7018808: Kerberos authentication fails against SLED 11.4 or 11.3 satellite

This document (7018808) is provided subject to the disclaimer at the end of this document.

Environment

Novell ZENworks Configuration Management 2017

Situation

When Kerberos authentication is enabled, a SLED 11.3 or 11.4 authentication satellite fails to authenticate users.

ERROR (from ats.log):
[WARN] [04/14/2017 14:48:49.511] [4842] [ATS] [143] [root] [CASAServer] [] [(ClientAddr=192.168.0.8)Krb5Token Constructor()- GSS Exception caught: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)] [authtoksvc.Krb5Authenticate$Krb5Token] [] [] [CASA]
[WARN] [04/14/2017 14:48:49.512] [4842] [ATS] [143] [root] [CASAServer] [] [(ClientAddr=192.168.0.8)invoke()- Exception: java.lang.Exception: Authentication Failure] [authtoksvc.Krb5Authenticate] [] [] [CASA]

Resolution

Workaround:

  1. On the authentication satellite make a backup of this file:

    /etc/CASA/authtoken/svc/casa-jaas.conf
  2. Edit the file and replace this line (the literal KEYTAB_FILE is an unsubstituted placeholder, so the Krb5LoginModule has no keytab to read and cannot find a key for the service principal):

    keyTab="KEYTAB_FILE"

    with this one:

    keyTab="/etc/CASA/authtoken/svc/kerberos.keytab"
  3. Restart the ZENworks Agent Service on the satellite:

    /etc/init.d/novell-zenworks-xplatzmd restart
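The steps above as a script, added here as an example and not part of the TID: it checks casa-jaas.conf for the unsubstituted placeholder, backs the file up, rewrites the keyTab path, and prints the path the file now points at. The paths are the ones the TID names; the JAAS stanza in demo_fix is constructed for this example (the stanza name, options and principal are not taken from a real satellite).

```shell
#!/bin/sh
# Added example (not part of the TID): repair the keyTab placeholder in
# casa-jaas.conf on a SLED authentication satellite. Paths from the TID;
# the sample config in demo_fix is constructed.

CASA_KEYTAB=/etc/CASA/authtoken/svc/kerberos.keytab

# Succeed (exit 0) when the file still carries the literal KEYTAB_FILE placeholder.
has_placeholder() {
    grep -q 'keyTab="KEYTAB_FILE"' "$1"
}

# Print the keyTab path the config currently points at (empty if none).
keytab_path_in() {
    sed -n 's/.*keyTab="\([^"]*\)".*/\1/p' "$1"
}

# Back the file up and replace the placeholder with the real keytab path.
# Writes to a temp file and renames it, so a failure cannot leave a half-written config.
fix_keytab_path() {
    conf=$1
    cp -p "$conf" "$conf.$(date +%Y%m%d%H%M%S).bak"
    sed "s|keyTab=\"KEYTAB_FILE\"|keyTab=\"$CASA_KEYTAB\"|" "$conf" > "$conf.tmp" \
        && mv "$conf.tmp" "$conf"
}

# Fix one config file if it needs fixing, then print the resulting keyTab path.
fix_if_needed() {
    if has_placeholder "$1"; then
        fix_keytab_path "$1"
    fi
    keytab_path_in "$1"
}

# Offline demonstration on a constructed casa-jaas.conf fragment.
demo_fix() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
CASA_Krb5Authenticate {
    com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        storeKey=true
        keyTab="KEYTAB_FILE"
        principal="host/satellite.example.com";
};
EOF
    fix_if_needed "$tmp"
    rm -f "$tmp" "$tmp".*.bak
}

# Real use on the satellite (as root):
#   fix_if_needed /etc/CASA/authtoken/svc/casa-jaas.conf
#   /etc/init.d/novell-zenworks-xplatzmd restart
```

After the restart, confirm that the keytab actually holds a key for the service principal with the encryption type the client negotiated (the log above shows RC4-HMAC), for example with `klist -k -t -e /etc/CASA/authtoken/svc/kerberos.keytab`; a correct path pointing at a keytab without a matching key produces the same GSS exception.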

Status

Reported to Engineering

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented “AS IS” WITHOUT WARRANTY OF ANY KIND.

7018359: The NetIQ DRA Health Check utility reports an error under Accounts Validation for Domain Accounts Overview

This document (7018359) is provided subject to the disclaimer at the end of this document.

Environment

NetIQ Directory and Resource Administrator 9.0.x

Situation

When running the NetIQ Directory and Resource Administrator (DRA) Health Check Utility (HCU), you can validate the status of the various Active Directory (AD) accounts used by DRA. One of these checks is labeled Domain Accounts Overview; it queries the DRA configuration for details of each managed domain's access account.

Resolution

In order to verify the results of the HCU, you will need to use the DRA Delegation and Configuration console to view the domain access account details. Each managed domain has the following options:

  • Use the AD account running the NetIQ Services
    • Using this option will trigger the HCU to report a possible issue validating the account, as technically there is no account value stored.
  • Use this account
    • This option requires a manually typed user name and password. These credentials are encrypted and securely stored within the DRA Configuration. This portion of the DRA configuration is stored within the local Active Directory Lightweight Directory Services (ADLDS) located on each DRA server.
  • Use the value set on the Primary DRA Server
    • This option is only exposed on DRA servers running as a secondary DRA server

Cause

The DRA HCU attempts to validate that stored credentials exist for each managed domain. When it fails to find a value, it displays a warning. The warning can indicate a problem with the domain access credentials, or simply that none are stored because the domain uses the account running the NetIQ services.

7018626: How does DRA utilize the off line AD accounts cache

This document (7018626) is provided subject to the disclaimer at the end of this document.

Environment

NetIQ Directory and Resource Administrator 8.7.x
NetIQ Directory and Resource Administrator 9.x

Situation

The NetIQ Directory and Resource Administrator (DRA) product requires regular read and write access to the Active Directory domains, and any Office 365 tenants, managed by each DRA server. To keep this responsive, each DRA server caches a limited number of properties for all AD object types supported by DRA. When an operation performed by a DRA server needs information about a specific AD or cloud object, that server first consults its local offline cache. If the required attributes are not stored in the cache, the DRA server queries a specific Windows domain controller or the Office 365 portal directly to obtain them. The cache is a one-way sync FROM AD or the Office 365 tenant TO DRA, kept current by regular cache refreshes; each refresh picks up any changes made to an AD or cloud object since the previous refresh.

Resolution

To view details of the cache refresh you need access to the DRA Delegation and Configuration console, and to the Windows OS hosting the DRA server. Log on to the Windows OS as the AD account used to run the DRA services, or at least be able to impersonate that account after logon. Each DRA server has its own cache refresh for each managed domain and each managed Office 365 tenant. A managed domain can also be configured to cache, but not manage, the domains it trusts.

To change or view the AD Accounts Cache Refresh Status

  1. Logon to the DRA Delegation and Configuration Console (D&C) as the DRA Service account, or other account with DRA Administration powers
  2. Expand the D&C Console tree to Configuration Management, and then highlight Managed Domains.
  3. From the right click menu on any managed domain, choose the Properties option
  4. From the properties Window you will be able to view and configure the Accounts Cache Refresh

To view or change the Office 365 tenant accounts cache refresh

  1. Logon to the DRA Delegation and Configuration Console (D&C) as the DRA Service account, or other account with DRA Administration powers
  2. Expand the D&C Console tree to Configuration Management, and then highlight Office 365 Tenants.
  3. From the right click menu on any managed Office 365 Tenant open the properties page

Cause

Each DRA server maintains its own offline copy of AD, known as the cache. When a request made of the DRA application requires a read or write of AD object data, that request first uses the offline cache. The cache contains a limited subset of AD attributes for every object type supported by DRA, within each managed domain and each Office 365 tenant. Any attributes and values not stored in the cache come from live AD directly.
The DRA offline cache is stored in a MongoDB instance local to each DRA server. During a Full Accounts Cache Refresh (FACR, described below) the database records for the domain in question remain locked until the entire FACR has completed. This lock affects only the domain in which the FACR is running.

The DRA offline cache is kept in sync with AD or the Office 365 tenant based on two different methods:

  1. Incremental Accounts Cache Refresh (IACR)
    • Updates the accounts cache with the changes made to each managed domain or Office 365 tenant since the previous IACR or FACR
    • By default runs every 5 minutes for every managed domain and every hour for each managed Office 365 tenant
  2. Full Accounts Cache Refresh (FACR)
    • Replaces the entire cache with what is currently stored in AD or the Office 365 cloud
    • Locks all records specific to the managed domain or tenant being cached; this temporarily prevents the domain or tenant from being accessed within DRA until the FACR has completed

Additional Information

The Windows Application event log records an event from source McsAdminSVC and CacheLoader for each start and stop of a cache refresh; these can be used to track its progress. Windows Task Manager also shows a separate DRACacheLoader.exe process for each managed domain or Office 365 tenant while its refresh runs. The Details tab of Task Manager can be configured to show the command line of each process; each DRACacheLoader.exe instance has a unique command line that names the domain or tenant it is currently updating.

7018807: ZENworks stops connecting to the database and ZCC showing 404 error when accessing login page

This document (7018807) is provided subject to the disclaimer at the end of this document.

Environment

Novell ZENworks Configuration Management 11.4 Database

Microsoft SQL Server database

Nutanix cluster

Situation

  • ZENworks database on Microsoft SQL Server migrated to Nutanix cluster
  • nslookup command from ZENworks Primary Server returns both the active cluster IP address and the inactive, failover cluster IP address
  • ZENworks Control Center (ZCC) showing 404 error or cannot connect to server
  • ZENworks services-message.log, loader-messages.log, and zcc.log files stopped writing
  • ping command from the Primary Server to the database server sometimes times out

The following could be seen on the ZCC login page:

ERROR:

404 Error

The page requested could not be found.

Refer ZCC.log for error messages or additional information.

If the error persists, contact Novell Technical Support.

The following could be seen in the c3p0_zenserver.log:

ERROR:

DEBUG [null] An exception occurred while acquiring a poolable resource. Will retry.

java.sql.SQLException: Network error IOException: Connection timed out: connect

at net.sourceforge.jtds.jdbc.JtdsConnection.<init>(JtdsConnection.java:436)

at net.sourceforge.jtds.jdbc.Driver.connect(Driver.java:184)

Caused by: java.net.ConnectException: Connection timed out: connect

at java.net.TwoStacksPlainSocketImpl.socketConnect(Native Method)

Resolution

  1. Configure the database cluster to only use the active cluster IP address
  2. Configure DNS to only return the active cluster IP address
  3. Restart all ZENworks services on all Primary Servers with this command:

    novell-zenworks-configure -c Start

Cause

DNS resolution for the database server Fully Qualified Domain Name (FQDN) or short name returns one active IP address and one inactive IP address.

Additional Information

ZENworks does nothing special about DNS resolution when connecting to the database server: it connects to the DNS name configured in zdm.xml and uses whichever address the operating system's resolver returns. If that name resolves to the inactive IP address, the connection simply times out. Because the resolver may return either address, the connection can work some of the time and fail at other times.
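The check a Primary Server administrator wants before touching the cluster or DNS is whether the database name really resolves to more than one address. The script below is an added example, not part of the TID: it parses the answer section of nslookup output and reports SINGLE or MULTIPLE, with a live wrapper that runs nslookup from the Primary Server. The nslookup transcript in sample_nslookup is constructed, and the hostname and addresses in it are fictitious.

```shell
#!/bin/sh
# Added example (not part of the TID): flag a database hostname that resolves
# to more than one address, the condition behind the intermittent
# "Connection timed out" errors in c3p0_zenserver.log.

# Print the addresses from the answer section of `nslookup NAME` output.
# nslookup lists the resolver itself first (Server:/Address: lines); only the
# Address lines after a "Name:" line belong to the answer.
answer_ips() {
    awk '/^Name:/ { in_answer = 1; next }
         in_answer && /^Address(es)?:/ { sub(/^Address(es)?:[ \t]*/, ""); print }' "$@"
}

# Number of distinct addresses in the answer section.
count_answer_ips() {
    answer_ips "$@" | sort -u | awk 'END { print NR }'
}

# Verdict for captured nslookup output. SINGLE is what ZENworks needs;
# MULTIPLE means the JDBC connection from zdm.xml can land on the inactive cluster IP.
dns_verdict() {
    n=$(count_answer_ips "$@")
    case "$n" in
        0) echo "NONE" ;;
        1) echo "SINGLE" ;;
        *) echo "MULTIPLE($n)" ;;
    esac
}

# Live check, using the resolver the Primary Server actually uses:
#   check_db_host zendb.example.com
check_db_host() {
    nslookup "$1" | dns_verdict
}

# Constructed nslookup output for a name that returns both cluster addresses.
sample_nslookup() {
    cat <<'EOF'
Server:		192.168.0.2
Address:	192.168.0.2#53

Name:	zendb.example.com
Address: 192.168.0.20
Name:	zendb.example.com
Address: 192.168.0.21
EOF
}
```

Run check_db_host on every Primary Server, since each may use a different resolver; anything other than SINGLE for the name in zdm.xml means the fix in the Resolution section is still needed.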

7018739: Unable to create Domain Trust in DSfW

This document (7018739) is provided subject to the disclaimer at the end of this document.

Environment

Open Enterprise Server – OES 11 SP3

Open Enterprise Server – OES 2015

Situation

After the domain trust password expired, the customer tried to reset the domain trust password but each attempt failed. After this failure, the customer removed the domain trust and tried to recreate it by going into MMC -> Domains and Trusts. This failed as well with the following error:

Resolution

Verify that a domain password policy and a default password policy are present inside the domain, specifically in the Password Policies.System.<DomainName> container. The code looks for a password policy there, assigned to the domain and to the users within the domain. If none is found in that location, the above error occurs and the domain trust creation fails.

Cause

No password policy found in the default DSfW domain location.
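One way to check for the missing policy objects over LDAP instead of browsing the tree, added here as an example and not part of the TID. It assumes the DSfW domain uses the usual dc= naming for its domain DN, that the policy objects carry eDirectory's nspmPasswordPolicy object class, and that ldapsearch from openldap2-client is installed; the domain name, host and bind DN are placeholders you supply.

```shell
#!/bin/sh
# Added example (not part of the TID): look for password policy objects under
# the container the TID names as Password Policies.System.<DomainName>.
# Assumptions: dc= naming for the domain DN, nspmPasswordPolicy object class,
# ldapsearch available. Domain name, host and bind DN are caller-supplied.

# Map a DNS-style domain name to its distinguished name:
#   dsfw.example.com -> dc=dsfw,dc=example,dc=com
domain_dn() {
    printf '%s\n' "$1" | awk -F. '{
        for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i
        print ""
    }'
}

# DN of the Password Policies.System.<DomainName> container.
password_policy_container() {
    printf 'cn=Password Policies,cn=System,%s\n' "$(domain_dn "$1")"
}

# Query the domain controller for password policy objects in that container.
# Prints one "dn:" line per policy; prints nothing if the container is empty,
# which is the condition this TID describes.
#   list_password_policies dsfw.example.com dc1.dsfw.example.com 'cn=admin,o=org'
list_password_policies() {
    domain=$1; dc_host=$2; bind_dn=$3
    ldapsearch -LLL -x -H "ldaps://$dc_host" -D "$bind_dn" -W \
        -b "$(password_policy_container "$domain")" -s one \
        '(objectClass=nspmPasswordPolicy)' dn | grep '^dn:'
}
```

An empty result (or "No such object" for the base DN) matches the Cause above; the policy must be created and assigned before the trust can be recreated.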

7018804: Can’t mount a Windows share using the mount.cifs vers= option on SLES 11

This document (7018804) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 11 Service Pack 4 (SLES 11 SP4)

SUSE Linux Enterprise Server 11 Service Pack 3 (SLES 11 SP3)

SUSE Linux Enterprise Server 11 Service Pack 2 (SLES 11 SP2)

SUSE Linux Enterprise Server 11 Service Pack 1 (SLES 11 SP1)

Situation

Unable to mount a Windows share using the mount command on SLES 11 with the vers=2.0 option.

The Windows server has been configured to only allow SMBv2.

If the Windows server is configured to allow SMBv1, the mount command works regardless of the presence of the vers= option.

Resolution

Use a version of SLES with a 3.5 or later kernel, or configure the Windows server to allow SMBv1.

SLES 12 is an example of a version whose kernel is later than 3.5 and therefore supports the vers= option.

Cause

On SLES 11 (all service packs use a 3.0.* kernel) the kernel's cifs client code does not support the vers= option.

The vers= option was added in the 3.5 kernel.

mount.cifs does not error out when this option is used on such a kernel; the option is simply ignored and the client sends an SMBv1 Negotiate Protocol Request. When the Windows server is configured to not allow SMBv1, it answers that request with a TCP RST, which surfaces at the console as:

mount error (112): Host is down

Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
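Because the option is ignored rather than rejected, the useful check is done before mounting: test the running kernel against the 3.5 threshold the TID gives and refuse to probe an SMB2-only server with SMBv1. The script below is an added example, not part of the TID; the kernel release strings used in the test and the server, share and credentials-file names are constructed.

```shell
#!/bin/sh
# Added example (not part of the TID): decide whether this kernel honours the
# cifs vers= mount option before attempting to mount an SMB2-only share.
# The 3.5 threshold is the one stated in the TID.

# Succeed when a kernel release string (as printed by `uname -r`) is 3.5 or later.
# Handles SUSE-style strings such as 3.0.101-63-default and 3.12.74-60.64.40-default.
kernel_has_cifs_vers() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}
    [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 5 ]; }
}

# What mount.cifs will actually put on the wire for a given kernel release.
cifs_dialect_for() {
    if kernel_has_cifs_vers "$1"; then
        echo "vers= honoured"
    else
        echo "vers= ignored, SMBv1 sent"
    fi
}

# Mount an SMB2-only share, or explain why it cannot work on this kernel.
# Prints the mount command; executes it only when DO_MOUNT=1.
#   DO_MOUNT=1 mount_smb2_share fileserver.example.com data /mnt/data /root/.smbcreds
mount_smb2_share() {
    server=$1; share=$2; mountpoint=$3; creds=$4
    release=$(uname -r)
    if ! kernel_has_cifs_vers "$release"; then
        echo "kernel $release: $(cifs_dialect_for "$release"); an SMB2-only server will reset the connection (mount error (112): Host is down)" >&2
        return 1
    fi
    cmd="mount -t cifs //$server/$share $mountpoint -o vers=2.0,credentials=$creds"
    echo "$cmd"
    if [ "${DO_MOUNT:-0}" = 1 ]; then
        $cmd
    fi
}
```

To confirm the behaviour on the wire, capture the mount attempt with `tcpdump -nn host <server> and port 445`: on SLES 11 you see an SMBv1 Negotiate Protocol Request followed immediately by the server's RST, exactly as the Cause section describes.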

7000566: After making change to an ADF field the new setting is not seen at the workstation

This document (7000566) is provided subject to the disclaimer at the end of this document.

Environment

Novell ZENworks 11 Configuration Management Support Pack 1 – ZCM 11SP1

Situation

If an ADF (Administrator-Defined Field) is created and included in a CDF (Collection Data Form), then subsequent changes to the ADF, such as its field size, are not seen on the workstation.

Resolution

After making changes to the ADF, also edit the corresponding CDF and apply it. The change will then flow down to the workstation.

Cause

The CDF configuration is saved as an XML string, and modifications made on the ADF page are not reflected in that string. To confirm, see the inventoryCollectionWizard.xml file in %ZENWORKS_HOME%\cache\zmd\settings.

Additional Information

To confirm what setting is actually on the agent, check the file %ZENWORKS_HOME%\cache\zmd\settings\inventoryCollectionWizard.xml. It will not change until the CDF is re-applied.

Also run this query on the database:

select * from zsystemsetting where name = 'inventoryCollectionWizard'

and confirm that the data is correct. If more than one row is returned, there are likely separate assignments on device folders, devices, and so on; confirm that each of those has been updated.

7018482: Agent Manager connector Certificate Expired

This document (7018482) is provided subject to the disclaimer at the end of this document.

Environment

NetIQ Sentinel 7.X

Situation

Running a vulnerability scan on a Sentinel server can generate an “SSL Certificate Expired” message.

Resolution

To create a new certificate, use the following steps:

1. Launch the Sentinel Control Center
2. Open the Event Source Management (Live View)
3. Right-click the Agent Manager Connector
4. Select Edit
5. Select the Security tab
6. Under Server Key Pair Settings, click Custom
7. Click OK
8. Repeat steps 3-6 but instead of selecting Custom, select Internal (default)
9. Click OK
The Agent Manager Connector will automatically restart and generate a new certificate.

Cause

The initial certificate generated with a new installation of Sentinel is valid for only one year.
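Since the regenerated certificate is again valid for only one year, it pays to check the listener's expiry date before the next vulnerability scan does. The script below is an added example, not part of the TID: it fetches the certificate a TLS listener presents and fails when it expires within a chosen number of days. It assumes openssl is installed; the host and port are supplied by the caller (the connector's listening port is not given in the TID), and make_demo_cert builds a throwaway self-signed certificate so the check can be exercised offline.

```shell
#!/bin/sh
# Added example (not part of the TID): warn before a TLS listener's certificate
# expires, so the one-year Agent Manager Connector certificate is regenerated
# before a scanner flags it. Requires openssl.

# Succeed when the certificate in PEM file $1 is still valid $2 days from now.
# `openssl x509 -checkend N` exits 0 when the certificate will NOT expire within N seconds.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Fetch the leaf certificate presented at HOST:PORT (PEM on stdout).
fetch_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM 2>/dev/null
}

# Print the expiry date of the certificate at HOST:PORT and fail if it expires
# within $3 days (default 30).
#   check_listener_cert sentinel.example.com <connector-port> 30
check_listener_cert() {
    host=$1; port=$2; days=${3:-30}
    pem=$(mktemp)
    fetch_cert "$host" "$port" > "$pem"
    if [ ! -s "$pem" ]; then
        echo "$host:$port: no certificate retrieved" >&2
        rm -f "$pem"
        return 2
    fi
    openssl x509 -in "$pem" -noout -enddate
    if cert_valid_for_days "$pem" "$days"; then
        status=0
    else
        echo "$host:$port: certificate expires within $days days" >&2
        status=1
    fi
    rm -f "$pem"
    return $status
}

# Throwaway self-signed certificate valid for $2 days, written to $1 (key to $1.key).
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj '/CN=demo' \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1
}
```

Run check_listener_cert from cron against the connector's host and port with a margin of a few weeks; a non-zero exit is the cue to repeat the Custom/Internal toggle above before the certificate lapses.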

7017764: NetIQ Audit connector is not working as expected

This document (7017764) is provided subject to the disclaimer at the end of this document.

Environment

NetIQ Sentinel 7.4.2x Sentinel Server

Situation

The audit connector is not able to connect to Sentinel.

The following error appears in server0.0.log:
Error encountered in sendClient(1): javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
Thu Jun 16 16:42:58 IST 2016|SEVERE|Thread-370|esecurity.ccs.comp.evtsrcmgt.connector.auditserver.DeviceSensorAuditListener$LEngine.sendClient
Root cause: Certificates does not conform to algorithm constraints (java.security.cert.CertificateException)
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1909)
at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:230)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:747)
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:138)
at java.io.DataOutputStream.write(DataOutputStream.java:88)
at esecurity.ccs.comp.evtsrcmgt.connector.auditserver.DeviceSensorAuditListener$LEngine.sendClient(DeviceSensorAuditListener.java:949)
at esecurity.ccs.comp.evtsrcmgt.connector.auditserver.DeviceSensorAuditListener$LEngine.handle_LE_CMD_STARTTLS(DeviceSensorAuditListener.java:666)
at esecurity.ccs.comp.evtsrcmgt.connector.auditserver.DeviceSensorAuditListener$LEngine.performHandShake(DeviceSensorAuditListener.java:607)
at esecurity.ccs.comp.evtsrcmgt.connector.auditserver.DeviceSensorAuditListener$LEngine.run(DeviceSensorAuditListener.java:462)
Caused by: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
at sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:1055)
at sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(SSLContextImpl.java:981)
at sun.security.ssl.AbstractTrustManagerWrapper.checkClientTrusted(SSLContextImpl.java:916)
at sun.security.ssl.ServerHandshaker.clientCertificate

Resolution

Preferred solution

On Sentinel, update to:

Sentinel Audit connector 2011.1r4 build Jan 2017

On eDirectory, update to:

eDirectory 8.8 SP8 Patch 9 Hotfix 2 or later

OR

Workaround: relax the JRE's certificate algorithm constraints so that MD5-signed certificates are accepted again. This undoes a hardening step in the Java 8 update that Sentinel ships with; MD5 signatures are vulnerable to collision attacks, so treat this as temporary and revert it once eDirectory has been patched.

1. On the Sentinel server, open the file that holds the settings: /opt/novell/sentinel/jdk/jre/lib/security/java.security

2. The file previously contained these lines:

jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024

jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768

Comment out those two lines and add the following two lines:

jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768

3. After the modification the settings in java.security look like this:

#jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024

jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

#jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768

jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768

4. For the change to take effect, restart the Sentinel service with rcsentinel restart or /etc/init.d/sentinel restart.
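The edit in steps 2 and 3 as a repeatable script, added here as an example and not part of the TID: it comments out the original property line, writes the relaxed line beside it, leaves the file untouched when the token is already absent, and prints the effective values so the result can be verified. The java.security path is the one the TID gives; the two-line sample file in demo_relax is constructed from the lines the TID quotes.

```shell
#!/bin/sh
# Added example (not part of the TID): apply the java.security workaround
# repeatably. Only the MD5 tokens are removed; SSLv3, RC4 and the key-size
# constraints stay in force. The sample in demo_relax is constructed.

JAVA_SECURITY=/opt/novell/sentinel/jdk/jre/lib/security/java.security

# Print the effective (uncommented) value of a java.security property.
java_security_value() {
    sed -n "s/^$1=//p" "$2" | tail -n 1
}

# Drop one algorithm token from a comma-separated property value.
# Usage: drop_token PROPERTY TOKEN FILE   (rewritten file on stdout)
# The original line is kept, commented out, directly above the new one.
drop_token() {
    awk -v prop="$1" -v tok="$2" '
        index($0, prop "=") == 1 {
            n = split(substr($0, length(prop) + 2), parts, /, */)
            out = ""; found = 0
            for (i = 1; i <= n; i++) {
                if (parts[i] == tok) { found = 1; continue }
                out = out (out == "" ? "" : ", ") parts[i]
            }
            if (found) { print "#" $0; print prop "=" out } else { print }
            next
        }
        { print }' "$3"
}

# Remove MD5 from the certpath constraints and MD5withRSA from the TLS constraints.
relax_md5() {
    f=$1
    drop_token jdk.certpath.disabledAlgorithms MD5 "$f" > "$f.tmp" \
        && drop_token jdk.tls.disabledAlgorithms MD5withRSA "$f.tmp" > "$f.tmp2" \
        && mv "$f.tmp2" "$f" && rm -f "$f.tmp"
}

# Real use on the Sentinel server (as root), followed by `rcsentinel restart`.
relax_live() {
    cp -p "$JAVA_SECURITY" "$JAVA_SECURITY.bak" && relax_md5 "$JAVA_SECURITY"
}

# Offline demonstration on the two lines quoted in the TID (constructed file).
demo_relax() {
    tmp=$(mktemp)
    printf '%s\n' \
        'jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024' \
        'jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768' > "$tmp"
    relax_md5 "$tmp"
    java_security_value jdk.certpath.disabledAlgorithms "$tmp"
    java_security_value jdk.tls.disabledAlgorithms "$tmp"
    rm -f "$tmp"
}
```

Before applying the workaround, confirm that the rejected certificate really is MD5-signed: export the eDirectory certificate to PEM and run `openssl x509 -in <file> -noout -text | grep 'Signature Algorithm'`, which should show md5WithRSAEncryption. After eDirectory is patched, restore the .bak copy (or re-add the two tokens) so the JRE rejects MD5 signatures again.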

Cause

The eDirectory certificate is signed with MD5withRSA, an algorithm that the Java 8 runtime used by Sentinel now rejects. Java disabled MD5-based certificate signatures to improve security.
