On Mon, Jun 14, 2021 at 03:29:17PM -0500, Patrick Goetz wrote:
> We've been setting up Ubuntu 18.04/20.04 systems which use sssd for
> authentication as part of a Windows AD domain.
> Because users ssh to these machines I've been assigning them easy to
> remember hostnames (e.g. genbank.biosci) and then using the ad_hostname
> field in /etc/sssd/sssd.conf for the AD hostname; e.g.
> ad_hostname = cns-cryo-genb1.austin.utexas.edu
> (The flat AD address space necessitates a not-user-friendly hostnaming
> The problem with this is the systems' kerberos tickets regularly go out of
> date and then I have to run mskutil by hand to get a new krb ticket.
> We have a cron job which is supposed to take care of this automatically:
> 00 12 * * 1,4 root kinit -R -k cns-cryo-genb1$ | logger -t krbtgt
This cronjob would of course renew a Kerberos ticket, but I think what
you are looking for is to renew the Kerberos keys in the keytab
(mskutil would do this). The keys are equivalent to a password and should
be renewed on a regular basis; typically Windows clients do this every
> But this appears not to work all of the time. In particular, this error
> kinit: Preauthentication failed while getting initial credentials
> One of my colleagues thinks he's tracked this down to kinit using adcli for
> this, but adcli doesn't know about the ad_hostname entry in sssd.conf and
> instead is looking up and using the system's /etc/hostname.
I think you mean that SSSD is using adcli. SSSD should use the name set
by ad_hostname. To get a detailed output about what SSSD and adcli are
doing and why the automatic refresh fails please add 'debug_level = 9'
to the [domain/....] section of sssd.conf and restart SSSD. Whenever
SSSD is now calling adcli you should see a verbose adcli output in the
logs which starts with '--- adcli output start---'.
Typically you should see that the keys are not too old and nothing is
For testing you might want to set
'ad_maximum_machine_account_password_age' to '1' (see man sssd-ad for
details) which would try to refresh the key after 1 day so that you do
not have to wait 30 days until a new attempt to really refresh the key.
As an alternative you can expire the key on the AD side as well.
If your KDC needs some time to update the keys you might hit
> So, I'm wondering if there is a better solution we're overlooking. Worst
> case, we can just make the linux hostname match the AD hostname and then use
> a DNS CNAME for the user's convenience, but I'm just wondering if we're
> going about this all wrong.
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
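As an added diagnostic for the situation discussed in this thread (not code from the thread, from SSSD or from adcli), the script below reads ad_hostname and ad_maximum_machine_account_password_age out of an sssd.conf fragment, parses a `klist -kte` listing of the keytab, and reports whether the host principal in the keytab actually matches ad_hostname and whether the machine key is older than the configured rotation interval, i.e. whether the automatic refresh the reply describes really happened. The sssd.conf text, the klist output, the principal names and the mm/dd/yyyy timestamp format are constructed assumptions.

```python
import configparser
import re
from datetime import datetime

# Constructed sssd.conf fragment; values are examples, not taken from any real host.
SSSD_CONF = """
[domain/austin.utexas.edu]
id_provider = ad
ad_hostname = cns-cryo-genb1.austin.utexas.edu
ad_maximum_machine_account_password_age = 30
debug_level = 9
"""
# Constructed 'klist -kte /etc/krb5.keytab' output. MIT layout with an assumed
# mm/dd/yyyy timestamp; the real format depends on the klist build and locale.
KLIST_OUT = """Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 04/10/2021 09:12:44 host/CNS-CRYO-GENB1.austin.utexas.edu@AUSTIN.UTEXAS.EDU (aes256-cts-hmac-sha1-96)
"""
REPLY_TIME = datetime(2021, 6, 14, 15, 29, 17)  # "now" for the age calculation
KT_LINE = re.compile(r"^\s*(\d+)\s+(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+(\S+)")

def ad_settings(conf_text):
    """Return (ad_hostname, max machine key age in days) from the AD domain section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    for sec in cp.sections():
        if sec.startswith("domain/") and cp.get(sec, "id_provider", fallback="") == "ad":
            return (cp.get(sec, "ad_hostname", fallback=None),
                    cp.getint(sec, "ad_maximum_machine_account_password_age", fallback=30))
    raise ValueError("no [domain/...] section with id_provider = ad")

def keytab_entries(klist_text):
    """Yield (kvno, timestamp, principal) for each key line of the klist output."""
    for m in filter(None, map(KT_LINE.match, klist_text.splitlines())):
        yield int(m.group(1)), datetime.strptime(m.group(2), "%m/%d/%Y %H:%M:%S"), m.group(3)

def check_machine_key(conf_text, klist_text, now):
    """Compare the newest host/ key in the keytab with ad_hostname and the rotation age."""
    ad_hostname, max_age = ad_settings(conf_text)
    hosts = [e for e in keytab_entries(klist_text) if e[2].lower().startswith("host/")]
    if not hosts:
        return {"error": "no host/ principal in keytab"}
    kvno, ts, principal = max(hosts)  # highest KVNO wins, then the newest timestamp
    keytab_host = principal.split("/", 1)[1].split("@", 1)[0]
    age_days = (now - ts).days
    return {"keytab_host": keytab_host, "kvno": kvno, "key_age_days": age_days,
            "hostname_matches": ad_hostname is not None and keytab_host.lower() == ad_hostname.lower(),
            "renewal_overdue": age_days > max_age}  # True: the automatic refresh did not happen
```

On a real host, feed it the contents of /etc/sssd/sssd.conf and the output of `klist -kte /etc/krb5.keytab` and a current timestamp; a hostname mismatch points at the adcli/ad_hostname problem from the thread, an overdue key at the refresh not running.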