DSfW: Trust breaks between AD domain and DSfW domain every 30 days.

  • 7015252
  • 20-Jun-2014
  • 20-Jun-2014

Environment

Novell Open Enterprise Server 11 SP2 (OES11SP2)
Novell Open Enterprise Server 11 SP1 (OES11SP1)
Novell Open Enterprise Server 2 SP3 (OES2SP3)
Domain Services for Windows
DSfW

Situation

Every 30 days, the trust between the AD domain and the DSfW domain breaks because the password of the AD domain DC expires.

The trust must be re-created or the password reset every time the trust breaks.

Cause

Setting a password normally requires the requester to have supervisor rights, but the password of a trusted account or machine account should be settable without supervisor rights. The problem is that the password requester is being checked for supervisor rights.


Apr 22 08:32:41 dsfwserver1 xadsd: [NETLOGON] Setting account password for object <cn=AD$,cn=Users,dc=novell,dc=com>
Apr 22 08:32:41 dsfwserver1 xadsd: [NETLOGON] Setting account password failed: Access Denied
Apr 22 08:32:41 dsfwserver1 xadsd: [NETLOGON] Domain controller DSfWSERVER1 failed to authenticate: 0xc0000022
Apr 22 08:32:41 dsfwserver1 xadsd: [NETLOGON] Domain controller DSfWSERVER1 failed to authenticate: 0xc0000022
Apr 22 08:32:42 dsfwserver1 xadsd: [NETLOGON] ressourceniu.debeka.de. opened secure channel
Apr 22 08:32:42 dsfwserver1 xadsd: [SECURITY] Impersonated user DSfWSERVER1$@NOVELL
Apr 22 08:32:43 dsfwserver1 xadsd: [NETLOGON] Setting account password for object <cn=AD$,cn=Users,dc=novell,dc=com>
Apr 22 08:32:43 dsfwserver1 xadsd: [NETLOGON] Setting account password failed: Access Denied
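
A detection check for the failure signature in the log above, added here as an example and not part of the original article or the product: it rejoins wrapped syslog lines, pairs each password-set attempt with its failure, and collects the 0xc0000022 authentication failures. The function names and the embedded sample lines are constructed for illustration.

```python
import re
# Constructed sample in the xadsd syslog format shown above, wrapped as on the page.
SAMPLE = """\
Apr 22 08:32:41 dsfwserver1 xadsd: [NETLOGON] Setting account password for object
<cn=AD$,cn=Users,dc=novell,dc=com>
Apr 22 08:32:41 dsfwserver1 xadsd: [NETLOGON] Setting account password failed:
Access Denied
Apr 22 08:32:41 dsfwserver1 xadsd: [NETLOGON] Domain controller DSfWSERVER1 failed
to authenticate: 0xc0000022
Apr 22 08:32:42 dsfwserver1 xadsd: [SECURITY] Impersonated user DSfWSERVER1$@NOVELL
Apr 22 08:32:43 dsfwserver1 xadsd: [NETLOGON] Setting account password for object
<cn=AD$,cn=Users,dc=novell,dc=com>
Apr 22 08:32:43 dsfwserver1 xadsd: [NETLOGON] Setting account password failed:
Access Denied
"""

ENTRY = re.compile(r"^(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) xadsd: \[(\w+)\] (.*)$")
SET_PW = re.compile(r"Setting account password for object\s*<([^>]+)>")
PW_FAIL = re.compile(r"Setting account password failed:\s*(.+)")
AUTH_FAIL = re.compile(r"Domain controller (\S+) failed to authenticate: (0x[0-9a-fA-F]+)")

def unwrap(text):
    """Join continuation lines (no syslog timestamp) onto the previous entry."""
    entries = []
    for line in text.splitlines():
        if ENTRY.match(line):
            entries.append(line.rstrip())
        elif line.strip() and entries:
            entries[-1] += " " + line.strip()
    return entries

def find_failures(text):
    """Return (password_failures, auth_failures) from xadsd NETLOGON entries."""
    pw_failures, auth_failures, pending = [], [], None
    for entry in unwrap(text):
        ts, host, facility, msg = ENTRY.match(entry).groups()
        if facility != "NETLOGON":
            continue
        if m := SET_PW.search(msg):
            pending = m.group(1)  # DN of the account whose password is being set
        elif (m := PW_FAIL.search(msg)) and pending:
            pw_failures.append((ts, host, pending, m.group(1)))
            pending = None
        elif m := AUTH_FAIL.search(msg):
            auth_failures.append((ts, m.group(1), m.group(2)))
    return pw_failures, auth_failures

if __name__ == "__main__":
    print(find_failures(SAMPLE))
```

A failure reported for a trust account object (a DN whose cn ends in `$`, as in the log above) is the condition that precedes the broken trust, so it is the entry worth alerting on.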


Status

Reported to Engineering