Troubleshooting Application Authentication to DSfW
This document (7009603) is provided subject to the disclaimer at the end of this document.
Open Enterprise Server 11 (OES11)
Generally the kdc.log, messages log, ndstrace, and packet trace have the most information, but sometimes a debug of samba is also needed.
The Packet Trace
Turn off secure channel encryption:
Before taking the packet trace turn of the secure channel encryption
The LDAP/NMAS Trace
To take the ldap trace first check the screen options, make sure the level is set to all
ldapconfig get |grep -i "ldap screen level"
Example of setting the screen level to all:
ldapconfig -s "ldap screen level=all" -a admin.novell
Then start the ndstrace
|ndstrace||# brings up the ndstrace utility|
|set dstrace = nodebug||# Clear the filter|
|dstrace NMAS LDAP TIME TAGS AUTH||# Enable the LDAP, NMAS, TIME, TAGS, and AUTH|
|set ndstrace = *r||# Clear the log or rename the /var/opt/novell/eDirectory/log/ndstrace.log|
|ndstrace = on||# Start the logging and execute your command or task|
|set ndstrace = off||# This will stop logging|
|quit||# Exit ndstrace|
The default location for the log is /var/opt/novell/eDirectory/log/ndstrace.log
Examining the traces and logs
There are three main protocols to look in the traces:
Start with these three protocols. Depending on the issue other protocols might come into play like smb (Samba) or netbios.
For authentication issues look at kerberos packets in the packet trace and kerberos errors in the kdc.log and /var/log/messages.
Starting with the packet trace by filtering on kerberos.
To filter traffic in the packet trace simple type kerberos in the filter window and click apply.
Look for errors in the details of the AS-REQ, AS-REP and TGS-REQ, TGS-REP (requests and responses) packets.
If there is a kerberos error in the packet trace
1) Check that the principal (user or computer) in the request is valid.
2) Troubleshoot any errors found in the trace.
note: pre-authentication required errors (krb5kdc_error_preauth_required 25) are standard. That error is to notify the sender that pre authentication (pa-enc-timestamp in the padata) is required for added security.
3) Look in the kdc.log for error.
Some common errors seen in the kdc.log are:
Decrypt integrity check failed - bad password
Look at the next line for the user or workstation trying to login with a bad password. Workstations will have a $ at the end of the name and before the @domain name.
AS_REQ 192.168.0.4 PREAUTH_FAILED: <firstname.lastname@example.org> for krbtgt/dsfw.lan Preauthentication failed
Can cause slow logins, cause the domain controller to become unresponsive, or even crash the domain controller. Implement an intruder lock out on the container where the user(s) or workstation(s) objects reside.
locked out - account has been locked out
If this is for a workstation account this error message usually means their is a workstation with the same name trying to login. The workstation with the duplicate name will attempt to login several time, triggering the intruder lockout and thus generating the Decrypt integrity check error.
If this is a user, the user account is locked usually do to intruder lockout.
client not found - account is not found in domain
Similar to a 601 in eDirectory. Look at the ndstrace to see if the search request is valid. Check that the account exists in the domain and is samified. This error can cause slow logins as well.
Sometimes taking a ndstrace with +time +tags +auth +ldap +vcln +dbg will help as well.
For password errors look at the ndstrace with ldap and nmas enabled in the filter. Look for any NMAS errors.
Next filter on ldap in the packet trace.
For directory resolution of a user or computer object look at LDAP traffic in the packet trace and ndstrace.
See if the request is received and responding to the application properly. There might be an error resolving an object or an attribute is requested in the search which doesn't exist or has the wrong value on the object.
For the ndstrace start usually the standard filters for a ldap/nmas trace are all that is needed. These filters are TIME, TAGS, AUTH, LDAP and NMAS.
Depending on the issue other filters might be enabled. RECM, RSLV, and VCLN are often useful.
Some times Agent Buffers (ABUF), Debug (DBG), and Miscellaneous (MISC) will also need to be enabled. Beware ABUF, DBG, and MISC can greatly increase information that is returned and make it difficult find errors.
NMAS should be enabled for authentication or password issues and always.
Always enable TIME and TAGS.
If the ldap traffic is minimal or non existant it might be the the ldap screen level on the ldap server object was not set. It should be set to ALL or "Operation| Connection| Config| Extensions| Error| Critical| DataConnection" at a minimum.
For more information on using ndstrace look at TID 7009602
The /var/opt/novell/log/named/named.run and /var/log/messages generally provides more information on DNS resolution as well.
This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:7009603
- Creation Date:19-OCT-11
- Modified Date:22-JAN-13
- NovellOpen Enterprise Server
Did this document solve your problem? Provide Feedback