DSfW: kerberos fails to start

  • 7012896
  • 17-Jul-2013
  • 17-Jul-2013

Environment

Open Enterprise Server 11 SP1 (OES11SP1)
Domain Services for Windows
DSfW
eDirectory

Situation

Installing DSfW and the "restart services" task fails.
The restart script, /opt/novell/xad/share/dcinit/provision/provision_restart_dsfw.pl, fails at the Kerberos step with:
Service xad-krb5kdc started with code 256

An NMAS trace taken while the KDC is started shows the following (the DN is the DSfW domain controller's own object, not a user logging in):
3932870400 NMAS: [2013/07/17 13:52:48.807] 262301: Create NMAS Session
3932870400 NMAS: [2013/07/17 13:52:48.807] 262301: SASL IPC_EXTERNAL started
3932870400 NMAS: [2013/07/17 13:52:48.808] 262301: Found login sequence IPCExternal for proxy client
3932870400 NMAS: [2013/07/17 13:52:48.808] 262301: NMAS Audit with Audit PA not installed
3932870400 NMAS: [2013/07/17 13:52:48.808] 262301: NMAS Audit with XDAS not installed
3932870400 NMAS: [2013/07/17 13:52:48.808] 262301: NMAS Client supplied user DN CN=DSFW.OU=Domain Controllers.O=NOVELL
3932870400 NMAS: [2013/07/17 13:52:48.809] Attempting to create key
3932870400 NMAS: [2013/07/17 13:52:48.809] ERROR: -1460 createXKey: DAL_getPartitionKey
3932870400 NMAS: [2013/07/17 13:52:48.809] ERROR: -1460 Failed to get encryption key for CN=DSFW.OU=Domain Controllers.O=NOVELL
3932870400 NMAS: [2013/07/17 13:52:48.809] 262301: NMAS Login not supported for user CN=DSFW.OU=Domain Controllers.O=NOVELL
3932870400 NMAS: [2013/07/17 13:52:48.809] 262301: ERROR: -1697 Failed to resolve specified user
3932870400 NMAS: [2013/07/17 13:52:48.809] 262301: ERROR: -1697 SASL_DoMechanism: NMAS_CanDo
3932870400 NMAS: [2013/07/17 13:52:48.809] 262301: NMAS Audit with Audit PA not installed
3932870400 NMAS: [2013/07/17 13:52:48.809] 262301: NMAS Audit with XDAS not installed
3932870400 NMAS: [2013/07/17 13:52:48.809] 262301: Client Session Destroy Request
3932870400 NMAS: [2013/07/17 13:52:48.809] 262301: Destroy NMAS Session

Resolution

Take an LDAP and NMAS trace while attempting to start Kerberos from the command line.
See KB 7009602 for how to take LDAP and NMAS traces.

In this situation the trace showed -1460 (failed to get the encryption key, as in the createXKey: DAL_getPartitionKey line above) followed by -1697 (failed to resolve the specified user). This pairing means the NICI security domain keys are not synchronized to all servers in the tree, so the domain controller object's key cannot be read and the KDC cannot log in.
Start with KB 3192240 "SDIDiag General Information" for a list of TIDs to help resolve this issue.
Follow KB 3455150 "Using SDIDiag to gather specific SDKey information from servers" to gather tree information,
and KB 3840110 "Using SDIDiag Switches and Options".
Specifically look to the option to resync tree keys:
SDIDIAG> RD -T -n .orgUnit.org.tree_name. SS [-A] [-V] [-R] [-S serverDN] [-I file] [-N containerDN]
Synchronize all keys on the specified -S serverDN, the servers listed in the -I file, or the server hosting a writeable replica of the -N containerDN with the Security Domain Servers. The -R switch may optionally be given to revoke all the existing keys on the server before synchronizing with the Security Domain Servers.
Once the keys are in sync, re-run provision_restart_dsfw.pl (or start xad-krb5kdc by hand) and confirm the -1460 / -1697 errors no longer appear in the NMAS trace.
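The check below is an added example written for this article; it is not part of the TID and not a Novell or SDIDiag tool. It scans an NMAS trace file for the -1460 / -1697 pair shown above and lists the DNs whose encryption key could not be retrieved, so the out-of-sync condition can be confirmed before running SDIDiag (and re-checked afterwards). The sample traces it writes are constructed from the lines quoted in this article, plus an error-free session for comparison; the ndstrace log path in the comment is an assumption.

```shell
#!/bin/sh
# Added example, not from the TID: triage an NMAS trace for the key-retrieval
# failure described above. Run against a real trace with, for example:
#   nmas_diagnose /var/opt/novell/eDirectory/log/ndstrace.log   (path assumed)

# Distinct DNs for which NMAS could not obtain an encryption key (-1460).
nmas_key_failure_dns() {
    grep 'ERROR: -1460 Failed to get encryption key for ' "$1" \
        | sed 's/.*Failed to get encryption key for //' \
        | sort -u
}

# Number of lines carrying NMAS error code $2 in trace $1; prints 0 when
# absent (grep -c exits 1 on zero matches, so success is forced for callers).
nmas_error_count() {
    grep -c "ERROR: $2 " "$1" || true
}

# Verdict for trace $1:
#   SDI_OUT_OF_SYNC : -1460 key fetch failures together with -1697 resolve
#                     failures, the pattern in this TID (resync with SDIDiag)
#   NMAS_LOGIN_FAIL : -1697 without any -1460, so the key domain is not the
#                     first suspect
#   OK              : neither code present
nmas_diagnose() {
    n1460=$(nmas_error_count "$1" -1460)
    n1697=$(nmas_error_count "$1" -1697)
    if [ "$n1460" -gt 0 ] && [ "$n1697" -gt 0 ]; then
        echo SDI_OUT_OF_SYNC
    elif [ "$n1697" -gt 0 ]; then
        echo NMAS_LOGIN_FAIL
    else
        echo OK
    fi
}

# Constructed sample: the failing session quoted in this article, trimmed to
# the lines that matter for triage.
write_failing_trace() {
    cat > "$1" <<'EOF'
3932870400 NMAS: [2013/07/17 13:52:48.807] 262301: Create NMAS Session
3932870400 NMAS: [2013/07/17 13:52:48.808] 262301: NMAS Client supplied user DN CN=DSFW.OU=Domain Controllers.O=NOVELL
3932870400 NMAS: [2013/07/17 13:52:48.809] Attempting to create key
3932870400 NMAS: [2013/07/17 13:52:48.809] ERROR: -1460 createXKey: DAL_getPartitionKey
3932870400 NMAS: [2013/07/17 13:52:48.809] ERROR: -1460 Failed to get encryption key for CN=DSFW.OU=Domain Controllers.O=NOVELL
3932870400 NMAS: [2013/07/17 13:52:48.809] 262301: ERROR: -1697 Failed to resolve specified user
3932870400 NMAS: [2013/07/17 13:52:48.809] 262301: ERROR: -1697 SASL_DoMechanism: NMAS_CanDo
3932870400 NMAS: [2013/07/17 13:52:48.809] 262301: Destroy NMAS Session
EOF
}

# Constructed sample: the same session shape with no errors, as a server
# whose SDI keys are in sync would log it.
write_healthy_trace() {
    cat > "$1" <<'EOF'
3932870400 NMAS: [2013/07/17 13:52:48.807] 262301: Create NMAS Session
3932870400 NMAS: [2013/07/17 13:52:48.808] 262301: NMAS Client supplied user DN CN=DSFW.OU=Domain Controllers.O=NOVELL
3932870400 NMAS: [2013/07/17 13:52:48.809] 262301: Destroy NMAS Session
EOF
}

# Stand-alone demo on the constructed samples.
failing=$(mktemp); healthy=$(mktemp)
write_failing_trace "$failing"; write_healthy_trace "$healthy"
echo "failing trace: $(nmas_diagnose "$failing")"
echo "  keys missing for: $(nmas_key_failure_dns "$failing")"
echo "healthy trace: $(nmas_diagnose "$healthy")"
rm -f "$failing" "$healthy"
```

The DN list is the useful part when more than one server object is affected: each DN it prints names an object whose partition key could not be obtained, which tells you which replica-holding servers to pass to SDIDiag with -S or -N rather than resyncing blindly.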