Environment: This article troubleshoots some common errors faced when joining ClearPass to Active Directory.
ClearPass version: 6.0.x to 6.3.x.
Time mismatch:
Adding host to AD domain...
INFO - Fetched REALM 'CLEARPASS.ARUBA.COM' from domain FQDN 'clearpass.aruba.com'
INFO - Fetched the NETBIOS name 'CLEARPASS'
INFO - Creating domain directories for 'CLEARPASS'
INFO - Using Administrator as the CLEARPASS's username
Enter Administrator's password:
[2014/04/01 18:46:17, 0] libads/sasl.c:819(ads_sasl_spnego_bind)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Unspecified GSS failure.
Minor code may provide more information : Clock skew too great
Failed to join domain: failed to connect to AD: Unspecified GSS failure. Minor
code may provide more information : Clock skew too great
Not a domain admin user (i.e. insufficient privileges to add/modify computers in AD):
Adding host to AD domain...
INFO - Fetched REALM 'CLEARPASS.ARUBA.COM' from domain FQDN
'ad1.clearpass.aruba.com'
INFO - Fetched the NETBIOS name 'CLEARPASS'
INFO - Creating domain directories for 'CLEARPASS'
Enter test's password:
Failed to join domain: Failed to set account flags for machine
account (NT_STATUS_ACCESS_DENIED)
INFO - Restoring smb configuration
INFO - Restoring krb5 configuration file
INFO - Deleting domain directories for 'CLEARPASS'
ERROR -Clearpass.aruba.com failed to join the domain
CLEARPASS.ARUBA.COM with domain controller as ad1.clearpass.aruba.com
Join domain failed
Not correct FQDN (i.e. trying to use the domain name only instead of the full FQDN of the domain controller):
Adding host to AD domain...
INFO - Fetched REALM 'CLEARPASS.ARUBA.COM' from domain FQDN
'clearpass.aruba.com'
INFO - Fetched the NETBIOS name 'CLEARPASS'
INFO - Creating domain directories for 'CLEARPASS'
INFO - Using Administrator as the CLEARPASS's username
Enter Administrator's password:
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Unspecified GSS
failure. Minor code may provide more information : Server not found in Kerberos database
Failed to join domain: failed to connect to AD: Unspecified GSS
failure. Minor code may provide more information : Server not found in Kerberos database
INFO - Restoring smb configuration
INFO - Restoring krb5 configuration file
INFO - Deleting domain directories for 'CLEARPASS'
ERROR - Clearpass.aruba.com failed to join the domain
CLEARPASS.ARUBA.COM with domain controller as clearpass.aruba.com <<<
Join domain failed
Constraint violation:
Adding host to AD domain...
INFO - Fetched REALM 'Aruba-Test.com' from domain FQDN 'ad.Aruba-Test.com'
INFO - Fetched the NETBIOS name 'My-Service'
INFO - Creating domain directories for 'My-Service'
Enter MY-USER's password:
Failed to join domain: failed to set machine spn: Constraint violation
INFO - Restoring smb configuration
INFO - Restoring krb5 configuration file
INFO - Deleting domain directories for 'My-Service'
ERROR - MY-CPPM failed to join the domain Aruba-Test.com with domain controller as ad.Aruba-Test.com
Join domain failed
Clock skew too great:
The maximum allowed clock difference is 5 minutes. Verify that the ClearPass and AD system times do not differ by more than 5 minutes; check the time, time zone and daylight saving settings on both.
Privilege Issue:
The username provided to join Active Directory should be a member of the Domain Admins group. When ClearPass joins the domain, a computer (host) entry is added under 'Computers' by default, so the account must be allowed to create and modify computer objects there.
Invalid domain controller FQDN:
The domain controller name provided when joining ClearPass to the domain must be the valid FQDN of a domain controller, not just the domain name. To verify it, run an nslookup from ClearPass (from the CLI: 'network nslookup <domain controller>'); it should return the IP address of a domain controller (note: the interface IP address of the DC should be returned).
Also make sure that the ClearPass FQDN is resolvable from the DC. If it is not, add an entry for ClearPass on the DNS server.
Constraint violation:
This error normally points to a privilege issue (i.e. the bind user does not have sufficient privileges to add/modify computer accounts in AD) or to a DNS issue (ClearPass or the DC not resolving correctly).
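As an added example (not ClearPass or Aruba code), the following Python script applies the checks above to a captured join transcript: it matches the error strings from the transcripts in this article, flags the case where the domain name rather than a DC's FQDN was supplied (realm and "domain FQDN" identical), and compares the timestamp Samba logged on ClearPass with a DC clock reading supplied by the operator against the 5-minute limit. The embedded sample transcript is constructed from the first excerpt above.

```python
import re
from datetime import datetime, timedelta

FMT = "%Y/%m/%d %H:%M:%S"  # timestamp format in the Samba line "[2014/04/01 18:46:17, 0]"
REALM_RE = re.compile(r"Fetched REALM '([^']+)' from domain FQDN\s+'([^']+)'")
STAMP_RE = re.compile(r"\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), \d+\]")
SIGNATURES = (  # error string from the transcripts above -> cause -> documented remedy
    ("Clock skew too great", "clock_skew",
     "Check time, time zone and DST on ClearPass and the DC (max 5 min skew)."),
    ("NT_STATUS_ACCESS_DENIED", "insufficient_privileges",
     "Join with an account that may add/modify computer objects (Domain Admins)."),
    ("Server not found in Kerberos database", "dc_fqdn_invalid",
     "Use the DC's FQDN and confirm 'network nslookup <dc>' returns its IP."),
    ("Constraint violation", "constraint_violation",
     "Check bind-account privileges and that DNS resolves ClearPass from the DC."),
)
# Constructed sample, abridged from the first transcript in this article.
SAMPLE_SKEW = """INFO - Fetched REALM 'CLEARPASS.ARUBA.COM' from domain FQDN 'clearpass.aruba.com'
[2014/04/01 18:46:17, 0] libads/sasl.c:819(ads_sasl_spnego_bind)
Minor code may provide more information : Clock skew too great"""


def classify(output):
    """Return (cause, remedy) for a join transcript, or ('unknown', ...)."""
    for needle, cause, remedy in SIGNATURES:
        if needle in output:
            return cause, remedy
    return "unknown", "Inspect the transcript manually."


def used_domain_instead_of_dc(output):
    """True when the 'domain FQDN' equals the realm, i.e. the domain name, not a DC's FQDN, was given."""
    m = REALM_RE.search(output)
    return bool(m) and m.group(1).lower() == m.group(2).lower()


def skew_ok(output, dc_time):
    """Compare the timestamp ClearPass logged with the DC clock (dc_time in FMT); None if no stamp."""
    m = STAMP_RE.search(output)
    if not m:
        return None
    local = datetime.strptime(m.group(1), FMT)
    return abs(local - datetime.strptime(dc_time, FMT)) <= timedelta(minutes=5)


def triage(output, dc_time=None):
    cause, remedy = classify(output)
    findings = [remedy]  # always start with the remedy for the matched error string
    if used_domain_instead_of_dc(output):
        findings.append("Domain FQDN equals the realm: supply the DC's FQDN instead.")
    if dc_time is not None and skew_ok(output, dc_time) is False:
        findings.append("Logged time differs from the DC by more than 5 minutes.")
    return cause, findings
```

Run `triage(transcript, "YYYY/MM/DD hh:mm:ss")` with the DC's current time to get the cause label and the list of checks to perform; the domain-name warning is advisory, since the domain name may still resolve to a DC, as in the first transcript.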