Hello!
I am looking at some errors that I have been seeing in some logs, specific to but not limited to RHEL/CentOS 7.x, 8.x and Rocky 8.x (SSSD version - sssd-2.4.0-9.el8_4.1.x86_64). All systems are attached to a Windows Active Directory domain using 'adcli'.
The configuration works as expected and I see no major problems, although it does cause some unnecessary noise in the logs, which prompted me to look at it a little further.
All the logs show the errors that are happening. FYI: Servers are part of a forest and it does look like rdns = false.
Here are all the logs related to the error (if I am missing anything please let me know and I will add it in there ASAP!). Some logs are compressed as they repeat themselves over and over again.
***Command Used: journalctl -p 4***
Aug 10 10:28:33 EXAMPLE.CC.CC.NET sssd[ldap_child[2972536]][2972536]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client 'host/EXAMPLE.CC.CC.NET@EXAMPLE.DOMAIN.COM' not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP connection.
Aug 10 10:28:33 EXAMPLE.CC.CC.NET sssd[ldap_child[2972537]][2972537]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client 'host/EXAMPLE.CC.CC.NET@EXAMPLE.DOMAIN.COM' not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP connection.
Aug 10 10:28:33 EXAMPLE.CC.CC.NET sssd[ldap_child[2972538]][2972538]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client 'host/EXAMPLE.CC.CC.NET@EXAMPLE.DOMAIN.COM' not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP connection.
Aug 10 10:28:33 EXAMPLE.CC.CC.NET sssd[ldap_child[2972539]][2972539]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client 'host/EXAMPLE.CC.CC.NET@EXAMPLE.DOMAIN.COM' not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP connection.
Aug 10 10:28:33 EXAMPLE.CC.CC.NET sssd[ldap_child[2972540]][2972540]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client 'host/EXAMPLE.CC.CC.NET@EXAMPLE.DOMAIN.COM' not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP connection.
***Command Used: journalctl -u sssd***
Aug 09 14:28:32 EXAMPLE.CC.CC.NET sssd[3906155]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.
Aug 09 14:28:32 EXAMPLE.CC.CC.NET sssd[3906155]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.
Aug 09 14:28:32 EXAMPLE.CC.CC.NET sssd[3906155]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.
Aug 09 14:28:32 EXAMPLE.CC.CC.NET sssd[3906155]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.
Aug 09 14:40:52 EXAMPLE.CC.CC.NET adcli[2526663]: GSSAPI client step 1
Aug 09 14:40:52 EXAMPLE.CC.CC.NET adcli[2526663]: GSSAPI client step 1
Aug 09 14:40:52 EXAMPLE.CC.CC.NET adcli[2526663]: GSSAPI client step 1
***KEYTAB***
***KRB5_CHILD.LOG***
(2021-08-10 13:59:37): [krb5_child[3051214]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2].
(2021-08-10 13:59:37): [krb5_child[3051214]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [someuser1\@EXAMPLE.DOMAIN.COM@EXAMPLE.DOMAIN.COM] might not be correct.
(2021-08-10 14:24:43): [krb5_child[3061023]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2].
(2021-08-10 14:24:43): [krb5_child[3061023]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [someuser1\@EXAMPLE.DOMAIN.COM@EXAMPLE.DOMAIN.COM] might not be correct.
***LDAP_CHILD.LOG***
(2021-08-10 14:28:33): [ldap_child[3063821]] [ldap_child_get_tgt_sync] (0x0040): krb5_get_init_creds_keytab() failed: -1765328378
(2021-08-10 14:28:33): [ldap_child[3063821]] [ldap_child_get_tgt_sync] (0x0010): Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client 'host/EXAMPLE.CC.CC.NET@EXAMPLE.DOMAIN.COM' not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP connection.
(2021-08-10 14:28:33): [ldap_child[3063821]] [main] (0x0020): ldap_child_get_tgt_sync failed.
(2021-08-10 14:28:33): [ldap_child[3063822]] [ldap_child_get_tgt_sync] (0x0040): krb5_get_init_creds_keytab() failed: -1765328378
(2021-08-10 14:28:33): [ldap_child[3063822]] [ldap_child_get_tgt_sync] (0x0010): Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client 'host/EXAMPLE.CC.CC.NET@EXAMPLE.DOMAIN.COM' not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP connection.
(2021-08-10 14:28:33): [ldap_child[3063822]] [main] (0x0020): ldap_child_get_tgt_sync failed.
***SSSD.CONF***
[sssd]
domains = EXAMPLE.domain.com
config_file_version = 2
services = nss, pam

[domain/EXAMPLE.domain.com]
ad_domain = EXAMPLE.domain.com
ad_enable_gc = false
krb5_realm = EXAMPLE.DOMAIN.COM
krb5_lifetime = 10h
subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
ignore_group_members = true
ldap_purge_cache_timeout = 0
realmd_tags = joined-with-adcli, manages-system
cache_credentials = false
id_provider = ad
krb5_store_password_if_offline = true
default_shell = /bin/bash
ldap_id_mapping = true
ldap_sasl_authid = MYSERVER$@EXAMPLE.DOMAIN.COM
ldap_use_tokengroups = true
use_fully_qualified_names = false
fallback_homedir = /home/%d/%u
access_provider = simple
simple_allow_groups = linux_admins
simple_allow_users = someuser1, someuser2, someuser3
Thank you so much for your help!
--
Jovan Quinones-Morales
Linux Operating Systems Analyst
Technology Services Department
804.828.4810
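Added example (editor's note, not part of the post above and not SSSD code): a small triage script for the two distinct failures shown in the logs. The ldap_child lines report libkrb5 error -1765328378, which is KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN: the KDC has no account it can map to the client name 'host/EXAMPLE.CC.CC.NET@EXAMPLE.DOMAIN.COM', which is a different situation from that principal being absent from the keytab. The "tkey query failed ... Server not found" lines come from the GSS-TSIG (TKEY) negotiation of the dynamic DNS update and concern the DNS server's principal, so the script counts them separately. The script decodes the error number, collects every principal the KDC rejected, and checks each against a `klist -kt` listing and the computer object's servicePrincipalName values. The journal lines are taken from the post; the `klist -kt` output and the SPN list (SAMPLE_KLIST, SAMPLE_AD_SPNS) are constructed because the post's KEYTAB section is empty; replace them with the real output of `klist -kt /etc/krb5.keytab` and of `adcli show-computer` (or an LDAP query for servicePrincipalName).

```python
"""Triage SSSD 'Client ... not found in Kerberos database' and TKEY failures.

Added example for the mailing-list post above; not SSSD's own code.
All sample inputs below are constructed for the demonstration.
"""
import re

# libkrb5 encodes KDC error numbers as KRB5KDC_ERR_NONE (-1765328384) + RFC 4120 error code.
KRB5KDC_ERR_BASE = -1765328384
KDC_ERR_NAMES = {
    6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",   # client name unknown to the KDC
    7: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN",   # server name unknown to the KDC
    24: "KRB5KDC_ERR_PREAUTH_FAILED",       # wrong key in keytab (stale kvno/password)
    25: "KRB5KDC_ERR_PREAUTH_REQUIRED",
}

# Journal / ldap_child.log lines quoted in the post (constructed sample, two journal lines kept).
SAMPLE_LOG = """\
Aug 10 10:28:33 EXAMPLE.CC.CC.NET sssd[ldap_child[2972536]][2972536]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client 'host/EXAMPLE.CC.CC.NET@EXAMPLE.DOMAIN.COM' not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP connection.
Aug 10 10:28:33 EXAMPLE.CC.CC.NET sssd[ldap_child[2972537]][2972537]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client 'host/EXAMPLE.CC.CC.NET@EXAMPLE.DOMAIN.COM' not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP connection.
Aug 09 14:28:32 EXAMPLE.CC.CC.NET sssd[3906155]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.
(2021-08-10 14:28:33): [ldap_child[3063821]] [ldap_child_get_tgt_sync] (0x0040): krb5_get_init_creds_keytab() failed: -1765328378
"""

# Constructed `klist -kt /etc/krb5.keytab` output (the post's KEYTAB section is empty).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 08/09/2021 14:40:52 MYSERVER$@EXAMPLE.DOMAIN.COM
   2 08/09/2021 14:40:52 host/MYSERVER@EXAMPLE.DOMAIN.COM
   2 08/09/2021 14:40:52 host/EXAMPLE.CC.CC.NET@EXAMPLE.DOMAIN.COM
"""

# Constructed servicePrincipalName values of the computer object; the FQDN SPN is deliberately absent.
SAMPLE_AD_SPNS = ["HOST/MYSERVER", "RestrictedKrbHost/MYSERVER"]

CLIENT_UNKNOWN_RE = re.compile(r"Client '([^']+)' not found in Kerberos database")
KRB5_CODE_RE = re.compile(r"krb5_get_init_creds_keytab\(\) failed: (-?\d+)")
KLIST_ENTRY_RE = re.compile(r"^\s*\d+\s+\S+\s+\S+\s+(\S+)\s*$", re.M)  # kvno date time principal


def krb5_error_name(code: int) -> str:
    """Map the raw number ldap_child logs to its KRB5KDC_ERR_* name."""
    return KDC_ERR_NAMES.get(code - KRB5KDC_ERR_BASE, f"unknown krb5 error {code}")


def parse_keytab_principals(klist_output: str) -> set:
    """Principals present in `klist -kt` output (exact, case-sensitive Kerberos names)."""
    return set(KLIST_ENTRY_RE.findall(klist_output))


def spn_in_ad(principal: str, ad_spns) -> bool:
    """AD matches SPNs without the realm and case-insensitively, so compare that way."""
    spn = principal.split("@", 1)[0].lower()
    return spn in {s.lower() for s in ad_spns}


def triage(log_text: str, klist_output: str, ad_spns) -> dict:
    """Group rejected client principals and count the separate TKEY (dyndns) failures."""
    keytab = parse_keytab_principals(klist_output)
    findings = {"client_unknown": {}, "krb5_codes": [], "tkey_failures": 0}
    for line in log_text.splitlines():
        m = CLIENT_UNKNOWN_RE.search(line)
        if m:
            princ = m.group(1)
            entry = findings["client_unknown"].setdefault(
                princ, {"count": 0, "in_keytab": princ in keytab,
                        "in_ad_spns": spn_in_ad(princ, ad_spns)})
            entry["count"] += 1
            continue
        m = KRB5_CODE_RE.search(line)
        if m:
            findings["krb5_codes"].append(krb5_error_name(int(m.group(1))))
            continue
        if "tkey query failed" in line:   # GSS-TSIG negotiation for the DNS update
            findings["tkey_failures"] += 1
    return findings


def verdict(entry: dict) -> str:
    """Which side of the client-name lookup is missing for one rejected principal."""
    if not entry["in_keytab"]:
        return "principal is not in the keytab"
    if not entry["in_ad_spns"]:
        return "principal is in the keytab but has no matching SPN on the computer object"
    return "principal present in keytab and SPN list; the mismatch is elsewhere"


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, SAMPLE_KLIST, SAMPLE_AD_SPNS)
    print("krb5 codes seen:", result["krb5_codes"])
    print("TKEY (dyndns) failures:", result["tkey_failures"])
    for princ, entry in result["client_unknown"].items():
        print(f"{princ}: {entry['count']}x -> {verdict(entry)}")
```

With the constructed inputs the FQDN host principal is found in the keytab but not among the SPNs, which is the combination that produces C_PRINCIPAL_UNKNOWN rather than a keytab lookup failure; with real `klist -kt` and SPN output the same comparison separates "keytab is stale" from "account has no such SPN".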