The machines passwords do change, but there are just a couple machines that seem to be
having this problem so far. The default for AD machine accounts is to change passwords
every 30 days, so I have to think there is something going on with this machine that it is
losing its trust with the AD realm.
[mailto:email@example.com] On Behalf Of Sumit Bose
Sent: Tuesday, October 20, 2015 5:23 AM
To: End-user discussions about the System Security Services Daemon
Subject: Re: [SSSD-users] Weird keytab issue
On Tue, Oct 20, 2015 at 09:41:16AM +0200, Sumit Bose wrote:
On Tue, Oct 20, 2015 at 09:19:31AM +0200, Jakub Hrozek wrote:
> On Mon, Oct 19, 2015 at 08:18:39PM +0000, Thackeray, Neil L wrote:
> > I'm encountering a strange problem on some of my Ubuntu 14.0.4 LTS servers.
I have yet to encounter the same problem on any of the CentOS or RHEL6/7 servers.
> > After a few days of working fine, all of the sudden users can't log in. I
can fix the problem easily by using 'realm leave' and 'realm join', but
this isn't optimal since users can go a day or two before it gets fixed. I thought at
first it was clock drift causing a problem with the Kerberos ticket, but this last time I
made sure to check the date before I rejoined the realm.
> > Oct 19 10:16:30 myserver [sssd[ldap_child]]:
> > Preauthentication failed Oct 19 10:16:31 myserver [sssd[ldap_child]]:
Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication
failed. Unable to create GSSAPI-encrypted LDAP connection.
> > sssd 1.12.5
> Preauthentication failed normally means wrong password, in this case
> wrong keytab. I guess you would see the same error if you run kinit
> -k "SHORTNAME$" (you can see the shortname in ldap_child.log as
> Are you sure your domain policies don't expire machine passwords
> after some time?
I'm pretty sure there is a domain policy active which forces the
clients to renew their password regularly and
would be the related ticket
for the. Until this is fixed it might help to run msktutil from a
It looks like Ubuntu 14.0.4 has a packaged version of msktutil. I created a copr repo with
a quite recent release at https://copr.fedoraproject.org/coprs/sbose/msktutil/
So far I didn't run any tests with those packages so any feedback is welcome.
> sssd-users mailing list
sssd-users mailing list
sssd-users mailing list