Environment
Novell Open Enterprise Server 2 SP3 (OES2SP3)
Novell Open Enterprise Server 11 (OES11)
Domain Services for Windows
Situation
- DSfW domain controller upgraded from OES2 SP1 or OES2 SP2 to OES2 SP3
- The Provisioning wizard failed during the domain samification operation and this task was skipped to complete the upgrade
- Before the upgrade, the KDC was able to issue tickets; after the upgrade, kinit commands for all principals fail with the following error:
kinit Administrator@NTS.COM
ERROR: Server not found in Kerberos database
- LAN traces show all Kerberos ticket requests failing with KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
Resolution
One cause of this problem is that the domain samification failed before the "krbtgt" account was samified. This can be confirmed by browsing to the "krbtgt" User object in iMonitor and verifying that the "uniquedomainid" attribute does not exist, or by checking that the following ldapsearch returns no result:
LDAPCONF=/etc/opt/novell/xad/openldap/ldap.conf ldapsearch -Q -Y EXTERNAL -b cn=Users,dc=<domain name>,dc=<domain suffix> -s one "(&(Objectclass=User)(samAccountName=krbtgt))" dn -LLL
To resolve this problem, follow the steps listed below.
1. Add and then delete a "description" value on the krbtgt user with the following ldapmodify command (the LDIF is read from standard input; the two change records are separated by a blank line):
LDAPCONF=/etc/opt/novell/xad/openldap/ldap.conf ldapmodify -Q -Y EXTERNAL
dn: cn=krbtgt,cn=users,dc=<domain name>,dc=<domain suffix>
changetype: modify
add: description
description: <any text>
-

dn: cn=krbtgt,cn=users,dc=<domain name>,dc=<domain suffix>
changetype: modify
delete: description
description: <same as the above text>
-
(Adding and removing the 'description' attribute triggers the ADPH process to touch the user, which populates the uniquedomainid attribute in the user's attribute list.)
2. Rerun the ldapsearch command to confirm that the krbtgt user now has the uniqueDomainID attribute. The following command should return the user this time.
LDAPCONF=/etc/opt/novell/xad/openldap/ldap.conf ldapsearch -Q -Y EXTERNAL -b cn=Users,dc=<domain name>,dc=<domain suffix> -s one "(&(samAccountName=krbtgt)(Objectclass=User))" dn -LLL
3. Verify that Kerberos is once again able to issue tickets for the domain using the "kinit" command.
4. Run the samify command on the DSfW partitions of the upgraded server to samify the users left out during the upgrade process.
kinit Administrator
domaincntrl --samify
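The check-then-fix sequence above, collected into one script as an added example (this is not part of the original TID and not Novell's code). It assumes the OpenLDAP client tools, the DSfW ldap.conf path and the SASL EXTERNAL bind used by the TID's own commands, and it assumes the ADPH population of uniqueDomainID may lag a few seconds behind the ldapmodify, so it polls rather than checking once. It goes slightly beyond the TID by filtering on uniqueDomainID itself instead of only on the dn, so the search returns the object only when the attribute is really present.

```shell
#!/bin/sh
# Added example (not from the original TID): check whether the krbtgt user has
# been samified; if not, toggle its description to make ADPH populate
# uniqueDomainID, re-check, and confirm the KDC issues a ticket again.
LDAPCONF=/etc/opt/novell/xad/openldap/ldap.conf
export LDAPCONF

# Base DN of the Users container from the two DN components,
# e.g. krbtgt_users_base nts com -> cn=Users,dc=nts,dc=com
krbtgt_users_base() {
    printf 'cn=Users,dc=%s,dc=%s' "$1" "$2"
}

# LDIF that adds and then deletes one description value on krbtgt: two
# "changetype: modify" records separated by a blank line, as ldapmodify expects.
krbtgt_touch_ldif() {
    base=$(krbtgt_users_base "$1" "$2")
    marker=$3
    printf 'dn: cn=krbtgt,%s\nchangetype: modify\nadd: description\ndescription: %s\n-\n\ndn: cn=krbtgt,%s\nchangetype: modify\ndelete: description\ndescription: %s\n-\n' \
        "$base" "$marker" "$base" "$marker"
}

# Return 0 only if the krbtgt User object carries a uniqueDomainID value
# (attribute names in LDAP filters are case-insensitive).
krbtgt_is_samified() {
    out=$(ldapsearch -Q -Y EXTERNAL -LLL \
            -b "$(krbtgt_users_base "$1" "$2")" -s one \
            '(&(objectClass=User)(sAMAccountName=krbtgt)(uniqueDomainID=*))' dn)
    [ -n "$out" ]
}

main() {
    dom=$1
    suf=$2
    if krbtgt_is_samified "$dom" "$suf"; then
        echo "krbtgt already has uniqueDomainID; nothing to do"
    else
        echo "krbtgt is not samified; toggling description to trigger ADPH"
        krbtgt_touch_ldif "$dom" "$suf" "samify-touch-$(date +%s)" | ldapmodify -Q -Y EXTERNAL
        # Assumption: ADPH works asynchronously, so give it up to 30 seconds.
        i=0
        until krbtgt_is_samified "$dom" "$suf"; do
            i=$((i + 1))
            if [ "$i" -ge 30 ]; then
                echo "uniqueDomainID still missing on krbtgt after 30 s" >&2
                exit 1
            fi
            sleep 1
        done
        echo "krbtgt now has uniqueDomainID"
    fi
    # Step 3 of the TID: the KDC should issue a TGT again (prompts for the password).
    kinit Administrator && echo "KDC issued a ticket for Administrator"
}

# Run only when invoked as: sh fix-krbtgt.sh run <domain name> <domain suffix>
if [ "${1:-}" = "run" ]; then
    main "$2" "$3"
fi
```

After the script reports that krbtgt has uniqueDomainID and kinit succeeds, step 4 of the TID (domaincntrl --samify) still has to be run to samify the remaining users.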
Additional Information
With the November 2011 Maintenance Patch, OES2 SP3 domains require all samified objects to have the uniquedomainid attribute as well. If the krbtgt object or the domain controller object (located in the ou=domain controller container, or in the container where the domain is mapped) does not have the samAccountName and uniquedomainid attributes, Kerberos will not start, or will not remain running after starting.