I am having a frustrating time trying to figure out what is going on with these Ubuntu servers. I have tried to use msktutil as some have suggested, but this hasn’t worked for me. Every 7 days on the mark I lose my domain connection and have to run realm leave/realm join again. I ran msktutil the day before the ticket was about to expire, so it should have worked. This is only a problem on Ubuntu, CentOS works perfectly fine. I even have one Ubuntu server that works.

 

I also have the problem that the sssd init script, wherever that is now, sometimes thinks that sssd is still running and won’t start again. I then have to run ‘sssd –D’ if I don’t want to restart the server.

 

This is what I get running msktutil.

msktutil --auto-update --verbose:

-- init_password: Wiping the computer password structure

-- generate_new_password: Generating a new, random password for the computer account

-- generate_new_password:  Characters read from /dev/udandom = 86

-- get_dc_host: Attempting to find a Domain Controller to use (DNS SRV RR TCP)

-- get_dc_host: Found DC: udc05.ad.mydomain.com

-- get_dc_host: Canonicalizing DC through forward/reverse lookup...

-- get_dc_host: Found Domain Controller: udc05.ad.mydomain.com

-- get_default_keytab: Obtaining the default keytab name: FILE:/etc/krb5.keytab

-- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-TSzpEQ

-- reload: Reloading Kerberos Context

-- get_short_hostname: Determined short hostname: myserver-domain-foo-com

Error: The SAM name (myserver-domain-foo-com$) for this host is longer than the maximum of MAX_SAM_ACCOUNT_LEN characters

You can specify a shorter name using --computer-name

-- ~KRB5Context: Destroying Kerberos Context

 

This appears to have worked, but it didn’t.

msktutil --update --computer-name MYSERVER --verbose:

-- init_password: Wiping the computer password structure

-- generate_new_password: Generating a new, random password for the computer account

-- generate_new_password:  Characters read from /dev/udandom = 82

-- get_dc_host: Attempting to find a Domain Controller to use (DNS SRV RR TCP)

-- get_dc_host: Found DC: udc05.ad.mydomain.com

-- get_dc_host: Canonicalizing DC through forward/reverse lookup...

-- get_dc_host: Found Domain Controller: udc05.ad.mydomain.com

-- get_default_keytab: Obtaining the default keytab name: FILE:/etc/krb5.keytab

-- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-ozv4A6

-- reload: Reloading Kerberos Context

-- finalize_exec: SAM Account Name is: MYSERVER$

-- try_machine_keytab_princ: Trying to authenticate for MYSERVER$ from local keytab...

-- switch_default_ccache: Using the local credential cache: FILE:/tmp/.mskt_krb5_ccache-ewj6uW

-- finalize_exec: Authenticated using method 1

 

-- ldap_connect: Connecting to LDAP server: udc05.ad.mydomain.com try_tls=YES

-- ldap_connect: Connecting to LDAP server: udc05.ad.mydomain.com try_tls=NO

SASL/GSSAPI authentication started

SASL username: MYSERVER$@AD.MYDOMAIN.COM

SASL SSF: 56

SASL data security layer installed.

-- ldap_connect: LDAP_OPT_X_SASL_SSF=56

 

 

This is what I think is the pertinent portions of the logs from when the computer cant connect anymore.

sssd_ad.mydomain.com.log:

(Wed Nov  4 15:26:09 2015) [sssd[be[ad.mydomain.com]]] [sdap_get_tgt_recv] (0x0400): Child responded: 14 [Preauthentication failed], expired on [0]

(Wed Nov  4 15:26:09 2015) [sssd[be[ad.mydomain.com]]] [sdap_kinit_done] (0x0100): Could not get TGT: 14 [Bad address]

(Wed Nov  4 15:26:09 2015) [sssd[be[ad.mydomain.com]]] [sdap_cli_kinit_done] (0x0400): Cannot get a TGT: ret [1432158219](Authentication Failed)

(Wed Nov  4 15:26:09 2015) [sssd[be[ad.mydomain.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'udc02.ad.mydomain.com' as 'not working'

(Wed Nov  4 15:26:09 2015) [sssd[be[ad.mydomain.com]]] [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP

(Wed Nov  4 15:26:09 2015) [sssd[be[ad.mydomain.com]]] [fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'udc02.ad.mydomain.com' as 'not working'

 

syslog:

Nov  4 15:26:09 myserver [sssd[ldap_child[25833]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.

Nov  4 15:26:09 myserver [sssd[ldap_child[25833]]]: Preauthentication failed

 

Any help is appreciated.