[SSSD-users] KVNO in keytab is getting out of sync

2022-01-19 Thread Sebastian Grebe
Hello, we are getting reports from users where they suddenly can't authenticate to their Linux computers anymore. These computers are joined to our MS domain using adcli and sssd. Checking the log reveals that the Kerberos tickets stored in /etc/krb5.keytab do not have the expected KVNO. At the

[SSSD-users] Re: KVNO in keytab is getting out of sync

2022-01-19 Thread Grigory Trenin
Hi Sebastian, please check if the SELinux context of the /etc/krb5.keytab file is correct. I have seen this issue a couple of times when SELinux prevented adcli from writing to this file when it was invoked from SSSD. Thus, adcli changed the password in AD, but was unable to write it to

[SSSD-users] Re: KVNO in keytab is getting out of sync

2022-01-19 Thread Spike White
Justin, if it's https://krbdev.mit.edu/rt/Ticket/Display.html?id=9037, then it's even more evil to positively prove than dialing up the sssd debug level. The minimum debug level to get verbose adcli update output is debug level 7. Even running at this debug level for just a few days swamps the

[SSSD-users] Re: KVNO in keytab is getting out of sync

2022-01-19 Thread Justin Stephenson
Hi, it sounds like a problem occurs when SSSD executes 'adcli update' to renew the machine account password; if successful, the AD DC computer object password is updated and the new keys are written to the keytab. If a failure occurs, however, it may have caused these two things to go out of sync.