All,

This is just an annoyance that occurs periodically and we can't figure out why.  We know how to remediate once seen.

Every now and then, on a new build the sssd join/configure will fail.  For example, a server provisioner today built 10 boxes and 2 failed.  Upon closer inspection, we see that AD domain has machine accounts with funky names.

For example, these three VMs were built.  ausflinfsfdcap01 - 03.  01 and 02 built fine, sssd installed, adcli join succeeded, life was good.  We find the usual machine accounts in the usual OU.
CN=ausflinfsfdcap01, CN=ausflinfsfdcap02

On 03, the adcli join failed.  In AD, we find the following funky machine accounts (in the usual OU):

CN=AUSFLINFSFDCAP0\0ACNF:5020ab3d-243a-4ef1-827b-d421c0dcf3d0
CN=AUSFLINFSFDCAP0

This first machine account name is fairly typical when this failure occurs.  This second I've never seen this particular type of funky name server.  I.e., a truncated hostname.

When I try adcli join again right now, it will fail (because of these funky named machine accounts).

I delete these funky machine accounts via ldapdelete.  Example:

ldapdelete -H ldap://ausdcamer.example.com 'CN=AUSFLINFSFDCAP0\0ACNF:5020ab3d-243a-4ef1-827b-d421c0dcf3d0,OU=Servers,OU=UNIX,DC=example,DC=com'

then I delete /etc/krb5.keytab file (if it exists) and re-run the adcli join -- which then succeeds.

So like I say -- we know how to work around this failure mode.  It's just a nuisance at this point.  Usually occurs << 10% of builds.  

But does anyone know why these funky-named machine accounts arise?  And how to avoid this?

Spike