DSFW install fails in "Set Credentials for Accounts"

  • 7004954
  • 01-Dec-2009
  • 09-May-2013

Environment

Novell Open Enterprise Server 11.1 (OES 11 SP1)
Novell Open Enterprise Server 2 SP2 (OES 2SP2)
Domain Services for Windows 
DSFW 

Situation

Installing DSFW fails during the "Set Credentials for Accounts" step of the provisioning wizard.

The domain controller account's password cannot be set because the connection to eDirectory times out before the password is written.

The /var/opt/novell/xad/log/provision.log shows the following:

>>>Setting krbtgt password
Changing password for krbtgt...
Bootstrapping machine
>>>Setting machine password and configuring Kerberos keytab
Changing password for DC1$...
Failed to connect to local domain controller: Timed out
chgrp: cannot access `/var/opt/novell/xad/ds/krb5kdc/krb5.keytab': No such file or directory
>>>Setting Administrator password
Changing password for Administrator...

2009-11-15 12:27:15 Post-check to set default password Passed
2009-11-15 12:27:15,938 INFO - Set Default Passwords for Accounts:Set Default Passwords for Accounts returned.

Resolution

The timeout is under investigation by development.
The workaround is to manually set the domain controller account's password, create the keytab file with the correct group and permissions, and create the symbolic link to it in the /etc folder.

Below is an example of setting the password for a domain controller named DC1, changing the permissions, changing the group, and creating a symbolic link to the krb5.keytab in the /etc folder.

$ /opt/novell/xad/sbin/setpassword -DNOSf -r -k /var/opt/novell/xad/ds/krb5kdc/krb5.keytab -u DC1$
$ chmod 640 /var/opt/novell/xad/ds/krb5kdc/krb5.keytab
$ chgrp named /var/opt/novell/xad/ds/krb5kdc/krb5.keytab
$ ln -sf /var/opt/novell/xad/ds/krb5kdc/krb5.keytab /etc
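As an added check that is not part of this TID, the following shell function verifies the state the four commands above should leave behind: the keytab exists, is mode 640, belongs to the expected group, and /etc/krb5.keytab is a symlink to it. The paths default to the ones used in this TID and the group defaults to named; all three can be overridden, and it assumes GNU stat as shipped with SLES.

```shell
#!/bin/sh
# Added verification helper (not part of the TID). Checks the state the
# workaround should leave behind: keytab present, mode 640, owned by the
# expected group, and the /etc symlink pointing at it. Uses GNU stat (SLES).
#
# usage: check_keytab [KEYTAB] [LINK] [GROUP]
#   defaults are the TID's paths and the 'named' group
check_keytab() {
    keytab=${1:-/var/opt/novell/xad/ds/krb5kdc/krb5.keytab}
    link=${2:-/etc/krb5.keytab}
    want_group=${3:-named}
    rc=0

    # setpassword -k must have written the keytab; without it the KDC and
    # the "Enable Kerberos" step have nothing to work with
    if [ ! -f "$keytab" ]; then
        echo "FAIL: $keytab missing (setpassword -k did not create it)"
        return 1
    fi

    # 640: the keytab holds the DC's Kerberos keys, so nothing beyond the
    # owner and the named group may read it
    mode=$(stat -c %a "$keytab")
    if [ "$mode" != "640" ]; then
        echo "FAIL: $keytab mode is $mode, expected 640 (chmod 640)"
        rc=1
    fi

    group=$(stat -c %G "$keytab")
    if [ "$group" != "$want_group" ]; then
        echo "FAIL: $keytab group is $group, expected $want_group (chgrp $want_group)"
        rc=1
    fi

    # ln -sf <keytab> /etc should leave a symlink that resolves to the keytab
    if [ ! -L "$link" ] || [ "$(readlink "$link")" != "$keytab" ]; then
        echo "FAIL: $link is not a symlink to $keytab (ln -sf $keytab /etc)"
        rc=1
    fi

    if [ "$rc" -eq 0 ]; then
        echo "OK: $keytab is mode 640, group $want_group, linked from $link"
    fi
    return "$rc"
}
```

Run it as root on the domain controller after the four commands; any FAIL line names the command from the workaround that still needs to be repeated.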

Additional Information

Once the password is set and the keytab is created, the "Set Credentials for Accounts" step can be skipped if it returns an error, and the "Enable Kerberos" section of the provisioning wizard can be run.

A new parameter, -E, has been added to setpassword to allow creation of mixed case principal names in the keytab.
You will need to be at the current code level to have this option. To verify that it is available, run 'setpassword --help', which lists all available parameters.
 
Create a new keytab with the following command. Substitute your server name in the -u parameter and your mixed case server name(s) in the -E parameter. Be sure to include the $ at the end of the -u server name.

setpassword -NDSOf -r -E DomainServer -k /var/opt/novell/xad/ds/krb5kdc/krb5.keytab -u DOMAINSERVER$
 
Example setting multiple mixed case names:

setpassword -NDSOf -r -E DomainServer,domainSERVER,DOMAINserver -k /var/opt/novell/xad/ds/krb5kdc/krb5.keytab -u DOMAINSERVER$