On Wed, 22 May 2024, Rob Crittenden via FreeIPA-users wrote:
Dmitry Krasov via FreeIPA-users wrote:
Hi Florence. As far as I understand, it's all because the keytab file becomes bad after some time.
- Why is that so?
- I know how to fix the file manually, but how can I check it in a script: "if file becomes bad"?
What makes you think the keytab is bad?
A simple way to validate a keytab is to compare the version number to the one the KDC has.
$ kinit admin
$ kvno host/<client host name>
# klist -kt /etc/krb5.keytab
Compare the version numbers. It's ok for the keytab to have multiple versions but one has to match what the KDC version number is.
It would also help to see SSSD logs that show how nsupdate runs and what fails there, or why it is not running. SSSD will tell some details in the logs if you enable debug level 9.
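
Added example, not part of the original messages: a shell version of the version-number comparison described earlier in the thread, so that a script can tell when no keytab entry matches the KDC. The function names are hypothetical, and the host name, realm and sample command output are constructed.

```shell
#!/bin/sh
# Scripted form of the manual check: KDC kvno vs. the KVNOs stored in the keytab.

# Extract N from `kvno <principal>` output ("<principal>: kvno = N").
kdc_kvno() {
    printf '%s\n' "$1" | sed -n 's/^.*: kvno = \([0-9][0-9]*\)$/\1/p' | head -n 1
}

# List every KVNO that `klist -kt` output holds for one principal.
# In that output the KVNO is the first column and the principal the last.
keytab_kvnos() {
    printf '%s\n' "$1" | awk -v p="$2" '$1 ~ /^[0-9]+$/ && $NF == p { print $1 }' | sort -un
}

# Exit 0 when one keytab entry carries the KDC's current version number,
# 1 when none does, 2 when the KDC's number could not be read.
keytab_is_current() {   # args: kvno-output klist-output principal
    want=$(kdc_kvno "$1")
    [ -n "$want" ] || return 2
    for have in $(keytab_kvnos "$2" "$3"); do
        [ "$have" -eq "$want" ] && return 0
    done
    return 1
}

# Live check: needs a valid ticket (kinit) and read access to the keytab.
check_host_keytab() {   # args: principal [keytab]
    keytab_is_current "$(kvno "$1")" "$(klist -kt "${2:-/etc/krb5.keytab}")" "$1"
}

# Constructed sample output (hypothetical host and realm) for an offline run.
SAMPLE_PRINC='host/client.example.test@EXAMPLE.TEST'
SAMPLE_KVNO="$SAMPLE_PRINC: kvno = 3"
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------
   2 05/01/2024 10:00:00 host/client.example.test@EXAMPLE.TEST
   3 05/20/2024 09:12:44 host/client.example.test@EXAMPLE.TEST'

if keytab_is_current "$SAMPLE_KVNO" "$SAMPLE_KLIST" "$SAMPLE_PRINC"; then
    echo "keytab OK: an entry matches the KDC kvno"
else
    echo "keytab stale: no entry matches the KDC kvno"
fi
```

On a real client, `check_host_keytab host/<client host name>@<REALM>` runs the same comparison against live `kvno` and `klist -kt` output, with the principal written exactly as `klist -kt` prints it.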