Kerberos authentication fails against SLED 11.4 or 11.3 satellite

  • Document ID:7018808
  • Creation Date:17-Apr-2017
  • Modified Date:17-Mar-2020
    • Micro Focus Products:
      ZENworks Configuration Management

Environment

Novell ZENworks Configuration Management 2017

Situation

With Kerberos authentication, SLED satellite fails to authenticate users.

ERROR (from ats.log):

[WARN] [04/14/2017 14:48:49.511] [4842] [ATS] [143] [root] [CASAServer] [] [(ClientAddr=192.168.0.8)Krb5Token Constructor()- GSS Exception caught: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)] [authtoksvc.Krb5Authenticate$Krb5Token] [] [] [CASA]
[WARN] [04/14/2017 14:48:49.512] [4842] [ATS] [143] [root] [CASAServer] [] [(ClientAddr=192.168.0.8)invoke()- Exception: java.lang.Exception: Authentication Failure] [authtoksvc.Krb5Authenticate] [] [] [CASA]



Resolution

This is fixed in ZENworks 2017 Update 1 and later.

Workaround for prior versions:

  1. On the authentication satellite make a backup of this file:
    /etc/CASA/authtoken/svc/casa-jaas.conf 
  2. Edit the above file manually replace this:
    keyTab="KEYTAB_FILE"
    with this
    keyTab="/etc/CASA/authtoken/svc/kerberos.keytab"   
  3. Restart the ZENworks Agent Service on the satellite:
    /etc/init.d/novell-zenworks-xplatzmd restart

Status

Reported to Engineering