Environment
Novell Open Enterprise Server 11 SP2 (OES 11 SP2)
Novell Open Enterprise Server 11 SP1 (OES 11 SP1)
Novell Open Enterprise Server 2 SP3 (OES 2SP3)
Domain Services for Windows
DSfW
Situation
Kerberos fails to start on a DSfW server
LDAP Group object was deleted on a DSfW server
LDAP Server object was deleted on a DSfW server
Resolution
On the LDAP Server object add the following ldapInterfaces:
ldapInterfaces: ldaps://:1636
ldapInterfaces: ldap://:1389
ldapInterfaces: ldap://:389 ldaps://:636 ldapi://%2fvar%2fopt%2fnovell%2fxad%2frun%2fldapi cldap:// ldap://:3268 ldaps://:3269
Either iManager or ldapconfig can be used to add the ldapInterfaces.
For iManager, edit the DSfW LDAP Server object, go to Connections | LDAP Interfaces, click the + sign, and add each of these three lines:
ldaps://:1636
ldap://:1389
ldap://:389 ldaps://:636 ldapi://%2fvar%2fopt%2fnovell%2fxad%2frun%2fldapi cldap:// ldap://:3268 ldaps://:3269
Click Apply
Click the Information tab
Click Refresh to refresh the ldap server.
The changes should now be applied and the DSfW services can be restarted (xadcntrl reload).
For ldapconfig, do the following. At the "User FDN:" prompt, enter an admin user in .x500 format (for example admin.novell), or pass the user with the -a switch:
ldapconfig -s "ldapinterfaces=ldaps://:1636" -a admin.novell
ldapconfig -s "ldapinterfaces=ldap://:1389" -a admin.novell
ldapconfig -s "ldapinterfaces=ldap://:389 ldaps://:636 ldapi://%2fvar%2fopt%2fnovell%2fxad%2frun%2fldapi cldap:// ldap://:3268 ldaps://:3269" -a admin.novell
Now add the extensions to the LDAP Server object and the mappings to the LDAP Group object.
For this there are two options: run the provision_config_slapi.pl task, or manually edit the LDAP objects using either the ldif files or iManager.
Using the /opt/novell/xad/share/dcinit/provision/provision_config_slapi.pl task
First export NDSEXISTINGADMINPASSWD and ADM_PASSWD with the tree admin credentials:
export ADM_PASSWD=<current domain password, usually that of Administrator>
export NDSEXISTINGADMINPASSWD=<tree password, usually that of admin>
Then run /opt/novell/xad/share/dcinit/provision/provision_config_slapi.pl
For the ldif option, the two ldif files that will be needed are located in /var/opt/novell/xad/ds/domain/:
nldap-delete-classlist.ldif
nldap.ldif
The nldap-delete-classlist.ldif file deletes two class mappings.
Below is an example of what this file should look like. Other than the server name and context, the file should appear as follows:
dn: CN=LDAP Group - OES11-DSFW1,ou=OESSystemObjects,o=novell
control: 1.2.840.113556.1.4.1339
control: 1.2.840.113556.1.4.1413
changetype: modify
delete: ldapClassList
ldapClassList: NDSName=User$LDAPNames=inetOrgPerson
ldapClassList: NDSName=Group$LDAPNames=groupOfNames\24groupOfUniqueNames\24group
This nldap-delete-classlist.ldif is ready as is to modify the LDAP Group object.
nldap.ldif needs to have just the LDAP Server and LDAP Group information copied and placed in a new ldif file called ldapobjects.ldif (the file name must match what is later passed to ldapmodify -f).
Example of what should be copied to ldapGroupObject.ldif:
dn: CN=LDAP Group - OES11-DSFW1,ou=OESSystemObjects,o=novell
control: 1.2.840.113556.1.4.1339
control: 1.2.840.113556.1.4.1413
changetype: modify
add: ldapClassList
ldapClassList: NDSName=User$LDAPNames=user\24inetOrgPerson
ldapClassList: NDSName=Group$LDAPNames=group\24groupOfNames\24groupOfUniqueNames
ldapClassList: NDSName=Computer$LDAPNames=ndsComputer
ldapClassList: NDSName=mSDS:Computer$LDAPNames=computer
ldapClassList: NDSName=dmd$LDAPNames=ndsDmd
ldapClassList: NDSName=mSDS:DMD$LDAPNames=dMD
ldapClassList: NDSName=server$LDAPNames=ndsServer
ldapClassList: NDSName=mSDS:Server$LDAPNames=server
ldapClassList: NDSName=volume$LDAPNames=ndsVolume
ldapClassList: NDSName=mSDS:Volume$LDAPNames=volume
ldapClassList: NDSName=rRASAdministrationConnectionPoin$LDAPNames=rRASAdministrationConnectionPoint
-
add: ldapAttributeList
ldapAttributeList: NDSName=homeDirectory$LDAPNames=unixHomeDirectory
ldapAttributeList: NDSName=mSDS:HomeDirectory$LDAPNames=homeDirectory
ldapAttributeList: NDSName=homePostalAddress$LDAPNames=ndshomePostalAddress
ldapAttributeList: NDSName=msds:homePostalAddress$LDAPNames=homePostalAddress
ldapAttributeList: NDSName=mS-SQL-AllowAnonymousSubscriptio$LDAPNames=mS-SQL-AllowAnonymousSubscription
ldapAttributeList: NDSName=mS-SQL-AllowImmediateUpdatingSub$LDAPNames=mS-SQL-AllowImmediateUpdatingSubscription
ldapAttributeList: NDSName=mS-SQL-AllowKnownPullSubscriptio$LDAPNames=mS-SQL-AllowKnownPullSubscription
ldapAttributeList: NDSName=mS-SQL-AllowQueuedUpdatingSubscr$LDAPNames=mS-SQL-AllowQueuedUpdatingSubscription
ldapAttributeList: NDSName=mS-SQL-AllowSnapshotFilesFTPDown$LDAPNames=mS-SQL-AllowSnapshotFilesFTPDownloading
ldapAttributeList: NDSName=msDS-Cached-Membership-Time-Stam$LDAPNames=msDS-Cached-Membership-Time-Stamp
ldapAttributeList: NDSName=msDS-Non-Security-Group-Extra-Cl$LDAPNames=msDS-Non-Security-Group-Extra-Classes
ldapAttributeList: NDSName=msDS-Replication-Notify-First-DS$LDAPNames=msDS-Replication-Notify-First-DSA-Delay
ldapAttributeList: NDSName=msDS-Replication-Notify-Subseque$LDAPNames=msDS-Replication-Notify-Subsequent-DSA-Delay
ldapAttributeList: NDSName=msDS-Security-Group-Extra-Classe$LDAPNames=msDS-Security-Group-Extra-Classes
ldapAttributeList: NDSName=msDS-User-Account-Control-Comput$LDAPNames=msDS-User-Account-Control-Computed
ldapAttributeList: NDSName=msPKI-Certificate-Application-Po$LDAPNames=msPKI-Certificate-Application-Policy
ldapAttributeList: NDSName=ms-net-ieee-80211-GP-PolicyReser$LDAPNames=ms-net-ieee-80211-GP-PolicyReserved
ldapAttributeList: NDSName=ms-net-ieee-8023-GP-PolicyReser$LDAPNames=ms-net-ieee-8023-GP-PolicyReserved
ldapAttributeList: NDSName=dNSHostName$LDAPNames=dNSHostName
ldapAttributeList: NDSName=name$LDAPNames=name
dn: CN=LDAP Server - OES11-DSFW1,ou=OESSystemObjects,o=novell
control: 1.2.840.113556.1.4.1339
changetype: modify
add: extensionInfo
extensionInfo: 0#object#nad_object_init#nad-plugin
extensionInfo: 1#object#subschema_object_init#subschema-plugin
extensionInfo: 2#preoperation#crossref_preop_init#crossref-plugin
extensionInfo: 3#object#anr_object_init#anr-plugin
extensionInfo: 4#object#tokengroups_object_init#tokengroups-plugin
extensionInfo: 5#extendedop#netlogon_extop_init#netlogon-plugin
extensionInfo: 6#object#ntacl_object_init#ntacl-plugin
extensionInfo: 7#extendedop#whoami_extop_init#whoami-plugin
extensionInfo: 8#object#dsearch_object_init#dsearch-plugin
If needed, take the example above and change the server name and context to reflect your server. The parts to replace are the server name (OES11-DSFW1) and the context (ou=OESSystemObjects,o=novell) in these two dn values:
CN=LDAP Group - OES11-DSFW1,ou=OESSystemObjects,o=novell
CN=LDAP Server - OES11-DSFW1,ou=OESSystemObjects,o=novell
Add ldap extensions to the LDAP Server Object using an ldif if only recreating the LDAP Server Object. This information is in the nldap.ldif file.
In the example below, modify the dn: line with the correct LDAP server name and context, keeping the rest of the information as is.
Example of the ldapServerObject.ldif:
dn: CN=LDAP Server - OES11-DSFW1,ou=OESSystemObjects,o=novell
control: 1.2.840.113556.1.4.1339
changetype: modify
add: extensionInfo
extensionInfo: 0#object#nad_object_init#nad-plugin
extensionInfo: 1#object#subschema_object_init#subschema-plugin
extensionInfo: 2#preoperation#crossref_preop_init#crossref-plugin
extensionInfo: 3#object#anr_object_init#anr-plugin
extensionInfo: 4#object#tokengroups_object_init#tokengroups-plugin
extensionInfo: 5#extendedop#netlogon_extop_init#netlogon-plugin
extensionInfo: 6#object#ntacl_object_init#ntacl-plugin
extensionInfo: 7#extendedop#whoami_extop_init#whoami-plugin
extensionInfo: 8#object#dsearch_object_init#dsearch-plugin
Now that we have the two ldif files, use ldapmodify to import them.
Once the ldapInterfaces are set, Kerberos should start. Validate that the services are running (xadcntrl validate). If not, restart all DSfW services (xadcntrl reload) and verify that all DSfW services are running.
Once all services are running, you can use ldapmodify to import the ldifs.
ldapmodify -x -H ldaps:// -D cn=admin,o=context -W -Q -f /var/opt/novell/xad/ds/domain/nldap-delete-classlist.ldif
ldapmodify -x -H ldaps:// -D cn=admin,o=context -W -Q -f /var/opt/novell/xad/ds/domain/ldapGroupObjects.ldif
ldapmodify -x -H ldaps:// -D cn=admin,o=context -W -Q -f /var/opt/novell/xad/ds/domain/ldapServerObjects.ldif
For the bind user (-D), enter the appropriate username and context.
Stop and restart nldap, either by using the Refresh option in iManager on the LDAP Server object, by restarting all DSfW services, or at the command line with:
nldap -u
nldap -l
Both the LDAP Server and LDAP Group objects should now be properly configured.
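As a check after the objects are recreated, here is an added example (not part of this TID and not Novell code) that parses an LDIF export of the two objects and reports which of the ldapInterfaces, extensionInfo plugins and ldapClassList mappings from this article are missing. The embedded LDIF is a constructed sample, and the class-mapping check is limited to the User and mSDS:Computer mappings.

```python
import re
# Required values copied from the article's ldapconfig lines and nldap.ldif (\24 escapes '$').
REQUIRED_INTERFACES = {
    "ldaps://:1636",
    "ldap://:1389",
    "ldap://:389 ldaps://:636 ldapi://%2fvar%2fopt%2fnovell%2fxad%2frun%2fldapi"
    " cldap:// ldap://:3268 ldaps://:3269",
}
REQUIRED_PLUGINS = {"nad-plugin", "subschema-plugin", "crossref-plugin", "anr-plugin",
                    "tokengroups-plugin", "netlogon-plugin", "ntacl-plugin",
                    "whoami-plugin", "dsearch-plugin"}
REQUIRED_CLASSMAP = {r"NDSName=User$LDAPNames=user\24inetOrgPerson",
                     "NDSName=mSDS:Computer$LDAPNames=computer"}
# Constructed sample export (not a real server): the long interface value is folded the way ldapsearch prints it; most plugins and the computer class mapping are deliberately absent.
SAMPLE_LDIF = r"""dn: CN=LDAP Server - OES11-DSFW1,ou=OESSystemObjects,o=novell
ldapInterfaces: ldaps://:1636
ldapInterfaces: ldap://:1389
ldapInterfaces: ldap://:389 ldaps://:636 ldapi://%2fvar%2fopt%2fnovell%2fxad
 %2frun%2fldapi cldap:// ldap://:3268 ldaps://:3269
extensionInfo: 0#object#nad_object_init#nad-plugin
extensionInfo: 8#object#dsearch_object_init#dsearch-plugin

dn: CN=LDAP Group - OES11-DSFW1,ou=OESSystemObjects,o=novell
ldapClassList: NDSName=User$LDAPNames=user\24inetOrgPerson
"""

def parse_ldif(text):
    """Return {dn: {attr: [values]}}; RFC 2849 folded lines are joined first."""
    entries, current = {}, None
    for line in re.sub(r"\n ", "", text).splitlines():
        if not line.strip():                      # blank line ends an entry
            current = None
            continue
        attr, _, value = line.partition(":")
        if attr == "dn":
            current = entries.setdefault(value.strip(), {})
        elif current is not None:
            current.setdefault(attr, []).append(value.strip())
    return entries

def missing(dn, label, required, present):
    return [f"{dn}: missing {label} {v}" for v in sorted(required - set(present))]

def check_dsfw_objects(entries):
    """List what the article says must be present; an empty list means nothing is missing."""
    problems = []
    for dn, attrs in entries.items():
        if dn.startswith("CN=LDAP Server"):
            problems += missing(dn, "ldapInterfaces", REQUIRED_INTERFACES, attrs.get("ldapInterfaces", []))
            plugins = [v.split("#")[-1] for v in attrs.get("extensionInfo", [])]
            problems += missing(dn, "extension", REQUIRED_PLUGINS, plugins)
        elif dn.startswith("CN=LDAP Group"):
            problems += missing(dn, "ldapClassList", REQUIRED_CLASSMAP, attrs.get("ldapClassList", []))
    return problems
```

Feed it the LDIF output of an ldapsearch against the two objects and an empty result means the interfaces, extensions and mappings described above are all in place.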
Cause
If the LDAP Server object is deleted, the LDAP interfaces that DSfW needs in order to function as a Domain Controller are lost. This causes Kerberos to fail to start, because part of its start-up process is a base search on the root DSE:
ldapsearch -Y EXTERNAL -b "" -s base
The LDAP interfaces have to be specified, specifically the ldapi one (ldapi://%2fvar%2fopt%2fnovell%2fxad%2frun%2fldapi), since the SASL EXTERNAL bind in that search runs over the ldapi socket.
The class and attribute mappings on a DSfW server are also modified to reflect the configuration in AD, along with the proper LDAP extensions on the LDAP Server object. If the LDAP Group object is deleted and recreated, the mappings are lost and must be re-applied. The same applies to the LDAP extensions on the LDAP Server object.
Additional Information
If only the LDAP Server object is deleted, open nldap.ldif and copy only the LDAP Server section to ldapServerObjects.ldif.
Example of the ldapServerObjects.ldif:
dn: CN=LDAP Server - OES11-DSFW1,ou=OESSystemObjects,o=novell
control: 1.2.840.113556.1.4.1339
changetype: modify
add: extensionInfo
extensionInfo: 0#object#nad_object_init#nad-plugin
extensionInfo: 1#object#subschema_object_init#subschema-plugin
extensionInfo: 2#preoperation#crossref_preop_init#crossref-plugin
extensionInfo: 3#object#anr_object_init#anr-plugin
extensionInfo: 4#object#tokengroups_object_init#tokengroups-plugin
extensionInfo: 5#extendedop#netlogon_extop_init#netlogon-plugin
extensionInfo: 6#object#ntacl_object_init#ntacl-plugin
extensionInfo: 7#extendedop#whoami_extop_init#whoami-plugin
extensionInfo: 8#object#dsearch_object_init#dsearch-plugin
To fix only the interfaces, download and run the fix_ldap_objects script.