sssd version 1.15.0 running on Ubuntu Xenial. In my setup sssd is not automatically refreshing computer account tickets after 30 days, for some reason.
I found the msktutil package, which has a cron job which runs msktutil --auto-update each day. So far so good.
However msktutil --auto-update fails but msktutil --update works OK. Can anyone drop me a hint please why this might be so? Snippets from the verbose output below.
/usr/sbin/msktutil --verbose --auto-update
 -- get_default_keytab: Obtaining the default keytab name: FILE:/etc/krb5.keytab
 -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-V1URdr
 -- reload: Reloading Kerberos Context
 -- finalize_exec: SAM Account Name is: and$
 -- try_machine_keytab_princ: Trying to authenticate for and$ from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Preauthentication failed)
 -- try_machine_keytab_princ: Authentication with keytab failed

/usr/sbin/msktutil --verbose --update
 -- get_default_keytab: Obtaining the default keytab name: FILE:/etc/krb5.keytab
 -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-QXmuHN
 -- reload: Reloading Kerberos Context
 -- finalize_exec: SAM Account Name is: and$
 -- try_machine_keytab_princ: Trying to authenticate for and$ from local keytab...
 -- switch_default_ccache: Using the local credential cache: FILE:/tmp/.mskt_krb5_ccache-ZChBdy
 -- finalize_exec: Authenticated using method 1
On Fri, Jun 08, 2018 at 12:33:05PM +0000, JOHE (John Hearns) wrote:
> sssd version 1.15.0 running on Ubuntu Xenial. In my setup sssd is not automatically refreshing computer account tickets after 30 days, for some reason.
Do you have any logs? With debug_level=7 or higher the logs should contain the adcli debug output, which might help to understand why it failed.
> I found the msktutil package, which has a cron job which runs msktutil --auto-update each day. So far so good.
> However msktutil --auto-update fails but msktutil --update works OK. Can anyone drop me a hint please why this might be so? Snippets from the verbose output below.
>
> /usr/sbin/msktutil --verbose --auto-update
>  -- get_default_keytab: Obtaining the default keytab name: FILE:/etc/krb5.keytab
>  -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-V1URdr
>  -- reload: Reloading Kerberos Context
>  -- finalize_exec: SAM Account Name is: and$
>  -- try_machine_keytab_princ: Trying to authenticate for and$ from local keytab...
>  -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Preauthentication failed)
This is the typical error code for wrong password/wrong key. Maybe you can run both commands with
KRB5_TRACE=/dev/stdout /usr/sbin/msktutil ...
to see if there is any difference?
HTH
bye, Sumit
>  -- try_machine_keytab_princ: Authentication with keytab failed
>
> /usr/sbin/msktutil --verbose --update
>  -- get_default_keytab: Obtaining the default keytab name: FILE:/etc/krb5.keytab
>  -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-QXmuHN
>  -- reload: Reloading Kerberos Context
>  -- finalize_exec: SAM Account Name is: and$
>  -- try_machine_keytab_princ: Trying to authenticate for and$ from local keytab...
>  -- switch_default_ccache: Using the local credential cache: FILE:/tmp/.mskt_krb5_ccache-ZChBdy
>  -- finalize_exec: Authenticated using method 1
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted....
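The comparison suggested in the reply above (run both commands under KRB5_TRACE and look for a difference), as an added example that is not part of the original thread. It assumes each trace was saved to a file; the two sample traces embedded here are constructed for illustration and are not from the poster's system.

```shell
#!/bin/sh
# Added example, not from the thread: diff two saved KRB5_TRACE logs.
# On a real host the logs would be captured with, for example:
#   KRB5_TRACE=/tmp/auto.trace   /usr/sbin/msktutil --verbose --auto-update
#   KRB5_TRACE=/tmp/update.trace /usr/sbin/msktutil --verbose --update

# Write two CONSTRUCTED sample traces into directory $1. The realm, PIDs,
# timestamps and the differing lines are invented for illustration only.
write_samples() {
    cat > "$1/auto.trace" <<'EOF'
[4242] 1528461185.100001: Getting initial credentials for and$@EXAMPLE.COM
[4242] 1528461185.100002: Looked up etypes in keytab: rc4-hmac
[4242] 1528461185.100003: Received error from KDC: -1765328360/Preauthentication failed
EOF
    cat > "$1/update.trace" <<'EOF'
[4311] 1528461190.200001: Getting initial credentials for and$@EXAMPLE.COM
[4311] 1528461190.200002: Looked up etypes in keytab: aes256-cts, rc4-hmac
[4311] 1528461190.200003: Storing and$@EXAMPLE.COM -> krbtgt/EXAMPLE.COM@EXAMPLE.COM in FILE:/tmp/.mskt_krb5_ccache-ZChBdy
EOF
}

# Strip the "[pid] timestamp: " prefix and mask the random suffix of
# msktutil's temporary files, so only meaningful differences remain.
normalize_trace() {
    sed -E -e 's/^\[[0-9]+\] [0-9]+\.[0-9]+: //' \
           -e 's/(\.mskt[A-Za-z0-9_.]*-)[A-Za-z0-9]{6}/\1XXXXXX/g' "$1"
}

# Print the lines that differ between two traces after normalization.
trace_diff() {
    a=$(mktemp)
    b=$(mktemp)
    normalize_trace "$1" > "$a"
    normalize_trace "$2" > "$b"
    diff "$a" "$b" || true   # exit status 1 only means "files differ"
    rm -f "$a" "$b"
}

# Demo on the constructed samples.
d=$(mktemp -d)
write_samples "$d"
trace_diff "$d/auto.trace" "$d/update.trace"
rm -rf "$d"
```

Lines prefixed with `<` come from the --auto-update trace and lines prefixed with `>` from the --update trace.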
On Fri, Jun 08, 2018 at 12:33:05PM +0000, JOHE (John Hearns) wrote:
> sssd version 1.15.0 running on Ubuntu Xenial. In my setup sssd is not automatically refreshing computer account tickets after 30 days, for some reason.
Does the machine that is not refreshing the tickets have adcli installed?
> I found the msktutil package, which has a cron job which runs msktutil --auto-update each day. So far so good.
> However msktutil --auto-update fails but msktutil --update works OK. Can anyone drop me a hint please why this might be so? Snippets from the verbose output below.
>
> /usr/sbin/msktutil --verbose --auto-update
>  -- get_default_keytab: Obtaining the default keytab name: FILE:/etc/krb5.keytab
>  -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-V1URdr
>  -- reload: Reloading Kerberos Context
>  -- finalize_exec: SAM Account Name is: and$
>  -- try_machine_keytab_princ: Trying to authenticate for and$ from local keytab...
>  -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Preauthentication failed)
>  -- try_machine_keytab_princ: Authentication with keytab failed
>
> /usr/sbin/msktutil --verbose --update
>  -- get_default_keytab: Obtaining the default keytab name: FILE:/etc/krb5.keytab
>  -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-QXmuHN
>  -- reload: Reloading Kerberos Context
>  -- finalize_exec: SAM Account Name is: and$
>  -- try_machine_keytab_princ: Trying to authenticate for and$ from local keytab...
>  -- switch_default_ccache: Using the local credential cache: FILE:/tmp/.mskt_krb5_ccache-ZChBdy
>  -- finalize_exec: Authenticated using method 1