Error : Failed to obtain computer SID from LDAP.


Article ID: CTX217634


Description

The following error appears in /var/log/xdl/vda.log when a Linux VDA tries to start:

 

2016-07-01 17:45:54.368 [INFO ] - Java version "1.7.0_79". OpenJDK Runtime Environment. OpenJDK 64-Bit Server VM (build 24.79-b02, mixed mode)
2016-07-01 17:45:54.369 [INFO ] - The Citrix Desktop Service specification version is '7.5' and implementation version is '1.3.0.312'.
2016-07-01 17:45:54.378 [INFO ] - The Citrix Desktop Service is starting.
2016-07-01 17:45:57.933 [INFO ] - The Citrix Desktop Service successfully initialized communication services required for interaction between this machine and delivery controllers.
2016-07-01 17:45:58.152 [ERROR] - LDAPSearch.GetKerberosAgentClientSubject: Unable to obtain LDAP Login Context for 'agent.client'. Error: Message stream modified (41).
2016-07-01 17:45:58.153 [ERROR] - InformationManager.GetLDAPComputerSID: Failed to query LDAP server 'windows-jmumjdv.lurlab.com:389' for computer SID. Error: LDAP Search error: LDAPSearch.GetKerberosAgentClientSubject: Unable to obtain LDAP Login Context.
2016-07-01 17:45:58.153 [WARN ] - InformationManager.GetComputerSID: Failed to obtain computer SID from LDAP.
2016-07-01 17:45:58.153 [ERROR] - InformationManager.GetComputerSID: Failed to determine Computer SID for FQDN: linuxvda.lurlab.com.
2016-07-01 17:45:58.153 [ERROR] - The Citrix Desktop Service failed to obtain the Security Identifier (SID) for this computer. This SID is necessary to complete registration with the delivery controller. The Citrix Desktop Service will periodically attempt to obtain the SID, and if successful will resume registration with the delivery controller.
Possible reasons the SID could not be obtained are:
- Incorrect configuration of the DNS SRV record(s) for the LDAP server(s) responsible for the domain in which this computer resides.
- One or more of the specified LDAP servers cannot be contacted.
- If manually overridden via the Registry, incorrect LDAP server information within the Registry.

Resolution

This is mostly due to /etc/krb5.conf not being set properly. The realm values should be in capital letters.

A sample from an internal lab.

Changed from

 

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = LURLAB.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 default_ccache_name = FILE:/tmp/krb5cc_%{uid}
[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com
  admin_server = kerberos.example.com
 }

 lurlab.com = {
  kdc = windows-jmumjdv.lurlab.com
 }

 LURLAB.COM = {
  kdc = windows-jmumjdv.lurlab.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
 lurlab.com = lurlab.com
 .lurlab.com = lurlab.com

to
 
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = LURLAB.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 default_ccache_name = FILE:/tmp/krb5cc_%{uid}
[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com
  admin_server = kerberos.example.com
 }


 LURLAB.COM = {
  kdc = windows-jmumjdv.lurlab.com
  default_domain = LURLAB.COM
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
 lurlab.com = LURLAB.COM
 .lurlab.com = LURLAB.COM
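
A check for the condition described in the Resolution, as an added example that is not part of the original Citrix article: it parses krb5.conf text and reports realm names that are not uppercase in [realms] stanza headers, [domain_realm] values and default_realm. The function name lint_realm_case and the embedded sample (built from the "before" file above) are constructed for illustration.

```python
import re

# Constructed sample: the [realms] and [domain_realm] parts of the "before" file above.
SAMPLE_BEFORE = """\
[realms]
 lurlab.com = {
  kdc = windows-jmumjdv.lurlab.com
 }
 LURLAB.COM = {
  kdc = windows-jmumjdv.lurlab.com
 }
[domain_realm]
 lurlab.com = lurlab.com
 .lurlab.com = lurlab.com
"""

def lint_realm_case(text):
    """Return (line_no, section, realm) for every realm name that is not all uppercase."""
    findings, section, depth = [], None, 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:                                  # section header such as [realms]
            section, depth = m.group(1), 0
            continue
        if line.startswith("}"):               # end of a realm stanza
            depth = max(0, depth - 1)
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        opens = value.startswith("{")
        realm = None
        if section == "realms" and depth == 0 and opens:
            realm = key                        # stanza header: REALM = {
        elif section == "domain_realm":
            realm = value                      # host-or-domain = REALM
        elif section == "libdefaults" and key == "default_realm":
            realm = value
        if realm and realm != realm.upper():
            findings.append((no, section, realm))
        if opens:
            depth += 1
    return findings

if __name__ == "__main__":
    for no, section, realm in lint_realm_case(SAMPLE_BEFORE):
        print(f"line {no}: [{section}] realm '{realm}' is not uppercase")
```

To check a live host, pass the contents of /etc/krb5.conf to lint_realm_case; an empty list means every realm name it inspected is uppercase.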

 

Problem Cause

Kerberos configuration issues.