPORTANT - workstations and computers should not be in the same container.
The only modification that should be made to the Default Password Policy is the assignments. Changing the password length, case sensitivity, etc. will prevent workstations from joining the domain.
Ways to prevent duplicate workstations
There are two ways to prevent duplicate workstations, and it is a good idea to use both methods.
1) Configure Intruder Lockout on the container where the workstations are located (by default the Computers container already has Intruder Lockout)
2) Enable WINS to provide notification and prevention of duplicate workstation names
Intruder Lockout
A way to prevent duplicate workstations from causing slow logins is to enforce Intruder Lockout for the machine accounts (workstations).
This is done by enforcing a GPO that has the intruder lockout set to 5 or 6 invalid logins and a reset interval of 1 hour, at the domain level or on the Computers container.
Reference steps to enforce Intruder Lockout are as follows:
1. Right click the GPO and select 'Edit'.
2. In the new window, go to Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\
3. Set appropriate values
Refer : http://technet.microsoft.com/en-us/library/cc781491(WS.10).aspx#BKMK_2
Wins Support
Another option, which notifies you when a workstation with the same name already exists in the domain when attempting to join a workstation, is to enable WINS support.
In the [Global] section of /etc/samba/smb.conf add
wins support = yes
The order of resolution can also be specified using name resolve order.
Example:
wins support = yes
name resolve order = wins hosts bcast lmhosts
Do this on only one DSfW server on the network. Only one server can hold the WINS database per subnet or network, because this database cannot be replicated.
WINS is not routable, so if there are two or more networks, enable one server per network or use the proxy option to forward WINS requests. Do NOT enable two or more WINS servers on the SAME network or subnet.
If there is a DSfW server on another network or subnet, wins proxy can be used. The DSfW server on the other network then forwards any name resolution request to the WINS server.
To do this, add the following to the [Global] section of smb.conf (do not put <> around the IP address):
wins server = <ip address of wins server>
wins proxy = yes
For DSfW servers or Samba servers on the same network that are not WINS servers, specify the WINS server in the [Global] section of smb.conf (again without <> around the IP address):
wins server = <ip address of wins server>
For Novell Cifs add the wins server in the WINS IP Address parameter in the cifs configuration.
Additional Information
Decrypt integrity check failed can also be caused by the workstation password expiring and being reset on the workstation, but not on the workstation object.
To solve this, simply rejoin the workstation to the domain.
If this becomes a routine issue for specific workstations, the Automatic Machine Password Change can be disabled.
To disable the Automatic Machine Password Change:
- Start Registry Editor (Start, Run, type regedit in the Open box).
- Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
- In the right pane, click the DisablePasswordChange entry.
- On the Edit menu, click Modify.
- In the Value data box, type a value of 1, and then click OK.
- Quit Registry Editor.
It is also possible to increase the time between password changes.
Click MaximumPasswordAge, then on the Edit menu click Modify and enter the desired number of days between password expirations (decimal). The default is 30 days.