KB-1804: dad failed to establish GSS/Kerberos context

Centrify DirectAudit, Centrify DirectControl, Centrify Identity Service, Mac Edition

12 April,16 at 11:02 AM

Applies to: All versions of Centrify DirectAudit
 
Problem:
dainfo --diag shows that dad is offline, with the error message: Failed to establish GSS/Kerberos context
 
dainfo --diag
Establishing connection with dad: Success
Getting dad's online status: Offline
Getting dad's current collector:
Getting dad's offline db size: 0.00 Bytes
Getting offline database information:
Size on disk: 16.00 KB
Database filesystem usage: 3.69 GB used, 8.50 GB total, 4.80 GB free
Machine is Joined to test.net
Pinging adclient: Available
Zone is enabled for auditing
Located collector information from test.net/Program Data/Centrify/Zones/test:
CDA001$@TEST.NET:CDA001.test.net:4444
Attempting to connect to collectors:
Host: CDA001.test.net Port: 4444 - Error: Failed to establish GSS/Kerberos context
Direct Audit is NOT enabled on the following:
/sbin/sh
/usr/bin/csh
/usr/bin/keysh
/usr/bin/ksh
/usr/bin/rksh
/usr/bin/rsh
/usr/bin/sh
 
Cause:
Kerberos authentication is not possible for services without properly set Service Principal Names (SPNs). An SPN is registered in Active Directory on a user account, in an attribute called Service-Principal-Name. In other words, running the DirectAudit Collector service under an improper account will cause this issue.
 
Solution:
You can identify the logon account for the DirectAudit Collector service with the following steps.
  1. Go to Administrative Tools -> Services.
  2. Find “Centrify DirectAudit Collector”, right-click it and select Properties.
  3. Go to the Log On tab; you should see the logon account name.
If it is set to use “Local System Account”, it should be fine. Please contact Centrify support for further investigation.

If it is configured to use a service account or an AD user account, please check that the account is valid and that its password does not expire.
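
The same checks can be scripted in PowerShell on the collector host. This is an added example, not Centrify tooling; it assumes the service display name shown in step 2, the RSAT ActiveDirectory module for Get-ADUser, and that a domain logon account is an ordinary AD user (not a gMSA).

```powershell
# Added example (not Centrify tooling). Run on the collector host.
# Assumption: the service display name matches the one shown in the Services console.
$displayName = 'Centrify DirectAudit Collector'

$svc = Get-CimInstance -ClassName Win32_Service -Filter "DisplayName = '$displayName'"
if (-not $svc) { throw "Service '$displayName' not found on this host." }

$logon = $svc.StartName
Write-Output "Service '$($svc.Name)' is $($svc.State); logon account: $logon"

if ($logon -match '^(LocalSystem|NT AUTHORITY\\(SYSTEM|NetworkService))$') {
    # These built-in accounts authenticate on the network as the computer account,
    # so the SPNs that matter are the ones registered on that account.
    Write-Output "Built-in account in use. SPNs on the computer account:"
    setspn -L $env:COMPUTERNAME
}
elseif ($logon -like '.\*' -or $logon -like '*\LocalService') {
    Write-Warning "Local (non-domain) identity: it has no AD account to hold an SPN."
}
else {
    # Assumption: an ordinary AD user account; needs the RSAT ActiveDirectory module.
    Import-Module ActiveDirectory -ErrorAction Stop
    $sam = if ($logon -match '\\') { $logon.Split('\')[1] } else { $logon.Split('@')[0] }
    $u = Get-ADUser -Identity $sam -Properties Enabled, LockedOut, PasswordExpired,
            PasswordNeverExpires, PasswordLastSet, ServicePrincipalNames

    $u | Format-List SamAccountName, Enabled, LockedOut, PasswordExpired,
            PasswordNeverExpires, PasswordLastSet

    if (-not $u.Enabled)    { Write-Warning "Account is disabled." }
    if ($u.LockedOut)       { Write-Warning "Account is locked out." }
    if ($u.PasswordExpired) { Write-Warning "Password has expired." }
    if (-not $u.PasswordNeverExpires) {
        Write-Warning "Password is subject to expiry; the service cannot log on once it lapses."
    }

    Write-Output "SPNs registered on $($u.SamAccountName):"
    if ($u.ServicePrincipalNames.Count -eq 0) { Write-Warning "No SPNs registered on this account." }
    else { $u.ServicePrincipalNames }
}
```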
 
 
