Hi Team,

Sorry for the late reply. We are really confused about the behaviour of sssd. We have one machine whose net ads testjoin shows the join failed, but I am still able to authenticate via my AD ID. Can you help us understand why this is happening? It leaves us confused as to what the right configuration really is, one that will remain persistent and not break AD authentication even after a server reboot. Below is the output of some important files, but do let me know if you need any extra information.
net ads testjoin output
```
kerberos_kinit_password [email protected] failed: Preauthentication failed
kerberos_kinit_password [email protected] failed: Preauthentication failed
Join to domain is not valid: Logon failure
```

smb.conf
```
[global]
workgroup = ADADMIN
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
log file = /var/log/samba/%m.log
realm = AD.ADMIN
security = ads
netbios name = example1
disable netbios = yes
log file = /var/log/samba/log.%m
max log size = 50
load printers = yes
cups options = raw

[homes]
comment = Home Directories
browseable = no
writable = yes

[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes
```

sssd.conf
```
[sssd]
services = nss, pam
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
domains = ad.admin

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/ad.admin]
id_provider = ad
cache_credentials = True
access_provider = simple
ldap_id_mapping = True
use_fully_qualified_names = False
ad_domain = ad.admin
enumerate = false
ldap_deref_threshold = 0
ldap_use_tokengroups = False
debug_level = 3

[autofs]
```

krb5.conf
```
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = AD.ADMIN
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
```

Regards
Sachin Kumar

On Wed, May 3, 2023 at 3:39 PM Sumit Bose <[email protected]> wrote:

> On Wed, May 03, 2023 at 12:17:31PM +0530, Sac Isilia wrote:
> > Hi Team,
> >
> > We are using sssd in our environment for authentication of AD users. But it
> > disconnects from the domain for unknown reasons.
> >
> > Can someone help if there is some best practice or script that
> > automatically rejoins the server to the domain as soon as it disconnects? It has
> > become a pain for us to do it manually.
>
> Hi,
>
> how often does this happen for a single host? If it is around every 30
> days then most probably the automatic renewal of the machine account
> password failed. If in your environment computers are not required to
> renew their password every 30 days you can disable this feature by
> setting
>
> ad_maximum_machine_account_password_age = 0
>
> in the [domain/...] section of sssd.conf and restart SSSD, see 'man
> sssd-ad' for details.
>
> If you want to debug the issue I suggest using a test host which is
> currently working and set
>
> ad_maximum_machine_account_password_age = 1
> debug_level = 9
>
> in the [domain/...] section of sssd.conf and restart SSSD. This will
> tell SSSD to try to renew the machine account password if it is older
> than one day and write a detailed debug log.
>
> Which version of SSSD are you using and on which platform?
>
> bye,
> Sumit
>
> >
> > Regards
> > Sachin Kumar
> > _______________________________________________
> > sssd-users mailing list -- [email protected]
> > To unsubscribe send an email to [email protected]
> > Fedora Code of Conduct:
> > https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
> > https://lists.fedorahosted.org/archives/list/[email protected]
> > Do not reply to spam, report it:
> > https://pagure.io/fedora-infrastructure/new_issue
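The situation Sachin describes, a failing `net ads testjoin` alongside AD logins that still work, can be checked from two sides: Samba's stored machine credentials (what `net ads testjoin` exercises) and the keytab that SSSD authenticates with, which is a separate credential store. The script below is an added diagnostic and is not part of this thread, nor SSSD's or Samba's own tooling. It takes the realm `AD.ADMIN` and domain `ad.admin` from the posted configuration files, assumes the base DN `DC=ad,DC=admin` and that `/etc/krb5.keytab` contains the `HOSTNAME$` machine principal (the principal adcli normally writes), and compares the machine account password age in AD (`pwdLastSet`) with the 30-day renewal interval Sumit mentions.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): compare the state of Samba's stored
# machine credentials with the keytab SSSD uses, and report the age of the
# machine account password as recorded in AD. Realm/domain come from the posted
# configs; base DN and keytab principal are assumptions, see the comments.

REALM="AD.ADMIN"           # from krb5.conf in the thread
DOMAIN="ad.admin"          # from sssd.conf in the thread
BASEDN="DC=ad,DC=admin"    # assumed: derived from the domain name
RENEWAL_DAYS=30            # renewal interval named in the reply

# Convert an AD FILETIME (100-ns ticks since 1601-01-01 UTC) into whole days
# elapsed up to NOW_EPOCH (Unix seconds). Pure arithmetic, testable offline.
filetime_age_days() {
    ft=$1
    now=$2
    # 11644473600 seconds separate 1601-01-01 from 1970-01-01.
    pw_epoch=$(( ft / 10000000 - 11644473600 ))
    echo $(( (now - pw_epoch) / 86400 ))
}

# Classify the text printed by "net ads testjoin" (read from stdin).
# "Preauthentication failed" means the KDC rejected the stored machine password.
join_status() {
    out=$(cat)
    case "$out" in
        *"Join is OK"*)               echo "ok" ;;
        *"Preauthentication failed"*) echo "machine-password-rejected" ;;
        *)                            echo "unknown" ;;
    esac
}

# Everything below touches the live host, so it only runs with --check.
if [ "${1:-}" = "--check" ]; then
    acct="$(hostname -s | tr '[:lower:]' '[:upper:]')\$"    # e.g. EXAMPLE1$
    status=$(net ads testjoin 2>&1 | join_status)
    echo "samba machine credentials (net ads testjoin): $status"

    # Use a private credential cache so we do not disturb root's tickets.
    KRB5CCNAME="FILE:$(mktemp /tmp/joincheck.XXXXXX)"
    export KRB5CCNAME
    # Assumed: /etc/krb5.keytab holds the ACCOUNT$ principal written by adcli.
    if kinit -k "$acct@$REALM" 2>/dev/null; then
        echo "sssd keytab (kinit -k $acct@$REALM): ok"
        ft=$(ldapsearch -LLL -Q -Y GSSAPI -H "ldap://$DOMAIN" -b "$BASEDN" \
                 "(sAMAccountName=$acct)" pwdLastSet 2>/dev/null \
             | sed -n 's/^pwdLastSet: //p')
        if [ -n "$ft" ]; then
            age=$(filetime_age_days "$ft" "$(date +%s)")
            echo "machine account password age in AD: $age days"
            if [ "$age" -ge "$RENEWAL_DAYS" ]; then
                echo "WARNING: older than $RENEWAL_DAYS days; renewal may be failing"
            fi
        fi
    else
        echo "sssd keytab (kinit -k $acct@$REALM): FAILED"
    fi
    kdestroy 2>/dev/null
fi
```

Run it as `sh joincheck.sh --check` on the affected host. Two things it helps separate: first, with `cache_credentials = True` in the posted sssd.conf, a user who has logged in before can still authenticate from SSSD's cache while the domain connection is broken, so a successful login on its own does not prove the join is healthy; second, if `kinit -k` succeeds while `net ads testjoin` reports `Preauthentication failed`, the keytab and Samba's stored machine password have diverged, which is one way the two tools can disagree about the same host.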
