ERROR: -1693 SASL_DoMechanism: NMAS_InvokeMechanism

  • 7009590
  • 18-Oct-2011
  • 01-Apr-2014

Environment

Novell Open Enterprise Server 11 SP2 (OES11SP2)
Novell Open Enterprise Server 2 SP3 (OES2SP3)
eDir 8.8.6
NMAS 3.3.3.4
DSfW

Situation

ERROR: -1693 SASL_DoMechanism: NMAS_InvokeMechanism
xad-krb5kdc fails to start
Password Policy works for some servers, but fails for some servers in the same tree running the same NMAS and eDir versions.
 
NDSTRACE with +NMAS shows the following:
Bind name:NULL, version:3, authentication:EXTERNAL
Create NMAS Session
SASL IPC_EXTERNAL started
SASL Mechanism [IPC_EXTERNAL] not available:
Available SASL Mechanisms:
[NMAS_LOGIN] 
NMAS Audit with Audit PA not installed
NMAS Audit with XDAS not installed
ERROR: -1693 SASL_DoMechanism: NMAS_InvokeMechanism
Client Session Destroy Request
Destroy NMAS Session
Aborted Session Destroyed (with MAF)
Failed to authenticate full context on connection 0x13dbc6f0, err = -1693 (0xfffffffffffff963)
Sending operation result 49:"":"" to connection 0x13dbc6f0
DoUnbind on connection 0x13dbc6f0
Connection 0x13dbc6f0 closed
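As an added check that is not part of the TID, the following Python script scans an NDSTRACE +NMAS capture for the pattern shown above (a mechanism the bind asked for that the server does not list as available, followed by error -1693), so affected servers can be picked out from their trace files; the sample trace embedded in the script is constructed from the excerpt above.

```python
import re
from typing import Optional

# Constructed sample: the NDSTRACE +NMAS excerpt from this TID.
SAMPLE_TRACE = """\
Bind name:NULL, version:3, authentication:EXTERNAL
Create NMAS Session
SASL IPC_EXTERNAL started
SASL Mechanism [IPC_EXTERNAL] not available:
Available SASL Mechanisms:
[NMAS_LOGIN] 
NMAS Audit with Audit PA not installed
NMAS Audit with XDAS not installed
ERROR: -1693 SASL_DoMechanism: NMAS_InvokeMechanism
Client Session Destroy Request
Destroy NMAS Session
Failed to authenticate full context on connection 0x13dbc6f0, err = -1693 (0xfffffffffffff963)
"""

RE_NOT_AVAILABLE = re.compile(r"SASL Mechanism \[([^\]]+)\] not available")
RE_AVAILABLE_HDR = re.compile(r"^Available SASL Mechanisms:")
RE_MECH_LIST = re.compile(r"\[([^\]]+)\]")
RE_ERR_1693 = re.compile(r"ERROR: -1693 SASL_DoMechanism")

def analyze_nmas_trace(text: str) -> dict:
    """Report which mechanism the bind asked for, which mechanisms the
    server offers, and whether the -1693 SASL_DoMechanism error was logged."""
    missing: Optional[str] = None
    available: list[str] = []
    saw_1693 = False
    in_list = False
    for line in text.splitlines():
        m = RE_NOT_AVAILABLE.search(line)
        if m:
            missing = m.group(1)
            in_list = False
            continue
        if RE_AVAILABLE_HDR.match(line):
            in_list = True
            continue
        if in_list:
            found = RE_MECH_LIST.findall(line)
            if found:
                available.extend(found)
                continue
            in_list = False  # first line without [..] entries ends the list
        if RE_ERR_1693.search(line):
            saw_1693 = True
    return {
        "missing_mechanism": missing,
        "available_mechanisms": available,
        "error_1693": saw_1693,
        # The TID's symptom: -1693 plus a requested mechanism the server lacks.
        "stream_file_suspect": saw_1693 and missing is not None and missing not in available,
    }
```

A result with stream_file_suspect set to True on one server but not on others in the same tree is the case the Resolution section below addresses.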

Resolution

If all servers fail when using the password mechanism, the problem is usually with the method or sequence, or a newer password mechanism needs to be applied for a newer version of NMAS. If some servers can use the password method and sequence while others cannot, the problem is with the stream file for the NMAS method.
For servers that hold a replica of the Security container or hold external references, the method is stored on the server as a stream file in the dib directory. This stream file can be seen in iMonitor.
On the problem server, log into iMonitor and go to sasLoginServerMethodLinux64.<method>.Authorized Login Methods.Security.<treename>.
If the method is not 64-bit or not a Linux method, the name of the stream file will be different. In the trace shown above the method is IPC_EXTERNAL and the tree is TREE1, so the location of the stream file is:
sasLoginServerMethodLinux64.CN=IPCEXTERNAL.CN=Authorized Login Methods.CN=Security.T=TREE1.

If the size of the sasLoginServerMethodLinux64 stream file is 0 bytes, timestamp the stream file using iMonitor on a server where the stream file is valid.

To resolve this issue and get a valid stream file onto the problem server, do the following:
  1. On another server that holds a replica of the Security container, enable Advanced Options in iMonitor by clicking the NDS iMonitor link in the upper left hand corner of the initial iMonitor screen.
  2. Click on the stream file. In this example it is
     sasLoginServerMethodLinux64.CN=IPCEXTERNAL.CN=Authorized Login Methods.CN=Security.T=TREE1
  3. Click on the Advanced link on the right hand side.
  4. Mark the "timestamp schema entry" radio button.
  5. Click OK.

Go to iMonitor on the problem server and verify that the stream file is no longer 0 bytes.

Additional Information

This issue can also prevent Kerberos on a DSfW server from starting. The xadkrb5kdc daemon (OES2SP3) or xad-krb5kdc daemon (OES11.x) will appear to start, but when the daemon is validated it has stopped, along with the xad-kpasswdd daemon.

For more information on how to take an LDAP/NMAS trace, see TID 7009602.