Thread: Auth_mgr:Cannot renew kerberos ticket

  1. #1

    Auth_mgr:Cannot renew kerberos ticket

    Unable to get my NAS to register with AD. I have tried every option in the authentication method and all fail. The main error is "Database is empty or connection error".
    When I try workgroup I get the error: "With settings that you've already applied to authentication, system can't connect to the destination server. Probably there is a problem with this server availability or you entered wrong password. Make sure that destination server are running and have configured services that you want to use, then try to connect again."
    The time on the server is correct and matches the domain controller time. Any suggestions you may have are greatly appreciated.

  2. #2

    Was it working before? Were there any changes made to the network? Any other errors showing in the Event Viewer?
    Can you try with another Domain Admin account? Can you restore from a past configuration that you saved from the GUI, located in Maint. Misc? Select a last known good date to restore the settings.cnf file that you saved in the past, so that you can restore the configuration with your ADS settings, and reboot.
    All the best,

    Todd Maxwell


    Follow the red "E"
    Facebook | Twitter | YouTube

  3. #3

    Originally posted by To-M:
    > Was it working before? Were there any changes made to the network? Any other errors showing in the Event Viewer?
    > Can you try with another Domain Admin account? Can you restore from a past configuration that you saved from the GUI, located in Maint. Misc? Select a last known good date to restore the settings.cnf file that you saved in the past, so that you can restore the configuration with your ADS settings, and reboot.

    I switched this server over from an iSCSI server to a NAS so it never has been a domain member before. No changes in the network and I don't see anything in the event viewer regarding this issue. I tried my domain admin account and it failed with the same error as the domain administrator account. Restoring is not an option since this server was never a domain machine since it was an iSCSI VMware datastore before this. I really do appreciate the suggestions. Thank you.

  4. #4

    Are you on the latest build, up70? Make sure the DNS settings in the DSS V7 point to the ADS IP. If the timing is OK (not over 5 min off) then that is fine. Are you in the same network? You most likely are, but just checking.
    See if you can ping by name in both directions.
    All the best,

    Todd Maxwell



  5. #5

    Yes sir, I am on version 7.0 update 70. The DNS and NTP settings on the NAS are pointed to our domain controller and the time looks to be identical between the two. Both the NAS and DC are on the same network/subnet and I can ping both directions using the FQDN. Question: I have tried all authentication methods and options with no luck. Our current domain function level is 2012 and I assume I should be using Windows ADS with IDMAP backend RID. Is this correct? Thank you!

  6. #6

    Yes, use RID!!! So now test with the PDC option; what you're doing here is just to see if you can import the Users and Groups by entering the IP of the ADS server and the Admin and Password. If that does not work, something else is blocking it (firewall, some type of virus protection, bla bla bla...), but can you directly connect the DSS V7 to the ADS on another empty NIC port? Using PDC can help troubleshoot closer to the issue, but not all the time.
    All the best,

    Todd Maxwell



  7. #7

    Unable to get PDC to work either. Temporarily disabled the firewall on the DC and still receive the error: "Database is empty or connection error!". When I reset and go back to Workgroup (internal LDAP) I get NO errors until I try PDC or ADS again. I can see a successful security audit in the event viewer on the DC with the name of the NAS and domain administrator account information. Other than those entries there is nothing obvious in the event viewer whether informational, warning, or error. Went through the best practice analyzer on the domain controller and everything looks to be registered and functioning properly. I have no issues with my other DSS v7 NAS which is running update 66 and it is able to see all the domain users and authenticate properly with AD. The problem NAS was updated to 7.0 update 70 this morning in hopes it would fix this issue.

  8. #8

    With PDC not working, it is possibly the boot media, but I am not sure without looking into the logs that you can submit to support. If the DSS version up66 works then I would use that, as up70 does not have that many updates other than drivers. Now, I had a case where the end user rebooted the Windows server and this somehow allowed the ADS to authenticate. I know that is hard to do due to production times, but just a thought.
    All the best,

    Todd Maxwell



  9. #9

    Unfortunately we don't have paid support on this server right now. We do have three domain controllers though and I have tried using all three to get this NAS on the domain. I downloaded the logs and was looking at the domain-ap.log file and noticed this.

    --- joining domain (NT)-----------
    Failed to join domain: Invalid configuration ("realm" set to '', should be 'xxxxxxxxxxx.net') and configuration modification was not requested
    net rpc join -S DC01 -U administrator%****

    I replaced my domain name with x's but it was correct in the log. Curious why the "set to" is blank and why the "should be" configuration modification was not requested.
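
Added example (not part of the original thread and not Open-E's code): `net rpc join` in the log above is Samba's `net` tool, and its join error names the configuration parameter it rejected. The sketch below assumes a Samba-style `[global]` section and uses constructed values (`EXAMPLE`, `example.net`); it matches that error against a config and also checks for the RID idmap backend recommended in the thread.

```python
import re

# Constructed smb.conf-style sample; EXAMPLE / example.net are placeholders.
SAMPLE_CONF = """\
[global]
    workgroup = EXAMPLE
    security = ads
    ; no "realm" line, which matches the empty value in the log
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 10000-999999
"""
# Constructed log line in the format quoted in the post above.
SAMPLE_LOG = ("Failed to join domain: Invalid configuration (\"realm\" set to '', "
              "should be 'example.net') and configuration modification was not requested")

JOIN_ERROR = re.compile(
    r"Invalid configuration \(\"(?P<param>[^\"]+)\" set to '(?P<have>[^']*)', "
    r"should be '(?P<want>[^']*)'\)")

def parse_global(text):
    """Return the [global] parameters of smb.conf-style text as a dict."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # Normalise case and spacing of the parameter name.
            params[" ".join(key.lower().split())] = value.strip()
    return params

def explain_join_error(log_line, conf_text):
    """List config findings that account for a join error log line."""
    m = JOIN_ERROR.search(log_line)
    if not m:
        return []
    params = parse_global(conf_text)
    findings = []
    current = params.get(m["param"].lower(), "")
    # Case-insensitive comparison is an assumption of this sketch.
    if current.lower() != m["want"].lower():
        findings.append(f"{m['param']}: config has {current!r}, "
                        f"join expects {m['want']!r}")
    backend = params.get(f"idmap config {params.get('workgroup', '').lower()} : backend")
    if backend != "rid":
        findings.append(f"idmap backend for the domain is {backend!r}, not 'rid'")
    return findings
```
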

  10. #10

    So it's the same realm name you use on up66? If so, then download the up66 build or roll back to 66 from the GUI and reboot. Like I said, we had a case where the ADS had to be rebooted for it to work; not sure if that will work for you as well, but just a thought.
    All the best,

    Todd Maxwell

