On Tue, Oct 20, 2015 at 09:19:31AM +0200, Jakub Hrozek wrote:
On Mon, Oct 19, 2015 at 08:18:39PM +0000, Thackeray, Neil L wrote:
> I'm encountering a strange problem on some of my Ubuntu 14.0.4 LTS servers. I
have yet to encounter the same problem on any of the CentOS or RHEL6/7 servers.
> After a few days of working fine, all of the sudden users can't log in. I can
fix the problem easily by using 'realm leave' and 'realm join', but this
isn't optimal since users can go a day or two before it gets fixed. I thought at first
it was clock drift causing a problem with the Kerberos ticket, but this last time I made
sure to check the date before I rejoined the realm.
> Oct 19 10:16:30 myserver [sssd[ldap_child]]: Preauthentication failed
> Oct 19 10:16:31 myserver [sssd[ldap_child]]: Failed to initialize credentials
using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create
GSSAPI-encrypted LDAP connection.
> sssd 1.12.5
Preauthentication failed normally means wrong password, in this case
wrong keytab. I guess you would see the same error if you run kinit -k
"SHORTNAME$" (you can see the shortname in ldap_child.log as well..)
Are you sure your domain policies don't expire machine passwords after
I'm pretty sure there is a domain policy active which forces the clients
to renew their password regularly and
would be the related ticket
for the. Until this is fixed it might help to run msktutil from a
sssd-users mailing list