KB-1425: adclient goes into "disconnected mode"

Centrify DirectControl, Centrify Identity Service, Mac Edition

25 April,16 at 04:40 PM

Applies to: All versions of Centrify DirectControl.

Problem:

adclient is in "disconnected mode" and the following warning is shown:
  • Machine account password changed, reset machine account

The following entries are also seen in centrifydc.log:
 
Oct 6 11:43:52 myhost adclient[3600]: INFO <bg:ageBindings> base.bind.healing Lost connection to dc02. Running in disconnected mode: KDC refused skey: Preauthentication failed
Oct 6 11:43:52 myhost adclient[3600]: INFO <bg:ageBindings> base.bind.healing Lost connection to dc02 (GC). Running in disconnected mode: KDC refused skey: Preauthentication failed
Oct 6 11:43:52 myhost adclient[3600]: ERROR <bg:ageBindings> base.adagent Can't use default machine password. Please reset computer account in Active Directory


Cause:

There are several reasons why adclient can go into disconnected mode.

In this particular example, either the computer password expired and was not renewed, or the password could have gone out of sync because of replication delays.

See also:


Solution:

The computer account can be reset either from ADUC or with the adkeytab command on the client side:

Using ADUC:

 
In ADUC, right-click the Computer object and select "Reset Account".
From the Centrify server, restart Centrify and run:

# /usr/bin/adinfo -V

On client side:

As root, run the command:

# /usr/sbin/adkeytab -C

or

adkeytab -r

or

run the same command with an account that has sufficient privileges to reset the computer account (set by the Windows Admin to allow the AD user to reset the computer password) or to perform adjoin:

# /usr/sbin/adkeytab -C -u <username>
# /usr/sbin/adkeytab -m -C
 

Notes:
  • If the machine is in disconnected mode and the above log messages do not appear, then the correct procedure is to run a debug and contact Centrify Support.
  • Machine password renewal can be turned off (for testing purposes only) in /etc/centrifydc/centrifydc.conf by making the following change and running adreload.
    • adclient.krb5.password.change.interval: 0
    • (Default is 28 days)
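
An added example, not Centrify code: a shell triage of a centrifydc.log-style file that separates the machine-password signature shown under Problem from other disconnected-mode causes, as the first note above distinguishes them. The function names, and the rule that either the "Preauthentication failed" reason or the "Can't use default machine password" error counts as the signature, are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Centrify code): triage "disconnected mode" entries in a
# centrifydc.log-style file. Function names and the rule below are assumptions.

# Prints one verdict for the log file given as $1:
#   reset-machine-account  the machine-password signature from this article is present
#   collect-debug          disconnected mode is logged, but without that signature
#   no-disconnect-logged   neither kind of entry was found
classify_disconnect() {
    awk '
        /adclient\[[0-9]+\]:/ && /Running in disconnected mode:/ {
            disconnected = 1
            if ($0 ~ /KDC refused skey: Preauthentication failed/) signature = 1
        }
        # "Can.t" matches the apostrophe without ending the quoted awk program.
        /adclient\[[0-9]+\]:/ && /Can.t use default machine password/ { signature = 1 }
        END {
            if (signature)         print "reset-machine-account"
            else if (disconnected) print "collect-debug"
            else                   print "no-disconnect-logged"
        }
    ' "$1"
}

# Prints "count<TAB>reason" for each distinct disconnected-mode reason,
# most frequent first.
disconnect_reasons() {
    awk -F'Running in disconnected mode: ' '
        /adclient\[[0-9]+\]:/ && NF > 1 { count[$2]++ }
        END { for (r in count) printf "%d\t%s\n", count[r], r }
    ' "$1" | sort -rn
}

# Demo on two lines copied from the log excerpt in this article.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Oct 6 11:43:52 myhost adclient[3600]: INFO <bg:ageBindings> base.bind.healing Lost connection to dc02. Running in disconnected mode: KDC refused skey: Preauthentication failed
Oct 6 11:43:52 myhost adclient[3600]: ERROR <bg:ageBindings> base.adagent Can't use default machine password. Please reset computer account in Active Directory
EOF
classify_disconnect "$sample"
disconnect_reasons "$sample"
rm -f "$sample"
```

A collect-debug verdict corresponds to the case in the first note above, where the machine is disconnected but these messages are absent.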
