After 30 days of running sssd I found that my test workstation no longer connected to the domain. The machine account password had timed out. I now run a daily cron job using msktutil which will auto-update the password.
However I should not have to do this. sssd should update the machine password.
I can see entries in the logs such that the machine account password renewal task is enabled. Then:
[be_ptask_execute] (0x0400): Task [AD machine account password renewal]: executing task, timeout 60 seconds
How though can I see if this task is successful or not? I realise that if the machine account is less than 30 days old the task probably silently completes OK without any logging.
The version of sssd is 16.1 running on Ubuntu
John Hearns
On Mon, Jun 25, 2018 at 05:12:25PM +0200, John Hearns wrote:
> After 30 days of running sssd I found that my test workstation no longer connected to the domain. The machine account password had timed out. I now run a daily cron job using msktutil which will auto-update the password.
> However I should not have to do this. sssd should update the machine password.
> I can see entries in the logs such that the machine account password renewal task is enabled. Then:
> [be_ptask_execute] (0x0400): Task [AD machine account password renewal]: executing task, timeout 60 seconds
> How though can I see if this task is successful or not? I realise that if the machine account is less than 30 days old the task probably silently completes OK without any logging.

Do you have adcli installed?
If you set 'debug_level=7' or higher in the [domain/...] section of sssd.conf you should be able to find the debug output of adcli in the logs, it will start with '--- adcli output start---'.
HTH
bye, Sumit

> The version of sssd is 16.1 running on Ubuntu
> John Hearns
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted....
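One way to answer the question in this thread from the domain log once debug_level is 7 or higher, as an added example that is not part of the original messages: the script pairs each renewal-task line with any adcli output block that follows it. Only the task line and the start marker come from the thread; the log prefix, the sample lines and the closing `adcli output end` marker are assumptions.

```python
import re

# Strings taken from the thread: the task line and the adcli start marker.
TASK = "Task [AD machine account password renewal]: executing task"
START = re.compile(r"---\s*adcli output start\s*---")
# Assumption: the block is closed by a matching "adcli output end" marker.
END = re.compile(r"---\s*adcli output end\s*---")

# Constructed sample log; timestamps, domain and function names are made up.
SAMPLE = """\
(Wed Jul  4 09:00:00 2018) [sssd[be[example.test]]] [be_ptask_execute] (0x0400): Task [AD machine account password renewal]: executing task, timeout 60 seconds
(Wed Jul  4 09:00:00 2018) [sssd[be[example.test]]] [placeholder_function] (0x0400): unrelated constructed line
(Thu Jul  5 09:00:00 2018) [sssd[be[example.test]]] [be_ptask_execute] (0x0400): Task [AD machine account password renewal]: executing task, timeout 60 seconds
(Thu Jul  5 09:00:01 2018) [sssd[be[example.test]]] [placeholder_function] (0x4000): --- adcli output start---
constructed adcli line 1
constructed adcli line 2
---adcli output end---
"""

def renewal_runs(log_text):
    """Return one dict per task execution, with the adcli output that followed (or None)."""
    runs, capturing = [], False
    for line in log_text.splitlines():
        if TASK in line:
            runs.append({"task_line": line.strip(), "adcli_output": None})
            capturing = False
        elif START.search(line):
            if not runs:  # adcli block whose task line is outside this excerpt
                runs.append({"task_line": None, "adcli_output": None})
            runs[-1]["adcli_output"] = []
            capturing = True
        elif capturing:
            if END.search(line):
                head = END.split(line)[0].strip()  # output sharing the marker's line
                if head:
                    runs[-1]["adcli_output"].append(head)
                capturing = False
            else:
                runs[-1]["adcli_output"].append(line.strip())
    return runs

if __name__ == "__main__":
    for run in renewal_runs(SAMPLE):
        out = run["adcli_output"]
        status = "no adcli output logged" if out is None else f"adcli ran, {len(out)} output lines"
        print(f"{(run['task_line'] or '(task line not in excerpt)')[:26]} -> {status}")
```

A task line with no adcli block after it means only that adcli was not invoked on that run; the captured lines of a block still have to be read to see whether the password change itself succeeded.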
Thank you Sumit. Indeed I do have adcli installed, and I am investigating this issue using the higher log level which you suggest.
I think this is a problem with domain names. When I use msktutil to renew the machine password I must explicitly run msktutil ..auto-update --computer-name myhostname
This is because the DNS domain of my workstation does not match the Active Directory realm name.
Sumit, thank you for the advice here. I reduced the password age value, and with the higher logging level the password renewal using adcli was successful. Thanks again.