KB-2948: adjoin --selfserve fails in RODC environment

Authentication Service

12 April 2016 at 11:13 AM

Applies to: DirectManage Access Manager/Console earlier than 2013/5.1

Joining through an RODC (Read-Only Domain Controller) fails even though the computer object was successfully pre-created with DirectManage Access Manager/Console. The following command was used for the join (the # is the root prompt):

# /usr/share/centrifydc/libexec/adjoin -V -u username -z "Zone name" -s DomainController Domain
To join through an RODC:
1)  In DirectManage Access Manager/Console, pre-create the Unix computer object on an RWDC (Read-Write Domain Controller) and flag it to allow self-serve join.
2)  On the Unix server, run the join with -S (--selfserve).
If the join succeeds but adclient stays in "starting" mode:
CentrifyDC mode:   starting
the cause is that /etc/krb5/krb5.keytab was not generated. Verify this with # klist -kt on the Unix server; it returns no keytab entries.
The root cause is a known issue in the DirectManage 5.0.2 console: when it pre-creates a computer object it does not populate the servicePrincipalName (SPN) attribute. Inspecting the computer object with Microsoft's ADSI Edit confirms that no SPNs were created. The keytab entries correspond to the SPNs on the computer object, so an empty SPN list leaves the keytab empty and adclient cannot finish starting.
This is fixed in the Suite 2013/5.1.0 console. Clean up everything related to the failed join in AD (the pre-created computer object in particular), upgrade to Centrify Suite 2013, then repeat the pre-create and the self-serve join.
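The three checks described above (adclient stuck in "starting", an empty keytab from klist -kt, and a computer object with no servicePrincipalName values) can be scripted on the Unix side before anything is cleaned up in AD. The script below is an added example and not Centrify's own code or tooling. It assumes adinfo, klist and ldapsearch are on PATH; the host name unix01, the domain corp.example.com and the RWDC rwdc01 are placeholders. The functions parse captured command output, so the constructed sample text embedded here lets it run offline.

```shell
#!/bin/sh
# Added diagnostic helper for the RODC self-serve join problem (example code,
# not Centrify's). Host/domain names below are placeholders.

# Echo the value of the "CentrifyDC mode:" line from `adinfo` output.
adclient_mode() {
  printf '%s\n' "$1" | sed -n 's/^CentrifyDC mode:[[:space:]]*//p'
}

# Succeed (exit 0) if `klist -kt` output lists at least one host/ principal.
keytab_has_host_spn() {
  printf '%s\n' "$1" | grep -q ' host/'
}

# Count servicePrincipalName values in an LDIF dump of the computer object.
# Real command (simple bind against the RWDC, assumed placeholders):
#   ldapsearch -x -LLL -H ldap://rwdc01.corp.example.com \
#     -D 'user@corp.example.com' -W -b 'DC=corp,DC=example,DC=com' \
#     '(cn=unix01)' servicePrincipalName
spn_count() {
  printf '%s\n' "$1" | grep -c '^servicePrincipalName:'
}

# Combine the three observations. Exit status:
#   2 = keytab empty and SPN list empty (the console bug described above)
#   1 = keytab empty but SPNs present (some other problem)
#   0 = keytab populated or adclient not stuck
diagnose() {
  mode=$(adclient_mode "$1")
  if [ "$mode" = "starting" ] && ! keytab_has_host_spn "$2"; then
    if [ "$(spn_count "$3")" -eq 0 ]; then
      echo "adclient starting, keytab empty, no SPNs on computer object: console did not populate servicePrincipalName"
      return 2
    fi
    echo "adclient starting, keytab empty, but SPNs exist: look elsewhere"
    return 1
  fi
  echo "adclient mode '$mode', keytab has host/ entries"
  return 0
}

# Constructed sample output (not captured from a real system).
SAMPLE_ADINFO='Local host name:   unix01
Joined to domain:  corp.example.com
Joined as:         unix01.corp.example.com
Pre-win2K name:    unix01
Current DC:        rodc01.corp.example.com
Zone:              corp.example.com/Program Data/Centrify/Zones/Default
CentrifyDC mode:   starting'

SAMPLE_KLIST='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------'

SAMPLE_KLIST_OK='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 04/12/16 11:13:00 host/unix01.corp.example.com@CORP.EXAMPLE.COM
   2 04/12/16 11:13:00 host/unix01@CORP.EXAMPLE.COM'

SAMPLE_LDIF_EMPTY='dn: CN=unix01,OU=Unix,DC=corp,DC=example,DC=com
cn: unix01
dNSHostName: unix01.corp.example.com'

SAMPLE_LDIF_OK='dn: CN=unix01,OU=Unix,DC=corp,DC=example,DC=com
cn: unix01
dNSHostName: unix01.corp.example.com
servicePrincipalName: host/unix01.corp.example.com
servicePrincipalName: host/unix01'

# Run the diagnosis on the constructed failure case.
diagnose "$SAMPLE_ADINFO" "$SAMPLE_KLIST" "$SAMPLE_LDIF_EMPTY" || echo "diagnosis exit status: $?"
```

On a live system, replace the sample variables with `adinfo`, `klist -kt` and the ldapsearch call from the comment; an exit status of 2 is the signature of the 5.0.2 console issue, and the fix remains the console upgrade rather than hand-adding SPNs.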