On Tue, Oct 20, 2015 at 09:19:31AM +0200, Jakub Hrozek wrote:
On Mon, Oct 19, 2015 at 08:18:39PM +0000, Thackeray, Neil L wrote:
> I'm encountering a strange problem on some of my Ubuntu 14.0.4 LTS servers. I
> have yet to encounter the same problem on any of the CentOS or RHEL6/7 servers.
>
> After a few days of working fine, all of the sudden users can't log in. I can
> fix the problem easily by using 'realm leave' and 'realm join', but this
> isn't optimal since users can go a day or two before it gets fixed. I thought at first
> it was clock drift causing a problem with the Kerberos ticket, but this last time I made
> sure to check the date before I rejoined the realm.
>
> Oct 19 10:16:30 myserver [sssd[ldap_child[19092]]]: Preauthentication failed
> Oct 19 10:16:31 myserver [sssd[ldap_child[19093]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
>
> sssd 1.12.5
Preauthentication failed normally means wrong password, in this case
wrong keytab. I guess you would see the same error if you run kinit -k
"SHORTNAME$" (you can see the shortname in ldap_child.log as well..)
Are you sure your domain policies don't expire machine passwords after
some time?
I'm pretty sure there is a domain policy active which forces the clients
to renew their password regularly and
https://fedorahosted.org/sssd/ticket/1041 would be the related ticket
for the. Until this is fixed it might help to run msktutil from a
cronjob.
HTH
bye,
Sumit
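
The thread separates two causes for the GSSAPI bind failing: a rejected machine credential ("Preauthentication failed") and clock drift. The following is an added example, not part of the original messages or of sssd: a shell function that triages ldap_child syslog entries by cause per host. The function names, the `otherhost` lines and the "Clock skew too great" sample entry are constructed for illustration, and the syslog layout is assumed to match the lines quoted above.

```shell
#!/bin/sh
# Added example: triage sssd ldap_child Kerberos failures found in syslog.
# Assumed line layout (as quoted in the thread):
#   "Mon DD HH:MM:SS host [sssd[ldap_child[PID]]]: message"

# Read syslog lines on stdin; print "<host> <cause> <count> <last seen>"
# for every host/cause pair, sorted by host.
classify_ldap_child_errors() {
    awk '
    /sssd\[ldap_child\[/ {
        cause = ""
        # Machine password in the keytab no longer matches the directory.
        if ($0 ~ /Preauthentication failed/)  cause = "stale-keytab"
        # Time drift between client and KDC.
        else if ($0 ~ /Clock skew too great/) cause = "clock-skew"
        if (cause == "") next
        key = $4 " " cause
        count[key]++
        last[key] = $1 " " $2 " " $3
    }
    END { for (k in count) print k, count[k], last[k] }' | sort
}

# Print only the hosts whose machine credentials were rejected, i.e. the
# ones that need a keytab refresh rather than a time-sync fix.
stale_keytab_hosts() {
    classify_ldap_child_errors | awk '$2 == "stale-keytab" { print $1 }'
}

# Constructed sample input: the two entries from the thread plus
# constructed lines for a second host and an unrelated service.
sample_log() {
    cat <<'EOF'
Oct 19 10:16:30 myserver [sssd[ldap_child[19092]]]: Preauthentication failed
Oct 19 10:16:31 myserver [sssd[ldap_child[19093]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
Oct 19 10:17:02 otherhost [sssd[ldap_child[2201]]]: Clock skew too great
Oct 19 10:17:05 otherhost sshd[2210]: Accepted publickey for admin
EOF
}

sample_log | classify_ldap_child_errors
```

On a real host the functions would read the system log instead of `sample_log`; a host reported as `stale-keytab` is one where the `kinit -k` check suggested in the thread should fail as well.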