VMware Cloud Community
XModem
Enthusiast

vCAC Identity Appliance AD join: OU format invalid

Hey everyone

When I try to join the vCAC 6.0 Identity Appliance to a Windows 2012 Server Active Directory I'm getting this error:

vcac_error.png

It seems to me that it might be related to 2012 AD. Any ideas?

- Jonas

0 Kudos
4 Replies
nikolovk
VMware Employee

Jonas,

You can try to specify the domain user in a DN format.

Thanks

0 Kudos
admin
Immortal

I'm getting the same error. In fact, I've re-deployed the appliance 3 times and still am getting the same error.

AD: 2012

Identity Appliance: 2.0.0 Build 1445146

I went so far as to duplicate config-page.py and modify the Python script to dump the credentials being passed to execute the domainjoin-cli command. The credentials are correct.

I then manually executed the domainjoin-cli command with extra parameters to dump some more information.

Command: ./domainjoin-cli --loglevel verbose --logfile outter.txt join vcloud.local Administrator

outter.txt output

...

20140202131201:WARNING:Short domain name not specified. Defaulting to 'vcloud'

20140202131201:VERBOSE:Setting krb5 name value 'default_realm' to 'VCLOUD.LOCAL'

20140202131201:VERBOSE:Adding child 'default_realm' to 'libdefaults'

20140202131201:VERBOSE:Setting krb5 name value 'default_tgs_enctypes' to 'RC4-HMAC DES-CBC-MD5 DES-CBC-CRC'

20140202131201:VERBOSE:Adding child 'default_tgs_enctypes' to 'libdefaults'

20140202131201:VERBOSE:Setting krb5 name value 'default_tkt_enctypes' to 'RC4-HMAC DES-CBC-MD5 DES-CBC-CRC'

20140202131201:VERBOSE:Adding child 'default_tkt_enctypes' to 'libdefaults'

20140202131201:VERBOSE:Setting krb5 name value 'preferred_enctypes' to 'RC4-HMAC DES-CBC-MD5 DES-CBC-CRC'

20140202131201:VERBOSE:Adding child 'preferred_enctypes' to 'libdefaults'

20140202131201:VERBOSE:Setting krb5 name value 'dns_lookup_kdc' to 'true'

20140202131201:VERBOSE:Adding child 'dns_lookup_kdc' to 'libdefaults'

20140202131201:VERBOSE:Setting krb5 name value 'pkinit_kdc_hostname' to '<DNS>'

20140202131201:VERBOSE:Adding child 'pkinit_kdc_hostname' to 'libdefaults'

20140202131201:VERBOSE:Setting krb5 name value 'pkinit_anchors' to 'DIR:/var/lib/likewise/trusted_certs'

20140202131201:VERBOSE:Adding child 'pkinit_anchors' to 'libdefaults'

20140202131201:VERBOSE:Setting krb5 name value 'pkinit_cert_match' to '&&<EKU>msScLogin<PRINCIPAL>'

20140202131201:VERBOSE:Adding child 'pkinit_cert_match' to 'libdefaults'

20140202131201:VERBOSE:Setting krb5 name value 'pkinit_eku_checking' to 'kpServerAuth'

20140202131201:VERBOSE:Adding child 'pkinit_eku_checking' to 'libdefaults'

20140202131201:VERBOSE:Setting krb5 name value 'pkinit_win2k_require_binding' to 'false'

20140202131201:VERBOSE:Adding child 'pkinit_win2k_require_binding' to 'libdefaults'

20140202131201:VERBOSE:Setting krb5 name value 'pkinit_identities' to 'PKCS11:/opt/likewise/lib64/libpkcs11.so'

20140202131201:VERBOSE:Adding child 'pkinit_identities' to 'libdefaults'

20140202131201:INFO:Creating krb5 stanza 'domain_realm'

20140202131201:VERBOSE:Adding child 'domain_realm' to '(null)'

20140202131201:VERBOSE:Adding child 'auth_to_local' to 'VCLOUD.LOCAL'

20140202131201:VERBOSE:Setting krb5 name value '.vcloud.local' to 'VCLOUD.LOCAL'

20140202131201:VERBOSE:Adding child '.vcloud.local' to 'domain_realm'

20140202131201:VERBOSE:Adding child 'auth_to_local' to 'VCLOUD.LOCAL'

20140202131201:VERBOSE:Adding child 'VCLOUD.LOCAL' to 'realms'

20140202131201:INFO:Creating krb5 stanza 'appdefaults'

20140202131201:VERBOSE:Adding child 'appdefaults' to '(null)'

20140202131201:VERBOSE:Adding child 'pam' to 'appdefaults'

20140202131201:VERBOSE:Setting krb5 name value 'mappings' to 'VCLOUD\\(.*) $1@VCLOUD.LOCAL'

20140202131201:VERBOSE:Adding child 'mappings' to 'pam'

20140202131201:VERBOSE:Setting krb5 name value 'forwardable' to 'true'

20140202131201:VERBOSE:Adding child 'forwardable' to 'pam'

20140202131201:VERBOSE:Setting krb5 name value 'validate' to 'true'

20140202131201:VERBOSE:Adding child 'validate' to 'pam'

20140202131201:VERBOSE:Adding child 'httpd' to 'appdefaults'

20140202131201:VERBOSE:Setting krb5 name value 'mappings' to 'VCLOUD\\(.*) $1@VCLOUD.LOCAL'

20140202131201:VERBOSE:Adding child 'mappings' to 'httpd'

20140202131201:VERBOSE:Setting krb5 name value 'reverse_mappings' to '(.*)@VCLOUD\.LOCAL VCLOUD\$1'

20140202131201:VERBOSE:Adding child 'reverse_mappings' to 'httpd'

20140202131201:INFO:Writing krb5 file /tmp/likewisetmpWbKzd2/etc/krb5.conf

20140202131201:INFO:File /tmp/likewisetmpWbKzd2/etc/krb5.conf modified

20140202131201:INFO:Finishing krb5.conf configuration

20140202131201:ERROR:Lsass Error [ERROR_BAD_FORMAT]

The OU format is invalid.

Stack Trace:

../domainjoin/domainjoin-cli/src/main.c:953

../domainjoin/domainjoin-cli/src/main.c:502

../domainjoin/libdomainjoin/src/djmodule.c:339

../domainjoin/libdomainjoin/src/djauthinfo.c:718

../domainjoin/libdomainjoin/src/djauthinfo.c:1212

0 Kudos
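A small triage pass over a domainjoin-cli verbose log like the one in the post above, as an added example that is not part of the thread or of the product's code: it collects the krb5 values the tool set, records which INFO step preceded each ERROR, and lists configured enctypes that RFC 6649 and RFC 8429 deprecate. The function name `triage` and the sample input (a few lines copied from the log above) are assumptions of this example.

```python
import re

# Constructed sample: a handful of lines copied from the log in the post above.
SAMPLE_LOG = """\
20140202131201:WARNING:Short domain name not specified. Defaulting to 'vcloud'
20140202131201:VERBOSE:Setting krb5 name value 'default_realm' to 'VCLOUD.LOCAL'
20140202131201:VERBOSE:Setting krb5 name value 'default_tgs_enctypes' to 'RC4-HMAC DES-CBC-MD5 DES-CBC-CRC'
20140202131201:VERBOSE:Adding child 'default_tgs_enctypes' to 'libdefaults'
20140202131201:INFO:Finishing krb5.conf configuration
20140202131201:ERROR:Lsass Error [ERROR_BAD_FORMAT]
The OU format is invalid.
Stack Trace:
../domainjoin/domainjoin-cli/src/main.c:953
../domainjoin/libdomainjoin/src/djauthinfo.c:1212
"""

LINE = re.compile(r"^(\d{14}):([A-Z]+):(.*)$")
SETTING = re.compile(r"^Setting krb5 name value '([^']*)' to '(.*)'$")
# Enctypes deprecated for Kerberos by RFC 6649 (DES) and RFC 8429 (RC4).
LEGACY_ENCTYPES = {"RC4-HMAC", "DES-CBC-MD5", "DES-CBC-CRC"}

def triage(text):
    """Return krb5 settings, legacy enctypes seen, and each ERROR with its detail lines."""
    settings, errors, last_info = {}, [], None
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue  # the forum paste is double-spaced
        m = LINE.match(line)
        if not m:
            # Continuation (message text, stack frames) belongs to the last ERROR.
            if current is not None:
                current["detail"].append(line)
            continue
        ts, level, msg = m.groups()
        current = None
        s = SETTING.match(msg)
        if s:
            settings[s.group(1)] = s.group(2)
        elif level == "ERROR":
            current = {"time": ts, "message": msg, "after": last_info, "detail": []}
            errors.append(current)
        elif level == "INFO":
            last_info = msg
    legacy = {k: sorted(LEGACY_ENCTYPES & set(v.split()))
              for k, v in settings.items() if k.endswith("enctypes")}
    return settings, {k: v for k, v in legacy.items() if v}, errors
```

On the sample, the single ERROR is reported as following "Finishing krb5.conf configuration", with the OU message and stack frames attached as its detail lines.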
GPopov
VMware Employee

Hi, Jonas.

From your log and screenshot I see that the Identity Server VA is joined in the vcloud.local, but you are trying to join the SSO server to Active Directory with domain upc.local. It is not allowed. If you want to join SSO server to upc.local AD, you have to join the Identity Server VA in the upc.local domain.

0 Kudos
XModem
Enthusiast

Hi Gpopov,

The screenshot and OP were mine, the log was from someone completely different called 'neomeruhen'.

The fascinating thing with forums is that many different people can weigh in on a discussion. Please keep this in mind when replying.

Regards, Jonas

PS.: Specifying the domain in a DN format gives a different error (unable to connect to domain - makes sense to me).

0 Kudos