Hi Sebastian,
Please check if the SELinux context of the /etc/krb5.keytab file is correct. I have seen this issue a couple of times when SELinux prevented adcli from writing to this file when it was invoked from SSSD. Thus, adcli changed the password in AD, but was unable to write it to /etc/krb5.keytab. You have the last password change timestamp in AD - this timestamp can help with the investigation. You can examine the system logs for this date for any errors. In my case, there were SELinux denial events for /etc/krb5.keytab in the audit log.
Kind regards, Grigory Trenin
Wed, 19 Jan 2022 at 13:39, Sebastian Grebe sebastian.grebe@wago.com:
Hello,
we are getting reports from users who suddenly can't authenticate to their Linux computers anymore. These computers are joined to our MS Domain using adcli and sssd. Checking the log reveals that the kerberos tickets stored in /etc/krb5.keytab do not have the expected KVNO. At the moment we can't tell what's causing the issue. It happens only sporadically. I'm under the impression only computers without a permanent network connection (laptops) are affected.
The log shows:
Jan 11 09:30:52 lc015564 systemd[1]: Starting System Security Services Daemon...
Jan 11 09:30:52 lc015564 sssd[1376]: Starting up
Jan 11 09:30:52 lc015564 sssd_be[1609]: Starting up
Jan 11 09:30:52 lc015564 sssd_ifp[1633]: Starting up
Jan 11 09:30:52 lc015564 systemd[1]: Started System Security Services Daemon.
Jan 11 09:30:55 lc015564 sssd_be[1609]: Backend is offline
Jan 11 09:49:32 lc015564 sssd_be[1609]: Backend is online
Jan 11 09:49:41 lc015564 krb5_child[6111]: Cannot find key for LC015564$@WAGO.LOCAL kvno 11 in keytab
Jan 11 09:49:41 lc015564 krb5_child[6111]: Cannot find key for LC015564$@WAGO.LOCAL kvno 11 in keytab
Jan 11 09:49:49 lc015564 adcli[6102]: GSSAPI client step 1
Jan 11 09:49:49 lc015564 adcli[6102]: GSSAPI client step 1
Jan 11 09:49:50 lc015564 adcli[6102]: GSSAPI client step 1
Jan 11 10:00:57 lc015564 krb5_child[6838]: Cannot find key for LC015564$@WAGO.LOCAL kvno 11 in keytab
Jan 11 10:00:57 lc015564 krb5_child[6838]: Cannot find key for LC015564$@WAGO.LOCAL kvno 11 in keytab
And klist -k shows:
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
  10 LC015564$@WAGO.LOCAL
  10 LC015564$@WAGO.LOCAL
  10 LC015564$@WAGO.LOCAL
  10 host/LC015564@WAGO.LOCAL
  10 host/LC015564@WAGO.LOCAL
  10 host/LC015564@WAGO.LOCAL
  10 host/lc015564.wago.local@WAGO.LOCAL
  10 host/lc015564.wago.local@WAGO.LOCAL
  10 host/lc015564.wago.local@WAGO.LOCAL
  10 RestrictedKrbHost/LC015564@WAGO.LOCAL
  10 RestrictedKrbHost/LC015564@WAGO.LOCAL
  10 RestrictedKrbHost/LC015564@WAGO.LOCAL
  10 RestrictedKrbHost/lc015564.wago.local@WAGO.LOCAL
  10 RestrictedKrbHost/lc015564.wago.local@WAGO.LOCAL
  10 RestrictedKrbHost/lc015564.wago.local@WAGO.LOCAL
   9 LC015564$@WAGO.LOCAL
   9 LC015564$@WAGO.LOCAL
   9 LC015564$@WAGO.LOCAL
   9 host/LC015564@WAGO.LOCAL
   9 host/LC015564@WAGO.LOCAL
   9 host/LC015564@WAGO.LOCAL
   9 host/lc015564.wago.local@WAGO.LOCAL
   9 host/lc015564.wago.local@WAGO.LOCAL
   9 host/lc015564.wago.local@WAGO.LOCAL
   9 RestrictedKrbHost/LC015564@WAGO.LOCAL
   9 RestrictedKrbHost/LC015564@WAGO.LOCAL
   9 RestrictedKrbHost/LC015564@WAGO.LOCAL
   9 RestrictedKrbHost/lc015564.wago.local@WAGO.LOCAL
   9 RestrictedKrbHost/lc015564.wago.local@WAGO.LOCAL
   9 RestrictedKrbHost/lc015564.wago.local@WAGO.LOCAL
This is our sssd.conf (it's from a different computer):
[sssd]
domains = wago.local
config_file_version = 2
services = ifp

[domain/wago.local]
default_shell = /bin/bash
fallback_homedir = /home/%d/%u
cache_credentials = true
krb5_store_password_if_offline = true
krb5_realm = WAGO.LOCAL
krb5_ccname_template = /tmp/krb5cc_%U
realmd_tags = manages-system joined-with-adcli
id_provider = ad
access_provider = ad
ad_domain = wago.local
ad_enabled_domains = wago.local
ad_hostname = lc017547.wago.local
use_fully_qualified_names = false
ldap_id_mapping = true
ldap_user_gecos = displayName
ldap_use_tokengroups = false
ldap_search_base = dc=wago,dc=local?subtree?
ldap_user_search_base = ou=User,ou=Minden,ou=Germany,dc=wago,dc=local?subtree??ou=User,ou=Administration,dc=wago,dc=local?onelevel?(&(objectClass=user)(cn=a2*))?ou=Service,dc=wago,dc=local?subtree?
ldap_group_search_base = cn=Users,dc=wago,dc=local?onelevel?(&(objectClass=group)(cn=Domain Users))?ou=Groups,ou=Minden,ou=Germany,dc=wago,dc=local?onelevel?(&(objectClass=group)(cn=&01-PC-Support))
ldap_netgroup_search_base = cn=Users,dc=wago,dc=local?onelevel?
ignore_group_members = true
enumerate = false
dyndns_update = true
dyndns_refresh_interval = 7200
dyndns_update_ptr = true
dyndns_server = 10.1.100.2
case_sensitive = Preserving

[nss]
filter_users = root
filter_groups = root

[pam]
offline_credentials_expiration = 0
offline_failed_login_attempts = 3
offline_failed_login_delay = 5
And the krb5.conf:
[libdefaults]
ticket_lifetime = 240:00:00
renew_lifetime = 240:00:00
clock_skew = 300
renewable = true
default_ccache_name = FILE:/tmp/krb5cc_%{uid}
default_realm = WAGO.LOCAL
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
udp_preference_limit = 1
noaddresses = true
fcc-mit-ticketflags = true

[realms]
WAGO.LOCAL = {
    admin_server = 10.1.101.200
    admin_server = 10.1.100.1
    admin_server = 10.1.100.253
    admin_server = 10.1.100.2
}

[domain_realm]
.wago.local = WAGO.LOCAL
wago.local = WAGO.LOCAL

[login]
krb4_convert = true
krb4_get_tickets = false
To solve the issue we delete the computer from the domain, delete the krb5.keytab and rejoin them.
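A small checker, added here and not part of the thread, that correlates the three places the reply points at: `klist -k` output for the KVNOs the keytab actually holds, the krb5_child errors for the KVNO the KDC demands, and audit.log for AVC denials against /etc/krb5.keytab. All input is constructed to mirror the thread; the audit line, the etc_t label and the helper names are assumptions, not data from the original posts.

```python
import re
# Constructed `klist -k` sample shaped like the thread's: the keytab holds kvno 9 and 10 only.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
  10 LC015564$@WAGO.LOCAL
  10 host/LC015564@WAGO.LOCAL
   9 LC015564$@WAGO.LOCAL
   9 host/LC015564@WAGO.LOCAL
"""
# Constructed journal lines in the shape of the thread's krb5_child errors (the KDC wants kvno 11).
JOURNAL = """\
Jan 11 09:49:41 lc015564 krb5_child[6111]: Cannot find key for LC015564$@WAGO.LOCAL kvno 11 in keytab
Jan 11 10:00:57 lc015564 krb5_child[6838]: Cannot find key for LC015564$@WAGO.LOCAL kvno 11 in keytab
"""
# Constructed audit.log AVC line (assumption): adcli, running in SSSD's sssd_t domain, is denied write
# on a keytab labelled etc_t. On Fedora/RHEL policy the expected type is krb5_keytab_t; a wrong label
# is what `restorecon -v /etc/krb5.keytab` repairs.
AUDIT = """\
type=AVC msg=audit(1641894589.412:913): avc:  denied  { write } for  pid=6102 comm="adcli" name="krb5.keytab" dev="dm-0" ino=1572 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
"""
KLIST_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")
MISSING_RE = re.compile(r"Cannot find key for (\S+) kvno (\d+) in keytab")
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}.*?comm="([^"]+)"\s+name="krb5\.keytab".*?tcontext=(\S+)')

def keytab_kvnos(klist_text):
    """Highest KVNO per principal actually present in the keytab."""
    highest = {}
    for line in klist_text.splitlines():
        if (m := KLIST_RE.match(line)):
            kvno, princ = int(m.group(1)), m.group(2)
            highest[princ] = max(highest.get(princ, 0), kvno)
    return highest

def expected_kvnos(journal_text):
    """KVNO the KDC demanded per principal, taken from krb5_child 'Cannot find key' errors."""
    need = {}
    for princ, kvno in MISSING_RE.findall(journal_text):
        need[princ] = max(need.get(princ, 0), int(kvno))
    return need

def keytab_denials(audit_text):
    """(permission, command, SELinux type of the keytab) for every AVC denial on krb5.keytab."""
    return [(perm, comm, tctx.split(":")[2]) for perm, comm, tctx in AVC_RE.findall(audit_text)]

def diagnose(klist_text, journal_text, audit_text):
    """Correlate the sources: principals whose keytab KVNO is behind the KDC, plus denials that explain it."""
    have, need = keytab_kvnos(klist_text), expected_kvnos(journal_text)
    stale = {p: (have.get(p), kv) for p, kv in need.items() if have.get(p, 0) < kv}
    return {"stale": stale, "denials": keytab_denials(audit_text)}
```

A "stale" entry with a matching adcli denial means the machine password rotated in AD but the new key never reached the keytab, which is the state the thread describes; compare the denial timestamp with pwdLastSet on the computer object to confirm.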