As a follow-on to that, to keep themselves clear of debris, configuration management tools
use the passwordlastset attribute with a value that's greater than XX days to cull
objects as well. We had similar issues when we first implemented SSSD several years ago
too. We ultimately decided to deploy a cron job with the install that ran periodically
(less than the renewal period) to keep the keytab fresh (kinit -R -k $(hostname -s)). We
haven't had computers falling off the domain since we implemented that.
Isn't the issue that the keytab expires and is not renewed in time, then the computer
can't change its password because the domain can't verify the keytab? Also,
aren't machine passwords different from Kerberos keytabs? Related, because a machine
can't change its password if it can't prove who it is via Kerberos and the
keytab. I just want to make sure those aren't being conflated. Similarly, a computer
can't update its DNS record in the domain without Kerberos, so if the
keytab is not kept fresh, little domain object maintenance can happen, because Kerberos is
stale.
Computer account password changes are always initiated by clients, not the domain, even on
Windows.
Todd
-----Original Message-----
From: James Ralston <ralston(a)pobox.com>
Sent: Thursday, August 26, 2021 10:31 PM
To: End-user discussions about the System Security Services Daemon
<sssd-users(a)lists.fedorahosted.org>
Subject: [SSSD-users]Re: Trouble-shooting sssd’s ‘Automatic Kerberos Host Keytab Renewal’
with AD back-end….
On Thu, Aug 26, 2021 at 8:11 PM Christian, Mark <mark.christian(a)intel.com> wrote:
[W]hy bother with updating the machine account password?
For sites that have a lot of machine churn, where machine accounts aren't reliably
purged from AD when the underlying host is decommissioned, disabling and/or purging
machine accounts with old passwords is essentially a garbage collection activity, to
prevent stale machine accounts from continuing to exist in AD in perpetuity.
Also, some sites must conform with security guidelines that *require* frequent changes of
machine account passwords:
https://www.stigviewer.com/stig/microsoft_windows_server_2016/2021-03-05/...
Granted, that STIG rule applies to Windows machine accounts, not Linux machine accounts,
but disabling any machine account in AD whose password is older than 30 days is one way to
detect any Windows clients that are nonconforming with the STIG. And in many cases
it's easier to apply that rule globally than on a per-OU basis (to exempt non-Windows
machine accounts).
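The culling that both Todd and James describe keys off the account's passwordlastset (the AD pwdLastSet attribute), so a cleanup or audit job must read that value correctly: it is a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC), and a value of 0 means "never set" or "must change", not a very old password. The following is an added example written for this thread, not code from either poster or from SSSD; the account names, timestamps and function names are constructed for illustration, and it only reports accounts rather than disabling them.

```python
from datetime import datetime, timedelta, timezone

# pwdLastSet is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a pwdLastSet value to an aware UTC datetime using integer arithmetic."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)

def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here to build the constructed sample data."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10

def password_age_days(filetime: int, now: datetime):
    """Password age in days, or None when pwdLastSet is 0 ('never set' / 'must change'),
    which a naive age calculation would misreport as roughly 420 years."""
    if filetime == 0:
        return None
    return (now - filetime_to_datetime(filetime)) / timedelta(days=1)

def stale_computer_accounts(records, now: datetime, max_age_days: int = 30):
    """Report computer accounts whose password is older than max_age_days.
    Accounts with pwdLastSet == 0 are returned separately for operator review rather
    than being culled silently by a cleanup job."""
    stale, unset = [], []
    for rec in records:
        age = password_age_days(rec["pwdLastSet"], now)
        if age is None:
            unset.append(rec["sAMAccountName"])
        elif age > max_age_days:
            stale.append(rec["sAMAccountName"])
    return stale, unset

# Constructed sample: the thread's date as "now" and four hypothetical computer accounts.
NOW = datetime(2021, 8, 27, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    {"sAMAccountName": "WIN-FRESH$", "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=10))},
    {"sAMAccountName": "LINUX-EDGE$", "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=30))},
    {"sAMAccountName": "LINUX-OLD$", "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=45))},
    {"sAMAccountName": "NEVER-SET$", "pwdLastSet": 0},
]

def audit():
    """Run the 30-day check from the thread over the constructed sample."""
    return stale_computer_accounts(SAMPLE_RECORDS, NOW)

if __name__ == "__main__":
    stale, unset = audit()
    print("stale (>30 days):", stale)
    print("pwdLastSet unset, review manually:", unset)
```

Note that an account exactly 30 days old is not flagged, matching "older than 30 days"; in a real directory the records would come from an LDAP query rather than the inline list.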
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure