Cisco ACS / TACACS Active Directory Join/Bind Issues

December 29th, 2014
by larry

After battling a number of issues before successfully joining the ACS appliance to the domain, I wanted to post a list of troubleshooting steps to help anyone else who runs into the same problems:

– Password for the AD account – If you get errors such as account disabled, “invalid credentials to join this machine to active directory domain”, account locked, etc. after a Test Connection that reports success, try changing the password: remove any special characters and consider shortening it. An extremely long, complex password was what caused my issues. I am unsure of the maximum length, but this was the root cause of most of my problems.

You might see something like this in your logs, which is an indication of the password problem described above:

Dec 29 14:06:40 yyyyyyyy adleave[9970]: INFO cli.adleave Leaving domain yyy.com successful
Dec 29 14:06:40 yyyyyyyy adleave[9970]: INFO lrpc.session process authentication request failed: ipc socket connect: No such file or directory
Dec 29 14:06:41 yyyyyyyy adjoin[10021]: INFO cli.adjoin Version: CentrifyDC 4.3.0-192
Dec 29 14:06:41 yyyyyyyy adjoin[10021]: WARN base.kerberos.keytab getUserSalt failed: get creds: Preauthentication failed
Dec 29 14:06:41 yyyyyyyy adjoin[10021]: INFO cli.adjoin Join to domain ‘yyy.com’, zone ‘null’ failed.
Dec 29 14:06:41 yyyyyyyy adjoin[10028]: INFO cli.adjoin Version: CentrifyDC 4.3.0-192
Dec 29 14:06:41 yyyyyyyy adjoin[10028]: INFO samba.interop Attempting interoperability with untested Samba version .
Dec 29 14:06:41 yyyyyyyy adjoin[10028]: INFO cli.adjoin Wrote /etc/centrifydc//openldap/slapd.conf
Dec 29 14:06:41 yyyyyyyy adjoin[10028]: INFO util.configfiles Wrote /etc/centrifydc//openldap/ldap.conf
Dec 29 14:06:41 yyyyyyyy adinfo[10034]: INFO lrpc.session process authentication request failed: ipc socket connect: No such file or directory
Dec 29 14:06:41 yyyyyyyy adinfo[10034]: INFO lrpc.session process authentication request failed: ipc socket connect: No such file or directory
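As an added example (not part of the original post), here is a small Python triage script that parses lines in the same format as the log excerpt above and flags the two signatures that matter here: the Kerberos “Preauthentication failed” warning, which points at the join account’s password, and the “ipc socket connect” failure, which means adclient is not running. The sample lines, host name, domain and the mapping of signatures to causes are my own constructed assumptions, not values from the appliance.

```python
import re
from collections import Counter

# Constructed sample lines in the format the appliance's adjoin/adleave log uses
# (host and domain are placeholders, not values from the original post).
SAMPLE_LOG = """\
Dec 29 14:06:40 acs01 adleave[9970]: INFO cli.adleave Leaving domain example.com successful
Dec 29 14:06:40 acs01 adleave[9970]: INFO lrpc.session process authentication request failed: ipc socket connect: No such file or directory
Dec 29 14:06:41 acs01 adjoin[10021]: INFO cli.adjoin Version: CentrifyDC 4.3.0-192
Dec 29 14:06:41 acs01 adjoin[10021]: WARN base.kerberos.keytab getUserSalt failed: get creds: Preauthentication failed
Dec 29 14:06:41 acs01 adjoin[10021]: INFO cli.adjoin Join to domain 'example.com', zone 'null' failed.
Dec 29 14:06:41 acs01 adinfo[10034]: INFO lrpc.session process authentication request failed: ipc socket connect: No such file or directory
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s(?P<proc>\w+)\[(?P<pid>\d+)\]:\s"
    r"(?P<level>[A-Z]+)\s(?P<msg>.*)$"
)

# Message patterns worth flagging, tagged with the condition they point at
# (assumed mapping based on the symptoms described in the post).
SIGNATURES = (
    (re.compile(r"Preauthentication failed"), "kerberos_preauth"),   # KDC rejected the join account's password
    (re.compile(r"Join to domain .* failed"), "join_failed"),        # adjoin gave up
    (re.compile(r"ipc socket connect: No such file"), "adclient_down"),  # adclient daemon not running
)

def parse(text):
    """Split log text into field dicts; lines that do not match the format are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def triage(text):
    """Count signature hits and pick the most likely root cause to check first."""
    counts = Counter()
    for entry in parse(text):
        for pattern, tag in SIGNATURES:
            if pattern.search(entry["msg"]):
                counts[tag] += 1
    if counts["kerberos_preauth"]:
        verdict = "credential_problem"   # fix the join account password first
    elif counts["adclient_down"]:
        verdict = "adclient_down"        # restart the service ('acs stop' / 'acs start')
    elif counts["join_failed"]:
        verdict = "join_failed_unknown"  # join failed without a recognised cause
    else:
        verdict = "no_known_signature"
    return {"counts": dict(counts), "verdict": verdict}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

The socket errors appear in the sample too, but the Kerberos warning wins the verdict because a rejected password is the earlier and more specific failure.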

– You then might get the following error: “The item you trying to delete is referenced by other items. You must remove all references to this item before it can be deleted.” This is apparently a known bug. Some posts say that you basically have to remove everything in ACS that refers to Active Directory. DO NOT do that. Just go to the CLI and issue the following two commands:

acs stop

acs start

Then go back in and set the password. One of the posts noted that you should skip the Test Connection, as it can trigger the error above.

– I read another post that said to right-click the computer object in Active Directory and choose Reset before doing the join. I do not believe that fixed it in my case, but it is a good addition to the “bag of tricks” for troubleshooting this. In effect, it should clean up the object to prepare it for a domain join.
