Hi -
We've been setting up Ubuntu 18.04/20.04 systems which use sssd for
authentication as part of a Windows AD domain.
Because users ssh to these machines I've been assigning them easy-to-remember hostnames (e.g. genbank.biosci) and then using the ad_hostname field in /etc/sssd/sssd.conf for the AD hostname; e.g.
ad_hostname = cns-cryo-genb1.austin.utexas.edu
(The flat AD address space necessitates a not-user-friendly hostnaming
convention.)
The problem with this is that the systems' Kerberos tickets regularly go out of date and then I have to run msktutil by hand to get a new krb ticket.
We have a cron job which is supposed to take care of this automatically:
00 12 * * 1,4 root kinit -R -k cns-cryo-genb1$ | logger -t krbtgt
But this appears not to work all of the time. In particular, this error
gets logged:
kinit: Preauthentication failed while getting initial credentials
One of my colleagues thinks he's tracked this down to kinit using adcli for this, but adcli doesn't know about the ad_hostname entry in sssd.conf and instead is looking up and using the system's /etc/hostname.
So, I'm wondering if there is a better solution we're overlooking. Worst case, we can just make the Linux hostname match the AD hostname and then use a DNS CNAME for the user's convenience, but I'm just wondering if we're going about this all wrong.
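As an added example that is not part of the original post, the script below reads ad_hostname out of an sssd.conf-style file and builds the machine principal from that value, so a renewal job never has to rely on whatever adcli derives from /etc/hostname. It also reports when the two hostnames would yield different principals, which is the mismatch the post describes. Assumptions: the `[domain/...]` section carries a line `ad_hostname = <fqdn>`, the keytab is at the default `/etc/krb5.keytab`, and the principal is written the way the post's cron job writes it (short name followed by `$`; the case must match the keytab entry, which `klist -k` lists).

```shell
#!/bin/sh
# Added example, not from the original post: derive the AD machine principal
# from ad_hostname in sssd.conf rather than from /etc/hostname.
# Assumed: "ad_hostname = <fqdn>" in the [domain/...] section; keytab at
# /etc/krb5.keytab; principal spelled <shortname>$ as in the post's cron job.

# Print the ad_hostname value from sssd.conf text on stdin (first match only).
sssd_ad_hostname() {
    sed -n 's/^[[:space:]]*ad_hostname[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' | head -n 1
}

# Machine-account principal in the form the post uses: short name plus '$'.
# Case must match the keytab entry (compare with: klist -k /etc/krb5.keytab).
machine_principal() {
    printf '%s$\n' "${1%%.*}"
}

# Exit 0 when two hostnames agree, 1 otherwise.
hostnames_agree() {
    [ "$1" = "$2" ]
}

# Print "ok" when the ad_hostname and the system hostname map to the same
# principal, "mismatch" when a job keyed off /etc/hostname would hit the
# wrong account (the situation described in the post).
principal_source_check() {
    if hostnames_agree "$(machine_principal "$1")" "$(machine_principal "$2")"; then
        echo ok
    else
        echo mismatch
    fi
}

# Obtain a fresh ticket from the keytab for the ad_hostname principal and log
# the exit status plus any kinit message (e.g. "Preauthentication failed"),
# so a failing cron run is visible. Not executed at load time; run as root.
renew_ticket() {
    conf=${1:-/etc/sssd/sssd.conf}
    ad_host=$(sssd_ad_hostname < "$conf")
    [ -n "$ad_host" ] || { echo "no ad_hostname in $conf" >&2; return 2; }
    princ=$(machine_principal "$ad_host")
    # -k: authenticate with a keytab instead of a password; -t: which keytab.
    out=$(kinit -k -t /etc/krb5.keytab "$princ" 2>&1); rc=$?
    printf 'kinit %s exit %s %s\n' "$princ" "$rc" "$out" | logger -t krbtgt
    return "$rc"
}

# Constructed sample config mirroring the post's setup (not a real file).
SAMPLE_CONF='[sssd]
domains = austin.utexas.edu
[domain/austin.utexas.edu]
id_provider = ad
ad_hostname = cns-cryo-genb1.austin.utexas.edu'

ad_host=$(printf '%s\n' "$SAMPLE_CONF" | sssd_ad_hostname)
echo "principal from sssd.conf: $(machine_principal "$ad_host")"
echo "against /etc/hostname genbank.biosci: $(principal_source_check "$ad_host" genbank.biosci)"
```

Logging the exit code matters because in the post's cron line `kinit ... | logger` the pipeline's status is logger's, so cron never sees a kinit failure. One caveat worth checking when `kinit -k` reports "Preauthentication failed" even with the right principal: the keytab key may be stale relative to the machine account's current password, which `klist -k` (entry and kvno) against the account will show.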