[SSSD-users] Re: Refreshing tickets with msktutil

Fri, 08 Jun 2018 06:24:53 -0700 

On Fri, Jun 08, 2018 at 12:33:05PM +0000, JOHE (John Hearns) wrote:
> sssd version 1.15.0 running on Ubuntu Xenial.
> In my setup sssd is not automatically refreshing computer account tickets 
> after 30 days, for some reason.

Do you have any logs? With debug_level=7 or higher the logs should
contains the adcli debug output which might help to understand why it
failed?

> 
> I found te msktutil package, which has a cron job which runs msktutil 
> --auto-update each day.
> So far so good.
> 
> However  msktutil --auto-update fails but  msktutil --update works OK.
> Can anyone drop me a hint please why this might be so?
> Snippets from the verbose output below.
> 
> /usr/sbin/msktutil --verbose --auto-update
> -- get_default_keytab: Obtaining the default keytab name: 
> FILE:/etc/krb5.keytab
>  -- create_fake_krb5_conf: Created a fake krb5.conf file: 
> /tmp/.msktkrb5.conf-V1URdr
>  -- reload: Reloading Kerberos Context
>  -- finalize_exec: SAM Account Name is: and$
>  -- try_machine_keytab_princ: Trying to authenticate for and$ from local 
> keytab...
>  -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed 
> (Preauthentication failed)

This is the typical error code for wrong password/wrong key. Maybe you
can run both commands with

    KRB5_TRACE=/dev/stdout /usr/sbin/msktutil ...

to see if there is any difference?

HTH

bye,
Sumit

>  -- try_machine_keytab_princ: Authentication with keytab failed
> 
> 
> 
> 
> 
> /usr/sbin/msktutil --verbose --update
> -- get_default_keytab: Obtaining the default keytab name: 
> FILE:/etc/krb5.keytab
>  -- create_fake_krb5_conf: Created a fake krb5.conf file: 
> /tmp/.msktkrb5.conf-QXmuHN
>  -- reload: Reloading Kerberos Context
>  -- finalize_exec: SAM Account Name is: and$
>  -- try_machine_keytab_princ: Trying to authenticate for and$ from local 
> keytab...
>  -- switch_default_ccache: Using the local credential cache: 
> FILE:/tmp/.mskt_krb5_ccache-ZChBdy
>  -- finalize_exec: Authenticated using method 1
> 
> 
> 
> 
> 
> 

> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/M6PRA5MJYZLF4BBGAGM4RXMJSNK2VRJ6/
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/ZLCMOSTZC7JBIIJQKO3RKMY5DTYLUJMH/

Reply via email to