Occasional Contributor II
Posts: 13
Registered: ‎04-25-2012

Clearpass - Windows AD - Reading WINBIND reply failed

Of late we have been having issues with users authenticating against Windows AD through ClearPass. The ClearPass logs read error 9002, "Reading winbind reply failed", and there were a few logs with NT_STATUS_IO_TIMEOUT.

Once we delete and add the ClearPass back to the domain, things start to work. While adding it back to the domain I have to manually point it to a specific domain controller, as adding it with just the domain name returned the following error.

'XX.LOCAL.COM'
INFO - Fetched the NETBIOS name 'XX.LOCAL.COM'
INFO - Creating domain directories for 'LOCAL.COM'
Enter clearpassuser's password:
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Unspecified GSS
failure. Minor code may provide more information : Server not found in Kerberos database
Failed to join domain: failed to connect to AD: Unspecified GSS
failure. Minor code may provide more information : Server not found in Kerberos database
INFO - Restoring smb configuration
INFO - Restoring krb5 configuration file
INFO - Deleting domain directories for 'LOCAL'
ERROR - lxmaclearpass01 failed to join the domain
XX.LOCAL.COM with domain controller as xx.local.com
Join domain failed

This was happening for the second time in the week. We made two changes: 1. the hostname, which was changed 25 days ago, and 2. we installed and later removed a server certificate, which we changed ~3 days before this issue first occurred.

Any suggestions would be greatly appreciated.

Thanks,

Sundar

Aruba
Posts: 1,540
Registered: ‎06-12-2012

Re: Clearpass - Windows AD - Reading WINBIND reply failed

http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Common-Clearpass-domain-Joining-errors/ta-p/192591

Looks like an FQDN issue.

Not correct FQDN:

Adding host to AD domain...
INFO - Fetched REALM 'CLEARPASS.ARUBA.COM' from domain FQDN
'clearpass.aruba.com'

INFO - Fetched the NETBIOS name 'CLEARPASS'
INFO - Creating domain directories for 'CLEARPASS'
INFO - Using Administrator as the CLEARPASS's username
Enter Administrator's password:
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Unspecified GSS
failure. Minor code may provide more information : Server not found in Kerberos database
Failed to join domain: failed to connect to AD: Unspecified GSS
failure. Minor code may provide more information : Server not found in Kerberos database
INFO - Restoring smb configuration
INFO - Restoring krb5 configuration file
INFO - Deleting domain directories for 'CLEARPASS'
ERROR - Clearpass.aruba.com failed to join the domain
CLEARPASS.ARUBA.COM with domain controller as clearpass.aruba.com

Join domain failed

Thank You,
Troy

Occasional Contributor II
Posts: 13
Registered: ‎04-25-2012

Re: Clearpass - Windows AD - Reading WINBIND reply failed

Hi,

I was able to resolve the clearpass server's FQDN fine.

The whole setup had been working fine for years until last week; even when this failure started, as part of troubleshooting we were able to query users against AD from the ClearPass server.

Now the whole thing is working, but I am not sure if it will continue to work, as I don't know the root cause yet.

Thanks,

Occasional Contributor II
Posts: 13
Registered: ‎04-25-2012

Re: Clearpass - Windows AD - Reading WINBIND reply failed

While troubleshooting we noticed that the DNS queries were answered by the secondary DNS server, a ping test showed the primary wasn't reachable.

Once we made the (then) secondary DNS server the primary in the ClearPass configuration, the issue didn't recur.

When it breaks, the only way we could make it work was to leave the domain and add it back; the domain join process took ~10-15 mins vs. the usual 1-2 mins, but we still overlooked the DNS part as we were able to query names. This fix was temporary and the authentication stopped after a few days, and we kept repeating the same leave/re-join domain.

I am not sure why the whole authentication was breaking so often even with a functional secondary DNS server.
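The two failure modes in this thread (Troy's "FQDN issue", where the join log shows the domain name itself as the domain controller, and Sundar's dead primary DNS server, where every lookup waited on a timeout before the secondary answered) can both be triaged from the box before anyone leaves and re-joins the domain. The script below is an added example, not ClearPass or Aruba code. It parses a join log in the format pasted above, classifies the "Server not found in Kerberos database" error (the rule encodes the reading that kinit succeeded, so the KDC is reachable, but the LDAP bind then asked for a service ticket for the bare domain name, for which no DC registers an SPN), and probes each configured resolver for the realm's Kerberos SRV record so a dead primary shows up as "unreachable" rather than as slow-but-working. The resolver addresses 10.0.0.1/10.0.0.2 and the DC names are constructed; the `dig`-based lookup assumes `dig` is installed and is only used when run with real network access.

```python
"""Triage helpers for ClearPass/Samba AD join failures.
Added example; sample log text is constructed from the thread's posts."""
import re
import subprocess
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample: the join log from the thread, hostnames kept as posted.
SAMPLE_JOIN_LOG = """INFO - Fetched the NETBIOS name 'XX.LOCAL.COM'
INFO - Creating domain directories for 'LOCAL.COM'
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Unspecified GSS
failure. Minor code may provide more information : Server not found in Kerberos database
ERROR - lxmaclearpass01 failed to join the domain
XX.LOCAL.COM with domain controller as xx.local.com
Join domain failed
"""


@dataclass
class JoinInfo:
    realm: Optional[str]      # realm the join targeted
    dc: Optional[str]         # host the join tool used as the domain controller
    gss_minor: Optional[str]  # GSS minor-code text, if any
    kinit_ok: bool            # a TGT was obtained, so the KDC itself answered


def parse_join_log(text: str) -> JoinInfo:
    """Extract realm, join target and GSS minor code from a join log."""
    realm_dc = re.search(
        r"failed to join the domain\s+(\S+)\s+with domain controller as\s+(\S+)", text)
    gss = re.search(r"Minor code may provide more information\s*:\s*(.+)", text)
    return JoinInfo(
        realm=realm_dc.group(1) if realm_dc else None,
        dc=realm_dc.group(2) if realm_dc else None,
        gss_minor=gss.group(1).strip() if gss else None,
        kinit_ok="kinit succeeded" in text,
    )


def diagnose_join(info: JoinInfo) -> str:
    """Classify the failure; the bare-domain-name case is the one from the thread."""
    if info.gss_minor and "Server not found in Kerberos database" in info.gss_minor:
        if info.dc and info.realm and info.dc.lower() == info.realm.lower():
            return ("kinit succeeded, so the KDC answered, but the LDAP bind requested a "
                    "ticket for ldap/<domain name> and no DC registers that SPN; "
                    "join against a DC FQDN instead of the bare domain name")
        return "KDC has no SPN for the bind target; verify the DC's forward and reverse DNS"
    return "no Kerberos-database error in this log"


# lookup(server, qname, qtype) -> answers; raises TimeoutError if the server never replies
Lookup = Callable[[str, str, str], List[str]]


def probe_resolvers(resolvers: List[str], realm: str, lookup: Lookup) -> Dict[str, dict]:
    """Ask every configured resolver for the realm's Kerberos SRV record.
    A resolver that never answers is reported as unreachable, which is what a
    'slow join, then authentication dies a few days later' symptom hides."""
    qname = f"_kerberos._tcp.{realm.lower()}"
    report: Dict[str, dict] = {}
    for server in resolvers:
        try:
            report[server] = {"reachable": True, "dcs": lookup(server, qname, "SRV")}
        except TimeoutError:
            report[server] = {"reachable": False, "dcs": []}
    return report


def dead_primary(report: Dict[str, dict], resolvers: List[str]) -> Optional[str]:
    """Return the primary resolver's address if it is the one not answering."""
    primary = resolvers[0]
    return primary if not report[primary]["reachable"] else None


def dig_lookup(server: str, qname: str, qtype: str, timeout: int = 2) -> List[str]:
    """Real lookup for use on a host with network access (assumes dig is installed).
    dig exits 9 when it gets no reply from the server, which we map to TimeoutError."""
    proc = subprocess.run(
        ["dig", f"@{server}", qname, qtype, "+short", f"+time={timeout}", "+tries=1"],
        capture_output=True, text=True, check=False)
    if proc.returncode == 9:
        raise TimeoutError(server)
    return [line for line in proc.stdout.splitlines() if line]


def fake_lookup_dead_primary(server: str, qname: str, qtype: str) -> List[str]:
    """Constructed stand-in for the thread's situation: 10.0.0.1 never replies,
    10.0.0.2 answers with two DCs (names are made up)."""
    table = {"10.0.0.2": ["0 100 88 dc1.xx.local.com.", "0 100 88 dc2.xx.local.com."]}
    if server not in table:
        raise TimeoutError(server)
    return table[server]


if __name__ == "__main__":
    info = parse_join_log(SAMPLE_JOIN_LOG)
    print(f"join target {info.dc!r} for realm {info.realm!r}: {diagnose_join(info)}")
    resolvers = ["10.0.0.1", "10.0.0.2"]
    report = probe_resolvers(resolvers, "XX.LOCAL.COM", fake_lookup_dead_primary)
    for server, result in report.items():
        print(server, "reachable" if result["reachable"] else "UNREACHABLE", result["dcs"])
    print("dead primary:", dead_primary(report, resolvers))
```

On a real box, pass `dig_lookup` instead of the fake and the resolver list from the appliance's DNS configuration; a primary that comes back unreachable while the secondary returns DC records is the condition the thread ended on, and is worth checking before any leave/re-join.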
