Safeguard Authentication Services 6.0.1 - Administration Guide


Time synchronization problems

Kerberos is a time-sensitive protocol. Your UNIX hosts must be synchronized within five minutes of your Active Directory domain controllers. Run the following command as root to have Safeguard Authentication Services synchronize the local time with Active Directory:

vastool timesync 

Unable to authenticate to Active Directory

If Safeguard Authentication Services can no longer authenticate with Active Directory, the following solutions may help you troubleshoot the issue.

Table 29: Troubleshooting authentication problems

| Problem | Solution |
|---|---|
| The host's computer object has been deleted. | Recreate the computer object, then restart vasd. |
| The host keytab is deleted or becomes corrupt. | Delete then recreate the computer object and restart vasd. |

Unable to install or upgrade

The most common installation or upgrade failure is that the UNIX host cannot read the Safeguard Authentication Services application configuration in Active Directory. Ensure that you have followed the instructions in the Configure Active Directory for Safeguard Authentication Services section of the Safeguard Authentication Services Installation Guide and that the configuration has been created successfully.

During an upgrade, you may see an error that Safeguard Authentication Services cannot upgrade because the application configuration cannot be located. If you previously joined to a specific domain controller, Safeguard Authentication Services disabled DNS SRV record lookups. This means that Safeguard Authentication Services cannot resolve other domains in the forest and may be unable to locate the application configuration. In this case, you must ensure that the domain controller you specified is a global catalog. Otherwise, you must create the Safeguard Authentication Services application configuration in the domain that you join or you must properly configure DNS to return SRV records and join normally, rather than specifying a domain controller when you join.

For more information, see the About Active Directory Configuration section in the Safeguard Authentication Services Installation Guide.

Unable to join the domain

If you are unable to join the domain, run the preflight utility to validate your environment.

For more information, see The Safeguard Authentication Services Pre-Installation Diagnostic Tool in the Safeguard Authentication Services Installation Guide.

Then, verify the following:

  • Check that the Active Directory account specified during join has rights to join the computer to the domain.

  • Check that the UNIX host is able to properly resolve the domain name through DNS.

If you are joining to a specific domain controller, you must ensure that Safeguard Authentication Services can locate and read the configuration information in Active Directory. To do so, perform one of the following steps:

  • Make sure the domain controller you specify is a global catalog.

  • Create the Safeguard Authentication Services application configuration in the domain to which you are joining.

    For more information, see the About Active Directory Configuration section in the Safeguard Authentication Services Installation Guide.

  • Properly configure DNS to return SRV records and avoid joining to a specific domain controller.
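The DNS checks above can be scripted before retrying the join. The following is an added example, not part of the One Identity documentation or tooling: it assumes `dig` is installed, uses the standard Active Directory SRV names (`_ldap._tcp`, `_kerberos._tcp`, `_gc._tcp`), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not vendor code. Domain names passed in are the caller's own.

# srv_targets: read `dig +short SRV` output ("priority weight port target.")
# on stdin and print "target:port" for every well-formed record.
srv_targets() {
    awk 'NF == 4 && $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
        sub(/\.$/, "", $4); print $4 ":" $3
    }'
}

# check_srv NAME: succeed only if DNS returns at least one usable SRV record.
check_srv() {
    found=$(dig +short SRV "$1" 2>/dev/null | srv_targets)
    if [ -z "$found" ]; then
        printf 'FAIL %s: no SRV records returned\n' "$1"
        return 1
    fi
    printf 'OK   %s -> %s\n' "$1" "$(printf '%s' "$found" | tr '\n' ' ')"
}

# check_domain DOMAIN [FOREST_ROOT]: LDAP and Kerberos records live in the
# joined domain; the global catalog record is registered in the forest root.
check_domain() {
    domain=$1
    forest=${2:-$1}
    rc=0
    check_srv "_ldap._tcp.$domain" || rc=1
    check_srv "_kerberos._tcp.$domain" || rc=1
    check_srv "_gc._tcp.$forest" || rc=1
    return "$rc"
}

if [ "$#" -gt 0 ]; then
    check_domain "$@"
else
    echo "usage: $0 DOMAIN [FOREST_ROOT]" >&2
fi
```

A non-zero exit status means at least one record type is missing, which matches the case where the host cannot locate domain controllers or a global catalog through DNS.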
