KB-2067: adinfo "joined as" does not update after dns suffix changes

Centrify DirectControl

12 April,16 at 11:47 AM

Applies to:
 
All versions of Centrify DirectControl.
 
Question:
 
After changing the DNS suffix on a Centrify-managed server, adinfo still shows the old DNS suffix
in its output. Rebooting the server does not help, although logins continue to work. Will this
affect Kerberos or NTLM authentication?
 
Additional information:
 
In the example below, the local host name is "rhls64", joined to the AD domain abc.com with a DNS suffix of xyz.com.
 
Prior to DNS change:
 
Local host name:   rhls64
Joined to domain:  abc.com
Joined as:         rhls64.xyz.com
Pre-win2K name:    rhls64
Current DC:        stordc2.abc.com
Preferred site:    California
Zone:              abc.com/EngUnix/zones/design
CentrifyDC mode:   connected
Licensed Features: Enabled
 
Note: "Joined as" shows the .xyz.com suffix, but the domain this system was joined to is
abc.com.
 
After converting this system's FQDN from xyz.com to abc.com by updating /etc/resolv.conf,
/etc/hosts and /etc/sysconfig/network (Red Hat) and rebooting, the system continues to work,
but adinfo still shows the old name:
 
"Joined as:      rhls64.xyz.com" 
 
What is the reason for this?
 
Answer:
 
It will affect Kerberos at some point, so it is good to fix it.
 
adinfo obtains these names from the following sources:

a) The local host name comes from the gethostname() function.

b) The "Joined as" name comes from /var/centrifydc/kset.host on the Centrify UNIX server.
 
Note: The kset.host file is used for bootstrapping adclient. The name is used to construct the
SPN (Service Principal Name) for the host wherever it is needed, such as verifying a user login
(by trying to get a ticket for that service), the SPN for S4U2Self, and a number of other operations.
 
The short host name should not be changed under any circumstances; only the DNS suffix can be
changed. Customers should also be aware of the dNSHostName attribute, which has to be changed in
AD using Microsoft's ADSI Edit.
 
The easiest way is to do an adleave and then adjoin again. If that is not possible, the user should make sure both sets of names exist in the computer object's SPNs and in the keytab file.
 
Please follow these steps (if leave and join is not possible):
 
In the example below, the system was joined with the name suffix "abc.net" and its DNS suffix
was then changed to "iltest.net".
 
[root@rhls64 ~]# adinfo
Local host name:   rhls64
Joined to domain:  abc.net
Joined as:         rhls64.abc.net
Pre-win2K name:    rhls64
Current DC:        dc2.abc.net
Preferred site:    Default-First-Site-Name
Zone:              abc.net/Program Data/Centrify/Zones/Linux
Last password set: 2011-07-26 05:57:56 PDT
CentrifyDC mode:   connected
Licensed Features: Enabled
 
1) Running the adinfo -C command (as root) displays the current SPNs for this server.
 
The -C or --computer option displays the service principal names (SPNs) associated with the
computer account.

[root@rhls64 ~]# adinfo -C
 
Computer Account Diagnostics
  Joined as: rhls64
  Key Version: 2
  Service Principal Names: nfs/rhls64.abc.net
                           nfs/rhls64
                           http/rhls64.abc.net
                           http/rhls64
                           host/rhls64.abc.net
                           host/rhls64
                           ftp/rhls64.abc.net
                           ftp/rhls64
                           cifs/rhls64.abc.net
                           cifs/rhls64
 
2) Run the adkeytab command (as root) to add the correct SPN. In this case, "iltest.net" is the 
new DNS suffix.
 
[root@rhls64 ~]# /usr/sbin/adkeytab -a -P host/rhls64.iltest.net
Administrator@ILTEST.NET's password:
Success: Add SPNs: Default Key Tab
 
Here -a adds a service principal to an existing account in Active Directory and generates
the appropriate keys for the new service principal in the account's keytab file. If you don't
specify an account name, the adkeytab command adds the service principal to the computer
account in the currently joined domain.

-P or --principal principal specifies the service principal to add to the specified key table.
You must specify at least one service principal. To specify multiple service principals, use
this option multiple times. For the principal argument, type the service type of the service
principal you want to add. You can specify the principal by:
          - Service type alone (http)
          - Service type and the host name or alias (http/firefly)
          - Service type and the fully-qualified domain name (http/firefly.arcade.com)

If you use the service type alone, the adkeytab command generates the full principal name by
expanding the short name to include the account name of this computer, creating a
fully-qualified domain name (FQDN) for the service principal account.
 
3) Locate this computer object in AD and modify the dNSHostName and service connection point
using Microsoft's ADSI Edit. Navigate to the container/OU the server is joined to. You should see an attribute called dNSHostName; change it to rhls64.iltest.net. Also change the SCP (service connection point) in the zone's computer container to match the dNSHostName.
 
4) Change /var/centrifydc/kset.host file as follows:
 
[root@rhls64 ~]# echo -n "rhls64.iltest.net" > /var/centrifydc/kset.host
 
5) If you run adinfo now, it shows the correct information.
 
[root@rhls64 ~]# adinfo
Local host name:   rhls64
Joined to domain:  iltest.net
Joined as:         rhls64.iltest.net
Pre-win2K name:    rhls64
Current DC:        dc2.iltest.net
Preferred site:    Default-First-Site-Name
Zone:              iltest.net/Program Data/Centrify/Zones/Linux
Last password set: 2011-07-26 05:57:56 PDT
CentrifyDC mode:   connected
Licensed Features: Enabled
 
6) At this point, if an attempt is made to log in to this system, the login fails with the message below in the logs.
 
Jul 26 06:00:32 rhls64 adclient[19146]: WARN  <fd:24 PAMVerifyPassword>
base.aduser Can't find service host/rhls64.abc.net.  Run adinfo --diag to check
for multiple computer accounts with the same SPN. Check that the local
computer's Active Directory object's servicePrincipalName value has not been
deleted.  Check for replication errors.
Jul 26 06:00:32 rhls64 adclient[19146]: DEBUG <fd:24 PAMVerifyPassword>
base.osutil Module=Kerberos : while getting service credentials: Server not
found in Kerberos database (reference base/aduser.cpp:1217 rc: -1765328377)
 
7) Now restart Centrify from /etc/init.d; logins and adinfo should then work fine.
 
 
Note: You can use the ldapmodify command to modify the dNSHostName entry.
See link http://www.ghacks.net/2010/09/03/modify-ldap-entries-with-the-ldapmodify-command/ (this link was provided as a courtesy only. Centrify will not take any responsibility for the content or the availability of the same)

Customers can generate this file with some scripting, like:

dn: <DN of the computer object, which can be obtained from adquery user -D computerobject
    (some extra text processing is needed to change capital letters into lower case)>
changetype: modify
replace: dNSHostName
dNSHostName: <fqdn>

See the example below:

[root@rhls64 ~]# /usr/share/centrifydc/bin/ldapmodify -m -f /tmp/ldap.test
SASL/GSSAPI authentication started
SASL SSF: 56
SASL installing layers
modifying entry "cn=rhls64,cn=computers,dc=iltest,dc=net"

[root@rhls64 ~]# cat /tmp/ldap.test
dn: cn=rhls64,cn=computers,dc=iltest,dc=net
changetype: modify
replace: dNSHostName
dNSHostName: rhls64.iltest.net
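As an added check for the advice above that both sets of names must exist in the computer object's SPNs, and for the scripted LDIF in this note (example script written for this article, not part of it and not a Centrify tool): it parses a constructed adinfo -C listing, reports the service/new-FQDN principals that still have to be added with adkeytab -a -P, and prints the dNSHostName LDIF. The sample SPN list and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Centrify's own tooling. It takes the SPN list that
# "adinfo -C" prints, reports every service/OLD_FQDN principal that has no
# service/NEW_FQDN counterpart yet (each one is an "adkeytab -a -P" still
# to run), and emits the LDIF used with ldapmodify to update dNSHostName.

# Constructed sample of "adinfo -C" output, modelled on the article's host
# (cifs/ already has its new-suffix SPN, so it must not be reported).
ADINFO_C='Computer Account Diagnostics
  Joined as: rhls64
  Key Version: 2
  Service Principal Names: nfs/rhls64.abc.net
                           nfs/rhls64
                           http/rhls64.abc.net
                           http/rhls64
                           host/rhls64.abc.net
                           host/rhls64
                           cifs/rhls64.abc.net
                           cifs/rhls64
                           cifs/rhls64.iltest.net'

# missing_spns OLD_FQDN NEW_FQDN   (reads "adinfo -C" output on stdin)
# Prints one "service/NEW_FQDN" line per service still lacking the new name.
missing_spns() {
    old=$1; new=$2
    # keep only the service/host tokens; short names and headers have no "/"
    spns=$(sed -n 's/^.*[[:space:]]\([A-Za-z0-9_-]*\/[A-Za-z0-9._-]*\)[[:space:]]*$/\1/p')
    for spn in $spns; do
        case $spn in
            */"$old")
                svc=${spn%%/*}
                # report it unless the same service is already registered under the new FQDN
                printf '%s\n' "$spns" | grep -qx "$svc/$new" ||
                    printf '%s\n' "$svc/$new"
                ;;
        esac
    done
}

# dnshostname_ldif DN NEW_FQDN
# Prints the LDIF the article feeds to "ldapmodify -m -f".
dnshostname_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: dNSHostName\ndNSHostName: %s\n' "$1" "$2"
}

# Demonstration run on the sample above: each reported SPN is one
# "/usr/sbin/adkeytab -a -P <spn>" still needed (step 2 of the article).
printf '%s\n' "$ADINFO_C" | missing_spns rhls64.abc.net rhls64.iltest.net |
    sed 's|^|adkeytab -a -P |'
dnshostname_ldif 'cn=rhls64,cn=computers,dc=iltest,dc=net' rhls64.iltest.net
```

Feed the real adinfo -C output on stdin instead of the sample to get the list for an actual host; an empty result means every old-suffix SPN already has its new-suffix twin.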

 
