Sun Microsystems, Inc.  Oracle System Handbook - ISO 7.0 May 2018 Internal/Partner Edition
   Home | Current Systems | Former STK Products | EOL Systems | Components | General Info | Search | Feedback

Asset ID: 1-71-1012839.1
Update Date:2017-02-25
Keywords:
Solution Type  Technical Instruction Sure

Solution  1012839.1 :   Sun StorageTek[TM] 5000 Series NAS: Failure to join Windows Domain - interpreting log messages  

Related Items 
    

  • Sun Storage 5310 NAS Gateway System
    •  
  • Sun Storage 5220 NAS Appliance
    •  
  • Sun Storage 5210 NAS Appliance
    •  
  • Sun Storage 5310 NAS Appliance
    •  
  • Sun Storage 5320 NAS Appliance
    •  
Related Categories 
    

  • PLA-Support>Sun Systems>DISK>ZFS Storage>SN-DK: SE5xxx NAS
    •  
  • _Old GCS Categories>Sun Microsystems>Storage - Disk>Network Attached Storage
    •  

PreviouslyPublishedAs
217620 


Applies to:  

Sun Storage 5310 NAS Gateway System - Version All Versions and later
Sun Storage 5320 NAS Appliance - Version All Versions and later
Sun Storage 5310 NAS Appliance - Version All Versions and later
Sun Storage 5220 NAS Appliance - Version All Versions and later
Sun Storage 5210 NAS Appliance - Version All Versions and later
All Platforms



Goal


To authenticate users from a Windows domain, the Sun StorageTek NAS must join the domain and/or integrate with Active Directory.


One of the best places to look for problems with this process is the NAS system log.


The attempt to join the domain, whether it succeeded, and any issues encountered are logged in detail. Note that this data collection must take place as soon as possible after the failed attempt to join the domain, otherwise, the messages may no longer be present in the log.


 


Solution


Symptoms:


    

  • 

    KRB5 error code
    

    • 

  • 

    Can't join Windows domain
    

    • 

  • 

    How to check logs
    

    • 





Steps to Follow
Interpreting log messages


To check the System Log:


    

  1. Connect to the Sun StorageTek 5320 NAS through Telnet or a serial console.
    2. 

  2. Press enter at the [menu] prompt and type the administrator password.
    3. 

  3. Select option 2, Show Log. The 14 most recent syslog messages are displayed.
    4. 

  4. Look for messages related to the attempt to join the domain. The first message typically contains the words browser, join domain or ads.
    5. 

  5. If no messages are found, select option 1, Show Entire Log.
    6. 

  6. Page through the log with the space bar, scrolling to the approximate time and
    date when you made the most recent attempt to join the domain.
    7. 

  7. Look again for the messages related to joining the domain.
    8. 

  8. If no applicable messages are found, repeat the attempt to join the domain, and check the log again.
    9. 



(The system log can also be viewed via the Web Admin GUI:)


The following messages are examples of log messages indicating problems joining a Windows Domain or Active Directory environment, along with possible solutions:


    

  • Logon Failure/Access denied
    • 



The user account that is entered into the Sun StorageTek NAS Domain configuration screen must have the correct password and must have the authority to create computer accounts (or join them to the domain, if prestaged). Typically, a user account that is a member of the Domain Admins global group is used.


    

  • ads: DNS query for ADS host error
    • 



The DNS query for the ADS server failed. Ensure that the correct DNS servers have been configured, the correct, fully-qualified Active Directory domain name has been configured and that the configured DNS servers contain the records required for proper active directory function - See Document: 1004157.1


    

  • clock skew too great
    • 



The time differential between the NAS and the selected Active Directory server is too great. Check time zone and time server settings on both the NAS and the AD server.


    

  • kinit: KDC has no support for encryption type.
    • 



This is a known Windows issue, in which DES encryption keys are not created for the Administrator under certain circumstances. See MS Knowledgebase article #248808 for additional information. The solution is to reset the Domain Administrator password. It is acceptable to re-enter the original password.


    

  • ads: minor status error: KRB5 error code 52.
    • 



This error message indicates that the packet requesting a Kerberos ticket (TGT) is too large Privilege Attribute Certificate (PAC) field, so the client should switch from UDP to TCP. The best way to reduce the size of the request is to reduce the number of group memberships.


One of the following would be the workaround for this issue :


    

  1. Create a new administrator account, such as "nasadmin", and ensure that this account has the minimum number of group memberships, preferably only Domain Admins. Then retry the domain join operation with this account.
    2. 

  2. If above fails and customer using Windows 2003, then NAS required "Pre-Windows 2000 Compatible Access" option to be enabled. Please check the article http://support.microsoft.com/kb/325363 on how to set this option.
    3. 

  3. Disable the kerberos pre-authentication for the nasadmin account being used to join to the domain. This can be done in the account's properties using "Account" tab -> "Account options" part -> "Do not require Kerberos preathentication" option.
    4. 



    

  • ads: minor status error: KRB5 error code 68
    • 



This error that the Kerberos Realm configuration is incorrect. Determine the correct setting from the site administrators and configure manually in the NAS ADS settings.


    

  • kinit: Cannot resolve network address for KDC in requested realm.
    • 



Either the Kerberos Realm setting or the KDC setting is incorrect, or as above, it cannot be resolve by DNS.


    

  • ads: minor status error: Bad format in credentials cache
    • 

  • ads: minor status error: No credentials cache file found
    • 

  • ads: send/receive error
    • 



These indicate a misconfiguration or missing setting. Review the ADS settings per Document: 1009920.1


    

  • Active Directory configured, but no attempt to resolve Domain Controller via DNS in system log.
    • 



This is an indication that AD is not completely configured. The most common mistake is that the container was omitted from the configuration. In this case, the attempt to join via DNS will not be made. The solution is to completely configure the AD settings.


    

  • No Master Browsers found for <domain>
    • 

  • Join domain [local]: locate failed
    • 



These error messages indicate that a domain controller could not be found. They also indicate that the Active Directory integration, if configured, has failed, and the NAS is now trying to join the domain via NetBIOS. If trying to integrate with Active Directory, look for an error message earlier in the log. If Active Directory is not configured, see Document: 1009958.1






Internal Comments


This document contains normalized content and is managed by the the Domain Lead(s) of the respective domains.
NAS, active directory, CIFS, log messages, KRB5 error code, ADS, minor status error, No Master Browsers found for, audited, normalized



Previously Published As
89215

Change History
Date: 2010-04-08
User Name: 79977
Action: Currency check
Comment: Verified still current with Content Lead, william.harper@oracle.com
Date: 2007-12-20
User Name: 95826
Action: Approved
Comment: - verified metadata
 - changed review date to 2008-12-12
- checked for TM - none added, added 'Sun' in the title
- checked audience : contract
Publishing
Version: 6
Date: 2007-12-18
User Name: 102104
Action: Approved
Comment: Review done for this updated document.
Version: 0


***Checked for relevance on 21-Nov-2012***


***Checked for relevance on 24-Sep-2015***


***Checked for relevance on 25-Feb-2017***



Attachments

This solution has no attachment


















       

Copyright © 2018 Oracle, Inc.  All rights reserved.

 Feedback