Subject: SSSD Service cannot start: Someone deleted
/etc/sssd/sssd.conf and /etc/krb5.keytab from RHEL 7 server

Good day from Singapore,

Today 22 Jun 2022 Wednesday, I discovered that someone deleted
/etc/sssd/sssd.conf and /etc/krb5.keytab from one of the Red Hat
Enterprise Linux (RHEL) 7 servers. Hence System Security Services
Daemon (SSSD) cannot start.

I have solved it by copying /etc/sssd/sssd.conf from another RHEL 7
server and generating a Kerberos keytab file on the Active Directory
Domain Controller Windows Server.

Here is an edited sample of our /etc/sssd/sssd.conf file.

[sssd]
domains = project.domain.com
config_file_version = 2
services = nss, pam

[domain/project.domain.com]
ad_server = addc01.project.domain.com
ad_domain = project.domain.com
krb5_realm = PROJECT.DOMAIN.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u%d
access_provider = ad

The 2 Windows Server commands I used to create a Kerberos keytab are:

[1] setspn -A host/rhel7.project.domain.com rhel7

[2] ktpass /princ host/rhel7.project.domain....@project.domain.com /out rhel7.keytab /crypto All /ptype KRB5_NT_PRINCIPAL -desonly /mapuser PROJECT\rhel7$ +setupn +rndPass +setpass +answer

After generating rhel7.keytab on the Active Directory Domain
Controller Windows Server, copy the keytab file to the target RHEL 7
server as /etc/krb5.keytab.

As we do not have direct SSH access to the target RHEL 7 server, I
had to copy out rhel7.keytab from the Windows Server using WinSCP.
Then I used WinSCP again to upload rhel7.keytab to another intermediate
RHEL 7 server. From the intermediate RHEL 7 server, I used the
following Linux command to transfer rhel7.keytab to the target RHEL 7
server.

$ scp rhel7.keytab user@<IP address of target RHEL 7 server>:/home/user/rhel7.keytab

On the target RHEL 7 server, run the following Linux commands:

$ sudo cp rhel7.keytab /etc/krb5.keytab

Then

$ su -

# systemctl start sssd.service

# systemctl status sssd.service

I have solved the problem!
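As an added example (not part of the original post), here is a small POSIX shell script to run on the target RHEL 7 server after the two files are copied back and before sssd is started: SSSD refuses to start unless /etc/sssd/sssd.conf is owned by root with mode 0600, and the restored /etc/krb5.keytab holds the host's long-term key, so it should be locked down the same way. The host principal and realm follow the post; GNU stat (RHEL 7 coreutils) and klist from krb5-workstation are assumed.

```shell
#!/bin/sh
# Added example (not from the original post): checks to run after the two
# deleted files are copied back. SSSD refuses to start unless sssd.conf is
# root-owned with mode 0600; the keytab holds the host key and needs the same.
# Assumes GNU stat (RHEL 7 coreutils) and klist from krb5-workstation.

# check_secret FILE [MODE] [OWNER]: return 0 when FILE exists, is owned by
# OWNER (default root) and has exactly MODE (default 600); else say why, return 1.
check_secret() {
    file=$1
    want_mode=${2:-600}
    want_owner=${3:-root}
    [ -f "$file" ] || { echo "MISSING  $file"; return 1; }
    owner=$(stat -c '%U' "$file")
    mode=$(stat -c '%a' "$file")
    [ "$owner" = "$want_owner" ] || { echo "OWNER    $file: $owner, expected $want_owner"; return 1; }
    [ "$mode" = "$want_mode" ] || { echo "MODE     $file: $mode, expected $want_mode"; return 1; }
    echo "OK       $file ($owner, mode $mode)"
    return 0
}

# check_keytab_principal KEYTAB PRINCIPAL: return 0 when klist lists PRINCIPAL
# in KEYTAB, 1 when it does not, 2 when klist is absent (skipped, not failed).
check_keytab_principal() {
    keytab=$1
    princ=$2
    if ! command -v klist >/dev/null 2>&1; then
        echo "SKIP     klist not found; install krb5-workstation to inspect $keytab"
        return 2
    fi
    if klist -k "$keytab" 2>/dev/null | grep -qF "$princ"; then
        echo "OK       $keytab contains $princ"
        return 0
    fi
    echo "MISSING  $princ is not in $keytab"
    return 1
}

# Run against the real files (names follow the post); report, do not abort.
status=0
for f in /etc/sssd/sssd.conf /etc/krb5.keytab; do check_secret "$f" || status=1; done
check_keytab_principal /etc/krb5.keytab 'host/rhel7.project.domain.com@PROJECT.DOMAIN.COM' || status=1
[ "$status" -eq 0 ] || echo "Fix the lines above before: systemctl start sssd.service"
```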

Reference Guides
================

[1] 22.8.1 Configuring an SSSD Server
Link: https://docs.oracle.com/cd/E37670_01/E41138/html/ch22s08s01.html

[2] How to create a kerberos keytab on Active Directory for Red Hat
Enterprise Linux
Link: https://access.redhat.com/solutions/208173

Regards,

Mr. Turritopsis Dohrnii Teo En Ming
Targeted Individual in Singapore
22 Jun 2022 Wednesday
Blogs:
https://tdtemcerts.blogspot.com/
https://tdtemcerts.wordpress.com/
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
