DSfW: Kerberos fails to start in provisioning wizard

  • 7013234
  • 09-Sep-2013
  • 09-Sep-2013

Environment

Open Enterprise Server 11 SP1 (OES11SP1)
Domain Services for Windows
DSfW

Situation

Kerberos fails to start
xad-krb5kdc fails to start
xadsd fails to start

Resolution

Take an NMAS trace while starting xad-krb5kdc and look for errors. In this case we saw:

Login Sequence IPCExternal not authorized for CN=DSFW1.OU=Domain Controllers.O=Novell
3778828032 NMAS: [2013/09/09 11:16:06.719] 262212: ERROR: -1680 User not authorized for requested login sequence "IPCExternal"
3778828032 NMAS: [2013/09/09 11:16:06.719] 262212: ERROR: -1680 CanDo
3778828032 NMAS: [2013/09/09 11:16:06.719] 262212: Password Failure Time Attribute value count: 100
3778828032 NMAS: [2013/09/09 11:16:06.720] 262212: Password Failure Time Attribute Value Count (100) exceeded Limit (100)
3778828032 NMAS: [2013/09/09 11:16:06.720] 262212: Removing Password Failure Time Attribute Value 1378245140
3778828032 NMAS: [2013/09/09 11:16:06.722] 262212: Failed login delay 3 seconds
3778828032 NMAS: [2013/09/09 11:16:09.722] 262212: Failed login
3801368320 NMAS: [2013/09/09 11:16:09.722] 262212: ERROR: -1680 SASL_DoMechanism: NMAS_CanDo
3801368320 NMAS: [2013/09/09 11:16:09.722] 262212: NMAS Audit with Audit PA not installed
3801368320 NMAS: [2013/09/09 11:16:09.722] 262212: NMAS Audit with XDAS not installed
3801368320 NMAS: [2013/09/09 11:16:09.722] 262212: Client Session Destroy Request
3801368320 LDAP: [2013/09/09 11:16:09.722] Environment variable is set to not put NMAS NetworkAddress: 
3801368320 LDAP: [2013/09/09 11:16:09.722] Failed to authenticate full context on connection 0xdb53500, err = -1680 (0xfffffffffffff970)

Looking at the Login Policy (located under the Security container by default), the following Login Sequences were either deactivated, missing, or not installed: IPCExternal, Negotiate, Kerberos, GSSAPI, DigestMD5, and ChallengeResponse. Re-installing the corresponding methods should recreate the sequences.

To install or re-install a method, use nmasinst with the following syntax (substitute the admin user context, the tree name, the method's config.txt path, and the eDirectory server's IP address):
/opt/novell/eDirectory/bin/nmasinst -addmethod 'user.context' 'TREE' /opt/novell/xad/share/nmasmthd/IPCExternal/config.txt -h ip-address

Example:
/opt/novell/eDirectory/bin/nmasinst -addmethod 'cn=admin.o=novell' 'NOVELL-TREE' /opt/novell/xad/share/nmasmthd/IPCExternal/config.txt -h 192.168.0.52

Reboot the server when finished and check that the sequences are active.

Cause

Key NMAS Login Sequences used by DSfW were disabled, namely IPCExternal, Negotiate, Kerberos, GSSAPI, DigestMD5, and ChallengeResponse.

Additional Information

A list of methods to re-install, assuming the following values:
user is admin.novell
tree name is NOVELL-TREE
eDirectory server is 192.168.0.52

/opt/novell/eDirectory/bin/nmasinst -addmethod 'cn=admin.o=novell' 'NOVELL-TREE' /opt/novell/nmas/nmasmthd/CertMutual/config.txt -h 192.168.0.52
/opt/novell/eDirectory/bin/nmasinst -addmethod 'cn=admin.o=novell' 'NOVELL-TREE' /opt/novell/nmas/nmasmthd/ChallengeResponse/config.txt -h 192.168.0.52
/opt/novell/eDirectory/bin/nmasinst -addmethod 'cn=admin.o=novell' 'NOVELL-TREE' /opt/novell/nmas/nmasmthd/DigestMD5/config.txt -h 192.168.0.52
/opt/novell/eDirectory/bin/nmasinst -addmethod 'cn=admin.o=novell' 'NOVELL-TREE' /opt/novell/nmas/nmasmthd/NDS/config.txt -h 192.168.0.52
/opt/novell/eDirectory/bin/nmasinst -addmethod 'cn=admin.o=novell' 'NOVELL-TREE' /opt/novell/nmas/nmasmthd/SimplePassword/config.txt -h 192.168.0.52
/opt/novell/eDirectory/bin/nmasinst -addmethod 'cn=admin.o=novell' 'NOVELL-TREE' /opt/novell/nmas/nmasmthd/GSSAPI/config.txt -h 192.168.0.52
/opt/novell/eDirectory/bin/nmasinst -addmethod 'cn=admin.o=novell' 'NOVELL-TREE' /opt/novell/xad/share/nmasmthd/IPCExternal/config.txt -h 192.168.0.52
/opt/novell/eDirectory/bin/nmasinst -addmethod 'cn=admin.o=novell' 'NOVELL-TREE' /opt/novell/xad/share/nmasmthd/Kerberos/config.txt -h 192.168.0.52
/opt/novell/eDirectory/bin/nmasinst -addmethod 'cn=admin.o=novell' 'NOVELL-TREE' /opt/novell/xad/share/nmasmthd/Negotiate/config.txt -h 192.168.0.52
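The following script ties the trace check in the Resolution to the re-install list above. It is an added example, not part of this TID or of the nmasinst tool: it reads NMAS trace text, pulls out every login sequence that NMAS rejected with error -1680 "not authorized for requested login sequence", maps each name to the method config.txt path listed in this TID, and prints (does not run) the matching nmasinst -addmethod command. The sample trace lines are constructed from the excerpt above, with one extra constructed "Negotiate" rejection so that more than one sequence is found; the sequence-to-path mapping is taken from the command list in this TID.

```shell
#!/bin/sh
# Added example (not from the TID): plan the nmasinst re-installs needed for
# the login sequences an NMAS trace reports as "not authorized" (-1680).
# Nothing here executes nmasinst; the commands are only printed for review.

# Constructed sample trace: lines from the TID excerpt plus one made-up
# "Negotiate" rejection so the parser has two distinct sequences to find.
SAMPLE_TRACE='3778828032 NMAS: [2013/09/09 11:16:06.719] 262212: ERROR: -1680 User not authorized for requested login sequence "IPCExternal"
3778828032 NMAS: [2013/09/09 11:16:06.719] 262212: ERROR: -1680 CanDo
3801368320 NMAS: [2013/09/09 11:16:09.722] 262212: ERROR: -1680 SASL_DoMechanism: NMAS_CanDo
3801368320 LDAP: [2013/09/09 11:16:09.722] Failed to authenticate full context on connection 0xdb53500, err = -1680 (0xfffffffffffff970)
3778828032 NMAS: [2013/09/09 11:16:20.001] 262213: ERROR: -1680 User not authorized for requested login sequence "Negotiate"'

# method_config SEQUENCE: print the config.txt path for the method of that
# name, using the two directories the TID lists (DSfW-specific methods under
# /opt/novell/xad/share/nmasmthd, base NMAS methods under
# /opt/novell/nmas/nmasmthd). Prints nothing and returns 1 for unknown names.
method_config() {
    case "$1" in
        IPCExternal|Kerberos|Negotiate)
            echo "/opt/novell/xad/share/nmasmthd/$1/config.txt" ;;
        GSSAPI|DigestMD5|ChallengeResponse|CertMutual|NDS|SimplePassword)
            echo "/opt/novell/nmas/nmasmthd/$1/config.txt" ;;
        *)
            return 1 ;;
    esac
}

# rejected_sequences: read trace text on stdin and print each sequence name
# that NMAS refused with -1680, once, space-separated. Only the
# "not authorized for requested login sequence" lines carry the name; the
# bare "-1680 CanDo" lines are ignored.
rejected_sequences() {
    sed -n 's/.*ERROR: -1680 User not authorized for requested login sequence "\([^"]*\)".*/\1/p' \
        | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# reinstall_command USER TREE HOST SEQUENCE: the nmasinst invocation the TID
# gives, filled in for one sequence. Returns 1 if no method is known for it.
reinstall_command() {
    cfg=$(method_config "$4") || return 1
    printf "/opt/novell/eDirectory/bin/nmasinst -addmethod '%s' '%s' %s -h %s\n" \
        "$1" "$2" "$cfg" "$3"
}

# plan_reinstall USER TREE HOST < trace: one command per rejected sequence;
# sequences without a known method are reported on stderr and skipped.
plan_reinstall() {
    for seq in $(rejected_sequences); do
        reinstall_command "$1" "$2" "$3" "$seq" \
            || echo "# no known method config for sequence $seq" >&2
    done
}

# Usage with the TID's example values: prints the IPCExternal and Negotiate
# re-install commands for the constructed trace.
printf '%s\n' "$SAMPLE_TRACE" | plan_reinstall 'cn=admin.o=novell' 'NOVELL-TREE' 192.168.0.52
```

To use it against a real trace, replace the sample with the trace file (for example `plan_reinstall 'cn=admin.o=novell' 'NOVELL-TREE' 192.168.0.52 < nmas.trace`), review the printed commands, and only then run them; as the TID notes, the sequences should be checked in the Login Policy after the reboot.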