On Thu, 23 Aug 2018 at 20:29, John Beranek wrote:
>
>
>
> On Thu, 23 Aug 2018, 20:18 Sumit Bose,  wrote:
>>
>> On Thu, Aug 23, 2018 at 06:05:19PM +0100, John Beranek wrote:
>> > Hi,
>> >
>> > I was just looking in our Active Directory for computer account for
>> > CentOS 6 and 7 servers, and was surprised that the pwdLastSet value
>> > for accounts was many months in the past.
>> >
>> > So, I took a test CentOS 7 server and set the debug_level up to 7.
>> > What I found was the following (redacted internal details):
>> >
>> > (Thu Aug 23 17:57:45 2018) [sssd[be[EXAMPLE]]] [be_ptask_execute]
>> > (0x0400): Task [EXAMPLE machine account password renewal]: executing
>> > task, timeout 60 seconds
>> > (Thu Aug 23 17:57:45 2018) [sssd[be[EXAMPLE]]] [child_sig_handler]
>> > (0x1000): Waiting for child [186603].
>> > (Thu Aug 23 17:57:45 2018) [sssd[be[EXAMPLE]]] [child_sig_handler]
>> > (0x0020): child [186603] failed with status [3].
>> > (Thu Aug 23 17:57:45 2018) [sssd[be[EXAMPLE]]] [read_pipe_handler]
>> > (0x0400): EOF received, client finished
>> > (Thu Aug 23 17:57:45 2018) [sssd[be[EXAMPLE]]]
>> > [ad_machine_account_password_renewal_done] (0x1000): --- adcli output
>> > start---
>> >  * Found realm in keytab: EXAMPLE.COM
>> >  * Found computer name in keytab: pal062-dev
>> >  * Found service principal in keytab: cifs/srv062-dev
>> >  * Found service principal in keytab: cifs/srv062-dev.EXAMPLE.COM
>> >  * Using fully qualified name: srv062-dev.EXAMPLE.COM
>> >  * Using domain name: EXAMPLE.COM
>> >  * Calculated computer account name from fqdn: SRV062-DEV
>> >  * Using domain realm: EXAMPLE.COM
>> >  * Sending netlogon pings to domain controller: cldap://10.20.30.100
>> >  * Received NetLogon info from: dc03.EXAMPLE.COM
>> >  * Wrote out krb5.conf snippet to
>> > /tmp/adcli-krb5-UWvCeO/krb5.d/adcli-krb5-conf-9dw0Is
>> >  ! Couldn't get kerberos ticket for machine account: SRV062-DEV:
>> > Keytab contains no suitable keys for SRV062-DEV$@EXAMPLE.COM
>> > adcli: couldn't connect to EXAMPLE.COM domain: Couldn't get kerberos
>> > ticket for machine account: SRV062-DEV: Keytab contains no suitable
>> > keys for SRV062-DEV$@EXAMPLE.COM
>> > ---adcli output end---
>> > (Thu Aug 23 17:57:45 2018) [sssd[be[EXAMPLE]]] [be_ptask_done]
>> > (0x0400): Task [EXAMPLE machine account password renewal]: finished
>> > successfully
>> > (Thu Aug 23 17:57:45 2018) [sssd[be[EXAMPLE]]] [be_ptask_schedule]
>> > (0x0400): Task [EXAMPLE machine account password renewal]: scheduling
>> > task 60 seconds from last execution time [1535043525]
>> >
>> > The server's keytab has:
>> >
>> > Keytab name: FILE:/etc/krb5.keytab
>> > KVNO Timestamp           Principal
>> > ---- ------------------- ------------------------------------------------------
>> >   23 03/15/2018 09:59:33 srv062-dev$@EXAMPLE.COM
>> >   23 03/15/2018 09:59:33 srv062-dev$@EXAMPLE.COM
>> >   23 03/15/2018 09:59:33 srv062-dev$@EXAMPLE.COM
>> >   23 03/15/2018 09:59:33 srv062-dev$@EXAMPLE.COM
>> >   23 03/15/2018 09:59:33 srv062-dev$@EXAMPLE.COM
>> >   23 03/15/2018 09:59:33 cifs/srv062-...@example.com
>> >   23 03/15/2018 09:59:33 cifs/srv062-...@example.com
>> >   23 03/15/2018 09:59:33 cifs/srv062-...@example.com
>> >   23 03/15/2018 09:59:33 cifs/srv062-...@example.com
>> >   23 03/15/2018 09:59:33 cifs/srv062-...@example.com
>> >   23 03/15/2018 09:59:33 cifs/srv062-dev.ad....@example.com
>> >   23 03/15/2018 09:59:33 cifs/srv062-dev.ad....@example.com
>> >   23 03/15/2018 09:59:33 cifs/srv062-dev.ad....@example.com
>> >   23 03/15/2018 09:59:33 cifs/srv062-dev.ad....@example.com
>> >   23 03/15/2018 09:59:33 cifs/srv062-dev.ad....@example.com
>> >
>> > Any ideas what could be wrong? Is it potentially because the keytab
>> > has srv062-dev$ and not SRV062-DEV$ ?
>>
>> You are right, adcli unfortunately ignores the lower case version of the
>> principal in the keytab and prefers to calculate/guess ("Calculated
>> computer account name from fqdn: SRV062-DEV") it on its own.
>>
>> I fixed this for the next version of RHEL7.
>
>
> Is there a way to join the domain with adcli and get the upper case version 
> then? (Or I wonder if my keytab format is due to a prior use of "net ads 
> join" - I honestly forget if that's a possibility)

So, I answered my own question...I rejoined the domain using adcli,
and my keytab now has the upper-case version, and the password change
from sssd appears to be functioning correctly now.

The Samba server on the server is also working for now, so fingers crossed!

John

-- 
John Beranek                         To generalise is to be an idiot.
http://redux.org.uk/                                 -- William Blake
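The thread's root cause is a case-sensitive principal lookup: adcli computes the account name from the FQDN in upper case (SRV062-DEV$@EXAMPLE.COM) while the keytab written by an earlier join held only srv062-dev$@EXAMPLE.COM. The following shell helper, added here as an example and not part of the thread or of sssd/adcli, parses `klist -kt` output and reports whether the expected machine-account principal is present in the exact case, present only in a different case (the situation John hit), or absent entirely. The sample listings are constructed from the redacted output above; the function name and the shape of the check are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify how a keytab holds the machine-account principal
# that adcli computes (upper-case SAM name + "$@REALM").
# Argument 1: text of `klist -kt` output; 2: computer name as adcli computes
# it (upper case, no "$"); 3: Kerberos realm.
# Prints one of: exact | case-mismatch | missing
keytab_principal_match() {
    listing=$1
    wanted="${2}\$@${3}"
    # Keep only the principal column of entry lines: rows whose first field
    # is a numeric KVNO. Header, separator and "Keytab name:" lines are dropped.
    principals=$(printf '%s\n' "$listing" |
        awk 'NF >= 3 && $1 ~ /^[0-9]+$/ { print $NF }')
    if printf '%s\n' "$principals" | grep -qxF -- "$wanted"; then
        echo exact
    elif printf '%s\n' "$principals" | grep -qixF -- "$wanted"; then
        # Same principal, different case: adcli's exact-case lookup fails here.
        echo case-mismatch
    else
        echo missing
    fi
}

# Constructed sample: keytab state before the re-join (lower-case principal).
SAMPLE_BEFORE='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
  23 03/15/2018 09:59:33 srv062-dev$@EXAMPLE.COM
  23 03/15/2018 09:59:33 cifs/srv062-dev@EXAMPLE.COM
  23 03/15/2018 09:59:33 cifs/srv062-dev.example.com@EXAMPLE.COM'

# Constructed sample: keytab state after re-joining with adcli (upper-case principal).
SAMPLE_AFTER='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
  24 08/23/2018 18:30:01 SRV062-DEV$@EXAMPLE.COM
  24 08/23/2018 18:30:01 host/srv062-dev.example.com@EXAMPLE.COM'

# Stand-alone demonstration; on a live host you would pass "$(klist -kt)" and
# the upper-cased short hostname instead of the constructed samples.
keytab_principal_match "$SAMPLE_BEFORE" SRV062-DEV EXAMPLE.COM   # case-mismatch
keytab_principal_match "$SAMPLE_AFTER"  SRV062-DEV EXAMPLE.COM   # exact
```

A `case-mismatch` result is the signature of the failure in this thread: sssd's renewal task will keep reporting "Keytab contains no suitable keys" every interval while pwdLastSet in AD silently ages, so it is worth running this check (or an equivalent) as part of a fleet audit rather than waiting for the password to expire. Note that the check only covers the principal name; key version and encryption type mismatches are separate problems that `klist -kte` and the KDC logs would show.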
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/LQRAWW2VXSUVYODQWG7YWFCHQFBXBB2F/