Hi,
It sounds like a problem occurs when SSSD executes 'adcli update' to
renew the machine account password; if successful, the AD DC computer
object password is updated and the new keys are written to the keytab.
If a failure occurs, however, it may have caused these two things to go
out of sync.
You may need to set a high enough 'debug_level' in your
[domain/$domain] section of sssd.conf, then check the adcli output
written into the domain logs when the issue happens.
-Justin
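A small check that makes the mismatch Justin describes visible from the data already in the report: it parses the `krb5_child` "Cannot find key ... kvno N in keytab" lines out of the journal, parses `klist -k`, and reports every principal whose KVNO the KDC asked for is absent from the keytab, together with how far the KDC is ahead of the newest key on disk. This is an added example for this thread, not SSSD or adcli code; the sample log lines and the (abbreviated) keytab listing are copied from the quoted report, and the regular expressions assume MIT `klist -k` output and the `krb5_child` message format seen there.

```python
"""Detect an AD machine-account / keytab KVNO mismatch from SSSD logs.

Added example for this thread (not SSSD or adcli code). Input shapes are
assumed from the quoted report: journald lines from krb5_child and the
table printed by MIT `klist -k`.
"""
import re
from collections import defaultdict

# Sample journal lines, copied from the report in this thread.
SAMPLE_LOG = """\
Jan 11 09:49:32 lc015564 sssd_be[1609]: Backend is online
Jan 11 09:49:41 lc015564 krb5_child[6111]: Cannot find key for LC015564$@WAGO.LOCAL kvno 11 in keytab
Jan 11 09:49:49 lc015564 adcli[6102]: GSSAPI client step 1
Jan 11 10:00:57 lc015564 krb5_child[6838]: Cannot find key for LC015564$@WAGO.LOCAL kvno 11 in keytab
"""

# Sample `klist -k` output, abbreviated from the report in this thread.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  10 LC015564$@WAGO.LOCAL
  10 host/LC015564@WAGO.LOCAL
   9 LC015564$@WAGO.LOCAL
   9 host/LC015564@WAGO.LOCAL
"""

# krb5_child reports the KVNO the KDC used for the ticket it could not decrypt.
MISSING_KEY_RE = re.compile(
    r"krb5_child\[\d+\]: Cannot find key for (?P<principal>\S+) kvno (?P<kvno>\d+) in keytab"
)
# One data row of `klist -k`: a KVNO followed by a principal name.
KLIST_ROW_RE = re.compile(r"^\s*(?P<kvno>\d+)\s+(?P<principal>\S+)\s*$")


def parse_klist(text):
    """Map each principal in `klist -k` output to the set of KVNOs the keytab holds."""
    keys = defaultdict(set)
    for line in text.splitlines():
        m = KLIST_ROW_RE.match(line)
        if m:
            keys[m.group("principal")].add(int(m.group("kvno")))
    return dict(keys)


def parse_missing_keys(text):
    """Map each principal to the KVNOs krb5_child reported as missing from the keytab."""
    wanted = defaultdict(set)
    for line in text.splitlines():
        m = MISSING_KEY_RE.search(line)
        if m:
            wanted[m.group("principal")].add(int(m.group("kvno")))
    return dict(wanted)


def find_kvno_mismatches(log_text, klist_text):
    """Return one finding per (principal, KVNO) the KDC used but the keytab lacks.

    'ahead_by' is the gap between the KVNO the KDC used and the newest KVNO on
    disk; a gap of 1 is what a single machine-password rotation that never
    reached the keytab (the failed 'adcli update' case) looks like.
    """
    keytab = parse_klist(klist_text)
    findings = []
    for principal, wanted_kvnos in parse_missing_keys(log_text).items():
        have = keytab.get(principal, set())
        for kvno in sorted(wanted_kvnos):
            if kvno in have:
                continue
            findings.append({
                "principal": principal,
                "wanted_kvno": kvno,
                "keytab_kvnos": sorted(have),
                "ahead_by": kvno - max(have) if have else None,
            })
    return findings


if __name__ == "__main__":
    # On a real host, feed in `journalctl -u sssd` and `klist -k` output instead.
    for f in find_kvno_mismatches(SAMPLE_LOG, SAMPLE_KLIST):
        print(f"{f['principal']}: KDC used kvno {f['wanted_kvno']}, "
              f"keytab has {f['keytab_kvnos']} (KDC ahead by {f['ahead_by']})")
```

Run against the quoted data it reports the computer principal with the KDC at KVNO 11 and the keytab topping out at 10. The check only sees the account principal because that is the one `krb5_child` names; the `host/` and `RestrictedKrbHost/` entries share the account's password and would be stale by the same amount. A non-zero gap is the cue to raise `debug_level` in the `[domain/...]` section and read the adcli output in the domain log, as suggested above.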
On Wed, Jan 19, 2022 at 5:40 AM Sebastian Grebe
<sebastian.grebe@wago.com> wrote:
>
> Hello,
>
> we are getting reports from users where they suddenly can't authenticate to their Linux computers anymore. These computers are joined to our MS Domain using adcli and sssd. Checking the log reveals that the Kerberos tickets stored in /etc/krb5.keytab do not have the expected KVNO. At the moment we can't tell what's causing the issue. It happens only sporadically. I'm under the impression only computers without permanent network connection (laptops) are affected.
>
> The log shows:
>
> Jan 11 09:30:52 lc015564 systemd[1]: Starting System Security Services Daemon...
> Jan 11 09:30:52 lc015564 sssd[1376]: Starting up
> Jan 11 09:30:52 lc015564 sssd_be[1609]: Starting up
> Jan 11 09:30:52 lc015564 sssd_ifp[1633]: Starting up
> Jan 11 09:30:52 lc015564 systemd[1]: Started System Security Services Daemon.
> Jan 11 09:30:55 lc015564 sssd_be[1609]: Backend is offline
> Jan 11 09:49:32 lc015564 sssd_be[1609]: Backend is online
> Jan 11 09:49:41 lc015564 krb5_child[6111]: Cannot find key for LC015564$@WAGO.LOCAL kvno 11 in keytab
> Jan 11 09:49:41 lc015564 krb5_child[6111]: Cannot find key for LC015564$@WAGO.LOCAL kvno 11 in keytab
> Jan 11 09:49:49 lc015564 adcli[6102]: GSSAPI client step 1
> Jan 11 09:49:49 lc015564 adcli[6102]: GSSAPI client step 1
> Jan 11 09:49:50 lc015564 adcli[6102]: GSSAPI client step 1
> Jan 11 10:00:57 lc015564 krb5_child[6838]: Cannot find key for LC015564$@WAGO.LOCAL kvno 11 in keytab
> Jan 11 10:00:57 lc015564 krb5_child[6838]: Cannot find key for LC015564$@WAGO.LOCAL kvno 11 in keytab
>
> And klist -k shows:
>
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
> 10 LC015564$@WAGO.LOCAL
> 10 LC015564$@WAGO.LOCAL
> 10 LC015564$@WAGO.LOCAL
> 10 host/LC015564@WAGO.LOCAL
> 10 host/LC015564@WAGO.LOCAL
> 10 host/LC015564@WAGO.LOCAL
> 10 host/lc015564.wago.local@WAGO.LOCAL
> 10 host/lc015564.wago.local@WAGO.LOCAL
> 10 host/lc015564.wago.local@WAGO.LOCAL
> 10 RestrictedKrbHost/LC015564@WAGO.LOCAL
> 10 RestrictedKrbHost/LC015564@WAGO.LOCAL
> 10 RestrictedKrbHost/LC015564@WAGO.LOCAL
> 10 RestrictedKrbHost/lc015564.wago.local@WAGO.LOCAL
> 10 RestrictedKrbHost/lc015564.wago.local@WAGO.LOCAL
> 10 RestrictedKrbHost/lc015564.wago.local@WAGO.LOCAL
> 9 LC015564$@WAGO.LOCAL
> 9 LC015564$@WAGO.LOCAL
> 9 LC015564$@WAGO.LOCAL
> 9 host/LC015564@WAGO.LOCAL
> 9 host/LC015564@WAGO.LOCAL
> 9 host/LC015564@WAGO.LOCAL
> 9 host/lc015564.wago.local@WAGO.LOCAL
> 9 host/lc015564.wago.local@WAGO.LOCAL
> 9 host/lc015564.wago.local@WAGO.LOCAL
> 9 RestrictedKrbHost/LC015564@WAGO.LOCAL
> 9 RestrictedKrbHost/LC015564@WAGO.LOCAL
> 9 RestrictedKrbHost/LC015564@WAGO.LOCAL
> 9 RestrictedKrbHost/lc015564.wago.local@WAGO.LOCAL
> 9 RestrictedKrbHost/lc015564.wago.local@WAGO.LOCAL
> 9 RestrictedKrbHost/lc015564.wago.local@WAGO.LOCAL
>
> This is our sssd.conf (it's from a different computer):
>
> [sssd]
> domains = wago.local
> config_file_version = 2
> services = ifp
>
> [domain/wago.local]
> default_shell = /bin/bash
> fallback_homedir = /home/%d/%u
> cache_credentials = true
> krb5_store_password_if_offline = true
> krb5_realm = WAGO.LOCAL
> krb5_ccname_template = /tmp/krb5cc_%U
> realmd_tags = manages-system joined-with-adcli
> id_provider = ad
> access_provider = ad
> ad_domain = wago.local
> ad_enabled_domains = wago.local
> ad_hostname = lc017547.wago.local
> use_fully_qualified_names = false
> ldap_id_mapping = true
> ldap_user_gecos = displayName
> ldap_use_tokengroups = false
> ldap_search_base = dc=wago,dc=local?subtree?
> ldap_user_search_base = ou=User,ou=Minden,ou=Germany,dc=wago,dc=local?subtree??ou=User,ou=Administration,dc=wago,dc=local?onelevel?(&(objectClass=user)(cn=a2*))?ou=Service,dc=wago,dc=local?subtree?
> ldap_group_search_base = cn=Users,dc=wago,dc=local?onelevel?(&(objectClass=group)(cn=Domain Users))?ou=Groups,ou=Minden,ou=Germany,dc=wago,dc=local?onelevel?(&(objectClass=group)(cn=&01-PC-Support))
> ldap_netgroup_search_base = cn=Users,dc=wago,dc=local?onelevel?
> ignore_group_members = true
> enumerate = false
> dyndns_update = true
> dyndns_refresh_interval = 7200
> dyndns_update_ptr = true
> dyndns_server = 10.1.100.2
> case_sensitive = Preserving
>
> [nss]
> filter_users = root
> filter_groups = root
>
> [pam]
> offline_credentials_expiration = 0
> offline_failed_login_attempts = 3
> offline_failed_login_delay = 5
>
> And the krb5.conf:
>
> [libdefaults]
> ticket_lifetime = 240:00:00
> renew_lifetime = 240:00:00
> clock_skew = 300
> renewable = true
> default_ccache_name = FILE:/tmp/krb5cc_%{uid}
> default_realm = WAGO.LOCAL
> kdc_timesync = 1
> ccache_type = 4
> forwardable = true
> proxiable = true
> udp_preference_limit = 1
> noaddresses = true
> fcc-mit-ticketflags = true
> [realms]
> WAGO.LOCAL = {
> admin_server = 10.1.101.200
> admin_server = 10.1.100.1
> admin_server = 10.1.100.253
> admin_server = 10.1.100.2
> }
> [domain_realm]
> .wago.local = WAGO.LOCAL
> wago.local = WAGO.LOCAL
> [login]
> krb4_convert = true
> krb4_get_tickets = false
>
> To solve the issue we delete the computer from the domain, delete the krb5.keytab and rejoin them.
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure