Hello,
I am getting the same errors in syslog on CentOS 6.7 and 7.1.
When I issue a plain 'klist /etc/krb5.keytab' I get the following:
However 'klist -ke' and the like are working. I was wondering if you are
seeing the same, Neil?
Maybe because of this bad format, sssd cannot read it and thus it is an
msktutil issue?
Maybe we can circumvent this by using some option with msktutil?
Regards,
Andy
On 18 December 2015 at 01:06, Thackeray, Neil L <neilt(a)illinois.edu> wrote:
msktutil --auto-update is grabbing the DNS name for some reason and trying
to use that. I have to specify --computer-name for it to seemingly work,
which it doesn't.
When I do a klist -kt it doesn't show any updated entries in the keytab
file.
*From:* Joschi Brauchle [mailto:joschi.brauchle@tum.de]
*Sent:* Thursday, December 17, 2015 1:12 PM
*To:* End-user discussions about the System Security Services Daemon <sssd-users(a)lists.fedorahosted.org>
*Subject:* [SSSD-users] Re: Ticket expiring problems still
Hi Neil,
First of all, sorry for entering the discussion without having read all
previous thread messages. I may duplicate some content.
Your first msktutil output is confusing to me, as it ends in an "Error"
message. So I don't understand why you say that it has worked?
Does a
klist -kt /etc/krb5.keytab
show an updated keytab after msktutil --auto-update was run?
In our setup, we have a 30 day password expiry setting in the AD
controller. A cron job runs msktutil --auto-update once a day (it actually
updates the keytab only after it expires) and that is sufficient to keep
our machines (Ubuntu 14, 15 + openSUSE) in the domain without any further
action.
-Joschi
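An added check for Joschi's question above (does klist -kt show an updated keytab after msktutil --auto-update?), example code that is not from the thread, from sssd or from msktutil: it parses klist -kt output and compares the machine principal's highest KVNO before and after the run. The principal name and the sample klist output are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): did 'msktutil --auto-update' really rotate
# the machine keytab? Compare the highest KVNO that 'klist -kt /etc/krb5.keytab'
# reports for the machine principal before and after the run.
# Print the highest KVNO for principal $1 from klist -kt output read on stdin.
# Data lines look like "   4 12/17/2015 10:05:33 MYSERVER$@AD.MYDOMAIN.COM";
# the "Keytab name:", "KVNO Timestamp" and "----" lines are skipped.
keytab_max_kvno() {
    awk -v princ="$1" '
        $1 ~ /^[0-9]+$/ && $NF == princ { if ($1 + 0 > max) max = $1 + 0 }
        END { print max + 0 }'
}

# Print the newest entry timestamp for principal $1 as a sortable YYYYMMDDhhmmss string.
keytab_newest_stamp() {
    awk -v princ="$1" '
        $1 ~ /^[0-9]+$/ && $NF == princ {
            split($2, d, "/"); split($3, t, ":")
            s = d[3] d[1] d[2] t[1] t[2] t[3]
            if (s > best) best = s
        }
        END { print best }'
}

# keytab_rotated PRINCIPAL BEFORE_OUTPUT AFTER_OUTPUT: 0 if the KVNO rose, 1 if not
# (the "no updated entries" situation Neil sees after running msktutil).
keytab_rotated() {
    before=$(printf '%s\n' "$2" | keytab_max_kvno "$1")
    after=$(printf '%s\n' "$3" | keytab_max_kvno "$1")
    if [ "$after" -gt "$before" ]; then
        echo "keytab updated: KVNO $before -> $after"
        return 0
    fi
    echo "keytab NOT updated: KVNO still $before"
    return 1
}

# Constructed klist -kt samples standing in for the live command output.
BEFORE_SAMPLE='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- --------------------------------------------------
   3 11/04/2015 15:20:01 MYSERVER$@AD.MYDOMAIN.COM
   3 11/04/2015 15:20:01 host/myserver.ad.mydomain.com@AD.MYDOMAIN.COM'
AFTER_SAMPLE="$BEFORE_SAMPLE"'
   4 12/17/2015 10:05:33 MYSERVER$@AD.MYDOMAIN.COM
   4 12/17/2015 10:05:33 host/myserver.ad.mydomain.com@AD.MYDOMAIN.COM'

# Offline demo; on a host capture klist -kt before and after msktutil --auto-update instead.
keytab_rotated 'MYSERVER$@AD.MYDOMAIN.COM' "$BEFORE_SAMPLE" "$AFTER_SAMPLE"
```

The same comparison works for a cron wrapper: capture klist -kt into BEFORE, run msktutil --auto-update, capture AFTER, and alert when keytab_rotated returns 1 on a day the password should have expired.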
On 17.12.2015 at 18:40, Thackeray, Neil L <neilt(a)illinois.edu> wrote:
I am having a frustrating time trying to figure out what is going on with
these Ubuntu servers. I have tried to use msktutil as some have suggested,
but this hasn’t worked for me. Every 7 days on the mark I lose my domain
connection and have to run realm leave/realm join again. I ran msktutil the
day before the ticket was about to expire, so it should have worked. This
is only a problem on Ubuntu, CentOS works perfectly fine. I even have one
Ubuntu server that works.
I also have the problem that the sssd init script, wherever that is now,
sometimes thinks that sssd is still running and won't start again. I then
have to run 'sssd -D' if I don't want to restart the server.
This is what I get running msktutil.
msktutil --auto-update --verbose:
-- init_password: Wiping the computer password structure
-- generate_new_password: Generating a new, random password for the computer account
-- generate_new_password: Characters read from /dev/udandom = 86
-- get_dc_host: Attempting to find a Domain Controller to use (DNS SRV RR TCP)
-- get_dc_host: Found DC: udc05.ad.mydomain.com
-- get_dc_host: Canonicalizing DC through forward/reverse lookup...
-- get_dc_host: Found Domain Controller: udc05.ad.mydomain.com
-- get_default_keytab: Obtaining the default keytab name: FILE:/etc/krb5.keytab
-- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-TSzpEQ
-- reload: Reloading Kerberos Context
-- get_short_hostname: Determined short hostname: myserver-domain-foo-com
Error: The SAM name (myserver-domain-foo-com$) for this host is longer than the maximum of MAX_SAM_ACCOUNT_LEN characters
You can specify a shorter name using --computer-name
-- ~KRB5Context: Destroying Kerberos Context
This appears to have worked, but it didn’t.
msktutil --update --computer-name MYSERVER --verbose:
-- init_password: Wiping the computer password structure
-- generate_new_password: Generating a new, random password for the computer account
-- generate_new_password: Characters read from /dev/udandom = 82
-- get_dc_host: Attempting to find a Domain Controller to use (DNS SRV RR TCP)
-- get_dc_host: Found DC: udc05.ad.mydomain.com
-- get_dc_host: Canonicalizing DC through forward/reverse lookup...
-- get_dc_host: Found Domain Controller: udc05.ad.mydomain.com
-- get_default_keytab: Obtaining the default keytab name: FILE:/etc/krb5.keytab
-- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-ozv4A6
-- reload: Reloading Kerberos Context
-- finalize_exec: SAM Account Name is: MYSERVER$
-- try_machine_keytab_princ: Trying to authenticate for MYSERVER$ from local keytab...
-- switch_default_ccache: Using the local credential cache: FILE:/tmp/.mskt_krb5_ccache-ewj6uW
-- finalize_exec: Authenticated using method 1
-- ldap_connect: Connecting to LDAP server: udc05.ad.mydomain.com try_tls=YES
-- ldap_connect: Connecting to LDAP server: udc05.ad.mydomain.com try_tls=NO
SASL/GSSAPI authentication started
SASL username: MYSERVER$(a)AD.MYDOMAIN.COM
SASL SSF: 56
SASL data security layer installed.
-- ldap_connect: LDAP_OPT_X_SASL_SSF=56
These are what I think are the pertinent portions of the logs from when the
computer can't connect anymore.
sssd_ad.mydomain.com.log:
(Wed Nov 4 15:26:09 2015) [sssd[be[ad.mydomain.com]]] [sdap_get_tgt_recv] (0x0400): Child responded: 14 [Preauthentication failed], expired on [0]
(Wed Nov 4 15:26:09 2015) [sssd[be[ad.mydomain.com]]] [sdap_kinit_done] (0x0100): Could not get TGT: 14 [Bad address]
(Wed Nov 4 15:26:09 2015) [sssd[be[ad.mydomain.com]]] [sdap_cli_kinit_done] (0x0400): Cannot get a TGT: ret [1432158219](Authentication Failed)
(Wed Nov 4 15:26:09 2015) [sssd[be[ad.mydomain.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'udc02.ad.mydomain.com' as 'not working'
(Wed Nov 4 15:26:09 2015) [sssd[be[ad.mydomain.com]]] [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
(Wed Nov 4 15:26:09 2015) [sssd[be[ad.mydomain.com]]] [fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'udc02.ad.mydomain.com' as 'not working'
syslog:
Nov 4 15:26:09 myserver [sssd[ldap_child[25833]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
Nov 4 15:26:09 myserver [sssd[ldap_child[25833]]]: Preauthentication failed
Any help is appreciated.
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org