Cannot create a linked clone: "You might not have permissions to use this network resource"

  • 7008593
  • 16-May-2011
  • 27-Apr-2012

Environment

Novell Open Enterprise Server 2 SP2 (OES 2SP2)
Novell Open Enterprise Server 2 SP3 (OES 2SP3)
Domain Services for Windows
DSFW
VMware View 4.6

Situation

VMware View linked clone creation with the QuickPrep process fails with "You might not have permissions to use this network resource"

Cannot create a linked clone: "You might not have permissions to use this network resource"

The computer object never gets created.
A computer object cannot be created manually with MMC.
Workstations can be joined to the domain manually (not using VMware composer).

Resolution

If a computer object cannot be created, check the kdc.log and take an ndstrace.

The /var/opt/novell/xad/log/kdc.log shows the following when a workstation is created:
May 11 10:31:12 novell-ads1 krb5kdc[18664](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 192.168.0.3: CLIENT_NOT_FOUND: test1$@novell.com for krbtgt/novell.com@novell.com, Client not found in Kerberos database
An easy way to search is to grep the log for the workstation being created:
grep -i test1 /var/opt/novell/xad/log/kdc.log

To verify the occurrence of this issue, run ndstrace with the following options.
Enable screen options:
ldapconfig -s "ldap screen level=all"
Restart nldap:
nldap -u
nldap -l
Enable ndstrace options:
"set ndstrace=nodebug, ndstrace +time, ndstrace +ldap, ndstrace +misc, ndstrace screen on"
The error message is as follows:

3063749536 MISC: [2011/05/11 10:31:12.851] FixObjectClass: Object Class has .ndsLoginProperties.[Class Definitions].[Schema Root]
3063749536 MISC: [2011/05/11 10:31:12.851] FixObjectClass: more than one effective class, unable to determine baseclass failed, object class violation (-628)

MMC will not create objects where a superclass is listed twice. An objectclass can have a superclass listed twice through inheritance. The most common example is Top.

Say the objectclass Person has the superclasses Top and ndsLoginProperties. Because ndsLoginProperties has Top listed as a superclass, Person will receive Top two times: once as a direct assignment and a second time through inheritance.

Computer objects have a base class of msDS-Computer.
In the case of msDS-Computer the superclass is User.
User has a superclass of Organizational Person.
Organizational Person has a superclass of Person.
Person has a superclass of ndsLoginProperties.
ndsLoginProperties has a superclass of Top.
If Top is assigned to Person, Organizational Person, User, or msDS-Computer, the creation of msDS-Computer will fail.

You can use iMonitor to verify that only one superclass is assigned to the objectclass msDS-Computer.
Verify that each superclass listed has only one superclass. Follow the chain until you get to Top.
If any of the objectclasses listed has Top listed along with another objectclass, a dial-in from Novell Support will be required.
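
The superclass check described above, as an added example (not Novell's code or tooling): a Python walk of the chain from msDS-Computer to Top that flags any class where a superclass is assigned directly and also inherited through another superclass. The superclass maps are constructed sample data of the kind you would transcribe by hand from iMonitor, the function names are hypothetical, and the check generalizes the Top case to any doubly listed superclass.

```python
# Added example. Class names are compared case-insensitively and
# returned lowercased. GOOD and BAD are constructed sample data.

def ancestors(schema, cls, seen=None):
    """Return every class reachable from cls through superclass links."""
    seen = set() if seen is None else seen
    for sup in schema.get(cls, []):
        if sup not in seen:          # also guards against schema loops
            seen.add(sup)
            ancestors(schema, sup, seen)
    return seen

def find_duplicate_superclasses(schema, base):
    """Walk from base toward Top and return (class, superclass) pairs where
    the superclass is assigned directly AND inherited via a sibling."""
    norm = {k.lower(): [s.lower() for s in v] for k, v in schema.items()}
    findings, queue, visited = [], [base.lower()], set()
    while queue:
        cls = queue.pop(0)
        if cls in visited:
            continue
        visited.add(cls)
        sups = norm.get(cls, [])
        for sup in sups:
            inherited = set()
            for other in sups:
                if other != sup:
                    inherited |= ancestors(norm, other)
            if sup in inherited:     # listed twice: direct + inherited
                findings.append((cls, sup))
        queue.extend(sups)
    return findings

# Healthy chain as described in this document.
GOOD = {
    "msDS-Computer": ["User"],
    "User": ["Organizational Person"],
    "Organizational Person": ["Person"],
    "Person": ["ndsLoginProperties"],
    "ndsLoginProperties": ["Top"],
    "Top": [],
}
# Broken chain: Top assigned directly to Person as well.
BAD = dict(GOOD, Person=["top", "ndsLoginProperties"])

if __name__ == "__main__":
    for name, schema in (("GOOD", GOOD), ("BAD", BAD)):
        hits = find_duplicate_superclasses(schema, "msDS-Computer")
        print(name, "->", hits or "one superclass per class, chain is clean")
```

Any pair reported for the chain under msDS-Computer corresponds to the condition that produces the -628 object class violation in the ndstrace output above.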