Has anyone figured out how to make sssd utilize a Microsoft read-only
Domain Controller (RODC)?
The host we want to join to AD is already behind the RODC. So, we are
trying to "join" the host to the RODC by pre-creating a computer
account object in AD (via a RWDC), then exporting a Kerberos keytab
file to install on the client host.
On the client host, in the /etc/krb5.conf file, we have overridden the
"kdc" setting for our domain, pointing it to the RODC. In
/etc/sssd/sssd.conf, we have set "ad_server" for our domain, pointing
it to the RODC. Using the exported keytab file, we can run "kinit -k"
But no matter how we create the computer account object, or how we
export the Kerberos keytab, sssd cannot use the resulting keytab file
to authenticate to the RODC: when sssd sends the AS-REQ, the RODC
always replies with KRB5KDC_ERR_PREAUTH_FAILED.
I'm beginning to suspect that sssd just doesn't work with RODCs: if
"kinit -k" can successfully authenticate and acquire a service
principal using the keytab file we exported to the client from the
RWDC, then why can't sssd successfully use it?
Can anyone confirm that you have sssd successfully speaking to a
If so, did you join the client host to a RWDC and then move it behind
the RODC? Or did you pre-create the machine account on the RWDC and
export the Kerberos keytab to the client? If the latter, do you have
the exact net/admod/ktpass commands you used to pre-create the
computer account and export the keytab in a way that is compatible
Thanks in advance for any pointers or advice!