Environment : When trying to join CPPM to the domain, we are getting the following error:
Adding host to AD domain...
INFO - Fetched REALM 'AD.DOMAIN.COM' from domain FQDN 'AD.DOMAIN.COM'
INFO - Fetched the NETBIOS name 'AD'
INFO - Creating domain directories for 'AD'
Enter admin's password:
[2014/01/23 11:38:00, 0] libads/sasl.c:819(ads_sasl_spnego_bind)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Unspecified GSS failure.
Minor code may provide more information : Cannot contact any KDC for realm 'AD.DOMAIN.COM'
Failed to join domain: failed to connect to AD: Unspecified GSS failure. Minor
code may provide more information : Cannot contact any KDC for realm 'AD.DOMAIN.COM'
INFO - Restoring smb configuration
INFO - Restoring krb5 configuration file
INFO - Deleting domain directories for 'AD'
ERROR - gtclearpass01 failed to join the domain AD.DOMAIN.COM with
domain controller as AD.DOMAIN.COM
Join domain failed
The AD and the ClearPass servers are on the same L2 network.
The packet capture between the AD and CPPM shows that AD is returning the error - KRB5KRB_ERR_RESPONSE_TOO_BIG
Customer's L2 infrastructure (switch and other networking gears where CPPM and AD are connected) has a lower MTU setting than that of CPPM.
CPPM has an MTU of 1500 and not exposed to alter this value administratively. When the L2 infrastructure has a lesser MTU than that of CPPM (we suspect this could be 1400 or even less), then some of the packets in the domain join process are not transmitted to CPPM or AD. This is resulting in the failure (which is confirmed in our lab).
Involve network administrator to higher the MTU in the customer's L2 infrastructure to 1500 or above.
Understand what is the network MTU setting and alter the CPPM's MTU to a value lesser than this (eg: if the L2 MTU is 1400, set CPPM's MTU to 1300).
You need to change the following configuration file in CPPM to alter its MTU.
Modify as arubasupport user in CLI, to add the MTU value (less than that of L2 MTU. In this case, 1300 has been defined just to )