Hi Sebastian,

Please check if the SELinux context of the /etc/krb5.keytab file is correct.
I have seen this issue a couple of times when SELinux prevented adcli from
writing to this file when it was invoked from SSSD. Thus, adcli changed the
password in AD, but was unable to write it to /etc/krb5.keytab.
You have the last password change timestamp in AD - this timestamp can help
with the investigation. You can examine the system logs for this date for any
errors. In my case, there were SELinux denied events for /etc/krb5.keytab
in the audit log.


Kind regards,
Grigory Trenin
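As an added example (not part of Grigory's reply and not SSSD or adcli code), the checks above turned into a small POSIX shell script: it reads `klist -k` output and the krb5_child errors, compares the highest KVNO the keytab holds with the KVNO the KDC demanded, and wraps the SELinux label check and the audit-log search for the date of the last password change. The klist and journal lines inside `sample_triage` are constructed from what the thread quotes; the exact principal strings (the page redacts them), the tool invocations `ls -Z`, `restorecon -nv` and `ausearch`, and the `KEYTAB_TRIAGE_DEMO` switch are assumptions.

```shell
#!/bin/sh
# Keytab staleness triage for an AD-joined host (added example, not from the thread).
# Assumed tooling for the live checks: coreutils ls -Z, policycoreutils restorecon,
# audit's ausearch. The parsing functions read plain text on stdin and run offline.

# Highest KVNO in `klist -k` output on stdin. Only lines that begin with a number
# followed by a principal count; the header and separator lines are skipped.
highest_kvno_in_keytab() {
    awk '$1 ~ /^[0-9]+$/ && NF >= 2 { if ($1 + 0 > max) max = $1 + 0 }
         END { print max + 0 }'
}

# Highest KVNO that krb5_child asked for in journal text on stdin, taken from
# "Cannot find key for ... kvno N in keytab". Prints 0 when no such line exists.
kvno_demanded_by_kdc() {
    awk 'match($0, /kvno [0-9]+ in keytab/) {
             n = substr($0, RSTART + 5, RLENGTH - 15) + 0
             if (n > max) max = n
         }
         END { print max + 0 }'
}

# True (exit 0) when the KDC wants a newer key than the keytab holds.
# Usage: keytab_is_stale HAVE WANT
keytab_is_stale() {
    [ "$2" -gt "$1" ]
}

# Live check 1: is the keytab labelled the way the policy expects?
# restorecon -n reports without relabelling; any output means the label is wrong
# and adcli (running in SSSD's context) may have been denied write access.
check_keytab_context() {
    ls -Z /etc/krb5.keytab
    restorecon -nv /etc/krb5.keytab
}

# Live check 2: AVC denials on the keytab since a point in time.
# $1 is a time spec accepted by ausearch -ts (for example "recent", "today",
# or the date AD reports for the last machine-account password change).
audit_denials_for_keytab() {
    ausearch -m AVC -f /etc/krb5.keytab -ts "$1"
}

# Offline demonstration on text constructed from the thread (hostname lc015564,
# realm WAGO.LOCAL; the principal strings themselves are assumed).
sample_triage() {
    have=$(printf '%s\n' \
        'Keytab name: FILE:/etc/krb5.keytab' \
        'KVNO Principal' \
        '---- ----------------------------------------' \
        '  10 host/lc015564.wago.local@WAGO.LOCAL' \
        '   9 host/lc015564.wago.local@WAGO.LOCAL' | highest_kvno_in_keytab)
    want=$(printf '%s\n' \
        'Jan 11 09:49:41 lc015564 krb5_child[6111]: Cannot find key for' \
        'LC015564$@WAGO.LOCAL kvno 11 in keytab' | kvno_demanded_by_kdc)
    if keytab_is_stale "$have" "$want"; then
        echo "stale: keytab holds kvno $have, KDC wants kvno $want"
        echo "next: check_keytab_context; audit_denials_for_keytab <pwdLastSet date>"
        return 1
    fi
    echo "ok: keytab kvno $have is what the KDC expects"
}

# Run the offline demonstration only when explicitly asked for.
if [ "${KEYTAB_TRIAGE_DEMO:-0}" = 1 ]; then
    sample_triage
fi
```

Run it with `KEYTAB_TRIAGE_DEMO=1 sh keytab-triage.sh` to see the verdict on the constructed sample (keytab at kvno 10, KDC asking for 11, so the keytab is stale); on a real host, pipe `klist -k` and `journalctl -u sssd` into the two parsing functions and then run the two live checks as root.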

Wed, 19 Jan 2022 at 13:39, Sebastian Grebe <[email protected]>:

> Hello,
>
> we are getting reports from users who suddenly can't authenticate to
> their Linux computers anymore. These computers are joined to our MS domain
> using adcli and sssd. Checking the log reveals that the Kerberos tickets
> stored in /etc/krb5.keytab do not have the expected KVNO. At the moment we
> can't tell what's causing the issue. It happens only sporadically. I'm
> under the impression that only computers without a permanent network connection
> (laptops) are affected.
>
> The log shows:
>
> Jan 11 09:30:52 lc015564 systemd[1]: Starting System Security Services Daemon...
> Jan 11 09:30:52 lc015564 sssd[1376]: Starting up
> Jan 11 09:30:52 lc015564 sssd_be[1609]: Starting up
> Jan 11 09:30:52 lc015564 sssd_ifp[1633]: Starting up
> Jan 11 09:30:52 lc015564 systemd[1]: Started System Security Services Daemon.
> Jan 11 09:30:55 lc015564 sssd_be[1609]: Backend is offline
> Jan 11 09:49:32 lc015564 sssd_be[1609]: Backend is online
> Jan 11 09:49:41 lc015564 krb5_child[6111]: Cannot find key for [email protected] kvno 11 in keytab
> Jan 11 09:49:41 lc015564 krb5_child[6111]: Cannot find key for [email protected] kvno 11 in keytab
> Jan 11 09:49:49 lc015564 adcli[6102]: GSSAPI client step 1
> Jan 11 09:49:49 lc015564 adcli[6102]: GSSAPI client step 1
> Jan 11 09:49:50 lc015564 adcli[6102]: GSSAPI client step 1
> Jan 11 10:00:57 lc015564 krb5_child[6838]: Cannot find key for [email protected] kvno 11 in keytab
> Jan 11 10:00:57 lc015564 krb5_child[6838]: Cannot find key for [email protected] kvno 11 in keytab
>
> And klist -k shows:
>
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- ------------------------------------------------------------------------------
>   10 [email protected]
>   10 [email protected]
>   10 [email protected]
>   10 host/[email protected]
>   10 host/[email protected]
>   10 host/[email protected]
>   10 host/[email protected]
>   10 host/[email protected]
>   10 host/[email protected]
>   10 RestrictedKrbHost/[email protected]
>   10 RestrictedKrbHost/[email protected]
>   10 RestrictedKrbHost/[email protected]
>   10 RestrictedKrbHost/[email protected]
>   10 RestrictedKrbHost/[email protected]
>   10 RestrictedKrbHost/[email protected]
>    9 [email protected]
>    9 [email protected]
>    9 [email protected]
>    9 host/[email protected]
>    9 host/[email protected]
>    9 host/[email protected]
>    9 host/[email protected]
>    9 host/[email protected]
>    9 host/[email protected]
>    9 RestrictedKrbHost/[email protected]
>    9 RestrictedKrbHost/[email protected]
>    9 RestrictedKrbHost/[email protected]
>    9 RestrictedKrbHost/[email protected]
>    9 RestrictedKrbHost/[email protected]
>    9 RestrictedKrbHost/[email protected]
>
> This is our sssd.conf (it's from a different computer):
>
> [sssd]
> domains = wago.local
> config_file_version = 2
> services = ifp
>
> [domain/wago.local]
> default_shell = /bin/bash
> fallback_homedir = /home/%d/%u
> cache_credentials = true
> krb5_store_password_if_offline = true
> krb5_realm = WAGO.LOCAL
> krb5_ccname_template = /tmp/krb5cc_%U
> realmd_tags = manages-system joined-with-adcli
> id_provider = ad
> access_provider = ad
> ad_domain = wago.local
> ad_enabled_domains = wago.local
> ad_hostname = lc017547.wago.local
> use_fully_qualified_names = false
> ldap_id_mapping = true
> ldap_user_gecos = displayName
> ldap_use_tokengroups = false
> ldap_search_base = dc=wago,dc=local?subtree?
> ldap_user_search_base = ou=User,ou=Minden,ou=Germany,dc=wago,dc=local?subtree??ou=User,ou=Administration,dc=wago,dc=local?onelevel?(&(objectClass=user)(cn=a2*))?ou=Service,dc=wago,dc=local?subtree?
> ldap_group_search_base = cn=Users,dc=wago,dc=local?onelevel?(&(objectClass=group)(cn=Domain Users))?ou=Groups,ou=Minden,ou=Germany,dc=wago,dc=local?onelevel?(&(objectClass=group)(cn=&01-PC-Support))
> ldap_netgroup_search_base = cn=Users,dc=wago,dc=local?onelevel?
> ignore_group_members = true
> enumerate = false
> dyndns_update = true
> dyndns_refresh_interval = 7200
> dyndns_update_ptr = true
> dyndns_server = 10.1.100.2
> case_sensitive = Preserving
>
> [nss]
> filter_users = root
> filter_groups = root
>
> [pam]
> offline_credentials_expiration = 0
> offline_failed_login_attempts = 3
> offline_failed_login_delay = 5
>
> And the krb5.conf:
>
> [libdefaults]
> ticket_lifetime = 240:00:00
> renew_lifetime = 240:00:00
> clock_skew = 300
> renewable = true
> default_ccache_name = FILE:/tmp/krb5cc_%{uid}
> default_realm = WAGO.LOCAL
> kdc_timesync = 1
> ccache_type = 4
> forwardable = true
> proxiable = true
> udp_preference_limit = 1
> noaddresses = true
> fcc-mit-ticketflags = true
> [realms]
> WAGO.LOCAL = {
>   admin_server = 10.1.101.200
>   admin_server = 10.1.100.1
>   admin_server = 10.1.100.253
>   admin_server = 10.1.100.2
> }
> [domain_realm]
> .wago.local = WAGO.LOCAL
> wago.local  = WAGO.LOCAL
> [login]
> krb4_convert = true
> krb4_get_tickets = false
>
> To solve the issue we delete the computer from the domain, delete the
> krb5.keytab and rejoin it.
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
>