Hey Joschi,
I was away on holiday so I wasn’t able to get back to this. msktutil –auto-update doesn’t
work because it’s getting the wrong name. It’s trying to use the dns name which when
msktutil tries to use it ends up being in the format myserver-domain-foo-com$. This is the
output:
Error: The SAM name (myserver-domain-foo-com$) for this host is longer than the maximum of
MAX_SAM_ACCOUNT_LEN characters
So I use ‘msktutil --update --computer-name MYSERVER –verbose’, which seems to run if you
look below, but doesn’t seem to really update the actual keytab. It does not update the
keytab after it is run, all the dates stay the same. The last time I tried running
msktutil before the password expired it was a day before expiration, and it didn’t work. I
don’t have it in a cron running daily. I’m stuck with a 7 day renewal, since I don’t run
the AD.
Neil
From: Joschi Brauchle
[mailto:joschi.brauchle@tum.de<mailto:joschi.brauchle@tum.de>]
Sent: Thursday, December 17, 2015 1:12 PM
To: End-user discussions about the System Security Services Daemon
<sssd-users@lists.fedorahosted.org<mailto:sssd-users@lists.fedorahosted.org>>
Subject: [SSSD-users] Re: Ticket expiring problems still
Hi Neil,
First of all, sorry for entering the discussion without having read all previous thread
messages. I may duplicate some content.
Your first msktutil output is confusing to me, as is ends in an "Error" message.
So I don't understand why you say that it has worked?
Does a
klist -kt /etc/krb5.keytab
show an updated keytab after msktutil --auto-update was run?
In our setup, we have a 30 day password expiry setting in the ad controller. A Cronjob
runs msktutil --auto-update once a day (it actually updates the keytab only after it
expires) and that is sufficient to keep our machines (Ubuntu 14, 15 + opensuse) in the
domain without any further action.
-Joschi
Am 17.12.2015 um 18:40 schrieb Thackeray, Neil L
<neilt@illinois.edu<mailto:neilt@illinois.edu>>:
I am having a frustrating time trying to figure out what is going on with these Ubuntu
servers. I have tried to use msktutil as some have suggested, but this hasn’t worked for
me. Every 7 days on the mark I lose my domain connection and have to run realm leave/realm
join again. I ran msktutil the day before the ticket was about to expire, so it should
have worked. This is only a problem on Ubuntu, CentOS works perfectly fine. I even have
one Ubuntu server that works.
I also have the problem that the sssd init script, wherever that is now, sometimes thinks
that sssd is still running and won’t start again. I then have to run ‘sssd –D’ if I don’t
want to restart the server.
This is what I get running msktutil.
msktutil --auto-update --verbose:
-- init_password: Wiping the computer password structure
-- generate_new_password: Generating a new, random password for the computer account
-- generate_new_password: Characters read from /dev/udandom = 86
-- get_dc_host: Attempting to find a Domain Controller to use (DNS SRV RR TCP)
-- get_dc_host: Found DC:
udc05.ad.mydomain.com<https://urldefense.proofpoint.com/v2/url?u=http-...
-- get_dc_host: Canonicalizing DC through forward/reverse lookup...
-- get_dc_host: Found Domain Controller:
udc05.ad.mydomain.com<https://urldefense.proofpoint.com/v2/url?u=http-...
-- get_default_keytab: Obtaining the default keytab name: FILE:/etc/krb5.keytab
-- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-TSzpEQ
-- reload: Reloading Kerberos Context
-- get_short_hostname: Determined short hostname: myserver-domain-foo-com
Error: The SAM name (myserver-domain-foo-com$) for this host is longer than the maximum of
MAX_SAM_ACCOUNT_LEN characters
You can specify a shorter name using --computer-name
-- ~KRB5Context: Destroying Kerberos Context
This appears to have worked, but it didn’t.
msktutil --update --computer-name MYSERVER --verbose:
-- init_password: Wiping the computer password structure
-- generate_new_password: Generating a new, random password for the computer account
-- generate_new_password: Characters read from /dev/udandom = 82
-- get_dc_host: Attempting to find a Domain Controller to use (DNS SRV RR TCP)
-- get_dc_host: Found DC:
udc05.ad.mydomain.com<https://urldefense.proofpoint.com/v2/url?u=http-...
-- get_dc_host: Canonicalizing DC through forward/reverse lookup...
-- get_dc_host: Found Domain Controller:
udc05.ad.mydomain.com<https://urldefense.proofpoint.com/v2/url?u=http-...
