Hi,

I was just looking in our Active Directory at the computer accounts for
CentOS 6 and 7 servers, and was surprised that the pwdLastSet value
for accounts was many months in the past.

So, I took a test CentOS 7 server and set the debug_level up to 7.
What I found was the following (redacted internal details):

(Thu Aug 23 17:57:45 2018) [sssd[be[EXAMPLE]]] [be_ptask_execute]
(0x0400): Task [EXAMPLE machine account password renewal]: executing
task, timeout 60 seconds
(Thu Aug 23 17:57:45 2018) [sssd[be[EXAMPLE]]] [child_sig_handler]
(0x1000): Waiting for child [186603].
(Thu Aug 23 17:57:45 2018) [sssd[be[EXAMPLE]]] [child_sig_handler]
(0x0020): child [186603] failed with status [3].
(Thu Aug 23 17:57:45 2018) [sssd[be[EXAMPLE]]] [read_pipe_handler]
(0x0400): EOF received, client finished
(Thu Aug 23 17:57:45 2018) [sssd[be[EXAMPLE]]]
[ad_machine_account_password_renewal_done] (0x1000): --- adcli output
start---
 * Found realm in keytab: EXAMPLE.COM
 * Found computer name in keytab: pal062-dev
 * Found service principal in keytab: cifs/srv062-dev
 * Found service principal in keytab: cifs/srv062-dev.EXAMPLE.COM
 * Using fully qualified name: srv062-dev.EXAMPLE.COM
 * Using domain name: EXAMPLE.COM
 * Calculated computer account name from fqdn: SRV062-DEV
 * Using domain realm: EXAMPLE.COM
 * Sending netlogon pings to domain controller: cldap://10.20.30.100
 * Received NetLogon info from: dc03.EXAMPLE.COM
 * Wrote out krb5.conf snippet to
/tmp/adcli-krb5-UWvCeO/krb5.d/adcli-krb5-conf-9dw0Is
 ! Couldn't get kerberos ticket for machine account: SRV062-DEV:
Keytab contains no suitable keys for [email protected]
adcli: couldn't connect to EXAMPLE.COM domain: Couldn't get kerberos
ticket for machine account: SRV062-DEV: Keytab contains no suitable
keys for [email protected]
---adcli output end---
(Thu Aug 23 17:57:45 2018) [sssd[be[EXAMPLE]]] [be_ptask_done]
(0x0400): Task [EXAMPLE machine account password renewal]: finished
successfully
(Thu Aug 23 17:57:45 2018) [sssd[be[EXAMPLE]]] [be_ptask_schedule]
(0x0400): Task [EXAMPLE machine account password renewal]: scheduling
task 60 seconds from last execution time [1535043525]

The server's keytab has:

Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
  23 03/15/2018 09:59:33 [email protected]
  23 03/15/2018 09:59:33 [email protected]
  23 03/15/2018 09:59:33 [email protected]
  23 03/15/2018 09:59:33 [email protected]
  23 03/15/2018 09:59:33 [email protected]
  23 03/15/2018 09:59:33 cifs/[email protected]
  23 03/15/2018 09:59:33 cifs/[email protected]
  23 03/15/2018 09:59:33 cifs/[email protected]
  23 03/15/2018 09:59:33 cifs/[email protected]
  23 03/15/2018 09:59:33 cifs/[email protected]
  23 03/15/2018 09:59:33 cifs/[email protected]
  23 03/15/2018 09:59:33 cifs/[email protected]
  23 03/15/2018 09:59:33 cifs/[email protected]
  23 03/15/2018 09:59:33 cifs/[email protected]
  23 03/15/2018 09:59:33 cifs/[email protected]

Any ideas what could be wrong? Is it potentially because the keytab
has srv062-dev$ and not SRV062-DEV$?

Cheers,

John

-- 
John Beranek                         To generalise is to be an idiot.
http://redux.org.uk/                                 -- William Blake
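
The excerpt above shows the renewal task logged as "finished successfully" even though the adcli child exited with status 3, so the failure is easy to miss. The following is an added example, not part of the original post and not SSSD code: a log check that pairs each renewal run with the child exit status and the adcli error lines. It assumes unwrapped log lines in the format of the excerpt; the sample log, the host name HOST01 and the child PID are constructed.

```python
import re

# Constructed sample, modelled on the debug_level 7 excerpt in the post
# (HOST01, the PID and the realm are placeholders, not values from the post).
SAMPLE_LOG = """\
(Thu Aug 23 17:57:45 2018) [sssd[be[EXAMPLE]]] [be_ptask_execute] (0x0400): Task [EXAMPLE machine account password renewal]: executing task, timeout 60 seconds
(Thu Aug 23 17:57:45 2018) [sssd[be[EXAMPLE]]] [child_sig_handler] (0x0020): child [4242] failed with status [3].
(Thu Aug 23 17:57:45 2018) [sssd[be[EXAMPLE]]] [ad_machine_account_password_renewal_done] (0x1000): --- adcli output start---
 * Using domain realm: EXAMPLE.COM
 ! Couldn't get kerberos ticket for machine account: HOST01: Keytab contains no suitable keys for HOST01$@EXAMPLE.COM
---adcli output end---
(Thu Aug 23 17:57:45 2018) [sssd[be[EXAMPLE]]] [be_ptask_done] (0x0400): Task [EXAMPLE machine account password renewal]: finished successfully
"""

RENEWAL = "machine account password renewal"
RECORD = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<dom>[^\]]+)\]\]\] "
    r"\[(?P<fn>\w+)\] \(0x[0-9a-f]+\): (?P<msg>.*)$")

def find_renewal_failures(log_text):
    """Return one finding per failed renewal run: timestamp, domain, child
    exit status, adcli error lines, and whether the task was still logged
    as 'finished successfully' (masked)."""
    findings, current, in_adcli = [], None, False
    for line in log_text.splitlines():
        m = RECORD.match(line)
        if m is None:  # adcli output lines carry no sssd record prefix
            if in_adcli and line.startswith("---adcli output end"):
                in_adcli = False
            elif in_adcli and current and line.startswith(" ! "):
                current["errors"].append(line[3:].strip())
            continue
        fn, msg = m["fn"], m["msg"]
        if fn == "be_ptask_execute" and RENEWAL in msg:
            current = {"ts": m["ts"], "domain": m["dom"], "status": None,
                       "errors": [], "masked": False}
        elif current is None:
            continue
        elif fn == "child_sig_handler":
            s = re.search(r"failed with status \[(\d+)\]", msg)
            if s:
                current["status"] = int(s.group(1))
        elif fn == "ad_machine_account_password_renewal_done" and "adcli output start" in msg:
            in_adcli = True
        elif fn == "be_ptask_done" and RENEWAL in msg:
            current["masked"] = "finished successfully" in msg
            if current["status"] is not None or current["errors"]:
                findings.append(current)
            current = None
    return findings
```

A finding with `masked` set to true is the case in the post: alerting on the task result alone would report nothing while pwdLastSet keeps ageing.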