Hi Sebastian,

Please check if SELinux context of /etc/krb5.keytab file is correct.
I have seen this issue a couple of times when SELinux prevented adcli from writing to this file when it was invoked from SSSD. Thus, adcli changed the password in AD, but was unable to write it to /etc/krb5.keytab.
You have the last password change timestamp in AD - this timestamp can help with investigation. You can examine the system logs for this date for any errors. In my case, there were SELinux denied events for /etc/krb5.keytab in the audit log.


Kind regards,
Grigory Trenin

On Wed, 19 Jan 2022 at 13:39, Sebastian Grebe <sebastian.grebe@wago.com> wrote:
Hello,

we are getting reports from users where they suddenly can't authenticate to their Linux computers anymore. These computers are joined to our MS Domain using adcli and sssd. Checking the log reveals that the Kerberos tickets stored in /etc/krb5.keytab do not have the expected KVNO. At the moment we can't tell what's causing the issue. It happens only sporadically. I'm under the impression only computers without a permanent network connection (laptops) are affected.

The log shows:

Jan 11 09:30:52 lc015564 systemd[1]: Starting System Security Services Daemon...
Jan 11 09:30:52 lc015564 sssd[1376]: Starting up
Jan 11 09:30:52 lc015564 sssd_be[1609]: Starting up
Jan 11 09:30:52 lc015564 sssd_ifp[1633]: Starting up
Jan 11 09:30:52 lc015564 systemd[1]: Started System Security Services Daemon.
Jan 11 09:30:55 lc015564 sssd_be[1609]: Backend is offline
Jan 11 09:49:32 lc015564 sssd_be[1609]: Backend is online
Jan 11 09:49:41 lc015564 krb5_child[6111]: Cannot find key for LC015564$@WAGO.LOCAL kvno 11 in keytab
Jan 11 09:49:41 lc015564 krb5_child[6111]: Cannot find key for LC015564$@WAGO.LOCAL kvno 11 in keytab
Jan 11 09:49:49 lc015564 adcli[6102]: GSSAPI client step 1
Jan 11 09:49:49 lc015564 adcli[6102]: GSSAPI client step 1
Jan 11 09:49:50 lc015564 adcli[6102]: GSSAPI client step 1
Jan 11 10:00:57 lc015564 krb5_child[6838]: Cannot find key for LC015564$@WAGO.LOCAL kvno 11 in keytab
Jan 11 10:00:57 lc015564 krb5_child[6838]: Cannot find key for LC015564$@WAGO.LOCAL kvno 11 in keytab

And klist -k shows:

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  10 LC015564$@WAGO.LOCAL
  10 LC015564$@WAGO.LOCAL
  10 LC015564$@WAGO.LOCAL
  10 host/LC015564@WAGO.LOCAL
  10 host/LC015564@WAGO.LOCAL
  10 host/LC015564@WAGO.LOCAL
  10 host/lc015564.wago.local@WAGO.LOCAL
  10 host/lc015564.wago.local@WAGO.LOCAL
  10 host/lc015564.wago.local@WAGO.LOCAL
  10 RestrictedKrbHost/LC015564@WAGO.LOCAL
  10 RestrictedKrbHost/LC015564@WAGO.LOCAL
  10 RestrictedKrbHost/LC015564@WAGO.LOCAL
  10 RestrictedKrbHost/lc015564.wago.local@WAGO.LOCAL
  10 RestrictedKrbHost/lc015564.wago.local@WAGO.LOCAL
  10 RestrictedKrbHost/lc015564.wago.local@WAGO.LOCAL
   9 LC015564$@WAGO.LOCAL
   9 LC015564$@WAGO.LOCAL
   9 LC015564$@WAGO.LOCAL
   9 host/LC015564@WAGO.LOCAL
   9 host/LC015564@WAGO.LOCAL
   9 host/LC015564@WAGO.LOCAL
   9 host/lc015564.wago.local@WAGO.LOCAL
   9 host/lc015564.wago.local@WAGO.LOCAL
   9 host/lc015564.wago.local@WAGO.LOCAL
   9 RestrictedKrbHost/LC015564@WAGO.LOCAL
   9 RestrictedKrbHost/LC015564@WAGO.LOCAL
   9 RestrictedKrbHost/LC015564@WAGO.LOCAL
   9 RestrictedKrbHost/lc015564.wago.local@WAGO.LOCAL
   9 RestrictedKrbHost/lc015564.wago.local@WAGO.LOCAL
   9 RestrictedKrbHost/lc015564.wago.local@WAGO.LOCAL

This is our sssd.conf (it's from a different computer):

[sssd]
domains = wago.local
config_file_version = 2
services = ifp

[domain/wago.local]
default_shell = /bin/bash
fallback_homedir = /home/%d/%u
cache_credentials = true
krb5_store_password_if_offline = true
krb5_realm = WAGO.LOCAL
krb5_ccname_template = /tmp/krb5cc_%U
realmd_tags = manages-system joined-with-adcli
id_provider = ad
access_provider = ad
ad_domain = wago.local
ad_enabled_domains = wago.local
ad_hostname = lc017547.wago.local
use_fully_qualified_names = false
ldap_id_mapping = true
ldap_user_gecos = displayName
ldap_use_tokengroups = false
ldap_search_base = dc=wago,dc=local?subtree?
ldap_user_search_base = ou=User,ou=Minden,ou=Germany,dc=wago,dc=local?subtree??ou=User,ou=Administration,dc=wago,dc=local?onelevel?(&(objectClass=user)(cn=a2*))?ou=Service,dc=wago,dc=local?subtree?
ldap_group_search_base = cn=Users,dc=wago,dc=local?onelevel?(&(objectClass=group)(cn=Domain Users))?ou=Groups,ou=Minden,ou=Germany,dc=wago,dc=local?onelevel?(&(objectClass=group)(cn=&01-PC-Support))
ldap_netgroup_search_base = cn=Users,dc=wago,dc=local?onelevel?
ignore_group_members = true
enumerate = false
dyndns_update = true
dyndns_refresh_interval = 7200
dyndns_update_ptr = true
dyndns_server = 10.1.100.2
case_sensitive = Preserving

[nss]
filter_users = root
filter_groups = root

[pam]
offline_credentials_expiration = 0
offline_failed_login_attempts = 3
offline_failed_login_delay = 5

And the krb5.conf:

[libdefaults]
ticket_lifetime = 240:00:00
renew_lifetime = 240:00:00
clock_skew = 300
renewable = true
default_ccache_name = FILE:/tmp/krb5cc_%{uid}
default_realm = WAGO.LOCAL
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
udp_preference_limit = 1
noaddresses = true
fcc-mit-ticketflags = true
[realms]
WAGO.LOCAL = {
  admin_server = 10.1.101.200
  admin_server = 10.1.100.1
  admin_server = 10.1.100.253
  admin_server = 10.1.100.2
}
[domain_realm]
.wago.local = WAGO.LOCAL
wago.local  = WAGO.LOCAL
[login]
krb4_convert = true
krb4_get_tickets = false

To solve the issue we delete the computer from the domain, delete the krb5.keytab and rejoin them.
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
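The diagnosis suggested in the thread (compare the KVNO the KDC asks for with the KVNOs actually present in the keytab, then look for SELinux denials on /etc/krb5.keytab around the same time) can be scripted. The following is an added example, not code from either poster or from the SSSD project. It parses the `klist -k` output and the `krb5_child` log lines quoted above; the AVC audit line, its pid and its SELinux contexts are a constructed sample in the shape auditd writes, not taken from the reporter's system.

```python
import re
from collections import defaultdict

# Constructed sample: a shortened copy of the `klist -k` output quoted in the thread.
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  10 LC015564$@WAGO.LOCAL
  10 host/LC015564@WAGO.LOCAL
   9 LC015564$@WAGO.LOCAL
   9 host/LC015564@WAGO.LOCAL
"""

# Constructed sample log: two lines from the thread plus a hypothetical AVC denial
# (timestamp, serial, inode and contexts are made up for illustration).
SAMPLE_LOG = """Jan 11 09:49:41 lc015564 krb5_child[6111]: Cannot find key for LC015564$@WAGO.LOCAL kvno 11 in keytab
Jan 11 09:49:49 lc015564 adcli[6102]: GSSAPI client step 1
type=AVC msg=audit(1641893389.123:456): avc:  denied  { write } for  pid=6102 comm="adcli" name="krb5.keytab" dev="sda1" ino=12345 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=file permissive=0
"""

KLIST_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")
MISSING_KEY_RE = re.compile(r"Cannot find key for (\S+) kvno (\d+) in keytab")
AVC_RE = re.compile(r'avc:\s+denied\s+\{ ([^}]+)\} .*comm="([^"]+)" name="krb5\.keytab"')


def parse_klist(text):
    """Map each principal in `klist -k` output to the set of KVNOs stored for it."""
    kvnos = defaultdict(set)
    for line in text.splitlines():
        m = KLIST_RE.match(line)  # header and dashed separator lines do not match
        if m:
            kvnos[m.group(2)].add(int(m.group(1)))
    return dict(kvnos)


def parse_wanted_kvnos(log_text):
    """Return {principal: highest KVNO the KDC asked for} from krb5_child errors."""
    wanted = {}
    for line in log_text.splitlines():
        m = MISSING_KEY_RE.search(line)
        if m:
            princ, kvno = m.group(1), int(m.group(2))
            wanted[princ] = max(kvno, wanted.get(princ, 0))
    return wanted


def find_keytab_denials(log_text):
    """Return (comm, [permissions]) for every AVC denial that names krb5.keytab."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            denials.append((m.group(2), m.group(1).split()))
    return denials


def diagnose(klist_text, log_text):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    have = parse_klist(klist_text)
    for princ, kvno in parse_wanted_kvnos(log_text).items():
        present = have.get(princ, set())
        if kvno not in present:
            findings.append(
                f"{princ}: KDC expects kvno {kvno}, keytab has {sorted(present) or 'none'}"
            )
    for comm, perms in find_keytab_denials(log_text):
        findings.append(
            f"SELinux denied {{{' '.join(perms)}}} on krb5.keytab for comm={comm}"
        )
    return findings


if __name__ == "__main__":
    # On a real host, feed in `klist -k` output and the journal/audit log for the
    # date of the last password change recorded in AD.
    for finding in diagnose(SAMPLE_KLIST, SAMPLE_LOG):
        print(finding)
```

A KVNO gap on its own only says that the machine account password was rotated somewhere without the keytab being updated; the AVC denial is what distinguishes the SELinux cause described above from other reasons for the same symptom. If the AVC check finds nothing, `ls -Z /etc/krb5.keytab` and `restorecon -v /etc/krb5.keytab` are the usual next step to confirm the file carries the expected label.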