Hello!
I am looking at some errors that I have been seeing in some logs, specific to, but not limited to, RHEL/CentOS 7.x/8.x and Rocky 8.x (SSSD version: sssd-2.4.0-9.el8_4.1.x86_64). All systems are attached to a Windows Active Directory domain using 'adcli'.
The configuration works as expected and seems to have no major problems, although it does cause some unnecessary noise in the logs, which prompted me to look at it a little further.
All the logs show the errors that are happening. FYI: the servers are part of a forest, and it does look like rdns = false.
Here are all the logs related to the error. (If I am missing anything, please let me know and I will add it in there ASAP! Some logs are compressed, as the same message repeats itself over and over again.)
****Command Used: journalctl -p 4****
Aug 10 10:28:33 EXAMPLE.CC.CC.NET sssd[ldap_child[2972536]][2972536]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client 'host/EXAMPLE.CC.CC.NET@EXAMPLE.DOMAIN.COM' not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP connection.
Aug 10 10:28:33 EXAMPLE.CC.CC.NET sssd[ldap_child[2972537]][2972537]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client 'host/EXAMPLE.CC.CC.NET@EXAMPLE.DOMAIN.COM' not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP connection.
Aug 10 10:28:33 EXAMPLE.CC.CC.NET sssd[ldap_child[2972538]][2972538]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client 'host/EXAMPLE.CC.CC.NET@EXAMPLE.DOMAIN.COM' not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP connection.
Aug 10 10:28:33 EXAMPLE.CC.CC.NET sssd[ldap_child[2972539]][2972539]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client 'host/EXAMPLE.CC.CC.NET@EXAMPLE.DOMAIN.COM' not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP connection.
Aug 10 10:28:33 EXAMPLE.CC.CC.NET sssd[ldap_child[2972540]][2972540]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client 'host/EXAMPLE.CC.CC.NET@EXAMPLE.DOMAIN.COM' not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP connection.
****Command Used: journalctl -u sssd****
Aug 09 14:28:32 EXAMPLE.CC.CC.NET sssd[3906155]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.
Aug 09 14:28:32 EXAMPLE.CC.CC.NET sssd[3906155]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.
Aug 09 14:28:32 EXAMPLE.CC.CC.NET sssd[3906155]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.
Aug 09 14:28:32 EXAMPLE.CC.CC.NET sssd[3906155]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.
Aug 09 14:40:52 EXAMPLE.CC.CC.NET adcli[2526663]: GSSAPI client step 1
Aug 09 14:40:52 EXAMPLE.CC.CC.NET adcli[2526663]: GSSAPI client step 1
Aug 09 14:40:52 EXAMPLE.CC.CC.NET adcli[2526663]: GSSAPI client step 1
****KEYTAB****
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 MYSERVER$@EXAMPLE.DOMAIN.COM
   2 MYSERVER$@EXAMPLE.DOMAIN.COM
   2 host/MYSERVER@EXAMPLE.DOMAIN.COM
   2 host/MYSERVER@EXAMPLE.DOMAIN.COM
   2 host/EXAMPLE.CC.CC.NET@EXAMPLE.DOMAIN.COM
   2 host/EXAMPLE.CC.CC.NET@EXAMPLE.DOMAIN.COM
   2 RestrictedKrbHost/MYSERVER@EXAMPLE.DOMAIN.COM
   2 RestrictedKrbHost/MYSERVER@EXAMPLE.DOMAIN.COM
   2 RestrictedKrbHost/EXAMPLE.CC.CC.NET@EXAMPLE.DOMAIN.COM
   2 RestrictedKrbHost/EXAMPLE.CC.CC.NET@EXAMPLE.DOMAIN.COM
****KRB5_CHILD.LOG****
(2021-08-10 13:59:37): [krb5_child[3051214]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2].
(2021-08-10 13:59:37): [krb5_child[3051214]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [someuser1@ EXAMPLE.DOMAIN.COM@EXAMPLE.DOMAIN.COM] might not be correct.
(2021-08-10 14:24:43): [krb5_child[3061023]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2].
(2021-08-10 14:24:43): [krb5_child[3061023]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [someuser1@ EXAMPLE.DOMAIN.COM@EXAMPLE.DOMAIN.COM] might not be correct.
****LDAP_CHILD.LOG****
(2021-08-10 14:28:33): [ldap_child[3063821]] [ldap_child_get_tgt_sync] (0x0040): krb5_get_init_creds_keytab() failed: -1765328378
(2021-08-10 14:28:33): [ldap_child[3063821]] [ldap_child_get_tgt_sync] (0x0010): Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client 'host/EXAMPLE.CC.CC.NET@EXAMPLE.DOMAIN.COM' not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP connection.
(2021-08-10 14:28:33): [ldap_child[3063821]] [main] (0x0020): ldap_child_get_tgt_sync failed.
(2021-08-10 14:28:33): [ldap_child[3063822]] [ldap_child_get_tgt_sync] (0x0040): krb5_get_init_creds_keytab() failed: -1765328378
(2021-08-10 14:28:33): [ldap_child[3063822]] [ldap_child_get_tgt_sync] (0x0010): Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client 'host/EXAMPLE.CC.CC.NET@EXAMPLE.DOMAIN.COM' not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP connection.
(2021-08-10 14:28:33): [ldap_child[3063822]] [main] (0x0020): ldap_child_get_tgt_sync failed.
****SSSD.CONF****
[sssd]
domains = EXAMPLE.domain.com
config_file_version = 2
services = nss, pam

[domain/EXAMPLE.domain.com]
ad_domain = EXAMPLE.domain.com
ad_enable_gc = false
krb5_realm = EXAMPLE.DOMAIN.COM
krb5_lifetime = 10h
subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
ignore_group_members = true
ldap_purge_cache_timeout = 0
realmd_tags = joined-with-adcli, manages-system
cache_credentials = false
id_provider = ad
krb5_store_password_if_offline = true
default_shell = /bin/bash
ldap_id_mapping = true
ldap_sasl_authid = MYSERVER$@EXAMPLE.DOMAIN.COM
ldap_use_tokengroups = true
use_fully_qualified_names = false
fallback_homedir = /home/%d/%u
access_provider = simple
simple_allow_groups = linux_admins
simple_allow_users = someuser1, someuser2, someuser3
Thank you so much for your help!
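A cross-check for the ldap_child failure in the post above, added here as an example; it is not code from the original post or from the SSSD project. It reads a `klist -k` listing and ldap_child.log lines (both constructed below from the poster's output, plus one hypothetical child PID 9999 with a principal host/OTHERHOST.CC.CC.NET that is deliberately absent from the keytab, so both branches run) and reports, per "Client '...' not found in Kerberos database" line, whether the problem is on the keytab side or on the KDC side. The reasoning it encodes: the code -1765328378 logged by krb5_get_init_creds_keytab() is KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, and the keytab does hold host/EXAMPLE.CC.CC.NET@EXAMPLE.DOMAIN.COM at kvno 2, so the key material is local and it is the AD KDC that does not resolve that name as a client principal (AD resolves host/... client names through servicePrincipalName). The `disjoint_namespace` flag marks the case where the host's DNS suffix (cc.cc.net) is not the realm's DNS domain (example.domain.com), which is exactly where it is worth verifying on the DC, e.g. with `adcli show-computer` or by reading servicePrincipalName on the computer object, that the SPN written at join time actually landed. Everything named in the sample inputs is taken from or modelled on the post; the status strings and the helper names are this example's own.

```python
"""Cross-check SSSD ldap_child 'Client ... not found in Kerberos database' errors
against the local keytab. Added example; not code from the post or from SSSD."""
import re

# MIT krb5 error codes are com_err values: KRB5KDC_ERR_NONE (-1765328384) + RFC 4120 code.
KRB5_BASE = -1765328384
KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN = KRB5_BASE + 6    # -1765328378, the code in the post's log
KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN = KRB5_BASE + 7
KRB5KDC_ERR_PREAUTH_FAILED = KRB5_BASE + 24
KRB5_NAMES = {
    KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",
    KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN",
    KRB5KDC_ERR_PREAUTH_FAILED: "KRB5KDC_ERR_PREAUTH_FAILED",
}

# Constructed sample input mirroring the post's `klist -k` listing (one line per principal).
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 MYSERVER$@EXAMPLE.DOMAIN.COM
   2 host/MYSERVER@EXAMPLE.DOMAIN.COM
   2 host/EXAMPLE.CC.CC.NET@EXAMPLE.DOMAIN.COM
   2 RestrictedKrbHost/MYSERVER@EXAMPLE.DOMAIN.COM
   2 RestrictedKrbHost/EXAMPLE.CC.CC.NET@EXAMPLE.DOMAIN.COM
"""

# Constructed sample input: the post's ldap_child.log lines for PID 3063821, plus a
# hypothetical child (PID 9999, host/OTHERHOST.CC.CC.NET) whose principal is NOT in
# the keytab, so the 'missing_from_keytab' branch is exercised as well.
LDAP_CHILD_LOG = """\
(2021-08-10 14:28:33): [ldap_child[3063821]] [ldap_child_get_tgt_sync] (0x0040): krb5_get_init_creds_keytab() failed: -1765328378
(2021-08-10 14:28:33): [ldap_child[3063821]] [ldap_child_get_tgt_sync] (0x0010): Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client 'host/EXAMPLE.CC.CC.NET@EXAMPLE.DOMAIN.COM' not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP connection.
(2021-08-10 14:28:33): [ldap_child[3063821]] [main] (0x0020): ldap_child_get_tgt_sync failed.
(2021-08-10 14:30:01): [ldap_child[9999]] [ldap_child_get_tgt_sync] (0x0040): krb5_get_init_creds_keytab() failed: -1765328378
(2021-08-10 14:30:01): [ldap_child[9999]] [ldap_child_get_tgt_sync] (0x0010): Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client 'host/OTHERHOST.CC.CC.NET@EXAMPLE.DOMAIN.COM' not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP connection.
"""

KEYTAB_ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")
CHILD_CODE = re.compile(r"\[ldap_child\[(\d+)\]\].*krb5_get_init_creds_keytab\(\) failed: (-?\d+)")
CHILD_CLIENT = re.compile(r"\[ldap_child\[(\d+)\]\].*Client '([^']+)' not found in Kerberos database")


def parse_keytab(text):
    """Map each principal in `klist -k` output to the set of KVNOs present for it."""
    entries = {}
    for line in text.splitlines():
        m = KEYTAB_ENTRY.match(line)   # header, separator and 'Keytab name:' lines do not match
        if m:
            entries.setdefault(m.group(2), set()).add(int(m.group(1)))
    return entries


def parse_ldap_child(text):
    """Pair each 'Client ... not found' line with the krb5 code logged earlier by the same child PID."""
    codes, events = {}, []
    for line in text.splitlines():
        m = CHILD_CODE.search(line)
        if m:
            codes[m.group(1)] = int(m.group(2))
            continue
        m = CHILD_CLIENT.search(line)
        if m:
            events.append({"pid": m.group(1), "client": m.group(2), "code": codes.get(m.group(1))})
    return events


def diagnose(keytab, events):
    """Classify each failure as a keytab-side or a KDC-side problem."""
    results = []
    keytab_realms = {p.rsplit("@", 1)[1] for p in keytab}
    for ev in events:
        princ = ev["client"]
        name, realm = princ.rsplit("@", 1)
        r = {"client": princ, "krb5_error": KRB5_NAMES.get(ev["code"], str(ev["code"]))}
        if princ not in keytab:
            # No key for this name locally: SSSD built a principal the keytab cannot serve.
            r["status"] = "realm_mismatch" if realm not in keytab_realms else "missing_from_keytab"
        elif ev["code"] == KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN:
            # Key is local but the AS-REQ is refused: the KDC does not map this host/...
            # name to a computer object, i.e. the SPN is not registered where AD looks.
            r["status"] = "kdc_unknown"
            r["kvno"] = sorted(keytab[princ])
        else:
            r["status"] = "other"
        # Disjoint DNS namespace: an FQDN whose suffix is not the realm's DNS domain.
        if "/" in name:
            host = name.split("/", 1)[1].lower()
            r["disjoint_namespace"] = "." in host and not host.endswith("." + realm.lower())
        results.append(r)
    return results


if __name__ == "__main__":
    for r in diagnose(parse_keytab(KLIST_OUTPUT), parse_ldap_child(LDAP_CHILD_LOG)):
        print(r)
```

On a real host, replace the two constructed strings with the output of `klist -k /etc/krb5.keytab` and the contents of /var/log/sssd/ldap_child.log; the `tkey query failed ... Server not found in Kerberos database` lines from journalctl are a different principal (the DNS server's, used for the dynamic DNS update) and are not matched by this check.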