[ACS AD integration] Can we change account after establishing domain trust?

XIE YAO
Level 1

Hi Friends,

I guess this question should have been asked before, but I can't seem to find it.

As the title says, let's say we use account A to join AD. After that, what will happen if this account A has been:

1. Password expired?

2. Deleted?

I recently came across a case where the ACS changed the AD status from connected to disconnected, and I was able to see the following kind of log.

May  4 09:26:14 CiscoACS adclient[8709]: INFO  <bg:machinepw> daemon.main Scheduled password change

May  4 09:26:14 CiscoACS adclient[8709]: WARN  <bg:machinepw> base.adagent Can't bind using current machine credentials.

May  4 09:26:14 CiscoACS adclient[8709]: ERROR <bg:machinepw> base.adagent Can't use default machine password. Please reset computer account in Active Directory

May  4 09:26:14 CiscoACS adclient[8709]: ERROR <bg:machinepw> base.adagent Can't use default machine password. Please reset computer account in Active Directory

May  4 09:26:14 CiscoACS adclient[8709]: WARN  <bg:machinepw> daemon.main computer password change failed: resetPassword: Preauthentication failed

 

May  4 22:48:54 CiscoACS adclient[8709]: INFO  <bg:krb5.conf> daemon.main Start trusted domain discovery

May  4 22:48:54 CiscoACS adclient[8709]: INFO  <bg:krb5.conf> daemon.main Delay /etc/krb5.conf update, Skipping trusted domains update because the system is in disconnected mode

May  5 23:19:00 CiscoACS adclient[8709]: WARN  <bg:krb5.conf> base.bind.cache LDAP search CN=XX,CN=XX,DC=XX,DC=XX:(&(objectCategory=crossRef)(nETBIOSName=*)) threw unexpected exception: SASL bind to ldap/xx.com@xx.xx.xx - GSSAPI Mechanism with Kerberos error ": Clock skew too great in KDC reply"

 

The abnormal log above seems to start with the Scheduled password change. Any idea?
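
A small triage sketch for the adclient lines in the post, added here as an example and not part of the original post or of any Cisco tooling: it groups lines by the tag in angle brackets and reports the last INFO line seen before each tag's first WARN/ERROR, with repeat counts for the failures. The field layout is inferred from the posted lines, and the function names are hypothetical.

```python
import re
from collections import OrderedDict

# Layout inferred from the lines in the post (an assumption, not a documented format):
# "<Mon> <day> <time> <host> adclient[<pid>]: <LEVEL> <<task>> <component> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) adclient\[(?P<pid>\d+)\]: "
    r"(?P<level>[A-Z]+)\s+<(?P<task>[^>]+)> (?P<component>\S+) (?P<msg>.*)$"
)

# Lines copied from the post above (the duplicate ERROR line is kept on purpose).
SAMPLE = """\
May  4 09:26:14 CiscoACS adclient[8709]: INFO  <bg:machinepw> daemon.main Scheduled password change
May  4 09:26:14 CiscoACS adclient[8709]: WARN  <bg:machinepw> base.adagent Can't bind using current machine credentials.
May  4 09:26:14 CiscoACS adclient[8709]: ERROR <bg:machinepw> base.adagent Can't use default machine password. Please reset computer account in Active Directory
May  4 09:26:14 CiscoACS adclient[8709]: ERROR <bg:machinepw> base.adagent Can't use default machine password. Please reset computer account in Active Directory
May  4 09:26:14 CiscoACS adclient[8709]: WARN  <bg:machinepw> daemon.main computer password change failed: resetPassword: Preauthentication failed
May  4 22:48:54 CiscoACS adclient[8709]: INFO  <bg:krb5.conf> daemon.main Start trusted domain discovery
May  4 22:48:54 CiscoACS adclient[8709]: INFO  <bg:krb5.conf> daemon.main Delay /etc/krb5.conf update, Skipping trusted domains update because the system is in disconnected mode
May  5 23:19:00 CiscoACS adclient[8709]: WARN  <bg:krb5.conf> base.bind.cache LDAP search CN=XX,CN=XX,DC=XX,DC=XX:(&(objectCategory=crossRef)(nETBIOSName=*)) threw unexpected exception: SASL bind to ldap/xx.com@xx.xx.xx - GSSAPI Mechanism with Kerberos error ": Clock skew too great in KDC reply"
"""

def parse_line(line):
    """Return the fields of one adclient line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(lines):
    """Per task tag: the last INFO before the first WARN/ERROR, plus the
    distinct WARN/ERROR messages in order of appearance with repeat counts."""
    report = OrderedDict()
    last_info = {}
    for rec in filter(None, map(parse_line, lines)):
        task = rec["task"]
        if rec["level"] == "INFO":
            last_info[task] = rec
            continue
        entry = report.setdefault(
            task, {"context": last_info.get(task), "failures": OrderedDict()})
        key = (rec["level"], rec["msg"])
        entry["failures"][key] = entry["failures"].get(key, 0) + 1
    return report

if __name__ == "__main__":
    for task, entry in triage(SAMPLE.splitlines()).items():
        ctx = entry["context"]
        print(task, "| preceded by:", ctx["msg"] if ctx else "(no INFO seen)")
        for (level, msg), count in entry["failures"].items():
            print(f"  {level} x{count}: {msg}")
```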

 

 

 
