xadsd: [NETLOGON] Workstation failed to authenticate: 0xc0000022

  • 7014322
  • 18-Dec-2013
  • 22-Jul-2014

Environment

Novell Open Enterprise Server 11 SP1 (OES11SP1)
Domain Services for Windows
DSFW

Situation

Citrix member server is not able to retrieve a license from the Citrix License server. 

/var/log/messages shows:
xadsd: [NETLOGON] Workstation CITRIX-LICENSE-SERVER failed to authenticate: 0xc0000022
xadsd: [NETLOGON] CITRIX-LICENSE-SERVER opened secure channel
xadsd: [NETLOGON] NetrLogonGetDomainInfo: Insufficient access
The status 0xc0000022 is STATUS_ACCESS_DENIED: the secure channel is established, but the call the workstation makes over it is refused. Additionally, ndsd may become unresponsive or even crash when this error message is logged every few seconds.

Resolution

Take an LDAP/NMAS trace (ndstrace) to verify that the computer is authenticating to the domain. Use the ndstrace screen options +time +tags +auth +ldap +nmas +dbg +svty +recm.
See TID 7009602 for more information on LDAP/NMAS traces.

If the computer does not authenticate, re-join the computer to the domain or reset the computer's password.
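Before taking the trace it helps to know which workstations are affected and how often the failure recurs, since the TID notes that ndsd can become unresponsive when the error repeats every few seconds. The following Python triage script is an added example and not part of the TID: it parses the xadsd NETLOGON failure lines out of /var/log/messages, separates the 0xc0000022 (STATUS_ACCESS_DENIED) case this TID covers from other failure codes, and flags hosts whose access-denied errors arrive in bursts. The log lines embedded in it are constructed in the shape of the lines quoted above; the host names, timestamps and the second status code are assumptions made for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

STATUS_ACCESS_DENIED = "0xc0000022"  # NTSTATUS STATUS_ACCESS_DENIED, as logged by xadsd

# Matches the xadsd NETLOGON failure line as written to /var/log/messages
# (syslog timestamp, host, then the message quoted in the TID).
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+xadsd:\s+"
    r"\[NETLOGON\]\s+Workstation\s+(?P<host>\S+)\s+failed to authenticate:\s+"
    r"(?P<status>0x[0-9a-fA-F]{8})\s*$"
)

# Constructed sample of /var/log/messages (host names, times and the second
# status code are assumptions made for this example, not data from the TID).
SAMPLE_MESSAGES = """\
Dec 16 17:47:09 dc1 xadsd: [NETLOGON] Workstation CITRIX-LICENSE-SERVER failed to authenticate: 0xc0000022
Dec 16 17:47:09 dc1 xadsd: [NETLOGON] CITRIX-LICENSE-SERVER opened secure channel
Dec 16 17:47:09 dc1 xadsd: [NETLOGON] NetrLogonGetDomainInfo: Insufficient access
Dec 16 17:47:14 dc1 xadsd: [NETLOGON] Workstation CITRIX-LICENSE-SERVER failed to authenticate: 0xc0000022
Dec 16 17:47:19 dc1 xadsd: [NETLOGON] Workstation CITRIX-LICENSE-SERVER failed to authenticate: 0xc0000022
Dec 16 17:52:03 dc1 xadsd: [NETLOGON] Workstation WS-OLD-01 failed to authenticate: 0xc0000022
Dec 16 17:55:41 dc1 xadsd: [NETLOGON] Workstation WS-NEW-07 failed to authenticate: 0xc000006a
"""


def parse_failures(text, year=2013):
    """Return [(datetime, HOST, status)] for every NETLOGON authentication failure.
    Syslog lines carry no year, so the caller supplies it."""
    found = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            found.append((ts, m["host"].upper(), m["status"].lower()))
    return found


def triage(failures, window_s=60, min_hits=3):
    """Per workstation: status counts, whether ACCESS_DENIED repeats at least
    min_hits times within window_s seconds (the 'every few seconds' pattern that
    can exhaust ndsd), and which next step the TID prescribes."""
    by_host = defaultdict(list)
    for ts, host, status in failures:
        by_host[host].append((ts, status))

    report = {}
    for host, events in by_host.items():
        counts = Counter(status for _, status in events)
        denied = sorted(ts for ts, status in events if status == STATUS_ACCESS_DENIED)
        burst = any(
            (denied[i + min_hits - 1] - denied[i]).total_seconds() <= window_s
            for i in range(len(denied) - min_hits + 1)
        )
        if STATUS_ACCESS_DENIED in counts:
            # Access denied over an established secure channel: look in the
            # ndstrace for the DoModify on operatingSystem* failing with -672.
            next_step = "check ndstrace for DoModify -672; likely missing computer ACLs"
        else:
            # A different failure: confirm in the trace that the computer
            # authenticates at all; if not, rejoin it or reset its password.
            next_step = "verify authentication in ndstrace; rejoin or reset password"
        report[host] = {"counts": dict(counts), "burst": burst, "next_step": next_step}
    return report


if __name__ == "__main__":
    for host, info in sorted(triage(parse_failures(SAMPLE_MESSAGES)).items()):
        flag = "BURST " if info["burst"] else "      "
        print(f"{flag}{host:24} {info['counts']}  -> {info['next_step']}")
```

Run it against a real file with `parse_failures(open("/var/log/messages").read(), year=...)`; the burst flag is the hosts to deal with first, since each of their failed NetrLogonGetDomainInfo calls is another hit on ndsd.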

In this case the Citrix License server does authenticate to the domain, as seen in this NMAS trace:
2203100928 NMAS: [2013/12/16 17:47:09.327] INFO: 1835235: Found login sequence IPCExternal for proxy client
2203100928 NMAS: [2013/12/16 17:47:09.327] INFO: 1835235: NMAS Audit with Audit PA not installed
2203100928 NMAS: [2013/12/16 17:47:09.327] INFO: 1835235: NMAS Audit with XDAS not installed
2203100928 NMAS: [2013/12/16 17:47:09.327] INFO: 1835235: NMAS Client supplied user DN CN=CITRIX-LICENSE.CN=Computers.O=NOVELL
2203100928 NMAS: [2013/12/16 17:47:09.328] INFO: 1835235: Create thread request
2203100928 NMAS: [2013/12/16 17:47:09.328] INFO: 1835235: Using thread 0x4f96e70
2203100928 NMAS: [2013/12/16 17:47:09.328] INFO: 1835235: Server thread started
2203100928 NMAS: [2013/12/16 17:47:09.328] INFO: 1835235: Proxy client started local server session
2203100928 NMAS: [2013/12/16 17:47:09.328] INFO: 1835235: NMAS Audit with Audit PA not installed
2203100928 NMAS: [2013/12/16 17:47:09.328] INFO: 1835235: NMAS Audit with XDAS not installed
2189272832 NMAS: [2013/12/16 17:47:09.328] INFO: 1835235: Pool thread 0x4f96e70 awake with new work
2227463936 NMAS: [2013/12/16 17:47:09.329] INFO: 1835236: Client Session Destroy Request
2227463936 NMAS: [2013/12/16 17:47:09.329] INFO: 1835236: Local Session Cleared (Not Destroyed)
2227463936 LDAP: [2013/12/16 17:47:09.329] INFO: Connection 0x6d74910 closed
2189272832 NMAS: [2013/12/16 17:47:09.329] INFO: 1835235: NMAS Audit with Audit PA not installed
2189272832 NMAS: [2013/12/16 17:47:09.329] INFO: 1835235: NMAS Audit with XDAS not installed
2189272832 NMAS: [2013/12/16 17:47:09.329] INFO: 1835235: CanDo
2189272832 NMAS: [2013/12/16 17:47:09.329] INFO: 1835235: No client network address
2189272832 NMAS: [2013/12/16 17:47:09.329] INFO: 1835235: Selected requested login sequence == "IPCExternal"
2189272832 NMAS: [2013/12/16 17:47:09.330] INFO: 1835235: Login Method 0x000002B1
2189272832 NMAS: [2013/12/16 17:47:09.330] INFO: 1835235: Begin Server Module 0x000002B1
2189272832 NMAS: [2013/12/16 17:47:09.330] INFO: 1835235: Server Module 0x000002B1 Write 
2189272832 NMAS: [2013/12/16 17:47:09.330] INFO: 1835235: Server Module 0x000002B1 Read
2203100928 NMAS: [2013/12/16 17:47:09.330] INFO: 1835235: Client Module 0x000002B1 Get attribute AID: 7
2203100928 NMAS: [2013/12/16 17:47:09.330] INFO: 1835235: Client Module 0x000002B1 Get attribute AID: 6
2203100928 NMAS: [2013/12/16 17:47:09.330] INFO: 1835235: Begin Client Module 0x000002B1
2203100928 NMAS: [2013/12/16 17:47:09.330] INFO: 1835235: Client Module 0x000002B1 Read
2203100928 NMAS: [2013/12/16 17:47:09.331] INFO: 1835235: Client Module 0x000002B1 Write
2203100928 NMAS: [2013/12/16 17:47:09.331] INFO: 1835235: Client Module 0x000002B1 Write
2203100928 NMAS: [2013/12/16 17:47:09.331] INFO: 1835235: Client Module 0x000002B1 Read
2189272832 NMAS: [2013/12/16 17:47:09.331] INFO: 1835235: Server Module 0x000002B1 Read
2189272832 NMAS: [2013/12/16 17:47:09.331] INFO: 1835235: Server Module 0x000002B1 Write 
2189272832 NMAS: [2013/12/16 17:47:09.331] INFO: 1835235: Server Module 0x000002B1 Write 
2189272832 NMAS: [2013/12/16 17:47:09.331] INFO: 1835235: Server Module 0x000002B1 Successful
2189272832 NMAS: [2013/12/16 17:47:09.331] INFO: 1835235: NMAS Audit with Audit PA not installed
2189272832 NMAS: [2013/12/16 17:47:09.331] INFO: 1835235: NMAS Audit with XDAS not installed
2203100928 NMAS: [2013/12/16 17:47:09.331] INFO: 1835235: Client Module 0x000002B1 Read
2203100928 NMAS: [2013/12/16 17:47:09.331] INFO: 1835235: Client Module 0x000002B1 Finished
2203100928 NMAS: [2013/12/16 17:47:09.331] INFO: 1835235: NMAS Audit with Audit PA not installed
2203100928 NMAS: [2013/12/16 17:47:09.331] INFO: 1835235: NMAS Audit with XDAS not installed
2189272832 NMAS: [2013/12/16 17:47:09.331] INFO: 1835235: WhatNext
2189272832 NMAS: [2013/12/16 17:47:09.332] INFO: 1835235: sasUpdateLoginTimeInterval is not set (or) invalid. Setting to global value = 0 mins
2189272832 NMAS: [2013/12/16 17:47:09.332] INFO: 1835235: UpdateLoginTimeInterval for object = 0 mins
2189272832 NMAS: [2013/12/16 17:47:09.337] INFO: 1835235: Successful login
2203100928 NMAS: [2013/12/16 17:47:09.337] INFO: 1835235: NMAS Audit with Audit PA not installed
2203100928 NMAS: [2013/12/16 17:47:09.337] INFO: 1835235: NMAS Audit with XDAS not installed
2189272832 NMAS: [2013/12/16 17:47:09.337] INFO: 1835235: Acknowledge
2189272832 NMAS: [2013/12/16 17:47:09.337] INFO: 1835235: NMAS Audit with Audit PA not installed
2189272832 NMAS: [2013/12/16 17:47:09.337] INFO: 1835235: NMAS Audit with XDAS not installed
2189272832 NMAS: [2013/12/16 17:47:09.337] INFO: 1835235: Server thread exited
2189272832 NMAS: [2013/12/16 17:47:09.337] INFO: 1835235: Pool thread 0x4f96e70 work complete
2203100928 NMAS: [2013/12/16 17:47:09.338] INFO: 1835235: NMAS Audit with Audit PA not installed
2203100928 NMAS: [2013/12/16 17:47:09.338] INFO: 1835235: NMAS Audit with XDAS not installed
2203100928 NMAS: [2013/12/16 17:47:09.338] INFO: 1835235: SASL connection identity set successfully
2203100928 AUTH: [2013/12/16 17:47:09.340] DEBUG: 1 DSAFinishAuthentication.
2203100928 AUTH: [2013/12/16 17:47:09.340] DEBUG: 2 DSAFinishAuthentication.
2203100928 AUTH: [2013/12/16 17:47:09.340] DEBUG: 3 DSAFinishAuthentication.
2203100928 AUTH: [2013/12/16 17:47:09.340] DEBUG: [0000af3e] <.CITRIX-LICENSE.Computers.NOVELL.NOVELL_TREE.> Authenticated. Error success, conn: 21.
2203100928 AUTH: [2013/12/16 17:47:09.340] DEBUG: 4 DSAFinishAuthentication.

After the authentication, look for a DoModify on the same connection.
In this case the LDAP trace shows the CITRIX-LICENSE-SERVER attempting to modify three attributes on its own computer object and failing with error -672, no access (returned to the client as LDAP result 50, insufficientAccessRights):

2197837568 LDAP: [2013/12/16 17:47:09.411] INFO: (/var/opt/novell/xad/run/ldapi pid=18130 uid=0 gid=0)(0x0007:0x63) Sending operation result 0:"":"" to connection 0x5756cb0
2227463936 LDAP: [2013/12/16 17:47:09.411] DEBUG: (/var/opt/novell/xad/run/ldapi pid=18130 uid=0 gid=0)(0x0008:0x66) DoModify on connection 0x5756cb0
2227463936 LDAP: [2013/12/16 17:47:09.411] DEBUG: (/var/opt/novell/xad/run/ldapi pid=18130 uid=0 gid=0)(0x0008:0x66) modify: dn (cn=CITRIX-LICENSE-SERVER,cn=Computers,dc=dsfw,dc=lan)
2227463936 LDAP: [2013/12/16 17:47:09.412] DEBUG: (/var/opt/novell/xad/run/ldapi pid=18130 uid=0 gid=0)(0x0008:0x66) modifications:
2227463936 LDAP: [2013/12/16 17:47:09.412] DEBUG: (/var/opt/novell/xad/run/ldapi pid=18130 uid=0 gid=0)(0x0008:0x66) replace: operatingSystem
2227463936 LDAP: [2013/12/16 17:47:09.412] DEBUG: (/var/opt/novell/xad/run/ldapi pid=18130 uid=0 gid=0)(0x0008:0x66) replace: operatingSystemVersion
2227463936 LDAP: [2013/12/16 17:47:09.412] DEBUG: (/var/opt/novell/xad/run/ldapi pid=18130 uid=0 gid=0)(0x0008:0x66) replace: operatingSystemServicePack
2227463936 LDAP: [2013/12/16 17:47:09.413] INFO: (/var/opt/novell/xad/run/ldapi pid=18130 uid=0 gid=0)(0x0008:0x66) DDCModifyEntry failed, err = no access (-672)
2227463936 LDAP: [2013/12/16 17:47:09.413] INFO: (/var/opt/novell/xad/run/ldapi pid=18130 uid=0 gid=0)(0x0008:0x66) Sending operation result 50:"":"NDS error: no access (-672)" to connection 0x5756cb0
2196784896 LDAP: [2013/12/16 17:47:09.414] DEBUG: (/var/opt/novell/xad/run/ldapi pid=18130 uid=0 gid=0)(0x0009:0x42) DoUnbind on connection 0x5756cb0


This is a result of the November 2013 Maintenance Patch, which started populating the operatingSystem, operatingSystemVersion, and operatingSystemServicePack attributes on computer objects. The errors in the trace and in /var/log/messages are seen for computer objects created before the November 2013 Maintenance Patch was applied: this functionality did not exist before the patch, so those computer objects were never granted ACLs allowing them to modify these three attributes.

Newly created computer objects will receive the necessary rights to modify these attributes.

For computer objects created before the November 2013 Maintenance Patch was applied, these rights do not exist, and removing and rejoining the computer to the domain will not resolve the issue for those older computer objects. Either the computer objects must be granted rights to modify these attributes, or the computer must be removed from the domain, the computer object deleted, and the computer re-joined.
Warning: if the computer object is deleted, the new computer object receives a new objectSid, and user profiles on that computer will not function unless the objectSid is restored.
A script is available to grant all existing computer objects the rights to modify these attributes, so that computer objects do not need to be modified by hand or deleted.
See TID 7013205 for more information.
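Before running a bulk ACL change it is worth knowing which computer objects actually lack the rights, and the fix should be safe to run more than once. The following Python audit is an added example, not the TID's script: it reads an LDIF export of the computer objects' ACL attribute (for instance the TID's ldapsearch with ACL added to the requested attributes and written to a file), reports every object that lacks an entry-scoped Read+Write ACL on one of the three attributes, and emits an LDIF that adds only the values found missing. The export embedded in it is constructed, and the computer names in it are assumptions.

```python
import base64

TARGET_ATTRS = ("operatingSystem", "operatingSystemVersion", "operatingSystemServicePack")
READ_WRITE = 6  # eDirectory ACL privilege bits: Read (2) + Write (4)

# Constructed LDIF export (assumed names; not from a real tree), in the shape of
#   LDAPCONF=/etc/opt/novell/xad/openldap/ldap.conf ldapsearch -Q -Y EXTERNAL \
#       -LLL -o ldif-wrap=no -s sub -b <Domain NC> '<computer filter>' ACL
# One value is base64-encoded ("ACL::"), as ldapsearch writes non-safe strings.
_B64_ACL = base64.b64encode(
    b"6#entry#cn=WS-OLD-01,cn=Computers,dc=dsfw,dc=lan#operatingSystemVersion").decode()
SAMPLE_EXPORT = f"""\
dn: cn=WS-NEW-07,cn=Computers,dc=dsfw,dc=lan
ACL: 6#entry#cn=WS-NEW-07,cn=Computers,dc=dsfw,dc=lan#operatingSystem
ACL: 6#entry#cn=WS-NEW-07,cn=Computers,dc=dsfw,dc=lan#operatingSystemVersion
ACL: 6#entry#cn=WS-NEW-07,cn=Computers,dc=dsfw,dc=lan#operatingSystemServicePack

dn: cn=CITRIX-LICENSE-SERVER,cn=Computers,dc=dsfw,dc=lan

dn: cn=WS-OLD-01,cn=Computers,dc=dsfw,dc=lan
ACL: 6#entry#CN=WS-OLD-01,CN=Computers,DC=dsfw,DC=lan#OPERATINGSYSTEM
ACL:: {_B64_ACL}

dn: cn=DC1,ou=Domain Controllers,dc=dsfw,dc=lan
"""


def parse_ldif(text):
    """Minimal LDIF reader: [(dn, {attr_lower: [values]})]. Unfolds continuation
    lines and decodes base64 ('attr::') values; enough for an ldapsearch export."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded line continues the previous one
        else:
            lines.append(raw)

    entries, current = [], None
    for line in lines + [""]:             # sentinel blank line flushes the last entry
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            current = (value, {})
        elif current is not None:
            current[1].setdefault(name.lower(), []).append(value)
    return entries


def grants_read_write(entry_dn, acl_values, attr):
    """True if an ACL on the object itself gives the object (as trustee) Read+Write
    on attr. Rights inherited from container ACLs are not visible in the export
    and are not considered, which errs on the side of reporting the object."""
    want = (entry_dn.lower(), attr.lower())
    for value in acl_values:
        parts = value.split("#", 3)        # privileges#scope#trustee#protectedAttr
        if len(parts) != 4 or not parts[0].isdigit():
            continue
        priv, scope, trustee, protected = parts
        if (scope.lower() == "entry" and (trustee.lower(), protected.lower()) == want
                and (int(priv) & READ_WRITE) == READ_WRITE):
            return True
    return False


def audit(entries):
    """dn -> attributes the computer object cannot yet write. Domain controllers
    are skipped, as in the TID's script."""
    missing = {}
    for dn, attrs in entries:
        if "ou=domain controllers," in dn.lower():
            continue
        lacking = [a for a in TARGET_ATTRS
                   if not grants_read_write(dn, attrs.get("acl", []), a)]
        if lacking:
            missing[dn] = lacking
    return missing


def build_ldif(missing):
    """LDIF for ldapmodify that adds only the ACL values found missing."""
    out = []
    for dn, attrs in missing.items():
        out.append(f"dn: {dn}")
        out.append("changetype: modify")
        out.append("add: ACL")
        out.extend(f"ACL: {READ_WRITE}#entry#{dn}#{a}" for a in attrs)
        out.append("-")                    # closes the mod-spec
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    report = audit(parse_ldif(SAMPLE_EXPORT))
    for dn, attrs in report.items():
        print(f"{dn}: missing {', '.join(attrs)}")
    print(build_ldif(report))
```

Because only missing values are written, the resulting LDIF can be applied with ldapmodify without relying on -c to skip "attribute or value exists" errors, and running the audit again after the change should report nothing. An existing ACL value with weaker privilege bits (for example read-only) is reported as missing; the generated LDIF adds the Read+Write value but does not remove the weaker one.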

Additional Information

Download the update_computer_acls script from dsfwdude.com, or create the script below to update the ACLs on existing workstation objects.
Script Name: update_computer_acls.pl
Copy the contents below into a file named update_computer_acls.pl, make the script executable (chmod +x update_computer_acls.pl), and run it on a DSfW domain controller. The script binds over the local LDAPI socket with SASL EXTERNAL, so it must be run as root.

#!/usr/bin/perl
#
# update_computer_acls.pl
# Grants every existing computer object (except domain controllers) Read+Write
# rights to its own operatingSystem, operatingSystemVersion and
# operatingSystemServicePack attributes, by building an LDIF and applying it
# over the local LDAPI socket with SASL EXTERNAL.

use warnings;
use strict;

my $debug = 0;

# Domain naming context (e.g. dc=dsfw,dc=lan) from the DSfW configuration.
my $domain_nc = `/opt/novell/xad/share/dcinit/printConfigKey.pl 'Domain NC'`;
chomp($domain_nc);

# DNs of all computer objects under the domain NC.
my @ldap_output = `LDAPCONF=/etc/opt/novell/xad/openldap/ldap.conf ldapsearch -Q -Y EXTERNAL -s sub -b $domain_nc 'objectclass=msds:computer' dn -LLL -o ldif-wrap=no`;

if ($? != 0) {
    my $err = $? >> 8;
    chomp(@ldap_output);
    print "Failed to search the computer objects : $err : [@ldap_output]\n";
    exit -1;
}

chomp(@ldap_output);

# Keep only the "dn:" lines and skip domain controllers.
my @all_computers = grep (!/ou=domain controllers,/i, @ldap_output);
@all_computers = grep (/^dn:/i, @all_computers);

my $ldif_file = "/var/opt/novell/xad/ds/domain/update_computer_acls.ldif";
open LDIFFILE, ">$ldif_file"
    or die("Could not open the ldif file $ldif_file: $!\n");

foreach my $computer (@all_computers) {
    print "Updating acls on computer [$computer]\n" if ($debug);

    my $computer_cn = $computer;
    $computer_cn =~ s/^dn: //i;

    # eDirectory ACL syntax: privileges#scope#trustee#protectedAttribute
    # 6 = Read (2) + Write (4); the trustee is the computer object itself.
    print LDIFFILE "$computer\n";
    print LDIFFILE "changeType: modify\n";
    print LDIFFILE "add: ACL\n";
    print LDIFFILE "ACL: 6#entry#$computer_cn#operatingSystem\n";
    print LDIFFILE "ACL: 6#entry#$computer_cn#operatingSystemVersion\n";
    print LDIFFILE "ACL: 6#entry#$computer_cn#operatingSystemServicePack\n\n";
}
close LDIFFILE;

print "Updating the ACLs on the computer objects \n" if ($debug);

# -c continues past per-entry errors; exit code 20 (attributeOrValueExists)
# only means an object already had the ACL, so it is not treated as a failure.
my @output = `LDAPCONF=/etc/opt/novell/xad/openldap/ldap.conf ldapmodify -Q -c -Y EXTERNAL -f $ldif_file 2>&1`;
my $err = $? >> 8;
if ($? != 0 and $err != 20) {
    chomp(@output);
    print "Failed to update ACLs on computer object : $err: [@output]\n";
    exit -1;
}
else {
    print "Successfully updated the ACLs on the computer objects \n";
}