"NT_STATUS_LOGON_FAILURE" seen in packet trace on DSfW Domain Controller

  • 7007424
  • 27-Dec-2010
  • 09-May-2013

Environment

Open Enterprise Server 11.1 (OES11 SP1)
Open Enterprise Server 2 SP3 (OES2 SP3)
Domain Services for Windows
DSfW

Situation

A server or workstation joined to the domain can no longer authenticate to the domain.
A packet trace on the Domain Controller shows NT_STATUS_LOGON_FAILURE.
In the details of the Kerberos AP-REQ, the service principal name in the ticket looks something like this:
cifs/DomainServer.novell.com 

Resolution

The problem is that the request names the principal in mixed case.  The principals created by default are either all uppercase or all lowercase, and Kerberos principal names are case sensitive, so any request whose case differs from the entry in the keytab fails to authenticate.
 
A new parameter, -E, has been added to setpassword to allow mixed case principal names to be created in the keytab.
You will need to be at the current code level to have this option. To verify that it is available, run 'setpassword --help'; it lists all available parameters.
 
To create a new keytab that includes the mixed case principals, first rename (back up) the existing /var/opt/novell/xad/ds/krb5kdc/krb5.keytab.
Then create a new keytab with the following command. Substitute your server name in the -u parameter and your mixed case server name(s) in the -E parameter. Be sure to include the $ at the end of the -u server name.

setpassword -NDSOf -r -E DomainServer -k /var/opt/novell/xad/ds/krb5kdc/krb5.keytab -u DOMAINSERVER$
 
Example setting multiple mixed case names:

setpassword -NDSOf -r -E Domain-Server,domain-SERVER,DOMAIN-server -k /var/opt/novell/xad/ds/krb5kdc/krb5.keytab -u DOMAINSERVER$

Set the permissions, owners, and create the symbolic link to /etc/krb5.keytab:

 chmod 640 /var/opt/novell/xad/ds/krb5kdc/krb5.keytab
 chgrp named /var/opt/novell/xad/ds/krb5kdc/krb5.keytab
 ln -sf /var/opt/novell/xad/ds/krb5kdc/krb5.keytab /etc
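The following script is an added example and is not part of the original TID or of the setpassword tool. It turns the diagnosis above (a principal requested in mixed case that exists in the keytab only in a different case) into a check you can run on the DSfW Domain Controller both before the fix, to confirm this is the cause, and after recreating the keytab, to confirm the mixed case entry is now present. It reads the keytab with 'klist -k' (part of the Kerberos client tools on OES) and compares the principal taken from the AP-REQ in the trace against the entries exactly and case-insensitively. The keytab path is the one given in this TID; the realm NOVELL.COM in the usage example is an assumption, and the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the TID. Checks whether the principal a client
# asked for (as seen in the Kerberos AP-REQ in the packet trace) has an
# exact-case entry in the DSfW keytab, or only a case-insensitive one.

# Keytab path as given in the TID.
KEYTAB=/var/opt/novell/xad/ds/krb5kdc/krb5.keytab

# list_keytab_principals FILE
# Print one principal per line from 'klist -k FILE'. klist prints a header
# and then lines of the form "   2 cifs/host.example@REALM"; only lines that
# start with a numeric KVNO are entries.
list_keytab_principals() {
    klist -k "$1" | awk '$1 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# check_principal REQUESTED PRINCIPAL_LIST
# REQUESTED is the full principal from the trace, e.g.
# cifs/DomainServer.novell.com@NOVELL.COM; PRINCIPAL_LIST is newline-separated
# keytab entries. Returns 0 for an exact-case match, 1 when the only match
# differs in case (the NT_STATUS_LOGON_FAILURE case this TID describes),
# 2 when no entry matches at all.
check_principal() {
    req=$1
    list=$2
    if printf '%s\n' "$list" | grep -qxF -- "$req"; then
        echo "OK: keytab has an exact entry for $req"
        return 0
    fi
    lower_req=$(printf '%s' "$req" | tr 'A-Z' 'a-z')
    if printf '%s\n' "$list" | tr 'A-Z' 'a-z' | grep -qxF -- "$lower_req"; then
        echo "CASE MISMATCH: $req exists in the keytab only with different case;"
        echo "recreate the keytab with 'setpassword ... -E <MixedCaseName>' as described above"
        return 1
    fi
    echo "MISSING: keytab has no entry for $req in any case"
    return 2
}

# check_keytab_for REQUESTED [KEYTAB]
# Convenience wrapper that reads the live keytab. Must run on the DC as a user
# able to read the keytab (root, or a member of group named after the chgrp above).
check_keytab_for() {
    check_principal "$1" "$(list_keytab_principals "${2:-$KEYTAB}")"
}
```

Usage on the Domain Controller, with the principal copied from the AP-REQ in the trace (realm assumed): `sh checkprinc.sh` after adding a line such as `check_keytab_for 'cifs/DomainServer.novell.com@NOVELL.COM'`. A return code of 1 means the entry is present but only in a different case, which is exactly the situation this TID resolves; rerun after the setpassword -E step and it should return 0.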