Linux VDA must register itself with a DDC whenever the ctxvda service starts or restarts. Sometimes this registration fails with a timeout error in the step that obtains the LDAP login context for 'agent.client'. This article describes how to resolve this kind of issue.
Instructions
Error log
The following log entries appear when this issue occurs.
- The log of the ctxvda service (/var/log/xdl/vda.log)
2016-11-16 08:15:25.946 [ERROR] - LDAPSearch.GetKerberosAgentClientSubject: Unable to obtain LDAP Login Context for 'agent.client'. Error: Receive timed out.
2016-11-16 08:15:25.946 [ERROR] - LDAPSearch.GetKerberosAgentClientSubject: Unable to obtain LDAP Login Context for 'agent.client'. Error: Receive timed out.
2016-11-16 08:15:25.947 [ERROR] - InformationManager.GetLDAPComputerSID: Failed to query LDAP server 'jiz-dc.test.local:389' for computer SID. Error: LDAP Search error: LDAPSearch.GetKerberosAgentClientSubject: Unable to obtain LDAP Login Context.
2016-11-16 08:15:25.947 [WARN ] - InformationManager.GetComputerSID: Failed to obtain computer SID from LDAP.
2016-11-16 08:15:25.948 [ERROR] - InformationManager.GetComputerSID: Failed to determine Computer SID for FQDN: centos72.test.local.
Note: Trace logging for the ctxvda service must be enabled beforehand. Refer to CTX220130 to enable trace logging for Linux VDA.
- Windows Event log on Domain Controller
While processing an AS request for target service krbtgt, the account jzhang did not have a suitable key for generating a Kerberos ticket (ID of the missing key is 1). The requested etypes : 18 17. The accounts available etypes : 23 -133 -128. Changing or resetting the password of jzhang will generate a proper key.
On the Linux VDA, if you capture the traffic exchanged between the Linux VDA and the Domain Controller using tcpdump or tshark and analyze the packets in Wireshark, an error message named KRB5KDC_ERR_PREAUTH_REQUIRED can be seen.
Root Cause Analysis
During registration, the ctxvda service sends a krb-tgs-req message to the domain controller (KDC) and waits for a krb-tgs-rep reply to complete Kerberos authentication. The etype field in the krb-tgs-req message lists the encryption types supported on the Linux VDA. The supported encryption types are also defined on the domain controller side. If no encryption type in the krb-tgs-req message matches an encryption type on the domain controller, the error KRB5KDC_ERR_PREAUTH_REQUIRED is reported in the krb-tgs-rep message. At the same time, the event described in the section "Windows Event log on Domain Controller" is logged on the Domain Controller.
To solve this kind of problem, the supported encryption types must be changed either on the Linux VDA or on the Domain Controller so that the two sides have at least one encryption type in common. The solution below changes the supported encryption types on the Linux VDA only.
Solution
Define the default encryption types of the session key in the [libdefaults] section of the /etc/krb5.conf file:
default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
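The mismatch described in the Root Cause Analysis can be confirmed from the two artifacts the article quotes before touching krb5.conf. The script below is an added example, not part of this article or of the Linux VDA product: it reads the etype ID lists out of the Domain Controller event text, reads the enctypes set in [libdefaults] of a krb5.conf, and reports which enctypes both sides share. The etype-to-name table, the event text and the two krb5.conf fragments (one before and one after the [libdefaults] change above) are constructed inline; the KDC name is the one from the vda.log excerpt.

```python
import re

# Kerberos etype IDs (RFC 3961 / Microsoft) mapped to krb5.conf names; common values only.
# Negative IDs (e.g. -133, -128) are legacy Microsoft types and are left unmapped.
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac",
               17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}

# Constructed inputs: the DC event text quoted in this article, and a minimal
# /etc/krb5.conf before and after applying the article's [libdefaults] lines.
EVENT = ("While processing an AS request for target service krbtgt, the account "
         "jzhang did not have a suitable key for generating a Kerberos ticket "
         "(ID of the missing key is 1). The requested etypes : 18 17. "
         "The accounts available etypes : 23 -133 -128.")
KRB5_CONF_BEFORE = "[libdefaults]\n    default_realm = TEST.LOCAL\n\n[realms]\n    TEST.LOCAL = {\n        kdc = jiz-dc.test.local\n    }\n"
KRB5_CONF_AFTER = KRB5_CONF_BEFORE.replace(
    "[libdefaults]\n",
    "[libdefaults]\n    default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5\n"
    "    default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5\n")

def parse_event_etypes(message):
    """Return (requested_ids, available_ids) parsed from the DC event text."""
    def ids(label):
        m = re.search(label + r" etypes\s*:\s*([-\d\s]+?)\.", message)
        return [int(x) for x in m.group(1).split()] if m else []
    return ids("requested"), ids("available")

def libdefaults_enctypes(krb5_conf_text, key="default_tkt_enctypes"):
    """Return the enctype names set for `key` in [libdefaults], or [] if unset."""
    in_section = False
    for line in krb5_conf_text.splitlines():
        s = line.strip()
        if s.startswith("["):                  # section header; nested {...} blocks
            in_section = (s == "[libdefaults]")  # in [realms] never reach here
            continue
        m = re.match(key + r"\s*=\s*(.+)", s) if in_section else None
        if m:
            return m.group(1).split()
    return []

def common_enctypes(client_names, kdc_ids):
    """Enctypes the VDA offers for which the account on the DC actually has a key."""
    kdc_names = {ETYPE_NAMES.get(i, "etype-%d" % i) for i in kdc_ids}
    return [n for n in client_names if n in kdc_names]

if __name__ == "__main__":
    requested, available = parse_event_etypes(EVENT)
    for label, conf in (("before", KRB5_CONF_BEFORE), ("after", KRB5_CONF_AFTER)):
        # With no explicit setting, the client's offer is what the event reports as requested.
        offered = libdefaults_enctypes(conf) or [ETYPE_NAMES[i] for i in requested]
        print(label, "common enctypes:", common_enctypes(offered, available) or "none")
```

An empty result for the "before" case is the mismatch the article describes; the same check, run against the DC-side list, tells you whether changing the account's keys instead would also produce an overlap.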