Hi Neil,

First of all, sorry for entering the discussion without having read all previous thread messages. I may duplicate some content.

Your first msktutil output is confusing to me, as it ends in an "Error" message. So I don't understand why you say that it has worked? Does a klist -kt /etc/krb5.keytab show an updated keytab after msktutil --auto-update was run?

In our setup, we have a 30-day password expiry setting in the AD controller. A cron job runs msktutil --auto-update once a day (it actually updates the keytab only after it expires) and that is sufficient to keep our machines (Ubuntu 14, 15 + openSUSE) in the domain without any further action.

-Joschi

On 17.12.2015 at 18:40, Thackeray, Neil L <[email protected]> wrote:

I am having a frustrating time trying to figure out what is going on with these Ubuntu servers. I have tried to use msktutil as some have suggested, but this hasn't worked for me. Every 7 days on the mark I lose my domain connection and have to run realm leave/realm join again. I ran msktutil the day before the ticket was about to expire, so it should have worked. This is only a problem on Ubuntu, CentOS works perfectly fine. I even have one Ubuntu server that works.

I also have the problem that the sssd init script, wherever that is now, sometimes thinks that sssd is still running and won't start again. I then have to run 'sssd -D' if I don't want to restart the server.

This is what I get running msktutil.

msktutil --auto-update --verbose:

-- init_password: Wiping the computer password structure
-- generate_new_password: Generating a new, random password for the computer account
-- generate_new_password: Characters read from /dev/udandom = 86
-- get_dc_host: Attempting to find a Domain Controller to use (DNS SRV RR TCP)
-- get_dc_host: Found DC: udc05.ad.mydomain.com
-- get_dc_host: Canonicalizing DC through forward/reverse lookup...
-- get_dc_host: Found Domain Controller: udc05.ad.mydomain.com
-- get_default_keytab: Obtaining the default keytab name: FILE:/etc/krb5.keytab
-- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-TSzpEQ
-- reload: Reloading Kerberos Context
-- get_short_hostname: Determined short hostname: myserver-domain-foo-com
Error: The SAM name (myserver-domain-foo-com$) for this host is longer than the maximum of MAX_SAM_ACCOUNT_LEN characters
You can specify a shorter name using --computer-name
-- ~KRB5Context: Destroying Kerberos Context

This appears to have worked, but it didn't.

msktutil --update --computer-name MYSERVER --verbose:

-- init_password: Wiping the computer password structure
-- generate_new_password: Generating a new, random password for the computer account
-- generate_new_password: Characters read from /dev/udandom = 82
-- get_dc_host: Attempting to find a Domain Controller to use (DNS SRV RR TCP)
-- get_dc_host: Found DC: udc05.ad.mydomain.com
-- get_dc_host: Canonicalizing DC through forward/reverse lookup...
-- get_dc_host: Found Domain Controller: udc05.ad.mydomain.com
-- get_default_keytab: Obtaining the default keytab name: FILE:/etc/krb5.keytab
-- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-ozv4A6
-- reload: Reloading Kerberos Context
-- finalize_exec: SAM Account Name is: MYSERVER$
-- try_machine_keytab_princ: Trying to authenticate for MYSERVER$ from local keytab...
-- switch_default_ccache: Using the local credential cache: FILE:/tmp/.mskt_krb5_ccache-ewj6uW
-- finalize_exec: Authenticated using method 1
-- ldap_connect: Connecting to LDAP server: udc05.ad.mydomain.com try_tls=YES
-- ldap_connect: Connecting to LDAP server: udc05.ad.mydomain.com try_tls=NO
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 56
SASL data security layer installed.
-- ldap_connect: LDAP_OPT_X_SASL_SSF=56

These are what I think are the pertinent portions of the logs from when the computer can't connect anymore.

sssd_ad.mydomain.com.log:

(Wed Nov 4 15:26:09 2015) [sssd[be[ad.mydomain.com]]] [sdap_get_tgt_recv] (0x0400): Child responded: 14 [Preauthentication failed], expired on [0]
(Wed Nov 4 15:26:09 2015) [sssd[be[ad.mydomain.com]]] [sdap_kinit_done] (0x0100): Could not get TGT: 14 [Bad address]
(Wed Nov 4 15:26:09 2015) [sssd[be[ad.mydomain.com]]] [sdap_cli_kinit_done] (0x0400): Cannot get a TGT: ret [1432158219](Authentication Failed)
(Wed Nov 4 15:26:09 2015) [sssd[be[ad.mydomain.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'udc02.ad.mydomain.com' as 'not working'
(Wed Nov 4 15:26:09 2015) [sssd[be[ad.mydomain.com]]] [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
(Wed Nov 4 15:26:09 2015) [sssd[be[ad.mydomain.com]]] [fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'udc02.ad.mydomain.com' as 'not working'

syslog:

Nov 4 15:26:09 myserver [sssd[ldap_child[25833]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
Nov 4 15:26:09 myserver [sssd[ldap_child[25833]]]: Preauthentication failed

Any help is appreciated.

_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/admin/lists/[email protected]
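The two things visible in Neil's output are an msktutil run that aborted on the SAM account name length before it ever rewrote the keytab, and, weeks later, "Preauthentication failed" once the machine-account password in AD and the keytab on disk had diverged. The following POSIX sh script, an added example that is not part of this thread or of msktutil/sssd, wraps the checks Joschi suggests (does klist -kt show an updated keytab?) into functions a daily cron job can run before or after msktutil --auto-update. The SAM length limit MAX_SAM_LEN, the klist sample, the cron path and the expiry window are assumptions; the real msktutil constant MAX_SAM_ACCOUNT_LEN is not quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight checks around a daily
# "msktutil --auto-update" cron job, mirroring the failure points in
# Neil's output (SAM name too long; keytab no longer matching AD).

# Assumption: a 15-character NetBIOS computer name plus the trailing "$".
# msktutil's MAX_SAM_ACCOUNT_LEN is not quoted in the thread; adjust to match.
MAX_SAM_LEN=16

# sam_name_ok SHORTHOST -> 0 if "SHORTHOST$" fits, 1 if msktutil would refuse
# it and you need --computer-name (Neil's myserver-domain-foo-com case).
sam_name_ok() {
    sam="$1\$"
    [ "${#sam}" -le "$MAX_SAM_LEN" ]
}

# highest_kvno PRINCIPAL < klist-kt-output -> prints the largest KVNO recorded
# for PRINCIPAL (0 if absent). After a successful update the number must rise;
# if it does not, --auto-update never actually rewrote the keytab.
highest_kvno() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $NF == p && $1+0 > max { max = $1+0 }
                   END { print max+0 }'
}

# keytab_older_than FILE DAYS -> 0 if FILE was last written more than DAYS ago
# (find -mtime is POSIX). A keytab older than the AD password-expiry window
# means the cron job is not rotating it and preauth will start failing.
keytab_older_than() {
    [ -n "$(find "$1" -mtime +"$2" 2>/dev/null)" ]
}

# check_host SHORTHOST KEYTAB EXPIRY_DAYS -> prints findings; 0 when both pass.
check_host() {
    rc=0
    if ! sam_name_ok "$1"; then
        echo "SAM name $1\$ exceeds $MAX_SAM_LEN chars: run msktutil with --computer-name"
        rc=1
    fi
    if keytab_older_than "$2" "$3"; then
        echo "$2 not rewritten in $3 days: keytab and AD machine password have likely diverged"
        rc=1
    fi
    return $rc
}

# Constructed sample of 'klist -kt' output (not real data), in the layout
# MIT klist prints: KVNO, date, time, principal.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 11/04/15 15:26:09 host/myserver.ad.mydomain.com@AD.MYDOMAIN.COM
   3 11/04/15 15:26:09 MYSERVER$@AD.MYDOMAIN.COM
   4 12/01/15 09:00:00 MYSERVER$@AD.MYDOMAIN.COM'

# Suggested cron entry (assumed binary path), matching Joschi's once-a-day run;
# --auto-update only touches the keytab once the password is due for rotation:
#   0 3 * * * root /usr/sbin/msktutil --auto-update >>/var/log/msktutil.log 2>&1

# Run with "--demo" to see the checks against the sample and this host.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_KLIST" | highest_kvno 'MYSERVER$@AD.MYDOMAIN.COM'
    check_host "$(hostname -s)" /etc/krb5.keytab 30
fi
```

On a live host, replace SAMPLE_KLIST with `klist -kt /etc/krb5.keytab` and set EXPIRY_DAYS to the domain's machine-password age (30 in Joschi's setup, 7 in Neil's symptoms); a KVNO that never increases across runs is the same signal as the "Error:" line Neil saw, just without the noise.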
