Unable to issue tickets on DSfW domain controller after upgrade to OES2 SP3

  • 7009972
  • 10-Jan-2012
  • 27-Apr-2012

Environment

Novell Open Enterprise Server 2 SP3 (OES2SP3)
Novell Open Enterprise Server 11 (OES11)
Domain Services for Windows

Situation

- DSfW domain controller upgraded from OES2 SP1 or OES2 SP2 to OES2 SP3

- The Provisioning wizard failed during the domain samification operation, and this task was skipped in order to complete the upgrade

- Before the upgrade, the KDC was able to issue tickets, but after the upgrade kinit commands for all principals fail with the following error:

kinit Administrator@NTS.COM
ERROR: Server not found in Kerberos database

- LAN traces show all Kerberos ticket requests failing with KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN

Resolution

One cause of this problem is that the domain samification failed before the "krbtgt" account was samified. This can be confirmed by browsing to the "krbtgt" User object in iMonitor and verifying that the "uniquedomainid" attribute does not exist, or by checking that the following ldapsearch returns no result:

LDAPCONF=/etc/opt/novell/xad/openldap/ldap.conf ldapsearch -Q -Y EXTERNAL -b cn=Users,dc=<domain name>,dc=<domain suffix> -s one "(&(Objectclass=User)(samAccountName=krbtgt))" dn -LLL

To resolve this problem, follow the steps listed below.

1. Add and then remove a "description" attribute on the krbtgt object with ldapmodify. Run the command and enter the LDIF below on standard input (a blank line separates the two modify records):

LDAPCONF=/etc/opt/novell/xad/openldap/ldap.conf ldapmodify -Q -Y EXTERNAL
dn: cn=krbtgt,cn=users,dc=<domain name>,dc=<domain suffix>
changetype: modify
add: description
description: <any text>

dn: cn=krbtgt,cn=users,dc=<domain name>,dc=<domain suffix>
changetype: modify
delete: description
description: <same as the above text>

(Adding and then removing the "description" attribute triggers the ADPH process to touch the user object, which populates the uniquedomainid attribute in the user's attribute list.)

2. Rerun the ldapsearch command to confirm that the krbtgt user now has the uniqueDomainID attribute. The following command should return the user this time:

LDAPCONF=/etc/opt/novell/xad/openldap/ldap.conf ldapsearch -Q -Y EXTERNAL -b cn=Users,dc=<domain name>,dc=<domain suffix> -s one "(&(samAccountName=krbtgt)(Objectclass=User))" dn -LLL

3. Verify that Kerberos is once again able to issue tickets for the domain using the "kinit" command.

4. Run the samify command on the DSfW partitions of the upgraded server to samify any users left out during the upgrade process:

kinit Administrator
domaincntrl --samify

Additional Information

With the November 2011 Maintenance Patch, OES2SP3 domains require all samified objects to have the uniquedomainid attribute as well. If the krbtgt object or the domain controller object (located in the ou=domain controller container or in the container where the domain is mapped) does not have both the sAMAccountName and uniquedomainid attributes, Kerberos will not start, or will not remain running after starting.
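The confirmation search in the Resolution, the re-check in step 2, and the "Additional Information" note all come down to the same question: does a given object carry both sAMAccountName and uniqueDomainID? The script below is an added example, not part of this TID or of Novell's tooling. It classifies an object's samification state from the LDIF that ldapsearch -LLL prints, and wraps the same SASL EXTERNAL search the TID uses so the check can be run for krbtgt and for the domain controller objects the note mentions. Assumptions: the search filter is by cn rather than by sAMAccountName (so an unsamified object still shows up as an entry with missing attributes), the base DN is supplied by the caller, and the two LDIF samples are constructed for offline use, not captured from a real server.

```shell
#!/bin/sh
# Added example (not from the Novell TID): report whether a DSfW object has
# been samified, i.e. carries both sAMAccountName and uniqueDomainID.

# samify_status LDIF
# Reads one ldapsearch -LLL result passed as a string. Prints a status word and
# returns 0 = samified (both attributes present), 1 = object found but one or
# both attributes absent (ADPH has not touched it), 2 = no entry in the LDIF.
samify_status() {
    ldif="$1"
    # ldapsearch -LLL prints nothing at all when the filter matches no entry.
    if ! printf '%s\n' "$ldif" | grep -qi '^dn:'; then
        echo "absent"
        return 2
    fi
    has_sam=0; has_udi=0
    printf '%s\n' "$ldif" | grep -qi '^sAMAccountName:' && has_sam=1
    printf '%s\n' "$ldif" | grep -qi '^uniqueDomainID:' && has_udi=1
    if [ "$has_sam" -eq 1 ] && [ "$has_udi" -eq 1 ]; then
        echo "samified"
        return 0
    fi
    printf 'not-samified (sAMAccountName=%s uniqueDomainID=%s)\n' "$has_sam" "$has_udi"
    return 1
}

# check_object BASE_DN CN
# Runs the TID's EXTERNAL-bind search (as root on the domain controller) for
# the object named CN under BASE_DN and classifies the result. Assumption: a
# cn= filter is used instead of the TID's sAMAccountName filter so that an
# unsamified object still returns an entry. Not exercised by the samples below.
check_object() {
    base="$1"; cn="$2"
    out=$(LDAPCONF=/etc/opt/novell/xad/openldap/ldap.conf \
          ldapsearch -Q -Y EXTERNAL -b "$base" -s one \
          "(cn=$cn)" sAMAccountName uniqueDomainID -LLL)
    samify_status "$out"
}

# Constructed samples (not real server output): what the search returns for
# krbtgt before the add/delete-description fix and after ADPH has touched it.
# The RID value is made up for illustration.
KRBTGT_BEFORE='dn: cn=krbtgt,cn=Users,dc=example,dc=com'
KRBTGT_AFTER='dn: cn=krbtgt,cn=Users,dc=example,dc=com
sAMAccountName: krbtgt
uniqueDomainID: 502'

# Usage: ./check-samify.sh 'cn=Users,dc=<domain name>,dc=<domain suffix>' krbtgt
if [ "$#" -eq 2 ]; then
    check_object "$1" "$2"
fi
```

Run it once for krbtgt under cn=Users and once for each domain controller object under the container the note refers to; any object reported as "not-samified" is a candidate for the add/delete-description trigger in step 1, and "absent" means the base DN or cn was wrong rather than that samification failed.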