adclient is in "disconnected mode" and the following warning is shown:
- Machine account password changed, reset machine account
The following entries are also seen in centrifydc.log:
Oct 6 11:43:52 myhost adclient: INFO <bg:ageBindings> base.bind.healing Lost connection to dc02. Running in disconnected mode: KDC refused skey: Preauthentication failed
Oct 6 11:43:52 myhost adclient: INFO <bg:ageBindings> base.bind.healing Lost connection to dc02 (GC). Running in disconnected mode: KDC refused skey: Preauthentication failed
Oct 6 11:43:52 myhost adclient: ERROR <bg:ageBindings> base.adagent Can't use default machine password. Please reset computer account in Active Directory
There are several reasons why adclient can go into disconnected mode.
In this particular example, either the computer account password expired and was not renewed, or replication delays could have left the password out of sync.
The computer account can be reset either in ADUC or with the adkeytab command on the client side:
In ADUC, right-click the Computer object and select "Reset Account".
From Centrify server, restart Centrify and run
On the client side:
As root, run the command with an account that has sufficient privileges to reset the computer account (set by the Windows admin to allow the AD user to reset the computer password) or to perform adjoin:
# /usr/sbin/adkeytab -C -u <username>
# /usr/sbin/adkeytab -m -C
- If the machine is in disconnected mode and the above log messages do not appear, the correct procedure is to run a debug and contact Centrify Support.
- Machine password renewal can be turned off (for testing purposes only) in /etc/centrifydc/centrifydc.conf by making the following change and running adreload:
  adclient.krb5.password.change.interval: 0
  (Default is 28 days)
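A triage helper for the rule above (disconnected mode with this log signature means reset the computer account; disconnected mode without it means run a debug and contact support), as an added example that is not Centrify tooling. The function name, output labels and temporary file are hypothetical; the sample log lines are the ones quoted on this page.

```shell
#!/bin/sh
# Added example: classify why adclient is in disconnected mode from a
# centrifydc.log file. Names and labels here are hypothetical.
#
# classify_disconnect LOGFILE prints one of:
#   machine-password  preauth failure plus the "default machine password"
#                     error: reset the computer account (ADUC or adkeytab)
#   other-cause       disconnected, but not this signature: run a debug
#                     and contact support
#   connected         no disconnected-mode entries in the log
#   unreadable        log file missing or not readable
classify_disconnect() {
    log=$1
    [ -r "$log" ] || { echo "unreadable"; return 0; }
    # "Can.t" matches the apostrophe without breaking the awk quoting.
    awk '
        /Running in disconnected mode/               { disc++ }
        /KDC refused skey: Preauthentication failed/ { preauth++ }
        /Can.t use default machine password/         { badpw++ }
        END {
            if (preauth > 0 && badpw > 0) print "machine-password"
            else if (disc > 0)            print "other-cause"
            else                          print "connected"
        }' "$log"
}

# Sample input: the log entries quoted in this article, written to a
# temporary file so the example runs offline.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Oct 6 11:43:52 myhost adclient: INFO <bg:ageBindings> base.bind.healing Lost connection to dc02. Running in disconnected mode: KDC refused skey: Preauthentication failed
Oct 6 11:43:52 myhost adclient: INFO <bg:ageBindings> base.bind.healing Lost connection to dc02 (GC). Running in disconnected mode: KDC refused skey: Preauthentication failed
Oct 6 11:43:52 myhost adclient: ERROR <bg:ageBindings> base.adagent Can't use default machine password. Please reset computer account in Active Directory
EOF

echo "sample log: $(classify_disconnect "$sample")"
rm -f "$sample"
```

Point the function at the client's centrifydc.log to decide between the account reset described above and a support case.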