
[Lesson Learned] Dissecting the Error Messages when Joining ClearPass to an Active Directory Domain
After a long break from blogging because of a very heavy workload, I want to share the error messages you can run into when joining ClearPass to an Active Directory domain.
Below are several of the possible errors when joining ClearPass to Active Directory, each with the output ClearPass prints and the fix.
-
Clock skew too great:
Error Message:
```
Adding host to AD domain...
INFO - Fetched REALM 'CLEARPASS.ARUBA.COM' from domain FQDN 'clearpass.aruba.com'
INFO - Fetched the NETBIOS name 'CLEARPASS'
INFO - Creating domain directories for 'CLEARPASS'
INFO - Using Administrator as the CLEARPASS's username
Enter Administrator's password:
[2014/04/01 18:46:17, 0] libads/sasl.c:819(ads_sasl_spnego_bind)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Unspecified GSS failure. Minor code may provide more information : Clock skew too great
Failed to join domain: failed to connect to AD: Unspecified GSS failure. Minor code may provide more information : Clock skew too great
```
Solution:
The maximum difference allowed between the system time of the ClearPass server and that of Active Directory is 5 minutes (the Kerberos default clock-skew tolerance). Verify that the ClearPass server's time and the AD system time are not more than 5 minutes apart; better still, synchronise both with the same NTP server so they cannot drift apart again.
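Measuring the skew directly, as an added example that is not part of the original post: the script below makes one SNTP exchange against a server you name (point it at the domain controller, which runs the Windows Time service and therefore answers with the same clock the KDC uses) and computes the offset the way NTP clients do, then compares it with the 5-minute Kerberos limit. The 400-second offset in the offline demo, the `skew.py` file name and the server argument are assumptions for illustration.

```python
"""Measure the clock offset between this host and an NTP-speaking server (e.g. the DC).

The offset comes from a single SNTP exchange; an offset beyond 300 s is exactly what
makes the KDC reject the join with 'Clock skew too great'. Example code, not ClearPass's.
"""
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
MAX_KERBEROS_SKEW = 300.0       # Kerberos' default tolerance: the 5 minutes the article mentions


def ntp_timestamp_to_unix(ts_bytes):
    """8-byte NTP timestamp (32-bit seconds, 32-bit fraction) -> Unix seconds as float."""
    secs, frac = struct.unpack("!II", ts_bytes)
    return secs - NTP_EPOCH_OFFSET + frac / 2 ** 32


def unix_to_ntp_timestamp(unix_seconds):
    """Unix seconds -> 8-byte NTP timestamp (used to build the constructed reply below)."""
    secs = int(unix_seconds)
    frac = int((unix_seconds - secs) * 2 ** 32)
    return struct.pack("!II", secs + NTP_EPOCH_OFFSET, frac)


def clock_offset(reply, t1, t4):
    """Server clock minus our clock, in seconds, from one SNTP request/reply.

    t1 / t4 are our send and receive times; the reply carries the server's receive
    (t2, bytes 32-39) and transmit (t3, bytes 40-47) timestamps. Averaging the two
    differences cancels the network delay as long as it is roughly symmetric.
    """
    if len(reply) < 48:
        raise ValueError("truncated SNTP reply (%d bytes)" % len(reply))
    t2 = ntp_timestamp_to_unix(reply[32:40])
    t3 = ntp_timestamp_to_unix(reply[40:48])
    return ((t2 - t1) + (t3 - t4)) / 2.0


def skew_ok(offset, limit=MAX_KERBEROS_SKEW):
    """True when the absolute offset is inside the Kerberos tolerance."""
    return abs(offset) <= limit


def query_offset(server, timeout=3.0):
    """Send one SNTP client request (NTPv3, mode 3) to `server` and return the offset."""
    request = b"\x1b" + 47 * b"\x00"   # LI=0, VN=3, Mode=3 (client); remaining fields zero
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()
        sock.sendto(request, (server, 123))
        reply, _ = sock.recvfrom(48)
        t4 = time.time()
    return clock_offset(reply, t1, t4)


def build_reply(t2, t3):
    """Constructed 48-byte server reply carrying only the timestamps the offset needs."""
    reply = bytearray(48)
    reply[0] = 0x1C                     # LI=0, VN=3, Mode=4 (server)
    reply[32:40] = unix_to_ntp_timestamp(t2)
    reply[40:48] = unix_to_ntp_timestamp(t3)
    return bytes(reply)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:               # python skew.py <domain-controller>  (hypothetical file name)
        off = query_offset(sys.argv[1])
    else:                               # offline demo: a DC running 400 s ahead of us (assumed value)
        t1 = 1700000000.0
        off = clock_offset(build_reply(t1 + 400.05, t1 + 400.051), t1, t1 + 0.101)
    print("offset %.3f s -> %s" % (off, "OK" if skew_ok(off) else "join will fail: clock skew too great"))
```

Run it on the ClearPass side if you have shell access, or from any host whose clock you have already verified against ClearPass; UDP/123 to the DC must be open. A single sample is enough to spot a multi-minute skew, which is the only magnitude that matters here.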
-
The account used does not have sufficient privilege to modify AD (privilege issue):
Error Message:
```
Adding host to AD domain...
INFO - Fetched REALM 'CLEARPASS.ARUBA.COM' from domain FQDN 'ad1.clearpass.aruba.com'
INFO - Fetched the NETBIOS name 'CLEARPASS'
INFO - Creating domain directories for 'CLEARPASS'
Enter test's password:
Failed to join domain: Failed to set account flags for machine account (NT_STATUS_ACCESS_DENIED)
INFO - Restoring smb configuration
INFO - Restoring krb5 configuration file
INFO - Deleting domain directories for 'CLEARPASS'
ERROR - Clearpass.aruba.com failed to join the domain CLEARPASS.ARUBA.COM with domain controller as ad1.clearpass.aruba.com
Join domain failed
```
Solution:
The username used for the Active Directory join must be a domain account that belongs to a group with enough privilege to create and modify the computer object that binds ClearPass to AD; when the ClearPass server joins the domain, a host (computer account) entry for it is added to the Active Directory database. A Domain Admins account works, but the least-privilege option is a dedicated join account with "Create Computer objects" (and write access to the objects it creates) delegated on the OU where the ClearPass computer object will live.
-
Wrong FQDN entered:
Error Message:
```
Adding host to AD domain...
INFO - Fetched REALM 'PACKETNOTES.COM' from domain FQDN 'packetnotes.com'
INFO - Fetched the NETBIOS name 'PACKETNOTES'
INFO - Creating domain directories for 'PACKETNOTES'
Enter pnotes's password:
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Unspecified GSS failure. Minor code may provide more information : Server not found in Kerberos database
Failed to join domain: failed to connect to AD: Unspecified GSS failure. Minor code may provide more information : Server not found in Kerberos database
INFO - Restoring smb configuration
INFO - Restoring krb5 configuration file
INFO - Deleting domain directories for 'PACKETNOTES'
ERROR - pnotesjkt-cppm failed to join the domain PACKETNOTES.COM with domain controller as packetnotes.com
Join domain failed
```
Solution:
This happens when only the domain name (packetnotes.com) was entered as the domain controller rather than the DC's full FQDN. Kerberos builds the service principal it asks the KDC for from the name you supply, so with the bare domain name it looks for a server principal that does not exist and the KDC answers "Server not found in Kerberos database". Enter the domain controller's host FQDN and make sure that the ClearPass FQDN is resolvable from the Domain Controller and that the DC is resolvable from ClearPass. To check the latter from the ClearPass CLI, run network nslookup <domain controller>; the result should be the domain controller's IP address. If it is not, add the entry on the DNS server.
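A preflight for the names involved, added here as an example rather than code from the post or from Aruba: it flags the bare-domain mistake above, confirms both the DC and the ClearPass FQDN resolve, and checks the DC's PTR record, since a reverse name that differs from the forward name makes MIT Kerberos clients (rdns is on by default) request a principal for the wrong host and fail the same way. The resolver and reverse-resolver are injected so the constructed packetnotes.com table at the bottom can stand in for real DNS; the IP addresses and the pnotesjkt-cppm.packetnotes.com name are assumptions.

```python
"""Preflight for the two names the join depends on: the domain controller entered in the
ClearPass form and ClearPass's own FQDN. Example code, not part of ClearPass."""
import socket


def ldap_principal(dc_name, realm):
    """Service principal the LDAP bind asks the KDC for; it is built from the name you typed."""
    return "ldap/%s@%s" % (dc_name.lower().rstrip("."), realm.upper().rstrip("."))


def check_join_names(realm, dc_name, clearpass_fqdn,
                     resolve=socket.gethostbyname, reverse=socket.gethostbyaddr):
    """Return a list of findings; an empty list means the names look sound."""
    findings = []
    realm_l = realm.lower().strip(".")
    dc_l = dc_name.lower().strip(".")

    # 1. The DC field must name a host, not the domain. A bare domain name usually still
    #    resolves (to the DCs), so DNS alone will not catch this; the KDC has no
    #    ldap/<domain> principal and answers 'Server not found in Kerberos database'.
    if dc_l == realm_l:
        findings.append("domain controller field is the bare domain %r: the bind would request %s; "
                        "enter the DC host FQDN instead" % (dc_name, ldap_principal(dc_name, realm)))
    elif not dc_l.endswith("." + realm_l):
        findings.append("%r is not a host in the %s DNS zone; double-check it" % (dc_name, realm_l))

    # 2. Both sides must resolve (the article's 'network nslookup <domain controller>').
    addrs = {}
    for role, name in (("domain controller", dc_l),
                       ("ClearPass server", clearpass_fqdn.lower().strip("."))):
        try:
            addrs[role] = resolve(name)
        except OSError as exc:
            findings.append("%s %r does not resolve (%s); add the record to DNS" % (role, name, exc))

    # 3. The DC's PTR should give back the same host name; Kerberos clients that
    #    canonicalise through reverse DNS would otherwise ask for ldap/<ptr-name>.
    if "domain controller" in addrs and dc_l != realm_l:
        ip = addrs["domain controller"]
        try:
            ptr = reverse(ip)[0].lower().rstrip(".")
            if ptr != dc_l:
                findings.append("PTR for %s is %r, not %r; Kerberos may request ldap/%s instead"
                                % (ip, ptr, dc_l, ptr))
        except OSError:
            findings.append("no PTR record for %s (%s)" % (ip, dc_l))
    return findings


# Constructed DNS data for an offline run; names follow the article's packetnotes.com example,
# the addresses are invented.
FAKE_FORWARD = {
    "packetnotes.com": "10.0.0.5",                 # the domain name itself resolves to the DC
    "pnotesjkt-ad01.packetnotes.com": "10.0.0.5",
    "pnotesjkt-cppm.packetnotes.com": "10.0.0.20",
}
FAKE_REVERSE = {"10.0.0.5": ("pnotesjkt-ad01.packetnotes.com", [], ["10.0.0.5"])}


def fake_resolve(name):
    """Stand-in for socket.gethostbyname backed by FAKE_FORWARD."""
    if name not in FAKE_FORWARD:
        raise socket.gaierror("constructed NXDOMAIN for %s" % name)
    return FAKE_FORWARD[name]


def fake_reverse(ip):
    """Stand-in for socket.gethostbyaddr backed by FAKE_REVERSE."""
    if ip not in FAKE_REVERSE:
        raise socket.herror("constructed: no PTR for %s" % ip)
    return FAKE_REVERSE[ip]


if __name__ == "__main__":
    for dc in ("packetnotes.com", "pnotesjkt-ad01.packetnotes.com"):
        print(dc, "->", check_join_names("PACKETNOTES.COM", dc, "pnotesjkt-cppm.packetnotes.com",
                                         fake_resolve, fake_reverse) or "OK")
```

Drop the two fake arguments to run it against real DNS from a host that uses the same resolver ClearPass does; the answers must come from the DNS server that the ClearPass network settings point at, not from a laptop on a different network.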
-
Constraint violation:
Error Message:
```
Adding host to AD domain...
INFO - Fetched REALM 'PACKETNOTES.COM' from domain FQDN 'pnotesjkt-ad01.packetnotes.com'
INFO - Fetched the NETBIOS name 'PACKETNOTES'
INFO - Creating domain directories for 'PACKETNOTES'
Enter pnotes's password:
Failed to join domain: failed to set machine spn: Constraint violation
INFO - Restoring smb configuration
INFO - Restoring krb5 configuration file
INFO - Deleting domain directories for 'PACKETNOTES'
ERROR - pnotesjkt-cppm failed to join the domain PACKETNOTES.COM with domain controller as pnotesjkt-ad01.packetnotes.com
Join domain failed
```
Solution:
Usually a privilege issue, where the bind user lacks the rights to add and modify computer accounts in the Active Directory database, or a DNS problem. A constraint violation on the machine SPN is also what AD returns when the SPN is already held by another object, for example a stale computer object left behind by an earlier join of the same ClearPass hostname, so look for and remove any such object before retrying.
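To tie the four cases together, here is an added triage helper (example code, not something shipped with ClearPass) that matches a join transcript against the signatures above and extracts the realm and DC names, so a bare domain name in the DC field is reported even when the visible error is a different one. The SAMPLES are abridged from the article's own transcripts; the hint texts are this example's wording of the fixes given above.

```python
"""Classify the output of a failed ClearPass join against the failures discussed above."""
import re

# (label, pattern, what to do) for each failure discussed in the article.
SIGNATURES = [
    ("clock_skew", re.compile(r"Clock skew too great"),
     "ClearPass and the DC are more than 5 minutes apart; sync both to the same NTP source"),
    ("access_denied", re.compile(r"NT_STATUS_ACCESS_DENIED"),
     "the join account cannot create/modify the computer object; use an account with rights on the target OU"),
    ("server_not_found", re.compile(r"Server not found in Kerberos database"),
     "the DC field is not a DC host FQDN or forward/reverse DNS is wrong; enter the DC FQDN and fix DNS"),
    ("spn_constraint", re.compile(r"failed to set machine spn: Constraint violation"),
     "AD refused the SPN: check the join account's rights, DNS, and whether another object already holds the SPN"),
]
REALM_RE = re.compile(r"Fetched REALM '([^']+)' from domain FQDN '([^']+)'")
DC_RE = re.compile(r"with domain controller as (\S+)")


def diagnose_join_output(text):
    """Return {'realm', 'dc', 'causes', 'hints'} for one join transcript."""
    result = {"realm": None, "dc": None, "causes": [], "hints": []}
    m = REALM_RE.search(text)
    if m:
        result["realm"], result["dc"] = m.group(1), m.group(2)
    m = DC_RE.search(text)                  # the final ERROR line repeats the DC name
    if m:
        result["dc"] = m.group(1)
    for label, pattern, hint in SIGNATURES:
        if pattern.search(text):
            result["causes"].append(label)
            result["hints"].append(hint)
    # A DC name equal to the realm means the form held the bare domain name.
    if result["realm"] and result["dc"] and \
            result["dc"].lower().strip(".") == result["realm"].lower().strip("."):
        result["causes"].append("bare_domain_as_dc")
        result["hints"].append("domain controller was entered as %r; use the DC host FQDN" % result["dc"])
    if "Join domain failed" in text and not result["causes"]:
        result["causes"].append("unknown")
        result["hints"].append("no known signature matched; read the first 'Failed to join domain' line")
    return result


# Constructed from the article's four transcripts, abridged to the lines that matter.
SAMPLES = {
    "clock": "Adding host to AD domain...\n"
             "INFO - Fetched REALM 'CLEARPASS.ARUBA.COM' from domain FQDN 'clearpass.aruba.com'\n"
             "kinit succeeded but ads_sasl_spnego_krb5_bind failed: Unspecified GSS failure. "
             "Minor code may provide more information : Clock skew too great\n",
    "privilege": "INFO - Fetched REALM 'CLEARPASS.ARUBA.COM' from domain FQDN 'ad1.clearpass.aruba.com'\n"
                 "Failed to join domain: Failed to set account flags for machine account (NT_STATUS_ACCESS_DENIED)\n"
                 "ERROR - Clearpass.aruba.com failed to join the domain CLEARPASS.ARUBA.COM "
                 "with domain controller as ad1.clearpass.aruba.com\nJoin domain failed\n",
    "fqdn": "INFO - Fetched REALM 'PACKETNOTES.COM' from domain FQDN 'packetnotes.com'\n"
            "Failed to join domain: failed to connect to AD: Unspecified GSS failure. "
            "Minor code may provide more information : Server not found in Kerberos database\n"
            "ERROR - pnotesjkt-cppm failed to join the domain PACKETNOTES.COM "
            "with domain controller as packetnotes.com\nJoin domain failed\n",
    "spn": "INFO - Fetched REALM 'PACKETNOTES.COM' from domain FQDN 'pnotesjkt-ad01.packetnotes.com'\n"
           "Failed to join domain: failed to set machine spn: Constraint violation\n"
           "ERROR - pnotesjkt-cppm failed to join the domain PACKETNOTES.COM "
           "with domain controller as pnotesjkt-ad01.packetnotes.com\nJoin domain failed\n",
}

if __name__ == "__main__":
    for name, transcript in SAMPLES.items():
        r = diagnose_join_output(transcript)
        print("%-9s realm=%s dc=%s causes=%s" % (name, r["realm"], r["dc"], r["causes"]))
        for hint in r["hints"]:
            print("          -", hint)
```

Paste the full text of the join attempt (it is printed in the ClearPass UI and CLI) into `diagnose_join_output`; the function is deliberately line-oriented so it also works on a screenshot transcription where the long GSS lines have been wrapped.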
djay
May 26, 2019 - 3:22 pm
Good job bro.. thanks.