Environment
Novell Open Enterprise Server 2 SP2 (OES2 SP2)
Novell Open Enterprise Server 2 SP3 (OES2 SP3)
Novell Open Enterprise Server 11 (OES 11)
Novell Open Enterprise Server 11 SP1 (OES 11 SP1)
Domain Services for Windows
DSfW
Situation
xad-krb5kdc (Kerberos) fails to start
The message "Waiting for LDAP server to be ready ..." is displayed when starting Kerberos.
An ndstrace with TIME, TAGS, LDAP, and NMAS enabled shows:
1451190016 NMAS: [2012/08/24 13:25:29.686] 262318: Login Sequence IPCExternal not authorized for CN=DSFWServer.OU=Domain Controllers.O=novell
1451190016 NMAS: [2012/08/24 13:25:29.686] 262318: ERROR: -1680 User not authorized for requested login sequence "IPCExternal"
1451190016 NMAS: [2012/08/24 13:25:29.686] 262318: ERROR: -1680 CanDo
1451190016 NMAS: [2012/08/24 13:25:29.686] 262318: Password Failure Time Attribute value count: 100
1451190016 NMAS: [2012/08/24 13:25:29.686] 262318: Password Failure Time Attribute Value Count (100) exceeded Limit (100)
1451190016 NMAS: [2012/08/24 13:25:29.686] 262318: Removing Password Failure Time Attribute Value 1345828667
Resolution
The NMAS error 1680 means the login sequence being called is not authorized.
Log into iManager
In the Roles and Tasks section, click NMAS
Click NMAS Login Sequences
Verify that IPCExternal is authorized; if not, check the box beside the login sequence and click Authorize
Next, modify the domain mapped container.
Click the NMAS tab
Click the Login Sequences sub tab
Verify that IPCExternal is authorized; if not, check the box beside the login sequence and click Authorize
Do the same for the Domain Controllers container and OESSystemObjects container.
Other sequences that should be authorized are GSSAPI, Kerberos, and NDS.
Cause
The IPCExternal login sequence was not authorized
Additional Information
For instructions on taking an ndstrace, follow TID 7009602.
Key points in the TID
Make sure the screen level is set to "Operation| Connection| Config| Extensions| Error| Critical| DataConnection" or to "all"
Example:
ldapconfig -s "ldap screen level= Operation| Connection| Config| Extensions| Error| Critical| DataConnection"
Start the trace
ndstrace                                # Brings up the ndstrace utility
set dstrace = nodebug                   # Clear the filter
dstrace NMAS LDAP TIME TAGS AUTH        # Enable the LDAP, NMAS, TIME, TAGS, and AUTH flags
set ndstrace = *r                       # Clear the log, or rename /var/opt/novell/eDirectory/log/ndstrace.log
ndstrace = on                           # Start the logging, then execute your command or task
set ndstrace = off                      # Stop the logging after starting Kerberos (rcxad-krb5kdc)
quit                                    # Exit ndstrace
The default location for the trace file is /var/opt/novell/eDirectory/log/ndstrace.log
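Added example (not part of the original TID): a Python script that scans an ndstrace log for the NMAS -1680 pattern shown in the Situation section and reports which login sequence was refused for which object. The function names and the field labels in the comments are assumptions, and the sample trace combines the lines quoted above with constructed ones.

```python
import re
from collections import Counter

# Sample input: the first three lines are quoted from the Situation section;
# the remaining lines are constructed for this example.
SAMPLE_TRACE = """\
1451190016 NMAS: [2012/08/24 13:25:29.686] 262318: Login Sequence IPCExternal not authorized for CN=DSFWServer.OU=Domain Controllers.O=novell
1451190016 NMAS: [2012/08/24 13:25:29.686] 262318: ERROR: -1680 User not authorized for requested login sequence "IPCExternal"
1451190016 NMAS: [2012/08/24 13:25:29.686] 262318: ERROR: -1680 CanDo
1451190016 LDAP: [2012/08/24 13:25:29.690] constructed non-NMAS line
1451190016 NMAS: [2012/08/24 13:25:31.102] 262319: Login Sequence IPCExternal not authorized for CN=DSFWServer.OU=Domain Controllers.O=novell
1451190016 NMAS: [2012/08/24 13:25:31.102] 262319: ERROR: -1680 CanDo
"""

# Assumed layout: <id> NMAS: [<timestamp>] <NMAS session number>: <message>
LINE = re.compile(r"^\d+ NMAS: \[(?P<ts>[^\]]+)\] (?P<sess>\d+): (?P<msg>.*)$")
DENIED = re.compile(r"^Login Sequence (?P<seq>\S+) not authorized for (?P<dn>.+)$")


def find_unauthorized_sequences(trace_text):
    """Return (timestamp, sequence, dn) for each session denied with -1680."""
    denied = {}        # session -> (timestamp, sequence, dn), first denial wins
    confirmed = set()  # sessions that also logged ERROR: -1680
    for raw in trace_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an NMAS line in the expected layout
        sess, msg = m["sess"], m["msg"]
        d = DENIED.match(msg)
        if d:
            denied.setdefault(sess, (m["ts"], d["seq"], d["dn"]))
        elif msg.startswith("ERROR: -1680"):
            confirmed.add(sess)
    return [hit for sess, hit in denied.items() if sess in confirmed]


def summarize(findings):
    """Count denials per (sequence, dn) so repeated failures stand out."""
    return Counter((seq, dn) for _ts, seq, dn in findings)


if __name__ == "__main__":
    for (seq, dn), count in summarize(find_unauthorized_sequences(SAMPLE_TRACE)).items():
        print(f"{count}x login sequence {seq} not authorized for {dn}")
```

To run it against a real trace, pass the contents of /var/opt/novell/eDirectory/log/ndstrace.log to find_unauthorized_sequences() instead of SAMPLE_TRACE.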