12 April,16 at 11:09 AM
Applies to: Centrify DirectControl 4.4.3 and below on all platforms.
Problem:
After joining adclient to a Windows 2008 domain, the adclient mode stays at "starting" and the following entries are recorded in the log:
Nov 9 15:38:15 host adclient[4520]: DEBUG <bg:ageBindings> base.kerberos.adhelpers No preferred enctype is set. Trying centrifydc.conf enctype list
Nov 9 15:38:15 host adclient[4520]: DEBUG <bg:ageBindings> base.adagent Domain Level for '' is not PreW2K8
Nov 9 15:38:15 host adclient[4520]: DEBUG <bg:ageBindings> base.adagent Domain Level for 'domain.com' is not PreW2K8
Nov 9 15:38:15 host adclient[4520]: DEBUG <bg:ageBindings> dns.findkdc KDC locator for DOMAIN.COM
Nov 9 15:38:15 host last message repeated 11 times
Nov 9 15:38:15 d01svr71 adclient[4520]: DEBUG <bg:ageBindings> base.kerberos.adhelpers Encryption (id 1) is not supported by KDC. Try next in the list
Nov 9 15:38:15 host adclient[4520]: DEBUG <bg:ageBindings> base.osutil Module=Kerberos : KDC refused skey: KDC has no support for encryption type (reference base/adhelpers.cpp:216 rc: -1765328370)
Nov 9 15:38:15 host adclient[4520]: DEBUG <bg:ageBindings> base.bind.cache postStart/getInitCreds threw: KDC refused skey: KDC has no support for encryption type
Nov 9 15:38:15 host adclient[4520]: DEBUG <bg:ageBindings> base.bind.healing unexpected disconnect reconnect dc1.domain.com failed: KDC refused skey: KDC has no support for encryption type
Cause:
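This is because Windows 2008 does not support DES. The "Encryption (id 1)" entry in the log is Kerberos encryption type 1, des-cbc-crc, which the KDC refuses.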
Workaround:
1. Log on to the host as root.
2. Edit the file /etc/centrifydc/centrifydc.conf as follows:
adclient.krb5.tkt.encryption.types: aes256-cts aes128-cts arcfour-hmac-md5
adclient.krb5.permitted.encryption.types: aes256-cts aes128-cts arcfour-hmac-md5
3. Remove krb5.ccache & krb5.conf under /etc.
4. Restart adclient
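
The following script is an added example, not Centrify code: it counts the KDC "no support for encryption type" errors in an adclient log and checks that both keys from step 2 are set without a single-DES enctype. The function names and the sample files are constructed for illustration, and it assumes one "key: value" setting per line as shown in step 2.

```shell
#!/bin/sh
# Added example (not Centrify code): triage helpers for the symptom above.

# Count log lines carrying rc -1765328370, the krb5 code KRB5KDC_ERR_ETYPE_NOSUPP
# (krb5 error-table base -1765328384 + 14) that appears in the adclient log.
etype_nosupp_count() {
    grep -c -- 'rc: -1765328370' "$1" || true
}

# Check that both workaround keys are set in a centrifydc.conf and list no
# single-DES enctype (des-*). Prints one line per key; returns 1 on a finding.
check_enctypes() {
    conf=$1
    rc=0
    for key in adclient.krb5.tkt.encryption.types \
               adclient.krb5.permitted.encryption.types; do
        pat=$(printf '%s' "$key" | sed 's/\./\\./g')   # escape dots for sed
        values=$(sed -n "s/^[[:space:]]*${pat}[[:space:]]*:[[:space:]]*//p" "$conf")
        if [ -z "$values" ]; then
            echo "MISSING $key"; rc=1
        elif printf '%s\n' "$values" | grep -Eiq '(^|[[:space:],])des-'; then
            echo "DES     $key: $values"; rc=1
        else
            echo "OK      $key: $values"
        fi
    done
    return "$rc"
}

# Constructed sample inputs so the script runs offline.
demo_dir=$(mktemp -d)
cat > "$demo_dir/bad.conf" <<'EOF'
# adclient.krb5.tkt.encryption.types: aes256-cts
adclient.krb5.permitted.encryption.types: des-cbc-crc des-cbc-md5 arcfour-hmac-md5
EOF
cat > "$demo_dir/good.conf" <<'EOF'
adclient.krb5.tkt.encryption.types: aes256-cts aes128-cts arcfour-hmac-md5
adclient.krb5.permitted.encryption.types: aes256-cts aes128-cts arcfour-hmac-md5
EOF
cat > "$demo_dir/adclient.log" <<'EOF'
Nov 9 15:38:15 host adclient[4520]: DEBUG <bg:ageBindings> base.osutil Module=Kerberos : KDC refused skey: KDC has no support for encryption type (reference base/adhelpers.cpp:216 rc: -1765328370)
Nov 9 15:38:15 host adclient[4520]: DEBUG <bg:ageBindings> dns.findkdc KDC locator for DOMAIN.COM
EOF

echo "ETYPE_NOSUPP lines: $(etype_nosupp_count "$demo_dir/adclient.log")"
check_enctypes "$demo_dir/bad.conf" || true
check_enctypes "$demo_dir/good.conf"
```

On a real host, point `check_enctypes` at /etc/centrifydc/centrifydc.conf after step 2 and before restarting adclient.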
Resolution:
This is fixed in Centrify DirectControl 4.4.4 and above.