Hey Joschi,

 

I was away on holiday so I wasn’t able to get back to this. msktutil –auto-update doesn’t work because it’s getting the wrong name. It’s trying to use the dns name which when msktutil tries to use it ends up being in the format myserver-domain-foo-com$. This is the output:

Error: The SAM name (myserver-domain-foo-com$) for this host is longer than the maximum of MAX_SAM_ACCOUNT_LEN characters

So I use ‘msktutil --update --computer-name MYSERVER –verbose’, which seems to run if you look below, but doesn’t seem to really update the actual keytab. It does not update the keytab after it is run, all the dates stay the same. The last time I tried running msktutil before the password expired it was a day before expiration, and it didn’t work. I don’t have it in a cron running daily. I’m stuck with a 7 day renewal, since I don’t run the AD.

 

Neil

 

 

 

From: Joschi Brauchle [mailto:joschi.brauchle@tum.de]
Sent: Thursday, December 17, 2015 1:12 PM
To: End-user discussions about the System Security Services Daemon <sssd-users@lists.fedorahosted.org>
Subject: [SSSD-users] Re: Ticket expiring problems still

 

Hi Neil,

 

First of all, sorry for entering the discussion without having read all previous thread messages.  I may duplicate some content. 

 

Your first msktutil output is confusing to me, as is ends in an "Error" message. So I don't understand why you say that it has worked?

 

Does a 

klist -kt /etc/krb5.keytab

show an updated keytab after msktutil --auto-update was run?

 

In our setup, we have a 30 day password expiry setting in the ad controller. A Cronjob runs msktutil --auto-update once a day (it actually updates the keytab only after it expires) and that is sufficient to keep our machines (Ubuntu 14, 15 + opensuse) in the domain without any further action.

 

-Joschi


Am 17.12.2015 um 18:40 schrieb Thackeray, Neil L <neilt@illinois.edu>:

I am having a frustrating time trying to figure out what is going on with these Ubuntu servers. I have tried to use msktutil as some have suggested, but this hasn’t worked for me. Every 7 days on the mark I lose my domain connection and have to run realm leave/realm join again. I ran msktutil the day before the ticket was about to expire, so it should have worked. This is only a problem on Ubuntu, CentOS works perfectly fine. I even have one Ubuntu server that works.

 

I also have the problem that the sssd init script, wherever that is now, sometimes thinks that sssd is still running and won’t start again. I then have to run ‘sssd –D’ if I don’t want to restart the server.

 

This is what I get running msktutil.

msktutil --auto-update --verbose:

-- init_password: Wiping the computer password structure

-- generate_new_password: Generating a new, random password for the computer account

-- generate_new_password:  Characters read from /dev/udandom = 86

-- get_dc_host: Attempting to find a Domain Controller to use (DNS SRV RR TCP)

-- get_dc_host: Found DC: udc05.ad.mydomain.com

-- get_dc_host: Canonicalizing DC through forward/reverse lookup...

-- get_dc_host: Found Domain Controller: udc05.ad.mydomain.com

-- get_default_keytab: Obtaining the default keytab name: FILE:/etc/krb5.keytab

-- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-TSzpEQ

-- reload: Reloading Kerberos Context

-- get_short_hostname: Determined short hostname: myserver-domain-foo-com

Error: The SAM name (myserver-domain-foo-com$) for this host is longer than the maximum of MAX_SAM_ACCOUNT_LEN characters

You can specify a shorter name using --computer-name

-- ~KRB5Context: Destroying Kerberos Context

 

This appears to have worked, but it didn’t.

msktutil --update --computer-name MYSERVER --verbose:

-- init_password: Wiping the computer password structure

-- generate_new_password: Generating a new, random password for the computer account

-- generate_new_password:  Characters read from /dev/udandom = 82

-- get_dc_host: Attempting to find a Domain Controller to use (DNS SRV RR TCP)

-- get_dc_host: Found DC: udc05.ad.mydomain.com

-- get_dc_host: Canonicalizing DC through forward/reverse lookup...

-- get_dc_host: Found Domain Controller: udc05.ad.mydomain.com

-- get_default_keytab: Obtaining the default keytab name: FILE:/etc/krb5.keytab

-- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-ozv4A6

-- reload: Reloading Kerberos Context

-- finalize_exec: SAM Account Name is: MYSERVER$

-- try_machine_keytab_princ: Trying to authenticate for MYSERVER$ from local keytab...

-- switch_default_ccache: Using the local credential cache: FILE:/tmp/.mskt_krb5_ccache-ewj6uW

-- finalize_exec: Authenticated using method 1

 

-- ldap_connect: Connecting to LDAP server: udc05.ad.mydomain.com try_tls=YES

-- ldap_connect: Connecting to LDAP server: udc05.ad.mydomain.com try_tls=NO

SASL/GSSAPI authentication started

SASL username: MYSERVER$@AD.MYDOMAIN.COM

SASL SSF: 56

SASL data security layer installed.

-- ldap_connect: LDAP_OPT_X_SASL_SSF=56

 

 

This is what I think is the pertinent portions of the logs from when the computer cant connect anymore.

sssd_ad.mydomain.com.log:

(Wed Nov  4 15:26:09 2015) [sssd[be[ad.mydomain.com]]] [sdap_get_tgt_recv] (0x0400): Child responded: 14 [Preauthentication failed], expired on [0]

(Wed Nov  4 15:26:09 2015) [sssd[be[ad.mydomain.com]]] [sdap_kinit_done] (0x0100): Could not get TGT: 14 [Bad address]

(Wed Nov  4 15:26:09 2015) [sssd[be[ad.mydomain.com]]] [sdap_cli_kinit_done] (0x0400): Cannot get a TGT: ret [1432158219](Authentication Failed)

(Wed Nov  4 15:26:09 2015) [sssd[be[ad.mydomain.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'udc02.ad.mydomain.com' as 'not working'

(Wed Nov  4 15:26:09 2015) [sssd[be[ad.mydomain.com]]] [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP

(Wed Nov  4 15:26:09 2015) [sssd[be[ad.mydomain.com]]] [fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'udc02.ad.mydomain.com' as 'not working'

 

syslog:

Nov  4 15:26:09 myserver [sssd[ldap_child[25833]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.

Nov  4 15:26:09 myserver [sssd[ldap_child[25833]]]: Preauthentication failed

 

Any help is appreciated.

_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org


_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org