ClearPass Winbind Reply Failed

Hey all,

I am trying to join a new ClearPass server to the domain, but am having a strange issue. During the join process, I received the following warning:

netjoin-failed.png

But it appears to have joined successfully.

I then attempted an authentication with a domain-joined Windows PC, and it was REJECTED. The Alert tab shows:

access-tracker-alert.png

Looking into the logs of this error shows the following:

access-tracker-logs.png

Not sure what the issue could be, never ran into this same problem when joining to a domain. I verified the ClearPass server object existed in AD and it was a member of the default computer OU, which is where another CPPM server also exists and is working without issue.

Any ideas would be greatly appreciated.


Michael Haring
ACMP, ACCP, BCNE, CCENT, Palo Alto ACE 7.0

Re: ClearPass Winbind Reply Failed

What version are you running on that ClearPass?

Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA

Re: ClearPass Winbind Reply Failed

6.7.3


Michael Haring
ACMP, ACCP, BCNE, CCENT, Palo Alto ACE 7.0

Re: ClearPass Winbind Reply Failed

It appears there is some issue translating the client's domain name and the domain appended to the machine authentications - anyone ever run into that?

Customer domain is ABC123, but devices joined to the domain use device1.123abc.com for example.

Seems like it can't translate between them.


Michael Haring
ACMP, ACCP, BCNE, CCENT, Palo Alto ACE 7.0

Re: ClearPass Winbind Reply Failed

Opened a TAC case and we worked with the domain admin and found that the smb_<client domain>.conf file was missing a few lines compared to a working server in the environment.

The primary line missing is the following:

samba-lines-missing.png

After matching up the files, we were able to test a successful domain machine authentication. We also restarted the domain service prior to testing. The other lines missing were under a Logging section, but not sure they played any role in the issue.

TAC indicated it may be a bug in the code upgrade to 6.7.3 and collected log files and config backup to try and review.


Michael Haring
ACMP, ACCP, BCNE, CCENT, Palo Alto ACE 7.0