Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass - Windows AD - Reading WINBIND reply failed

  • 1.  Clearpass - Windows AD - Reading WINBIND reply failed

    Posted Oct 20, 2014 12:03 AM

    Of late we have been having issues with users authenticating against Windows AD through ClearPass. The ClearPass logs read error 9002, "Reading winbind reply failed", and there were a few logs with NT_STATUS_IO_TIMEOUT.

     

    Once we remove ClearPass from the domain and add it back, things start to work. While adding it back to the domain I have to manually point it at a specific domain controller, as adding it with just the domain name returned the following error.

     

    'XX.LOCAL.COM'
    INFO - Fetched the NETBIOS name 'XX.LOCAL.COM'
    INFO - Creating domain directories for 'LOCAL.COM'
    Enter clearpassuser's password:
    kinit succeeded but ads_sasl_spnego_krb5_bind failed: Unspecified GSS
    failure. Minor code may provide more information : Server not found in Kerberos database
    Failed to join domain: failed to connect to AD: Unspecified GSS
    failure. Minor code may provide more information : Server not found in Kerberos database
    INFO - Restoring smb configuration
    INFO - Restoring krb5 configuration file
    INFO - Deleting domain directories for 'LOCAL'
    ERROR - lxmaclearpass01 failed to join the domain
    XX.LOCAL.COM with domain controller as xx.local.com
    Join domain failed

     

    This was the second time it happened this week. We made two changes: 1. the hostname, which was changed 25 days ago, and 2. we installed and later removed a server certificate, which we changed ~3 days before this issue first occurred.

     

    Any suggestions would be greatly appreciated.

     

    Thanks,

    Sundar



  • 2.  RE: Clearpass - Windows AD - Reading WINBIND reply failed

    EMPLOYEE
    Posted Oct 20, 2014 12:09 AM

    http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Common-Clearpass-domain-Joining-errors/ta-p/192591

     

    Looks like an FQDN issue

     

    Incorrect FQDN: 
     
    Adding host to AD domain...
    INFO - Fetched REALM 'CLEARPASS.ARUBA.COM' from domain FQDN
    'clearpass.aruba.com'

    INFO - Fetched the NETBIOS name 'CLEARPASS'
    INFO - Creating domain directories for 'CLEARPASS'
    INFO - Using Administrator as the CLEARPASS's username
    Enter Administrator's password:
    kinit succeeded but ads_sasl_spnego_krb5_bind failed: Unspecified GSS
    failure. Minor code may provide more information : Server not found in Kerberos database
    Failed to join domain: failed to connect to AD: Unspecified GSS
    failure. Minor code may provide more information : Server not found in Kerberos database
    INFO - Restoring smb configuration
    INFO - Restoring krb5 configuration file
    INFO - Deleting domain directories for 'CLEARPASS'
    ERROR - Clearpass.aruba.com failed to join the domain
    CLEARPASS.ARUBA.COM with domain controller as clearpass.aruba.com

    Join domain failed


  • 3.  RE: Clearpass - Windows AD - Reading WINBIND reply failed

    Posted Oct 20, 2014 09:38 AM

    Hi,

     

    I was able to resolve the clearpass server's FQDN fine.

     

    The whole thing had been working fine for years until last week; even when this failure started, as part of troubleshooting we were able to query users against AD from the ClearPass server.

     

    Now the whole thing is working, but I am not sure if it will continue to work, as I don't know the root cause yet.

     

    Thanks,



  • 4.  RE: Clearpass - Windows AD - Reading WINBIND reply failed
    Best Answer

    Posted Nov 01, 2014 08:44 AM

    While troubleshooting we noticed that the DNS queries were answered by the secondary DNS server, a ping test showed the primary wasn't reachable.

     

    Once we made the current secondary DNS the primary in the ClearPass configuration, the issue didn't recur.

     

    When it broke, the only way we could make it work was to leave the domain and add it back; the domain join process took ~10-15 minutes versus the usual 1-2 minutes, but we still overlooked the DNS part as we were able to query names. This fix was temporary: authentication stopped after a few days, and we kept repeating the same leave/re-join of the domain.

     

    I am not sure why the whole authentication was breaking so often even with a functional secondary DNS server.
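An added example, not code from the thread, from HPE Aruba or from ClearPass itself. The join output quoted in the first post already carries the clue the accepted answer found by hand: "Server not found in Kerberos database" is the KDC reporting that it holds no principal for the service name the client asked for, and the last lines show the join was pointed at xx.local.com, the domain apex, rather than at a domain controller host. The script below parses that output, checks a DC name against DNS data (is it the apex, is it a target of the realm's _kerberos._tcp SRV record, does its reverse lookup map back), and probes each configured resolver on TCP/53 the way the ping test in the answer did. The log excerpt, hostnames, addresses and DNS answers are constructed; parse_join_log(), check_dc_name(), check_resolvers() and diagnose() are this example's own names.

```python
"""Added example, not code from the thread or from HPE Aruba ClearPass.

Parses the 'join domain' output quoted in the thread and runs the DNS checks
the accepted answer arrived at by hand. Names, addresses and the log excerpt
are constructed for illustration.
"""
import re
import socket
from dataclasses import dataclass

# Constructed excerpt modelled on the join output posted in the thread.
SAMPLE_JOIN_LOG = """\
Adding host to AD domain...
INFO - Fetched REALM 'XX.LOCAL.COM' from domain FQDN 'xx.local.com'
INFO - Fetched the NETBIOS name 'XX'
INFO - Creating domain directories for 'XX'
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Unspecified GSS
failure. Minor code may provide more information : Server not found in Kerberos database
Failed to join domain: failed to connect to AD: Unspecified GSS
ERROR - lxmaclearpass01 failed to join the domain
XX.LOCAL.COM with domain controller as xx.local.com
Join domain failed
"""


def parse_join_log(text):
    """Pull realm, NetBIOS name, the DC the join talked to, and the failure
    class out of ClearPass join output."""
    info = {"realm": None, "netbios": None, "dc": None, "reason": "unknown"}
    patterns = {
        "realm": r"Fetched REALM '([^']+)'",
        "netbios": r"Fetched the NETBIOS name '([^']+)'",
        "dc": r"with domain controller as (\S+)",
    }
    for key, pat in patterns.items():
        m = re.search(pat, text)
        if m:
            info[key] = m.group(1)
    # kinit succeeding but the LDAP bind failing with this minor code means the
    # KDC has no principal for the service name the client asked for.
    if "Server not found in Kerberos database" in text:
        info["reason"] = "kdc-unknown-spn"
    elif "NT_STATUS_IO_TIMEOUT" in text or "Reading winbind reply failed" in text:
        info["reason"] = "winbind-timeout"
    return info


@dataclass
class DnsAnswers:
    """Constructed stand-in for resolver answers so the checks run offline."""
    a: dict      # hostname -> list of addresses
    ptr: dict    # address -> hostname
    srv: dict    # SRV owner name -> list of target hostnames


def check_dc_name(realm, dc, dns):
    """Return the reasons a Kerberos bind to `dc` would not find a principal."""
    realm, dc = realm.lower(), dc.lower()
    findings = []
    # The apex A record points at some DC, so it resolves, but no DC holds
    # a principal named after the apex.
    if dc == realm:
        findings.append("dc-is-domain-apex")
    srv_targets = [t.lower() for t in dns.srv.get(f"_kerberos._tcp.{realm}", [])]
    if dc not in srv_targets:
        findings.append("dc-not-in-kerberos-srv")
    for addr in dns.a.get(dc, []):
        if dns.ptr.get(addr, "").lower() != dc:
            findings.append(f"ptr-mismatch:{addr}")
    return findings


def dns_tcp_reachable(host, timeout=2.0):
    """Reachability probe: a TCP connect to port 53, which AD DNS serves."""
    try:
        with socket.create_connection((host, 53), timeout=timeout):
            return True
    except OSError:
        return False


def check_resolvers(resolvers, probe=dns_tcp_reachable):
    """Map each configured resolver to whether it answered the probe; the
    thread's failure mode is a dead primary that a working secondary masks."""
    return {r: probe(r) for r in resolvers}


# Constructed DNS data for the domain in the log.
SAMPLE_DNS = DnsAnswers(
    a={"xx.local.com": ["10.0.0.10"], "dc01.xx.local.com": ["10.0.0.10"]},
    ptr={"10.0.0.10": "dc01.xx.local.com"},
    srv={"_kerberos._tcp.xx.local.com": ["dc01.xx.local.com"]},
)


def diagnose(log_text=SAMPLE_JOIN_LOG, dns=SAMPLE_DNS):
    """Parse the join output and attach the DC-name findings."""
    info = parse_join_log(log_text)
    if info["realm"] and info["dc"]:
        info["findings"] = check_dc_name(info["realm"], info["dc"], dns)
    return info


if __name__ == "__main__":
    print(diagnose())
```

Run against the constructed log, diagnose() reports the reason as kdc-unknown-spn and flags the DC name as the domain apex, absent from the Kerberos SRV targets and with a reverse record that points at dc01 instead; the same check against dc01.xx.local.com returns nothing. check_resolvers() is what the thread's ping test approximated: a primary that never answers shows up as False even while the secondary keeps name lookups working, which is why "we were able to query names" did not rule DNS out.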