Kerberos KDC service fails to start on a DSfW server

  • 7009851
  • 05-Dec-2011
  • 18-Jun-2014

Environment

Novell Open Enterprise Server 2 SP3 (OES2SP3)
Novell Open Enterprise Server 11 (OES11)
Novell Open Enterprise Server 11 SP1 (OES11SP1)
Domain Services for Windows
DSfW

Situation

A DSfW server was upgraded from OES2SP2 to OES2SP3.

The /var/opt/novell/xad/log/kdc.log shows the following when starting Kerberos:
Nov 12 08:28:54 theia krb5kdc[5705](info): shutting down
krb5kdc: No such entry in the database - while initializing database for realm DSFW.INT
krb5kdc: No such entry in the database - while initializing database for realm DSFW.INT
krb5kdc: No such entry in the database - while initializing database for realm DSFW.INT
krb5kdc: No such entry in the database - while initializing database for realm DSFW.INT
krb5kdc: No such entry in the database - while initializing database for realm DSFW.INT
krb5kdc: No such entry in the database - while initializing database for realm DSFW.INT
krb5kdc: No such entry in the database - while initializing database for realm DSFW.INT

The /var/opt/novell/xad/log/ndsdcinit.log shows on the last line:
 modifying entry "nLSLicenseID=SN:345678912,nLSPublisher=Novell+nLSProduct=NetWare 6 Server+nLSVersion=650,o=dsfw"
 
] at /opt/novell/xad/lib/perl/upgrade2sp3.pm line 106.

Resolution

Not all objects were samified during the upgrade.
Samifying adds the attribute uniquedomainid to every object in the domain.
The uniquedomainid attribute is used to determine whether an object is located in the DSfW domain. If an object does not have this attribute, DSfW will not consider the object to be located in the domain.

For Kerberos to start it needs to resolve the domain controller object, which is located in ou=Domain Controllers,dc=<domain>.
If the dc object does not have the uniquedomainid attribute, Kerberos will fail to start.

To see if an object has the uniquedomainid attribute, use ldapsearch.
See KB 7003070 for more information on using ldapsearch with DSfW.

To use ldapsearch with the EXTERNAL method on a DSfW server, first export the LDAPCONF variable:
export LDAPCONF=/etc/opt/novell/xad/openldap/ldap.conf
Then run the ldapsearch:
ldapsearch -Y EXTERNAL -LLL -Q -b "cn=<dc-server>,ou=Domain Controllers,dc=<domain>" -s base uniquedomainid
Example for a DSfW server named DSFW-S1 and a domain named DSFW.INT:
ldapsearch -Y EXTERNAL -LLL -Q -b "cn=DSFW-S1,ou=Domain Controllers,dc=DSFW,dc=INT" -s base uniquedomainid

If only the DN is returned then the object is missing the uniquedomainid attribute.

To add the uniquedomainid to an object, use an LDIF file.
The uniquedomainid will be 1049076 on an FRD domain (First Realm Domain), i.e. the first domain in the tree.
Example of the contents of an LDIF file that adds the uniquedomainid for a DSfW server named DSFW-S1 in a domain named DSFW.INT:

dn: cn=dsfw-s1,ou=Domain Controllers,dc=dsfw,dc=int
changetype: modify
add: uniquedomainid
uniquedomainid: 1049076

In this example the LDIF file is named /tmp/dc_id.ldif.
To apply this LDIF use ldapmodify. The syntax is ldapmodify -Y EXTERNAL -f /path/to/file. With the LDAPCONF variable already exported in the terminal, run:
ldapmodify -Y EXTERNAL -f /tmp/dc_id.ldif
If LDAPCONF is not exported, set it for the single command instead:
LDAPCONF=/etc/opt/novell/xad/openldap/ldap.conf /usr/bin/ldapmodify -Y EXTERNAL -f /tmp/dc_id.ldif

Verify that the uniquedomainid has been added using the ldapsearch shown earlier.
Example:
ldapsearch -Y EXTERNAL -LLL -Q -b "cn=DSFW-S1,ou=Domain Controllers,dc=DSFW,dc=INT" -s base uniquedomainid

Example of what the ldapsearch returns when the uniquedomainid is populated:
dn: cn=DSFW-S1,ou=Domain Controllers,dc=dsfw,dc=int
uniquedomainid: 1049076

Once the uniquedomainid has been populated on the dc object, restart the DSfW services
xadcntrl reload

The Kerberos service should now be running. If not, gather /var/log/messages, /var/opt/novell/xad/log/kdc.log and an ndstrace with +time, +tags, +ldap and +nmas, and troubleshoot any errors listed in the trace and log files.

After successfully restarting the services, samify the partition(s) using the domaincntrl --samify command. The domaincntrl tool requires a Kerberos ticket. To get a Kerberos ticket, run:
kinit administrator

If the following error is returned while running kinit administrator:
"server not found in kerberos database while getting initial credentials"
then the krbtgt object is missing the uniquedomainid as well.
Create an LDIF file for the krbtgt object and run ldapmodify.

Example of the contents of a ldif file for a domain named DSFW.INT:

dn: cn=krbtgt,cn=Users,dc=dsfw,dc=int
changetype: modify
add: uniquedomainid
uniquedomainid: 1049076

Once the uniquedomainid attribute is populated on the krbtgt object the kinit command should work and all the objects in the domain can now be samified using the domaincntrl --samify command.

If Kerberos still fails to start, check that the mapped domain container also has the uniquedomainid.
Check /etc/opt/novell/xad/xad.ini if unsure where the domain is mapped.
Example:
grep "Mapped Domain" /etc/opt/novell/xad/xad.ini
returns:
The Mapped Domain NC = o=novell

Make an LDIF file to add the uniquedomainid to the Mapped Domain container as well. In this example the file is named /tmp/mappedDomain.ldif:

dn: o=novell
changetype: modify
add: uniquedomainid
uniquedomainid: 1049076

Then run ldapmodify using the EXTERNAL (IPC) SASL method.
If LDAPCONF is exported, run /usr/bin/ldapmodify -Y EXTERNAL -f /tmp/mappedDomain.ldif; otherwise run:
LDAPCONF=/etc/opt/novell/xad/openldap/ldap.conf /usr/bin/ldapmodify -Y EXTERNAL -f /tmp/mappedDomain.ldif
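The check-and-repair procedure above (query each object with ldapsearch, treat a DN-only answer as a missing attribute, generate the LDIF, apply it with ldapmodify) is collected below into one script. This is an added example, not code from the TID or from Novell. It assumes the OpenLDAP client tools are in PATH, that it runs as root on the DSfW server (the EXTERNAL method authenticates over IPC), and it uses the article's example values (DSFW-S1, dc=dsfw,dc=int, o=novell, 1049076) as constructed defaults; the DSFW_LIVE_CHECK and DSFW_APPLY variables are names chosen for this example. Without DSFW_LIVE_CHECK=1 nothing touches the directory; without DSFW_APPLY=1 it only prints the LDIF it would apply.

```shell
#!/bin/sh
# Added example: check the dc, krbtgt and mapped-domain objects for uniquedomainid
# and generate/apply the LDIF fix from the article. Not part of the original TID.

LDAPCONF=/etc/opt/novell/xad/openldap/ldap.conf   # path from the article
export LDAPCONF

# Constructed example values (from the article's examples); change for your domain.
DOMAIN_DN="dc=dsfw,dc=int"
DC_NAME="DSFW-S1"
MAPPED_DOMAIN_DN="o=novell"          # value of "The Mapped Domain NC" in xad.ini
FRD_UNIQUEDOMAINID=1049076           # value for the first domain in the tree

# Classify ldapsearch -LLL -s base output read from stdin:
#   notfound  no "dn:" line at all (object missing or wrong DN)
#   missing   dn returned but no uniquedomainid (the failure the article describes)
#   present   uniquedomainid attribute returned
classify_search_output() {
    out=$(cat)
    if ! printf '%s\n' "$out" | grep -iq '^dn:'; then
        echo notfound
    elif printf '%s\n' "$out" | grep -iq '^uniquedomainid:'; then
        echo present
    else
        echo missing
    fi
}

# Emit the LDIF modify record the article uses. $1 = DN, $2 = uniquedomainid value.
make_uniquedomainid_ldif() {
    printf 'dn: %s\nchangetype: modify\nadd: uniquedomainid\nuniquedomainid: %s\n' "$1" "$2"
}

# Live query of one object (requires root on the DSfW server). $1 = DN.
check_object() {
    ldapsearch -Y EXTERNAL -LLL -Q -b "$1" -s base uniquedomainid 2>/dev/null \
        | classify_search_output
}

# Write the LDIF to a temp file and apply it with ldapmodify. $1 = DN, $2 = value.
fix_object() {
    f=$(mktemp /tmp/uniquedomainid.XXXXXX) || return 1
    make_uniquedomainid_ldif "$1" "$2" > "$f"
    ldapmodify -Y EXTERNAL -f "$f"
    rc=$?
    rm -f "$f"
    return $rc
}

# Only the live part is guarded; the helpers above are safe to source anywhere.
if [ "${DSFW_LIVE_CHECK:-0}" = 1 ]; then
    for dn in "cn=$DC_NAME,ou=Domain Controllers,$DOMAIN_DN" \
              "cn=krbtgt,cn=Users,$DOMAIN_DN" \
              "$MAPPED_DOMAIN_DN"; do
        case "$(check_object "$dn")" in
            present)
                echo "ok       $dn" ;;
            missing)
                echo "MISSING  $dn"
                if [ "${DSFW_APPLY:-0}" = 1 ]; then
                    fix_object "$dn" "$FRD_UNIQUEDOMAINID"
                else
                    echo "would apply:"; make_uniquedomainid_ldif "$dn" "$FRD_UNIQUEDOMAINID"
                fi ;;
            notfound)
                echo "NOTFOUND $dn (check the DN or the mapped container in xad.ini)" ;;
        esac
    done
fi
```

Run it as DSFW_LIVE_CHECK=1 sh check_uniquedomainid.sh to report, and add DSFW_APPLY=1 to apply the LDIF to every object reported as MISSING; after that, continue with xadcntrl reload and domaincntrl --samify as the article describes.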

Additional Information

If this is a name-mapped install of DSfW (installed into an existing tree), the container where the domain is mapped can be used instead of the domain name. For example, if the domain dc=dsfw,dc=int is mapped to a container o=dsfw, the container can be substituted for dc=dsfw,dc=int in the ldapsearch and in the LDIF file.

With the November maintenance patch, an OES2SP3 DSfW server no longer uses ancestorID to determine whether an object is located within the domain. UniqueDomainID is the attribute used in all cases.