
KB-30049: adclient is in "disconnected mode" after machine password change

Authentication Service

19 March, 20 at 10:31 PM

Problem:
adclient goes into disconnected mode after the machine account password is changed in Active Directory, on older Linux/UNIX web server systems.

Cause:
httpd holds a file lock on /etc/krb5.keytab. Run lsof | grep krb5.keytab to determine whether httpd has a read lock on the keytab file. The FD column (the fourth column of lsof's default output) will show something like "5rR": the "5" is the file descriptor number, "r" means the file is opened for read, and "R" means there is a read lock on the entire file.
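The following decoder is added here as an example and is not part of the Centrify article: it parses the FD column of lsof output so the lock status of every open keytab descriptor can be read off programmatically, both to confirm the cause above and as the check in step 4 of the Solution. The lock letters are lsof's own; the sample output is constructed for the example and assumes lsof's default column layout (COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME), with or without the header line.

```python
"""
Decode the FD column of lsof output for keytab files.

Added example, not Centrify code. In lsof's default layout the FD column packs
the descriptor number, the access mode and the lock status together, so "5rR"
means descriptor 5, opened for read, read lock on the entire file. The sample
output below is constructed; the lock letters are the ones lsof prints.
"""

LOCK_CHARS = {
    " ": "no lock",
    "r": "read lock on part of the file",
    "R": "read lock on the entire file",
    "w": "write lock on part of the file",
    "W": "write lock on the entire file",
    "u": "read and write lock of any length",
    "U": "read and write lock on the entire file",
}
MODE_CHARS = {"r": "read", "w": "write", "u": "read/write"}
# Column positions in lsof's default output (used when the header line is absent,
# e.g. because the output was piped through grep).
DEFAULT_COLS = {"COMMAND": 0, "PID": 1, "FD": 3, "NAME": 8}


def parse_fd(field):
    """Split an FD field such as '5rR' into (descriptor, mode, lock); None for cwd, txt, mem ..."""
    digits = ""
    for ch in field:
        if not ch.isdigit():
            break
        digits += ch
    if not digits:
        return None
    rest = field[len(digits):]
    mode = MODE_CHARS.get(rest[:1], "unknown")
    lock = LOCK_CHARS.get(rest[1:2] or " ", "unknown")   # lsof prints a space for "no lock"
    return int(digits), mode, lock


def open_descriptors(lsof_output, needle):
    """One dict per open descriptor whose NAME contains `needle`."""
    lines = [ln for ln in lsof_output.splitlines() if ln.strip()]
    col = dict(DEFAULT_COLS)
    if lines and lines[0].startswith("COMMAND"):
        header = lines.pop(0).split()
        col = {name: header.index(name) for name in DEFAULT_COLS}
    found = []
    for line in lines:
        fields = line.split()
        if len(fields) <= col["NAME"]:
            continue
        name = " ".join(fields[col["NAME"]:])
        parsed = parse_fd(fields[col["FD"]])
        if needle not in name or parsed is None:
            continue
        found.append({"command": fields[col["COMMAND"]], "pid": int(fields[col["PID"]]),
                      "fd": parsed[0], "mode": parsed[1], "lock": parsed[2], "name": name})
    return found


def locking_pids(lsof_output, path, command="httpd"):
    """PIDs of `command` processes holding any lock on exactly `path`."""
    return sorted({d["pid"] for d in open_descriptors(lsof_output, path)
                   if d["command"] == command and d["name"] == path and d["lock"] != "no lock"})


# Constructed sample: before the fix, httpd workers hold a whole-file read lock on the live keytab.
LSOF_BEFORE = """\
COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME
httpd    2316 apache  cwd    DIR  253,0     4096      2 /
httpd    2316 apache    5rR  REG  253,0     1462 131094 /etc/krb5.keytab
httpd    2317 apache    5rR  REG  253,0     1462 131094 /etc/krb5.keytab
"""

# Constructed sample: after httpd was pointed at its own copy via KRB5_KTNAME.
LSOF_AFTER = """\
COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME
httpd    2316 apache    5rR  REG  253,0     1462 131102 /etc/krb5.keytab.httpd
httpd    2317 apache    5rR  REG  253,0     1462 131102 /etc/krb5.keytab.httpd
"""

if __name__ == "__main__":
    for label, output in (("before", LSOF_BEFORE), ("after", LSOF_AFTER)):
        print(label, "- httpd PIDs locking /etc/krb5.keytab:",
              locking_pids(output, "/etc/krb5.keytab"))
```

Feed it the output of lsof (or lsof | grep krb5.keytab) from the affected host; an empty list for /etc/krb5.keytab after the change in the Solution confirms that adclient's update will no longer collide with httpd's lock.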
The read lock interferes with the process adclient uses to update the keytab file:
  1.  adclient creates a temporary file, something like /etc/krb5.keytab.abcdef
  2.  adclient copies /etc/krb5.keytab to /etc/krb5.keytab.abcdef
  3.  adclient renames /etc/krb5.keytab to /etc/krb5.keytab.swp
  4.  adclient renames /etc/krb5.keytab.abcdef to /etc/krb5.keytab
  5.  adclient renames /etc/krb5.keytab.swp to /etc/krb5.keytab.abcdef
  6.  adclient updates the contents of /etc/krb5.keytab.abcdef
  7.  adclient renames /etc/krb5.keytab.abcdef to /etc/krb5.keytab
(adclient follows this process so that the original krb5.keytab file's OS-specific attributes, such as its ACL, are kept.)

 If httpd has a shared/read lock on /etc/krb5.keytab before step #2, the lock follows the file through the renames (a lock belongs to the open file, not to its name):
    at step #3, the lock is carried along to /etc/krb5.keytab.swp
    at step #5, the lock is carried along to /etc/krb5.keytab.abcdef
    at step #6, adclient cannot get an exclusive/write lock on /etc/krb5.keytab.abcdef, so the keytab update fails
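The lock migration described above can be reproduced in a scratch directory. The script below is an added example and not Centrify code: a child process stands in for httpd and takes a shared POSIX (fcntl) read lock on the whole file, the kind lsof reports as "R", while the parent plays adclient and performs the seven rename steps, attempting an exclusive lock at step 6. The file names follow the article; the directory, file contents, the stand-in reader process and the function names are assumptions made for the example. Run with the reader locking the live keytab, step 6 fails; run with the reader locking its own copy (the KRB5_KTNAME workaround from the Solution), it succeeds.

```python
"""
Reproduce the keytab lock migration in a scratch directory.

Added example, not Centrify code. A child process stands in for httpd and holds a
shared POSIX (fcntl) read lock on a whole file; the parent plays adclient and runs
the seven rename steps, trying an exclusive lock at step 6.
"""
import fcntl
import os
import shutil
import subprocess
import sys
import tempfile

# Stand-in httpd (constructed for the example): lock the named file for reading,
# report back, then hold the lock until the parent closes our stdin.
READER = """\
import fcntl, sys
f = open(sys.argv[1], "rb")
fcntl.lockf(f.fileno(), fcntl.LOCK_SH)   # shared lock on the whole file
print("locked", flush=True)
sys.stdin.read()                          # keep the lock until stdin is closed
"""


def start_reader(path):
    """Start the stand-in httpd on `path` and return once it confirms it holds the lock."""
    proc = subprocess.Popen([sys.executable, "-c", READER, path],
                            stdin=subprocess.PIPE, stdout=subprocess.PIPE, text=True)
    if proc.stdout.readline().strip() != "locked":
        raise RuntimeError("reader failed to lock " + path)
    return proc


def adclient_update(keytab, new_contents=b"new keytab\n"):
    """adclient's seven-step update. Returns True if step 6 obtained its write lock."""
    tmp = keytab + ".abcdef"
    swp = keytab + ".swp"
    shutil.copy2(keytab, tmp)      # steps 1-2: temporary copy, keeping mode and timestamps
    os.rename(keytab, swp)         # step 3: the original moves aside, any lock on it included
    os.rename(tmp, keytab)         # step 4: the copy now carries the real name
    os.rename(swp, tmp)            # step 5: the original (with httpd's lock, if any) becomes .abcdef
    fd = os.open(tmp, os.O_RDWR)
    try:
        fcntl.lockf(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)   # step 6: exclusive lock to write
    except OSError:                # EAGAIN/EACCES: a shared lock followed the inode here
        os.close(fd)
        return False
    try:
        os.ftruncate(fd, 0)
        os.write(fd, new_contents)
        fcntl.lockf(fd, fcntl.LOCK_UN)
    finally:
        os.close(fd)
    os.rename(tmp, keytab)         # step 7: the updated file takes the real name again
    return True


def simulate(httpd_locks_live_keytab):
    """
    True:  the problem case, httpd reads and locks the keytab adclient rewrites.
    False: the workaround, httpd reads its own copy (as with KRB5_KTNAME).
    Returns whether adclient's update succeeded.
    """
    workdir = tempfile.mkdtemp(prefix="kb30049-")
    try:
        keytab = os.path.join(workdir, "krb5.keytab")
        with open(keytab, "wb") as f:
            f.write(b"old keytab\n")            # constructed placeholder, not a real keytab
        httpd_copy = keytab + ".httpd"
        shutil.copy2(keytab, httpd_copy)
        reader = start_reader(keytab if httpd_locks_live_keytab else httpd_copy)
        try:
            return adclient_update(keytab)
        finally:
            reader.stdin.close()                # releases the stand-in httpd's lock
            reader.wait()
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print("httpd locks the live keytab: update ok =", simulate(True))    # False
    print("httpd reads its own copy:    update ok =", simulate(False))   # True
```

The two processes are needed because POSIX record locks do not conflict within a single process; the same shared lock taken by the parent would not block its own exclusive lock. That is also why the lock is visible to adclient only as a failed step 6 rather than as an error at the time httpd opens the file.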


Solution:
Either update the version of libc-client and configure php-imap and httpd to use it, or give httpd an alternate krb5.keytab file to read from so that it no longer locks the file adclient maintains.

The steps to configure httpd to use an alternate keytab file are below:


1. As root, run cp --preserve=all /etc/krb5.keytab /etc/krb5.keytab.httpd
   (--preserve=all keeps the owner, mode and ACLs, so the copy is readable by exactly the same users as the original. It contains the machine account's keys, so do not loosen its permissions.)
2. Add the following two lines to /etc/sysconfig/httpd:

 
KRB5_KTNAME=/etc/krb5.keytab.httpd
export KRB5_KTNAME

3. Restart the httpd service.
4. As root, run lsof | grep krb5.keytab again and check that httpd has picked up the change: the krb5.keytab lines should no longer show httpd holding a read lock, and httpd should now have krb5.keytab.httpd open instead. If httpd is started by systemd rather than the init script, also confirm that KRB5_KTNAME reached the running httpd processes (for example in /proc/<pid>/environ), since the unit may not read /etc/sysconfig/httpd as a shell script.
5. A cron job can now be set up to sync the krb5.keytab.httpd file whenever the krb5.keytab file is updated, for example:

 
#!/bin/bash
# Refresh httpd's copy of the keytab whenever adclient has written a newer /etc/krb5.keytab.
SRC=/etc/krb5.keytab
DST=/etc/krb5.keytab.httpd

if [ ! -f "$DST" ] || [ "$SRC" -nt "$DST" ]; then
    # Write to a temporary file in the same directory and rename it into place, so httpd
    # never reads a half-written keytab. --preserve=all keeps owner, mode, ACLs and the
    # modification time, which is what the -nt test above compares.
    TMP=$(mktemp "$DST.XXXXXX") || exit 1
    cp --preserve=all "$SRC" "$TMP" && mv -f "$TMP" "$DST" || { rm -f "$TMP"; exit 1; }
fi
(This sample script only updates the krb5.keytab.httpd file when krb5.keytab has changed; because the copy preserves the modification time, the -nt comparison stays false until adclient writes a new keytab.)
 
