KB-1425: adclient goes into "disconnected mode"

Authentication Service, Mac & PC Management Service

25 November,19 at 11:04 PM

Problem:

adclient is in "disconnected mode" and the following warning is shown:
  • Machine account password changed, reset machine account

The following entries are also seen in centrifydc.log:
 
Oct 6 11:43:52 myhost adclient[3600]: INFO <bg:ageBindings> base.bind.healing Lost connection to dc02. Running in disconnected mode: KDC refused skey: Preauthentication failed
Oct 6 11:43:52 myhost adclient[3600]: INFO <bg:ageBindings> base.bind.healing Lost connection to dc02 (GC). Running in disconnected mode: KDC refused skey: Preauthentication failed
Oct 6 11:43:52 myhost adclient[3600]: ERROR <bg:ageBindings> base.adagent Can't use default machine password. Please reset computer account in Active Directory


Cause:

There are several reasons why adclient can go into disconnected mode.

In this particular example, either the computer password expired and was not renewed, or replication delays may have left the password out of sync.

Solution:

The computer account can be reset either from ADUC or with the adkeytab command on the client side.

Using ADUC:

In ADUC, right-click the Computer object and select "Reset Account".
On the Unix/Linux client, restart the Centrify DirectControl service, e.g.
/etc/init.d/centrifydc restart

Or reset the computer object directly on the Unix/Linux client:
adkeytab -r -u <AD user with reset computer privilege>

e.g.
adkeytab -r -u administrator@domain


Notes:
  • If the machine is in disconnected mode and the above log messages do not appear, then the correct procedure is to run a debug and contact Centrify Support.
  • Machine password renewal can be turned off (for testing purposes only) in /etc/centrifydc/centrifydc.conf by making the following change and running adreload.
    • adclient.krb5.password.change.interval: 0
    • (Default is 28 days)
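
A triage sketch for the two checks this article implies: whether a log excerpt shows the machine-password signature quoted under "Problem", and whether the testing-only renewal setting from the Notes was left in the conf file. This is an added example, not Centrify tooling; the function names and result strings are hypothetical, and the sample input is constructed from the log lines above.

```shell
#!/bin/sh
# Added example; function names and result strings are hypothetical.

# classify_disconnect LOGFILE
# Scans the given log (or an excerpt of it) and prints one of:
#   reset-machine-account  disconnected, with the machine-password signature
#   collect-debug          disconnected, signature absent
#   no-disconnect-logged   no disconnected-mode entry at all
classify_disconnect() {
    awk '
        /Running in disconnected mode/               { disc = 1 }
        /KDC refused skey: Preauthentication failed/ { preauth = 1 }
        /Can.t use default machine password/         { badpw = 1 }
        END {
            if (!disc)                 print "no-disconnect-logged"
            else if (preauth || badpw) print "reset-machine-account"
            else                       print "collect-debug"
        }' "$1"
}

# renewal_disabled CONFFILE
# Exit status 0 when an uncommented line sets the renewal interval to 0,
# i.e. the testing-only setting was left in place.
renewal_disabled() {
    grep -Eq '^[[:space:]]*adclient\.krb5\.password\.change\.interval[[:space:]]*:[[:space:]]*0[[:space:]]*$' "$1"
}

# Demo on constructed input (log lines copied from the article, conf line constructed).
demo_dir=$(mktemp -d)
cat > "$demo_dir/centrifydc.log" <<'EOF'
Oct 6 11:43:52 myhost adclient[3600]: INFO <bg:ageBindings> base.bind.healing Lost connection to dc02. Running in disconnected mode: KDC refused skey: Preauthentication failed
Oct 6 11:43:52 myhost adclient[3600]: ERROR <bg:ageBindings> base.adagent Can't use default machine password. Please reset computer account in Active Directory
EOF
printf '%s\n' 'adclient.krb5.password.change.interval: 0' > "$demo_dir/centrifydc.conf"

echo "log verdict: $(classify_disconnect "$demo_dir/centrifydc.log")"
if renewal_disabled "$demo_dir/centrifydc.conf"; then
    echo "warning: machine password renewal is disabled in the conf file"
fi
rm -rf "$demo_dir"
```

The classifier reads the whole file it is given, so pass it a recent excerpt of centrifydc.log rather than the full history if older disconnects should not count.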
