After a DSfW domain upgrade to AD 2012, domain join and gpupdate might fail.

  • 7022402
  • 30-Nov-2017
  • 17-May-2018

Environment

Open Enterprise Server 2015 (OES 2015) Linux Support Pack 1
Domain Services for Windows
DSfW

Situation

OES servers have been updated with the May 2017 OES 2015 SP1 Hot Patch for DSfW 11148.
The Domain Services for Windows servers have been upgraded to support the AD 2012 level for both domain and forest using the domainUpgrade.pl script.
The domain and forest upgrades completed successfully, without any errors in /var/opt/novell/xad/log/domainupgrade.log.
After the upgrade, the following issues are seen:
1) Desktops cannot be joined to the domain.
2) User login fails.
3) GPOs are not applied to the computers and the users.
4) gpupdate also fails.

Resolution

1) Check whether the supplementalcredentials attribute value has been updated with the new AES encryption method by running the following commands. The ldapsearch command should return output equal to or more than 28 lines:
#export LDAPCONF=/etc/opt/novell/xad/openldap/ldap.conf
#ldapsearch -Y EXTERNAL -LLL -Q -b cn=krbtgt,cn=users,dc=rdm,dc=novell,dc=com  -s base supplementalcredentials
If the value is less than 20 lines, continue with the next step.
2) Check the password restrictions configured in the password policies assigned to the krbtgt user and the DSfW Domain Controller user accounts. The krbtgt user exists by default in the cn=users container, and the Domain Controller user accounts are created in the ou=Domain Controllers container.
(As the output for the supplementalcredentials attribute shows, its value is more than 100 characters long, so any restriction on the number of characters will make the setpassword command fail for the krbtgt and DC user accounts.)
If there are restrictions on either the length or the number of characters for the password, please disable them until the password is set for krbtgt.
3) Run the following command to set the password for krbtgt and see whether it succeeds:
#/opt/novell/xad/sbin/setpassword -NDOS -r -u krbtgt
4) If step 3) succeeds, run the commands from step 1) again and confirm that the value of the supplementalcredentials attribute is equal to or more than 28 lines.

If the above steps do not help, take a backup of the file /etc/opt/novell/xad/krb5.conf, then edit it and remove the entries
aes128-cts and aes128-cts-hmac-sha1-96 from the following lines:
permitted_enctypes = aes128-cts arcfour-hmac-md5 des-cbc-md5 des-cbc-crc aes128-cts-hmac-sha1-96
default_tkt_enctypes = aes128-cts arcfour-hmac-md5
default_tgs_enctypes = aes128-cts arcfour-hmac-md5
The above 3 lines should look like the following after editing:
permitted_enctypes = arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
default_tkt_enctypes = arcfour-hmac-md5
default_tgs_enctypes = arcfour-hmac-md5
After saving the above changes, restart the DSfW services (#xadcntrl reload).
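
The krb5.conf edit described above, written as a script. This is an added example, not part of the original article: it drops only the two named entries and keeps a .bak copy of the file. The function names, the [libdefaults] section and the EXAMPLE.COM realm in the sample file are assumptions.

```shell
#!/bin/sh
# Added example. Filter: print krb5.conf from stdin with aes128-cts and
# aes128-cts-hmac-sha1-96 dropped from the three enctype settings.
# Entries are compared as whole tokens, so removing "aes128-cts"
# cannot leave a stray "-hmac-sha1-96" behind.
strip_aes128() {
  awk '
    /^[ \t]*(permitted_enctypes|default_tkt_enctypes|default_tgs_enctypes)[ \t]*=/ {
      eq = index($0, "=")
      key = substr($0, 1, eq - 1)
      sub(/[ \t]+$/, "", key)          # keep indentation, trim before "="
      n = split(substr($0, eq + 1), tok, /[ \t]+/)
      out = key " ="
      for (i = 1; i <= n; i++)
        if (tok[i] != "" && tok[i] != "aes128-cts" &&
            tok[i] != "aes128-cts-hmac-sha1-96")
          out = out " " tok[i]
      print out
      next
    }
    { print }
  '
}

# Back up $1 to $1.bak, then rewrite $1 in place (mode and owner are kept).
edit_krb5_conf() {
  cp -p "$1" "$1.bak" || return 1
  strip_aes128 < "$1.bak" > "$1"
}

# Constructed sample: the three lines quoted in the article, placed in an
# assumed [libdefaults] section with an assumed realm.
make_sample() {
  cat > "$1" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
    permitted_enctypes = aes128-cts arcfour-hmac-md5 des-cbc-md5 des-cbc-crc aes128-cts-hmac-sha1-96
    default_tkt_enctypes = aes128-cts arcfour-hmac-md5
    default_tgs_enctypes = aes128-cts arcfour-hmac-md5
EOF
}

# Demo on a temporary copy; nothing under /etc is touched.
tmp=$(mktemp -d)
make_sample "$tmp/krb5.conf"
edit_krb5_conf "$tmp/krb5.conf"
grep enctypes "$tmp/krb5.conf"
rm -rf "$tmp"
```

On the server, the call would be edit_krb5_conf /etc/opt/novell/xad/krb5.conf as root, followed by the xadcntrl reload from the article.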

Cause

During the domain upgrade of the server using the script /opt/novell/xad/sbin/domainUpgrade.pl, the following command may fail to update the passwords of all the DC user accounts or krbtgt accounts with the new encryption method aes128-cts.
The command could be:
#/opt/novell/xad/sbin/setpassword -NDOS -r -u krbtgt
or
#/opt/novell/xad/sbin/setpassword -NDOS -r -u $server_name\$ -k /var/opt/novell/xad/ds/krb5kdc/krb5.keytab
Here, $server_name is the name of the DC user object found in the ou=Domain Controllers container.

Additional Information

Sometimes the issue might be fixed by running the /opt/novell/xad/sbin/domainUpgrade.pl script again.