AES 256 bit tree key is automatically generated after the addition of the first eDirectory 9.x server to the tree.

  • 7024151
  • 01-Oct-2019
  • 15-Jul-2020

Environment

Open Enterprise Server 11 (OES 11) Linux
Open Enterprise Server 11 (OES 11) Linux Support Pack 1
Open Enterprise Server 11 (OES 11) Linux Support Pack 2
Open Enterprise Server 2015 (OES 2015) Linux
Open Enterprise Server 2015 (OES 2015) Linux Support Pack 1
Open Enterprise Server 2018 (OES 2018) Linux
Open Enterprise Server 2018 (OES 2018) Linux Support Pack 1


Situation

After the first server running eDirectory 9.x that holds a replica of the root or security partition is added to the tree:
CIFS/AFP authentication fails if the CIFS/AFP services are hosted on servers not running eDirectory 9.x, such as Open Enterprise Server 2015 (OES 2015).
The Domain Services for Windows krb5kdc process fails to start on Open Enterprise Server 2018 (OES 2018) Linux (SP1) servers.

Resolution

To prevent the issue, rename the cn=w0.cn=kap.cn=Security object to cn=W0.cn=kap.cn=Security before the first eDirectory 9.x server holding a replica of the root or security partition is added to the tree.
Renaming the object after such a server has been added to the tree does not resolve the issue.
In that case, contact Micro Focus Technical Support for further guidance.

CIFS/AFP related authentication issues can be resolved by removing the replicas that contain the affected user objects from the servers running eDirectory 8.8.x.

Furthermore, a remastered OES 2018 SP1 ISO with a fix for the NICI casing issue has been released.
The OES 2018 SP1 Update 3 patch also contains the fix for the NICI casing issue.
Support for AES 256-bit SDI tree keys has been added to OES 2018 SP2.
Make sure all servers in the tree are running OES 2018 SP2 before creating an AES 256-bit key.


Cause

The W0 object, which resides in the Security container, is named in lower case (w0) instead of upper case (W0); this causes an AES 256-bit tree key to be generated automatically.

Additional Information

The /var/opt/novell/xad/logs/kdc.log file contains the following when Domain Services for Windows is affected by the issue:
krb5kdc: Invalid credentials - while initializing database for realm NNMFRDFCS18SP1.COM
krb5kdc: Invalid credentials - while initializing database for realm NNMFRDFCS18SP1.COM


ndstrace +NMAS +LDAP shows:

999823104 NMAS: [2018/09/07 12:48:51.713] 262399: Selected requested login sequence == "IPCExternal"
999823104 NMAS: [2018/09/07 12:48:51.713] 262399: Login Method 0x000002B1
999823104 NMAS: [2018/09/07 12:48:51.713] 262399: Begin Server Module 0x000002B1
999823104 NMAS: [2018/09/07 12:48:51.713] 262399: Server Module 0x000002B1 Write
999823104 NMAS: [2018/09/07 12:48:51.713] 262399: ERROR: -1634 Server Module 0x000002B1 End
999823104 NMAS: [2018/09/07 12:48:51.713] 262399: NMAS Audit with Audit PA not installed
1015793408 NMAS: [2018/09/07 12:48:51.714] 262399: Client Module 0x000002B1 Get attribute AID: 7
1015793408 NMAS: [2018/09/07 12:48:51.714] 262399: Client Module 0x000002B1 Get attribute AID: 6
1015793408 NMAS: [2018/09/07 12:48:51.714] 262399: Begin Client Module 0x000002B1
1015793408 NMAS: [2018/09/07 12:48:51.714] 262399: Client Module 0x000002B1 Read
1015793408 NMAS: [2018/09/07 12:48:51.714] 262399: ERROR: -1634 Client Module 0x000002B1 End


The /var/log/cifs/cifs.log shows the following:
Aug 22 17:50:32 blr8-118-36 CIFS[5453]: ERROR: CODIR: SESLoggingIn: User: etuser1 not found, client: 164.99.168.41, nwErr: -601, cifsErr: 0
Aug 22 17:52:28 blr8-118-36 CIFS[5453]: WARNING: AUTH: Authentication failed for user . NMAS has returned Error:-1642
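As an added example (not part of this TID or of the OES product), the following Python script flags the three log signatures shown above and checks the case of the W0 RDN from the Resolution section. The sample log lines are copied from this TID; the DN check assumes the dotted notation used in the article and is a hypothetical helper, not an eDirectory API.

```python
import re
from collections import Counter

# Signatures taken from the kdc.log, ndstrace and cifs.log excerpts in this TID.
KDC_INVALID_CREDS = re.compile(
    r"krb5kdc: Invalid credentials - while initializing database for realm (\S+)")
NMAS_TRACE_ERROR = re.compile(
    r"NMAS: \[[^\]]+\] \d+: ERROR: (-\d+) (Server|Client) Module (0x[0-9A-Fa-f]+) End")
CIFS_NMAS_ERROR = re.compile(
    r"CIFS\[\d+\]: WARNING: AUTH: Authentication failed for user .*NMAS has returned Error:(-\d+)")

# NMAS error codes the TID associates with the tree key casing issue.
KNOWN_NMAS_ERRORS = {"-1634", "-1642"}

# Sample lines copied from the TID's "Additional Information" section (constructed test input).
SAMPLE_LINES = [
    "krb5kdc: Invalid credentials - while initializing database for realm NNMFRDFCS18SP1.COM",
    "999823104 NMAS: [2018/09/07 12:48:51.713] 262399: ERROR: -1634 Server Module 0x000002B1 End",
    "1015793408 NMAS: [2018/09/07 12:48:51.714] 262399: ERROR: -1634 Client Module 0x000002B1 End",
    "Aug 22 17:52:28 blr8-118-36 CIFS[5453]: WARNING: AUTH: Authentication failed for user . NMAS has returned Error:-1642",
    "999823104 NMAS: [2018/09/07 12:48:51.713] 262399: Login Method 0x000002B1",
]


def classify_line(line):
    """Return a (source, detail) tag when a line matches one of the TID's signatures, else None."""
    m = KDC_INVALID_CREDS.search(line)
    if m:
        return ("kdc", m.group(1))          # detail: affected realm
    m = NMAS_TRACE_ERROR.search(line)
    if m and m.group(1) in KNOWN_NMAS_ERRORS:
        return ("ndstrace", m.group(1))     # detail: NMAS error code
    m = CIFS_NMAS_ERROR.search(line)
    if m and m.group(1) in KNOWN_NMAS_ERRORS:
        return ("cifs", m.group(1))
    return None


def summarize(lines):
    """Count matching indicators per (source, detail) across a log excerpt."""
    return Counter(tag for tag in map(classify_line, lines) if tag)


def kap_rdn_is_upper_case(dn):
    """Hypothetical helper: True only if the dotted DN names the kap object with the exact RDN value 'W0'.

    Only the W0 value is compared case-sensitively, because that casing is the cause described in the TID."""
    parts = [rdn.split("=", 1) for rdn in dn.split(".")]
    if len(parts) != 3 or any(len(p) != 2 for p in parts):
        return False
    (t0, v0), (t1, v1), (t2, v2) = parts
    if [t0.lower(), t1.lower(), t2.lower()] != ["cn", "cn", "cn"]:
        return False
    return v0 == "W0" and v1.lower() == "kap" and v2.lower() == "security"


if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
    print(kap_rdn_is_upper_case("cn=w0.cn=kap.cn=Security"))
```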