Kerberos fails to start with NMAS error -1680

  • 7010722
  • 31-Aug-2012
  • 31-Aug-2012

Environment

Novell Open Enterprise Server 2 SP2 (OES2 SP2)
Novell Open Enterprise Server 2 SP3 (OES2 SP3)
Novell Open Enterprise Server 11 (OES 11)
Novell Open Enterprise Server 11 SP1 (OES 11 SP1)
Domain Services for Windows
DSfW

Situation

xad-krb5kdc (Kerberos) fails to start
"Waiting for LDAP server to be ready ..." is displayed when starting Kerberos

An ndstrace with the TIME, TAGS, LDAP, and NMAS tags enabled shows:
1451190016 NMAS: [2012/08/24 13:25:29.686] 262318: Login Sequence IPCExternal not authorized for CN=DSFWServer.OU=Domain Controllers.O=novell
1451190016 NMAS: [2012/08/24 13:25:29.686] 262318: ERROR: -1680 User not authorized for requested login sequence "IPCExternal"
1451190016 NMAS: [2012/08/24 13:25:29.686] 262318: ERROR: -1680 CanDo
1451190016 NMAS: [2012/08/24 13:25:29.686] 262318: Password Failure Time Attribute value count: 100
1451190016 NMAS: [2012/08/24 13:25:29.686] 262318: Password Failure Time Attribute Value Count (100) exceeded Limit (100)
1451190016 NMAS: [2012/08/24 13:25:29.686] 262318: Removing Password Failure Time Attribute Value 1345828667

Resolution

The NMAS error -1680 means the login sequence being called is not authorized.

Log into iManager.
In the Roles and Tasks section, click NMAS.
Click NMAS Login Sequences.
Verify that IPCExternal is authorized; if it is not, check the box beside the login sequence and click Authorize.

Next, modify the domain-mapped container:
Click the NMAS tab.
Click the Login Sequences sub-tab.
Verify that IPCExternal is authorized; if it is not, check the box beside the login sequence and click Authorize.

Do the same for the Domain Controllers container and the OESSystemObjects container.

Other sequences that should be authorized are GSSAPI, Kerberos, and NDS.

Cause

The IPCExternal login sequence was not authorized.

Additional Information

For instructions on taking an ndstrace, follow TID 7009602.

Key points in the TID:
Make sure the LDAP screen level is set to "Operation| Connection| Config| Extensions| Error| Critical| DataConnection" or to "all".

Example:
ldapconfig -s "ldap screen level= Operation| Connection| Config| Extensions| Error| Critical| DataConnection"

Start the trace:
ndstrace # Brings up the ndstrace utility

set dstrace = nodebug # Clear the filter

dstrace NMAS LDAP TIME TAGS AUTH # Enable the NMAS, LDAP, TIME, TAGS, and AUTH tags

set ndstrace = *r # Clear the log (or rename /var/opt/novell/eDirectory/log/ndstrace.log)

ndstrace = on # Start logging, then execute your command or task

set ndstrace = off # Stop logging after starting Kerberos (rcxad-krb5kdc)

quit # Exit ndstrace

The default location of the trace file is /var/opt/novell/eDirectory/log/ndstrace.log.
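As an added example that is not part of this TID, a small Python checker that reads ndstrace output like the excerpt in the Situation section and reports which login sequences NMAS refused with -1680, so a trace taken with the steps above can be checked without reading it by hand. The line layout and the list of sequences that must be authorized are taken from this TID; the function names are my own.

```python
import re
from collections import Counter

# Trace lines copied from the excerpt in the Situation section of this TID.
SAMPLE_TRACE = """\
1451190016 NMAS: [2012/08/24 13:25:29.686] 262318: Login Sequence IPCExternal not authorized for CN=DSFWServer.OU=Domain Controllers.O=novell
1451190016 NMAS: [2012/08/24 13:25:29.686] 262318: ERROR: -1680 User not authorized for requested login sequence "IPCExternal"
1451190016 NMAS: [2012/08/24 13:25:29.686] 262318: ERROR: -1680 CanDo
1451190016 NMAS: [2012/08/24 13:25:29.686] 262318: Password Failure Time Attribute value count: 100
1451190016 NMAS: [2012/08/24 13:25:29.686] 262318: Password Failure Time Attribute Value Count (100) exceeded Limit (100)
1451190016 NMAS: [2012/08/24 13:25:29.686] 262318: Removing Password Failure Time Attribute Value 1345828667
"""

# Login sequences this TID says must be authorized for DSfW.
REQUIRED_SEQUENCES = ("IPCExternal", "GSSAPI", "Kerberos", "NDS")

# Line layout: <thread> <TAG>: [<timestamp>] <connection>: <message>
LINE_RE = re.compile(r"^(\d+)\s+(\w+):\s+\[([^\]]+)\]\s+(\d+):\s+(.*)$")
NOT_AUTH_RE = re.compile(r"Login Sequence (\S+) not authorized for (.+)$")
ERROR_RE = re.compile(r"ERROR:\s+(-?\d+)\s+(.*)$")

def nmas_messages(trace):
    """Yield (timestamp, connection, message) for each NMAS-tagged trace line."""
    for raw in trace.splitlines():
        m = LINE_RE.match(raw.strip())
        if m and m.group(2) == "NMAS":
            yield m.group(3), m.group(4), m.group(5)

def unauthorized_sequences(trace):
    """Return (sequence, DN, timestamp) for every 'not authorized' message."""
    hits = []
    for ts, _conn, msg in nmas_messages(trace):
        m = NOT_AUTH_RE.search(msg)
        if m:
            hits.append((m.group(1), m.group(2), ts))
    return hits

def error_code_counts(trace):
    """Count NMAS ERROR codes; -1680 means the login sequence is not authorized."""
    return Counter(m.group(1) for _ts, _conn, msg in nmas_messages(trace)
                   for m in [ERROR_RE.search(msg)] if m)

def required_sequences_refused(trace):
    """Sequences this TID expects to be authorized that the trace shows refused."""
    refused = {seq for seq, _dn, _ts in unauthorized_sequences(trace)}
    return sorted(refused & set(REQUIRED_SEQUENCES))
```

Run it over /var/opt/novell/eDirectory/log/ndstrace.log after the trace; any sequence returned by required_sequences_refused is the one to authorize in iManager as described in the Resolution.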