
DSfW: kerberos fails to start

This document (7012896) is provided subject to the disclaimer at the end of this document.

Environment

Open Enterprise Server 11 SP1 (OES11SP1)
Domain Services for Windows
DSfW
eDirectory

Situation

While installing DSfW, the "restart services" task fails. The restart script /opt/novell/xad/share/dcinit/provision/provision_restart_dsfw.pl fails at the Kerberos step:
Service xad-krb5kdc started with code 256

The NMAS trace shows:
3932870400 NMAS: [2013/07/17 13:52:48.807] 262301: Create NMAS Session
3932870400 NMAS: [2013/07/17 13:52:48.807] 262301: SASL IPC_EXTERNAL started
3932870400 NMAS: [2013/07/17 13:52:48.808] 262301: Found login sequence IPCExternal for proxy client
3932870400 NMAS: [2013/07/17 13:52:48.808] 262301: NMAS Audit with Audit PA not installed
3932870400 NMAS: [2013/07/17 13:52:48.808] 262301: NMAS Audit with XDAS not installed
3932870400 NMAS: [2013/07/17 13:52:48.808] 262301: NMAS Client supplied user DN CN=DSFW.OU=Domain Controllers.O=NOVELL
3932870400 NMAS: [2013/07/17 13:52:48.809] Attempting to create key
3932870400 NMAS: [2013/07/17 13:52:48.809] ERROR: -1460 createXKey: DAL_getPartitionKey
3932870400 NMAS: [2013/07/17 13:52:48.809] ERROR: -1460 Failed to get encryption key for CN=DSFW.OU=Domain Controllers.O=NOVELL
3932870400 NMAS: [2013/07/17 13:52:48.809] 262301: NMAS Login not supported for user CN=DSFW.OU=Domain Controllers.O=NOVELL
3932870400 NMAS: [2013/07/17 13:52:48.809] 262301: ERROR: -1697 Failed to resolve specified user
3932870400 NMAS: [2013/07/17 13:52:48.809] 262301: ERROR: -1697 SASL_DoMechanism: NMAS_CanDo
3932870400 NMAS: [2013/07/17 13:52:48.809] 262301: NMAS Audit with Audit PA not installed
3932870400 NMAS: [2013/07/17 13:52:48.809] 262301: NMAS Audit with XDAS not installed
3932870400 NMAS: [2013/07/17 13:52:48.809] 262301: Client Session Destroy Request
3932870400 NMAS: [2013/07/17 13:52:48.809] 262301: Destroy NMAS Session

Resolution

Take an LDAP trace and an NMAS trace while attempting to start Kerberos from the command line.
See TID 7009602 for how to take LDAP and NMAS traces.

In this situation the trace showed -1460 and -1697 errors. This means that NICI is not synchronized to all servers in the tree.
Start with TID 3192240 "SDIDiag General Information" for a list of TIDs to help resolve this issue.
Follow TID 3455150 "Using SDIDiag to gather specific SDKey information from servers" to gather tree information,
and TID 3840110 "Using SDIDiag Switches and Options".
Specifically, look at the option to resync tree keys:
SDIDIAG> RD -T -n .orgUnit.org.tree_name. SS [-A] [-V] [-R] [-S serverDN] [-I file] [-N containerDN]
Synchronize all keys on the specified -S serverDN, the servers listed in the -I file, or the server hosting a writeable replica of the -N containerDN with the Security Domain Servers. The -R switch may optionally be given to revoke all the existing keys on the server before synchronizing with the Security Domain Servers.
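Before running SDIDiag, it helps to confirm that the trace actually carries the -1460/-1697 signature this TID describes, rather than some other NMAS failure. The following Python script is an added example and is not part of the TID or of any Novell tool: it parses NMAS trace lines in the layout shown above, extracts every ERROR code, recovers the user DN the client supplied, and reports whether the NICI key-synchronization pattern is present. The embedded sample trace is constructed to mirror the TID's trace, and the line layout (thread id, "NMAS:", timestamp, optional session number, message) is assumed from that sample.

```python
import re

# Assumed NMAS trace layout, taken from the lines in this TID:
#   <thread> NMAS: [<timestamp>] [<session>: ]<message>
LINE_RE = re.compile(
    r'^(?P<thread>\d+)\s+NMAS:\s+\[(?P<ts>[^\]]+)\]\s+'
    r'(?:(?P<session>\d+):\s+)?(?P<msg>.*)$'
)
# An ERROR message carries a signed numeric code followed by free text.
ERROR_RE = re.compile(r'ERROR:\s+(?P<code>-\d+)\s+(?P<detail>.*)$')

# Error codes this TID associates with NICI keys not being synchronized.
NICI_SYNC_CODES = {
    -1460: "Failed to get encryption key (createXKey: DAL_getPartitionKey)",
    -1697: "Failed to resolve specified user (NMAS login not supported)",
}
NICI_SYNC_ADVICE = ("NICI keys not synchronized to all servers in the tree; "
                    "resync tree keys with SDIDiag (RD -T ...)")

# Constructed sample mirroring the trace format in the TID; not a captured file.
SAMPLE_TRACE = """\
3932870400 NMAS: [2013/07/17 13:52:48.807] 262301: Create NMAS Session
3932870400 NMAS: [2013/07/17 13:52:48.808] 262301: NMAS Client supplied user DN CN=DSFW.OU=Domain Controllers.O=NOVELL
3932870400 NMAS: [2013/07/17 13:52:48.809] Attempting to create key
3932870400 NMAS: [2013/07/17 13:52:48.809] ERROR: -1460 createXKey: DAL_getPartitionKey
3932870400 NMAS: [2013/07/17 13:52:48.809] ERROR: -1460 Failed to get encryption key for CN=DSFW.OU=Domain Controllers.O=NOVELL
3932870400 NMAS: [2013/07/17 13:52:48.809] 262301: NMAS Login not supported for user CN=DSFW.OU=Domain Controllers.O=NOVELL
3932870400 NMAS: [2013/07/17 13:52:48.809] 262301: ERROR: -1697 Failed to resolve specified user
3932870400 NMAS: [2013/07/17 13:52:48.809] 262301: ERROR: -1697 SASL_DoMechanism: NMAS_CanDo
3932870400 NMAS: [2013/07/17 13:52:48.809] 262301: Destroy NMAS Session
"""


def parse_trace(text):
    """Return a list of (timestamp, session, code, detail) for every ERROR line.

    Lines that do not match the trace layout, or carry no ERROR, are skipped.
    """
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        e = ERROR_RE.search(m.group("msg"))
        if not e:
            continue
        events.append((m.group("ts"), m.group("session"),
                       int(e.group("code")), e.group("detail")))
    return events


def diagnose(text):
    """Summarize a trace: user DN, error codes seen, and whether the
    -1460/-1697 NICI key-sync signature from this TID is present."""
    user_dn = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m and "supplied user DN" in m.group("msg"):
            # Keep the last DN the client supplied in this session.
            user_dn = m.group("msg").split("supplied user DN", 1)[1].strip()
    events = parse_trace(text)
    codes = {code for _, _, code, _ in events}
    suspected = {-1460, -1697} <= codes
    return {
        "user_dn": user_dn,
        "codes": codes,
        "errors": events,
        "nici_key_sync_suspected": suspected,
        "explanations": {c: NICI_SYNC_CODES[c] for c in codes if c in NICI_SYNC_CODES},
        "advice": NICI_SYNC_ADVICE if suspected else None,
    }


if __name__ == "__main__":
    result = diagnose(SAMPLE_TRACE)
    print("user DN:", result["user_dn"])
    for ts, session, code, detail in result["errors"]:
        print(f"{ts} session={session} code={code} {detail}")
    print("NICI key sync suspected:", result["nici_key_sync_suspected"])
    if result["advice"]:
        print("advice:", result["advice"])
```

Run it against a real trace with `python3 nmas_check.py < trace.log` after replacing `SAMPLE_TRACE` with `sys.stdin.read()`; a trace that shows only one of the two codes, or neither, is reported as not matching, which is the cue to look for a different cause than key synchronization.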

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 7012896
  • Creation Date: 17-JUL-13
  • Modified Date: 17-JUL-13
    • Novell Open Enterprise Server
    • SUSE Linux Enterprise Server
    • NetIQ eDirectory
