OES NSS AD Support configuration

  • 7017259
  • 16-Feb-2016
  • 10-Dec-2018

Environment

Novell Open Enterprise Server 2015
Novell Open Enterprise Server 2018

Situation

NSS AD configuration is unable to join the AD domain.
AD users are unable to authenticate to CIFS shares on the OES server.
Error: "kinit has failed. Retry with the correct AD configuration details."
Error: "Preauthentication failed while getting initial credentials"
Error: "The reverse zone entry verification failed for the domain controller. Ensure that the reverse zone entry exists in the DNS."

Resolution

Documentation Reference:

Verify the following:

  • Time synchronization: the Windows server and the OES server MUST have the same time.
  • Using the ping command on the OES server, ping the IP addresses of the AD domain controllers.
  • Using the ping command on the AD domain controllers, ping the IP address of the OES server.
  • DNS configuration:
    • The OES server needs /etc/resolv.conf configured so that it can perform lookups against the DNS server that holds the AD records.
    • The OES server needs to resolve the SRV record for the AD domain controllers (nslookup -type=srv _ldap._tcp.dc._msdcs.yourADdomain.com)
    • For each server returned from _ldap._tcp.dc._msdcs.yourADdomain.com, the OES server needs to resolve the DNS name. Each IP address that is returned should resolve back (reverse lookup) to the correct server name.
    • The OES server needs to resolve the AD domain name (nslookup yourADdomain.com)
    • The OES server needs to resolve its own name in the AD domain (nslookup oesserver.yourADdomain.com)
  • If using a .local domain make the following change to /etc/nsswitch.conf
    • Change the line
         "hosts:          files mdns4_minimal [NOTFOUND=return] dns"
       to
         "hosts:          files dns mdns4_minimal [NOTFOUND=return]"
  • The CIFS name should match the OES server name. View the CIFS name with "novcifs -o". The name can be changed in iManager -> File Protocols -> CIFS. If this is changed after joining the domain, it is necessary to leave the domain and rejoin.
  • The NSS AD configuration needs an AD admin account with the following privileges. When in doubt, try the AD Administrator account.
    • Read user objects
    • Reset Password
    • Create computer objects
    • Delete computer objects
    • Read and write the msDs-supportedEncryptionTypes attribute.
  • AD users must have access rights to the NSS volume in order to access the data.
  • Access from a workstation must be done using the AD Domain DNS name of the OES server (oesserver.yourADdomain.com)
  • If the following has been implemented, the configuration will need to be reversed:
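The DNS checks from the list above (SRV record, forward and reverse lookup of each domain controller, the AD domain name, and the OES server's own AD name), as an added example script that is not part of the TID or of OES: it assumes dig from bind-utils is installed on the OES server, and the domain and OES names in the main block are placeholders to be replaced. The lookup functions are passed in as parameters so the check logic can be exercised against constructed answers without a live domain.

```python
import socket
import subprocess

def srv_lookup(name):
    """Domain controller hostnames from an SRV record, via `dig +short` (bind-utils)."""
    out = subprocess.run(["dig", "+short", "SRV", name], capture_output=True, text=True, check=True).stdout
    # dig +short prints "<priority> <weight> <port> <target>." per record
    return [line.split()[3].rstrip(".") for line in out.splitlines() if line.strip()]

def forward_lookup(name):
    """IPv4 addresses for a name; raises OSError (socket.gaierror) if unresolvable."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})

def reverse_lookup(ip):
    """PTR name for an address; raises OSError (socket.herror) if no reverse entry exists."""
    return socket.gethostbyaddr(ip)[0]

def audit_ad_dns(ad_domain, oes_fqdn, srv=srv_lookup, fwd=forward_lookup, rev=reverse_lookup):
    """Run the DNS checks from the TID; returns a list of problems (empty = all passed)."""
    problems = []
    srv_name = f"_ldap._tcp.dc._msdcs.{ad_domain}"
    try:
        dcs = srv(srv_name)
    except (OSError, subprocess.SubprocessError) as exc:
        return [f"SRV lookup for {srv_name} failed: {exc}"]
    if not dcs:
        problems.append(f"no domain controllers returned for {srv_name}")
    for dc in dcs:  # each DC must resolve forward, and each IP must resolve back to it
        try:
            ips = fwd(dc)
        except OSError:
            problems.append(f"forward lookup failed for domain controller {dc}")
            continue
        for ip in ips:
            try:
                ptr = rev(ip)
            except OSError:
                problems.append(f"reverse zone entry missing for {ip} ({dc})")
                continue
            if ptr.lower().rstrip(".") != dc.lower():
                problems.append(f"reverse entry for {ip} is {ptr}, expected {dc}")
    for name in (ad_domain, oes_fqdn):  # the domain name and the OES server's own AD name
        try:
            fwd(name)
        except OSError:
            problems.append(f"cannot resolve {name}")
    return problems

if __name__ == "__main__":  # placeholders: substitute the real AD domain and OES FQDN
    print("\n".join(audit_ad_dns("yourADdomain.com", "oesserver.yourADdomain.com") or ["all DNS checks passed"]))
```

A reported "reverse entry ... expected ..." line corresponds to the "reverse zone entry verification failed" error in the Situation section.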

Cause

  • Time is out of sync.
  • OES server and AD domain controller are not in the same DNS domain (for example, example.com vs. example.info).
  • OES server is not properly configured in DNS server settings
    • Reverse lookup
    • Forward lookup
  • Not using a Domain Admin account for NSS AD configuration

Additional Information

Once the NSS AD authentication completes and the OES server joins the domain, the OES server name is displayed in AD in the selected container. On the OES server, run "klist -l" to display the cached Kerberos tickets.

Note: Computers is the default container in which the server object is saved.