On Thu, Jan 26, 2017 at 09:12:06PM -0000, smfrench(a)gmail.com wrote:
> We do see errors in the log, although not clear yet if the large
> number of them were due to sssd service not being restarted (we fixed that and still saw
> the same two errors in the logs - just not sure if as often)
> "(Wed Jan 25 21:50:20 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data
> Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]" in the
> sssd log and about 7000 occurrences in the ldap log of
> [[sssd[ldap_child[7916]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init
> credentials: Preauthentication failed
This looks like the keytab with the hostkey used by SSSD to authenticate
against AD is broken.
You can check the keytab content with

    klist -k

there should be an entry looking like 'NAME$@AD.REALM', please try if

    kinit -k 'NAME$@AD.REALM'

works or if it returns a 'Preauthentication failed' error as well. In
this case you should try to join the AD domain again. If you use realmd
to join, the keytab will be updated automatically. If you use 'net ads
join' you might have to call 'net ads keytab create' afterwards as well.
HTH
bye,
Sumit
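
Added example, not part of the original message: a small POSIX shell helper that automates the check described above. It extracts the `NAME$@REALM` entries from `klist -k` output and tries `kinit -k` with each one, using a temporary credential cache. The function names, the sample keytab listing and the AD.EXAMPLE.COM realm are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message): automate the klist -k / kinit -k check.

# Constructed sample of MIT `klist -k` output; host and realm names are made up.
sample_klist_output() {
cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
   3 host/client.ad.example.com@AD.EXAMPLE.COM
   3 CLIENT$@AD.EXAMPLE.COM
   3 CLIENT$@AD.EXAMPLE.COM
   3 RestrictedKrbHost/CLIENT@AD.EXAMPLE.COM
EOF
}

# Read `klist -k` output on stdin; print each NAME$@REALM principal once.
# Keytabs list a principal once per encryption type, hence the dedup.
machine_principals() {
    awk '$1 ~ /^[0-9]+$/ && index($2, "/") == 0 &&
         $2 ~ /^[^@]+[$]@[^@]+$/ && !seen[$2]++ { print $2 }'
}

# Try kinit -k for each machine principal in the keytab (default /etc/krb5.keytab).
# A throwaway credential cache keeps the caller's existing tickets untouched.
# Returns 0 only if every machine principal obtains a TGT.
check_hostkey() (
    keytab=${1:-/etc/krb5.keytab}
    cc=$(mktemp) || exit 2
    rc=0 found=0
    for princ in $(klist -k "$keytab" | machine_principals); do
        found=1
        if out=$(kinit -k -t "$keytab" -c "$cc" "$princ" 2>&1); then
            echo "OK   $princ"
        else
            echo "FAIL $princ: $out"   # e.g. Preauthentication failed
            rc=1
        fi
    done
    [ "$found" -eq 1 ] || { echo "FAIL no NAME\$@REALM entry in $keytab"; rc=1; }
    rm -f "$cc"
    exit "$rc"
)

# Demo on the constructed sample; on a real client run: check_hostkey (as root)
sample_klist_output | machine_principals
```

A non-zero return from `check_hostkey` corresponds to the case in the message where rejoining the domain is the next step.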