After changing the encryption types (default_etypes) in /etc/opt/quest/vas/vas.conf, user authentications fail. The failure can also be triggered by temporary network errors or by password synchronization issues between the domain controllers. The fix prevents the keytab from becoming outdated: the host password change now either uses a cached fallback value for the KVNO or fails without modifying the password in AD.
The following is seen in the logs:
Syslog next parent loop:
vasd[240678]: _ldap_init_and_bind: Received INVALID_CREDENTIALS, returning CRED_EXPIRED to re-aquire creds
vasd[240678]: _attrs_find_continue: Credentials are expired, renewing credentials and retrying
vasd[240678]: _attrs_find_continue: renewing credentials
vasd[240678]: _ldap_init_and_bind: Received INVALID_CREDENTIALS, returning CRED_EXPIRED to re-aquire creds
vasd[240678]: get_password_policy_objects_for_naming_context: vas_attrs_find failed for filter (objectClass=msDS-PasswordSettings) with error VAS_ERR_LDAP: at ldap.c:321 in _ldap_init_and_bind#012 GSS SASL bind failed. LDAP Host:test01dc02.test01.test.oi, Client: UBUNTU24_42$@TEST01.TEST.OI, Service: ldap/seth01dc02.test01.test.oi@TEST01.TEST.OI. Invalid credentials.#012 Caused by:#012 LDAP_INVALID_CREDENTIALS: Invalid credentials
vasd[240678]: _ldap_init_and_bind: Received INVALID_CREDENTIALS, returning CRED_EXPIRED to re-aquire creds
vasd[240678]: _attrs_find_continue: Credentials are expired, renewing credentials and retrying
vasd[240678]: _attrs_find_continue: renewing credentials
vasd[240678]: _ldap_init_and_bind: Received INVALID_CREDENTIALS, returning CRED_EXPIRED to re-aquire creds
vasd[240678]: vasadmin_passwd_get_policy: vas_attrs_find failed on error VAS_ERR_LDAP: at ldap.c:321 in _ldap_init_and_bind#012 GSS SASL bind failed. LDAP Host:test01dc02.test01.test.oi, Client: UBUNTU24_42$@TEST01.TEST.OI, Service: ldap/test01dc02.test01.test.oi@TEST01.TEST.OI. Invalid credentials.#012 Caused by:#012 LDAP_INVALID_CREDENTIALS: Invalid credentials
Product defect ID 480851
During a host password change, if vasd failed to determine the KVNO (Key Version Number) of the new password set in AD, it was unable to update the host's keytab, leaving the machine in a state where it cannot contact the domain (authenticate to Kerberos).
Edit: April 2025
This is still a known issue in version 6.0.2 and is listed in the release notes under known issues.
Workaround: Rejoin the system to the domain.
The vasd daemon needs to be restarted after changing the encryption types that are used in client requests to the KDC (configuration option "libdefaults / default_etypes" in vas.conf). Until that happens, automatic changing of the computer's password may not work, and password policies might not be refreshed correctly.
Restart vasd: systemctl restart vasd
Check vasd status: systemctl status vasd
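A diagnostic for the situation described above, added here as an example and not part of the original article or of the product: it compares the default_etypes configured in vas.conf against the keys actually present in the host keytab, so an outdated keytab (no key for a newly configured encryption type) is flagged before it shows up as a bind loop in syslog. It assumes a krb5.conf-style [libdefaults] section, keytab listing in MIT `klist -ke` format, and a constructed keytab path; the config and listing below are constructed samples.

```python
import re
from configparser import ConfigParser

# Constructed sample of the [libdefaults] section of vas.conf (assumed
# krb5.conf-style syntax; the real file carries many more sections).
VAS_CONF = """
[libdefaults]
default_etypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_realm = TEST01.TEST.OI
"""

# Constructed sample of `klist -ke` output (MIT format) for a host keytab
# written before the etype change, so it only carries the old RC4 key.
# The keytab path is a placeholder, not the product's real location.
KLIST_OUT = """Keytab name: FILE:/path/to/host.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 UBUNTU24_42$@TEST01.TEST.OI (arcfour-hmac)
   5 host/ubuntu24-42.test01.test.oi@TEST01.TEST.OI (arcfour-hmac)
"""

def configured_etypes(conf_text):
    """Return the default_etypes list from [libdefaults], or [] if unset."""
    cp = ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(conf_text)
    return cp.get("libdefaults", "default_etypes", fallback="").split()

# One keytab entry per line: "<kvno> <principal> (<etype>)"
KEY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")

def keytab_entries(klist_text):
    """Parse `klist -ke` lines into {principal: (highest kvno, {etypes})}."""
    entries = {}
    for line in klist_text.splitlines():
        m = KEY_RE.match(line)
        if not m:
            continue  # header, separator or blank line
        kvno, princ, etype = int(m.group(1)), m.group(2), m.group(3)
        old_kvno, etypes = entries.get(princ, (kvno, set()))
        entries[princ] = (max(old_kvno, kvno), etypes | {etype})
    return entries

def missing_etypes(conf_text, klist_text, principal):
    """(kvno, [configured etypes with no key for principal in the keytab])."""
    kvno, have = keytab_entries(klist_text).get(principal, (None, set()))
    return kvno, [e for e in configured_etypes(conf_text) if e not in have]

if __name__ == "__main__":
    print(missing_etypes(VAS_CONF, KLIST_OUT, "UBUNTU24_42$@TEST01.TEST.OI"))
```

A non-empty list for the computer account principal means the keytab predates the etype change; in that case restart vasd as described above and confirm a new KVNO appears once the host password has been rotated.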