Problem:
adclient is in "disconnected mode" and the following warning is shown:
- Machine account password changed, reset machine account
The following entries are also seen in centrifydc.log:
Oct 6 11:43:52 myhost adclient[3600]: INFO <bg:ageBindings> base.bind.healing Lost connection to dc02. Running in disconnected mode: KDC refused skey: Preauthentication failed
Oct 6 11:43:52 myhost adclient[3600]: INFO <bg:ageBindings> base.bind.healing Lost connection to dc02 (GC). Running in disconnected mode: KDC refused skey: Preauthentication failed
Oct 6 11:43:52 myhost adclient[3600]: ERROR <bg:ageBindings> base.adagent Can't use default machine password. Please reset computer account in Active Directory
Cause:
There are several reasons why adclient can go into disconnected mode.
In this particular example, either the computer password expired and was not renewed, or the password could have gone out of sync because of replication delays.
Solution:
The computer account can be reset either with ADUC or with the adkeytab command on the client side:
Using ADUC:
In ADUC, right-click the Computer object and select "Reset Account".
On the Unix/Linux client, restart the Centrify DirectControl service.
e.g.
/etc/init.d/centrifydc restart
Or reset the computer object directly on the Unix/Linux client:
adkeytab -r -u <AD user with reset computer privilege>
e.g.
adkeytab -r -u administrator@domain
Notes:
- If the machine is in disconnected mode and the above log messages do not appear, then the correct procedure is to run a debug and contact Centrify Support.
- Machine password renewal can be turned off (for testing purposes only) in /etc/centrifydc/centrifydc.conf by making the following change and running adreload.
- adclient.krb5.password.change.interval: 0
- (Default is 28 days)
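
Example (added here, not Centrify's own tooling): a shell function that checks centrifydc.log entries for the signature quoted under Problem and tells apart the case where the reset procedure applies from the case the first note sends to Support. The function name, the output labels and the sample lines are assumptions made for this example.

```sh
#!/bin/sh
# Added example: classify adclient entries from centrifydc.log.
# Output labels are hypothetical names chosen for this example:
#   reset-machine-account  the signature from this article is present
#   collect-debug          disconnected mode, but the signature is absent
#   no-match               no disconnected-mode entries at all
classify_disconnect() {
    # Reads the named file(s), or stdin when no file is given.
    awk '
        / adclient\[/ && /Running in disconnected mode/ { disc = 1 }
        / adclient\[/ && /KDC refused skey: Preauthentication failed/ { preauth = 1 }
        / adclient\[/ && /Can.t use default machine password/ { pwerr = 1 }
        END {
            if (preauth && pwerr) print "reset-machine-account"
            else if (disc)        print "collect-debug"
            else                  print "no-match"
        }
    ' "$@"
}

# Constructed sample: two of the entries quoted in the Problem section.
sample_reset_case() {
    cat <<'EOF'
Oct 6 11:43:52 myhost adclient[3600]: INFO <bg:ageBindings> base.bind.healing Lost connection to dc02. Running in disconnected mode: KDC refused skey: Preauthentication failed
Oct 6 11:43:52 myhost adclient[3600]: ERROR <bg:ageBindings> base.adagent Can't use default machine password. Please reset computer account in Active Directory
EOF
}

# Constructed sample: disconnected mode with a placeholder reason,
# i.e. the situation the first note refers to Support.
sample_other_case() {
    cat <<'EOF'
Oct 6 11:43:52 myhost adclient[3600]: INFO <bg:ageBindings> base.bind.healing Lost connection to dc02. Running in disconnected mode: (constructed placeholder reason)
EOF
}

sample_reset_case | classify_disconnect
sample_other_case | classify_disconnect
```

To check a real host, pass the path of centrifydc.log as the argument to classify_disconnect.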