DSfW: Unable to map drive to Member server Error -1311

  • 7015630
  • 05-Sep-2014
  • 05-Sep-2014

Environment

Novell Open Enterprise Server 11 Support Pack 2 (OES11SP2)
Novell Open Enterprise Server 11 Support Pack 1 (OES11SP1)
Domain Services for Windows
DSfW

Situation

Unable to map drive to Member server
Users can not access Windows Member server
Login script fails to map drive Error: 1311

Resolution

1) Verify that the user is authenticating by tailing or searching the /var/opt/novell/xad/log/kdc.log and looking for the user in question.  A simple command to search the log is:
grep -i username /var/opt/novell/xad/log/kdc.log
If the user successfully authenticates you should see something like this:
Sep 04 16:14:36 dsfw1 krb5kdc[30813](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 151.155.212.75: ISSUE: authtime 1409868876, etypes {rep=23 tkt=23 ses=23}, administrator@DSFW.LAN for krbtgt/DSFW.LAN@DSFW.LAN

The ISSUE: authtime means the user in question successfully authenticated to the domain.  If there are multiple DSfW servers, check each server.  The authentication could be to any one of the DSfW servers.
If the user fails to log in, the kdc.log will report something like this:
Sep 05 11:35:42 dsfw1 krb5kdc[30813](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Sep 05 11:35:45 dsfw1 krb5kdc[30813](info): AS_REQ (1 etypes {23}) 151.155.212.75: PREAUTH_FAILED: administrator@DSFW.LAN for krbtgt/DSFW.LAN@DSFW.LAN, Preauthentication failed

If the user fails to authenticate, follow TID 7010842.  In this example the Decrypt integrity check failed error means a bad password was entered.
There are three failed login conditions to check for:
  1. Decrypt integrity check - bad password
  2. locked out - account locked
  3. client not found - account is not found in the domain
Here are commands to neatly sort and report the number of errors for each account for each condition:
  1.  Decrypt integrity check:
    grep -A1 -i 'Decrypt integrity check failed' /var/opt/novell/xad/log/kdc.log |grep -v 'Decrypt integrity check failed' |awk -F ')' '{print $3}' |grep -v '^$' |awk -F 'for' '{print $1}' |sort -n | uniq -c | sort -n | sed -e s/PREAUTH_FAILED:/BAD_PASSWORD:/g
  2. Locked out:
    grep -i 'locked out' /var/opt/novell/xad/log/kdc.log |cut -d ')' -f3 |awk -F 'for' '{print $1}' |sort -n | uniq -c |sort -n
  3. Client not found:
    grep -i 'client not found' /var/opt/novell/xad/log/kdc.log |cut -d ')' -f3 |awk -F 'for' '{print $1}' |sort -n | uniq -c |sort -n
2) Verify the workstation is authenticating to the domain.
This will be similar to the user except searching for the workstation name.  In the kdc.log a workstation will always have a $ after the name and before the domain name.
Run the command to check for each condition.  Usually the workstation's password is incorrect and then it is locked out.

Example of running the Decrypt integrity check search:
5  151.155.212.75: BAD_PASSWORD: workstation1$@DSFW.LAN

To resolve this rejoin the workstation to the domain.
If the workstation is not located in the cn=computers container be sure to assign the cn=Default Domain,cn=Password Policies,cn=System,<yourdomain or container> to the container where the workstation's object is located.  See TID 7005568 for more information.

3) Verify the member server is authenticating to the domain
This will be similar to the user and workstation except searching for the member server's name.  In the kdc.log a member server will always have a $ after the name just like the workstation.
Run the command to check for each condition.  Usually the member server's password is incorrect and then it is locked out.

Example of running the Decrypt integrity check search:
3  151.155.212.74: BAD_PASSWORD: memberserver1$@DSFW.LAN

To resolve this rejoin the member server to the domain.
If the member server is not located in the cn=computers container be sure to assign the cn=Default Domain,cn=Password Policies,cn=System,<yourdomain or container> to the container where the member server's object is located.  See TID 7005568 for more information.

If the "client not found" search returns the workstation's or member server's account, rejoining will re-create the account.
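The three grep pipelines above, folded into one parser that walks a kdc.log excerpt and counts hits per principal and source IP for each condition, flagging machine accounts by their trailing $. This is an added example, not part of the TID; the log excerpt is constructed in the layout the TID shows, and the "locked out" and "client not found" lines are assumed forms (the TID only shows the bad-password case), written so the TID's own grep strings match them.

```python
import re
from collections import Counter

# Constructed kdc.log excerpt in the layout this TID shows. The LOCKED OUT and
# CLIENT_NOT_FOUND lines are assumed forms, chosen so the TID's grep strings match.
SAMPLE_LOG = """\
Sep 05 11:35:42 dsfw1 krb5kdc[30813](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Sep 05 11:35:45 dsfw1 krb5kdc[30813](info): AS_REQ (1 etypes {23}) 151.155.212.75: PREAUTH_FAILED: administrator@DSFW.LAN for krbtgt/DSFW.LAN@DSFW.LAN, Preauthentication failed
Sep 05 11:36:01 dsfw1 krb5kdc[30813](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Sep 05 11:36:01 dsfw1 krb5kdc[30813](info): AS_REQ (1 etypes {23}) 151.155.212.75: PREAUTH_FAILED: workstation1$@DSFW.LAN for krbtgt/DSFW.LAN@DSFW.LAN, Preauthentication failed
Sep 05 11:36:02 dsfw1 krb5kdc[30813](info): AS_REQ (1 etypes {23}) 151.155.212.75: LOCKED OUT: workstation1$@DSFW.LAN for krbtgt/DSFW.LAN@DSFW.LAN, Clients credentials have been revoked
Sep 05 11:40:10 dsfw1 krb5kdc[30813](info): AS_REQ (1 etypes {23}) 151.155.212.74: CLIENT_NOT_FOUND: memberserver1$@DSFW.LAN for krbtgt/DSFW.LAN@DSFW.LAN, Client not found in Kerberos database
Sep 04 16:14:36 dsfw1 krb5kdc[30813](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 151.155.212.75: ISSUE: authtime 1409868876, etypes {rep=23 tkt=23 ses=23}, administrator@DSFW.LAN for krbtgt/DSFW.LAN@DSFW.LAN
"""

# Client IP, KDC status word and requesting principal of one AS_REQ line.
AS_REQ_RE = re.compile(
    r"AS_REQ \(.*?\) (?P<ip>[\d.]+): (?P<status>[A-Z_ ]+?):.*?"
    r"(?P<principal>\S+@[A-Z0-9.-]+) for krbtgt/"
)

def classify(line, prev_line):
    """Map an AS_REQ line to the TID's three failure conditions, or ISSUE."""
    low = line.lower()
    if "locked out" in low:
        return "LOCKED_OUT"
    if "client not found" in low:
        return "CLIENT_NOT_FOUND"
    # Like the TID's grep -A1, pair PREAUTH_FAILED with the preceding decrypt failure.
    if "PREAUTH_FAILED" in line and "decrypt integrity check failed" in prev_line.lower():
        return "BAD_PASSWORD"
    if "ISSUE:" in line:
        return "ISSUE"
    return None

def summarize(log_text):
    """Return {condition: Counter({(principal, ip): hits})} for the whole log."""
    report, prev = {}, ""
    for line in log_text.splitlines():
        m = AS_REQ_RE.search(line)
        cond = classify(line, prev) if m else None
        if cond:
            report.setdefault(cond, Counter())[(m["principal"], m["ip"])] += 1
        prev = line
    return report

def is_machine_account(principal):
    """Workstations and member servers carry a '$' before the realm."""
    return "$@" in principal

if __name__ == "__main__":
    for cond, hits in summarize(SAMPLE_LOG).items():
        for (principal, ip), n in hits.most_common():
            kind = "machine" if is_machine_account(principal) else "user"
            print(f"{n:3d}  {ip}: {cond}: {principal} ({kind})")
```

Machine accounts that show up under BAD_PASSWORD, LOCKED_OUT or CLIENT_NOT_FOUND are the ones steps 2 and 3 say to rejoin to the domain.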

Cause

Either the user's account, the user's workstation, or the member server is unable to log in.

The user's account, the user's workstation, or the member server has a bad password, a locked account, or the account does not exist because the object was deleted.