Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-2948: adjoin --selfserve fails in RODC environment

Authentication Service ,  

12 April,16 at 11:13 AM

Applies to: DirectManage Access Manager/Console earlier than 2013/5.1
 
Problem:
 
Joining to RODC (Read Only Domain Controller) fails after a successful precreate of the computer object using DirectManage Access Manager/Console. 
 
The following command was used to do the join
 
#usr/share/centrifydc/libexec/adjoin -V -u username -z "Zone name" -s DomainController Domain
 
Cause:
 
To do adjoin using RODC, 
 
1)  On DirectManage Access Manager/Console, the Unix computer object must first be pre-created on a RWDC (Read Write Domain Controller) first and then flagged to allow selfserve join.
 
2)  On the Unix server, join with -S (--selfserve).
 
 
If the join is successful, but the adclient is stuck in "starting mode":
 
CentrifyDC mode:   starting
 
The reason is /etc/krb5/krb5.keytab is not generated. This can be verified by running #klist -kt on the Unix server and it will come back with no keytab entries.
 
The problem is the DirectManage 5.0.2 console has a known issue when pre-creating computers where it does not fill in the SPN (service principal name) list.
 
Using Microsoft's ADSIedit tool, one can examine the attributes of the computer object. The UI did not create the SPNs for the same.
 
Resolution:
 
This has been fixed in Suite 2013/5.1.0 console. Clean up everything in AD and then upgrade to Centrify Suite 2013 before doing the self-serve join.
 

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.

Related Articles

 articleKB-2921: adjoining with the self-serve flag fails with "Preauth" error messages in logs articleKB-6038: How to specify the license type to use when joining the server to AD using adjoin? articleKB-6041: How to show current license type in use by adclient articleKB-6040: How to change the license type in use after adclient successful joined to the AD? articleKB-6056: How to report the group policy settings that are in effect for the local computer? articleKB-3444: Authentication fails when kvno values go out of sync in RODC environments articleKB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role? articleKB-2346: adjoin self-serve fails for precreated computer with hostname > 15 chars, in disjointed DNS with error:Constraint violation : 0000200B:.., Att 9026b (dNSHostName) articleKB-2962: adjoin self-serve fails for pre-created computer with hostname > 15 chars with error:get creds: Client not found in Kerberos database