Sun Microsystems, Inc.  Sun System Handbook - ISO 3.4 June 2011 Internal/Partner Edition

Asset ID: 1-71-1012839.1
Update Date: 2010-04-11

Solution Type  Technical Instruction Sure

Solution  1012839.1 :   Sun StorageTek[TM] 5000 Series NAS: Failure to join Windows Domain - interpreting log messages  


Related Items
  • Sun Storage 5210 NAS Appliance
  • Sun Storage 5220 NAS Appliance
  • Sun Storage 5310 NAS Appliance
  • Sun Storage 5320 NAS Gateway/Cluster System
  • Sun Storage 5320 NAS Appliance
  • Sun Storage 5310 NAS Gateway System

Related Categories
  • GCS>Sun Microsystems>Storage - Disk>Network Attached Storage

Previously Published As
217620


Description
Symptoms:
  • KRB5 error code

  • Can't join Windows domain

  • How to check logs

Purpose/Scope:
To authenticate users from a Windows domain, the Sun StorageTek NAS must join the domain and/or integrate with Active Directory.

One of the best places to look for problems with this process is the NAS system log. The attempt to join the domain, whether it succeeded, and any issues encountered are logged in detail. Note that this data collection must take place as soon as possible after the failed attempt to join the domain; otherwise, the messages may no longer be present in the log.



Steps to Follow
Interpreting log messages

To check the System Log:

  1. Connect to the Sun StorageTek 5320 NAS through Telnet or a serial console.
  2. Press enter at the [menu] prompt and type the administrator password.
  3. Select option 2, Show Log. The 14 most recent syslog messages are displayed.
  4. Look for messages related to the attempt to join the domain. The first message typically contains the words browser, join domain or ads.
  5. If no messages are found, select option 1, Show Entire Log.
  6. Page through the log with the space bar, scrolling to the approximate time and date when you made the most recent attempt to join the domain.
  7. Look again for the messages related to joining the domain.
  8. If no applicable messages are found, repeat the attempt to join the domain, and check the log again.

(The system log can also be viewed via the Web Admin GUI.)

The following messages are examples of log messages indicating problems joining a Windows Domain or Active Directory environment, along with possible solutions:

  • Logon Failure/Access denied

The user account that is entered into the Sun StorageTek NAS Domain configuration screen must have the correct password and must have the authority to create computer accounts (or join them to the domain, if prestaged). Typically, a user account that is a member of the Domain Admins global group is used.

  • ads: DNS query for ADS host error

The DNS query for the ADS server failed. Ensure that the correct DNS servers have been configured, that the correct, fully-qualified Active Directory domain name has been configured, and that the configured DNS servers contain the records required for proper Active Directory function <Document: 1004157.1>.

  • clock skew too great

The time differential between the NAS and the selected Active Directory server is too great. Check time zone and time server settings on both the NAS and the AD server.

  • kinit: KDC has no support for encryption type.

This is a known Windows issue, in which DES encryption keys are not created for the Administrator under certain circumstances. See MS Knowledgebase article #248808 for additional information. The solution is to reset the Domain Administrator password. It is acceptable to re-enter the original password.

  • ads: minor status error: KRB5 error code 52.

This error message indicates that the packet requesting a Kerberos ticket (TGT) is too large because of the Privilege Attribute Certificate (PAC) field, so the client should switch from UDP to TCP. The best way to reduce the size of the request is to reduce the number of group memberships.

Use one of the following workarounds for this issue:

  1. Create a new administrator account, such as "nasadmin", and ensure that this account has the minimum number of group memberships, preferably only Domain Admins. Then retry the domain join operation with this account.
  2. If the above fails and the customer is using Windows 2003, the NAS requires the "Pre-Windows 2000 Compatible Access" option to be enabled. See http://support.microsoft.com/kb/325363 for how to set this option.
  3. Disable Kerberos pre-authentication for the nasadmin account being used to join the domain. This can be done in the account's properties: "Account" tab -> "Account options" section -> "Do not require Kerberos preauthentication" option.

  • ads: minor status error: KRB5 error code 68

This error indicates that the Kerberos Realm configuration is incorrect. Determine the correct setting from the site administrators and configure it manually in the NAS ADS settings.

  • kinit: Cannot resolve network address for KDC in requested realm.

Either the Kerberos Realm setting or the KDC setting is incorrect, or, as above, it cannot be resolved by DNS.

  • ads: minor status error: Bad format in credentials cache
  • ads: minor status error: No credentials cache file found
  • ads: send/receive error

These indicate a misconfiguration or missing setting. Review the ADS settings per <Document: 1009920.1>.

  • Active Directory configured, but no attempt to resolve Domain Controller via DNS in system log.

This is an indication that AD is not completely configured. The most common mistake is that the container was omitted from the configuration. In this case, the attempt to join via DNS will not be made. The solution is to completely configure the AD settings.

  • No Master Browsers found for <domain>
  • Join domain [local]: locate failed

These error messages indicate that a domain controller could not be found. They also indicate that the Active Directory integration, if configured, has failed, and the NAS is now trying to join the domain via NetBIOS. If trying to integrate with Active Directory, look for an error message earlier in the log. If Active Directory is not configured, see <Document: 1009958.1>.
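
The message list above, applied to a saved copy of the system log, as an added example that is not part of the original Sun document. The function names (`triage`, `root_cause`) and the timestamp layout of the sample lines are assumptions; only the message fragments come from the article. It reports the earliest specific error and treats the two NetBIOS fallback messages as a symptom, as the last item advises.

```python
import re

# Message fragments quoted in the article, each mapped to the cause it gives.
SIGNATURES = [
    (r"logon failure|access denied",
     "join account: wrong password or no right to create/join computer accounts"),
    (r"ads: DNS query for ADS host",
     "DNS: wrong DNS servers or domain name, or AD records missing"),
    (r"clock skew too great",
     "time: check time zone and time server on the NAS and the AD server"),
    (r"KDC has no support for encryption type",
     "no DES keys for the account: reset the Domain Administrator password"),
    (r"KRB5 error code 52\b",
     "ticket request too large: use an account with fewer group memberships"),
    (r"KRB5 error code 68\b", "Kerberos realm setting is incorrect"),
    (r"Cannot resolve network address for KDC",
     "realm or KDC setting incorrect, or not resolvable by DNS"),
    (r"Bad format in credentials cache|No credentials cache file found"
     r"|ads: send/receive error", "ADS settings misconfigured or missing"),
]
# These two only show that the NAS fell back to a NetBIOS join.
FALLBACK = re.compile(r"No Master Browsers found|Join domain .*locate failed", re.I)

def triage(lines):
    """Return ([(line_no, cause), ...], fell_back_to_netbios)."""
    findings, fell_back = [], False
    for n, line in enumerate(lines, 1):
        fell_back = fell_back or bool(FALLBACK.search(line))
        for pattern, cause in SIGNATURES:
            if re.search(pattern, line, re.I):
                findings.append((n, cause))
                break
    return findings, fell_back

def root_cause(lines):
    """Earliest specific error wins; the fallback messages are a symptom."""
    findings, fell_back = triage(lines)
    if findings:
        return findings[0][1]
    if fell_back:
        return "no domain controller found and no earlier ads error: check AD settings are complete"
    return None

# Constructed sample; the timestamp layout is an assumption, not the NAS format.
SAMPLE_LOG = [
    "01/15/08 10:02:12 ads: minor status error: KRB5 error code 68",
    "01/15/08 10:02:15 No Master Browsers found for EXAMPLE",
    "01/15/08 10:02:15 Join domain [local]: locate failed",
]
```

Calling `root_cause(SAMPLE_LOG)` returns the realm finding from line 1, not the later "locate failed" message.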



Product
Sun StorageTek 5320 NAS Gateway/Cluster System
Sun StorageTek 5320 NAS Appliance
Sun StorageTek 5320
Sun StorageTek 5310 NAS Gateway/Cluster System
Sun StorageTek 5310 NAS Gateway System
Sun StorageTek 5310 NAS Appliance
Sun StorageTek 5220 NAS Appliance
Sun StorageTek 5220
Sun StorageTek 5210 NAS Appliance

Internal Comments
This document contains normalized content and is managed by the Domain Lead(s) of the respective domains. To notify content owners of a knowledge gap contained in this document, and/or prior to updating this document, please contact the domain engineers that are managing this document via the “Document Feedback” alias(es) listed below:

storage-nas-domain@sun.com

The Knowledge Work Queue for this article is KNO-STO-NAS.

NAS, active directory, CIFS, log messages, KRB5 error code, ADS, minor status error, No Master Browsers found for, audited, normalized
Previously Published As
89215

Change History
Date: 2010-04-08
User Name: 79977
Action: Currency check
Comment: Verified still current with Content Lead, william.harper@oracle.com
Date: 2007-12-20
User Name: 95826
Action: Approved
Comment: - verified metadata
- changed review date to 2008-12-12
- checked for TM - none added, added 'Sun' in the title
- checked audience : contract
Publishing
Version: 6
Date: 2007-12-18
User Name: 95826
Action: Accept
Comment:
Version: 0
Date: 2007-12-18
User Name: 102104
Action: Approved
Comment: Review done for this updated document.
Version: 0
Date: 2007-12-18
User Name: 102104
Action: Accept
Comment:
Version: 0
Date: 2007-12-11
User Name: 160775
Action: Add Comment


Attachments
This solution has no attachment
  Copyright © 2011 Sun Microsystems, Inc.  All rights reserved.