-- get_default_keytab: Obtaining the default keytab name: FILE:/etc/krb5.keytab
-- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-ozv4A6
-- reload: Reloading Kerberos Context
-- finalize_exec: SAM Account Name is: MYSERVER$
-- try_machine_keytab_princ: Trying to authenticate for MYSERVER$ from local keytab...
-- switch_default_ccache: Using the local credential cache:
FILE:/tmp/.mskt_krb5_ccache-ewj6uW
-- finalize_exec: Authenticated using method 1
-- ldap_connect: Connecting to LDAP server:
udc05.ad.mydomain.com<https://urldefense.proofpoint.com/v2/url?u=http-...
try_tls=YES
-- ldap_connect: Connecting to LDAP server:
udc05.ad.mydomain.com<https://urldefense.proofpoint.com/v2/url?u=http-...
try_tls=NO
SASL/GSSAPI authentication started
SASL username: MYSERVER$@AD.MYDOMAIN.COM<mailto:MYSERVER$@ad.mydomain.com>
SASL SSF: 56
SASL data security layer installed.
-- ldap_connect: LDAP_OPT_X_SASL_SSF=56
This is what I think is the pertinent portions of the logs from when the computer cant
connect anymore.
sssd_ad.mydomain.com.log:
(Wed Nov 4 15:26:09 2015)
[
sssd[be[ad.mydomain.com<https://urldefense.proofpoint.com/v2/url?u=htt...]
[sdap_get_tgt_recv] (0x0400): Child responded: 14 [Preauthentication failed], expired on
[0]
(Wed Nov 4 15:26:09 2015)
[
sssd[be[ad.mydomain.com<https://urldefense.proofpoint.com/v2/url?u=htt...]
[sdap_kinit_done] (0x0100): Could not get TGT: 14 [Bad address]
(Wed Nov 4 15:26:09 2015)
[
sssd[be[ad.mydomain.com<https://urldefense.proofpoint.com/v2/url?u=htt...]
[sdap_cli_kinit_done] (0x0400): Cannot get a TGT: ret [1432158219](Authentication
Failed)
(Wed Nov 4 15:26:09 2015)
[
sssd[be[ad.mydomain.com<https://urldefense.proofpoint.com/v2/url?u=htt...]
[fo_set_port_status] (0x0100): Marking port 389 of server
'udc02.ad.mydomain.com<https://urldefense.proofpoint.com/v2/url?u=http-3A__udc02.ad.mydomain.com&d=BQMF-g&c=8hUWFZcy2Z-Za5rBPlktOQ&r=s5tDmtNCDZl57cCxwg2KM4xI8Zqq9x-22CrUmJI7h7M&m=zkNHhN52-zwRT7x8kkfGmAeFJxxAD8j2jvMB7yh9miE&s=snoF_MvPwCM79eFbcPTZcLYKlg63XjLJwZAO0xR4Qvs&e=>'
as 'not working'
(Wed Nov 4 15:26:09 2015)
[
sssd[be[ad.mydomain.com<https://urldefense.proofpoint.com/v2/url?u=htt...]
[ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
(Wed Nov 4 15:26:09 2015)
[
sssd[be[ad.mydomain.com<https://urldefense.proofpoint.com/v2/url?u=htt...]
[fo_set_port_status] (0x0400): Marking port 389 of duplicate server
'udc02.ad.mydomain.com<https://urldefense.proofpoint.com/v2/url?u=http-3A__udc02.ad.mydomain.com&d=BQMF-g&c=8hUWFZcy2Z-Za5rBPlktOQ&r=s5tDmtNCDZl57cCxwg2KM4xI8Zqq9x-22CrUmJI7h7M&m=zkNHhN52-zwRT7x8kkfGmAeFJxxAD8j2jvMB7yh9miE&s=snoF_MvPwCM79eFbcPTZcLYKlg63XjLJwZAO0xR4Qvs&e=>'
as 'not working'
syslog:
Nov 4 15:26:09 myserver [sssd[ldap_child[25833]]]: Failed to initialize credentials using
keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create
GSSAPI-encrypted LDAP connection.
Nov 4 15:26:09 myserver [sssd[ldap_child[25833]]]: Preauthentication failed
Any help is appreciated.
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org<mailto:sssd-users@lists.fedorahosted.org>
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted....
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org<mailto:sssd-users@lists.fedorahosted.org>
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted....