Hi -
We've been setting up Ubuntu 18.04/20.04 systems which use sssd for authentication as part of a Windows AD domain.
Because users ssh to these machines I've been assigning them easy to remember hostnames (e.g. genbank.biosci) and then using the ad_hostname field in /etc/sssd/sssd.conf for the AD hostname; e.g.
ad_hostname = cns-cryo-genb1.austin.utexas.edu
(The flat AD address space necessitates a not-user-friendly hostnaming convention.)
The problem with this is the systems' kerberos tickets regularly go out of date and then I have to run msktutil by hand to get a new krb ticket.
We have a cron job which is supposed to take care of this automatically:
00 12 * * 1,4 root kinit -R -k cns-cryo-genb1$ | logger -t krbtgt
But this appears not to work all of the time. In particular, this error gets logged:
kinit: Preauthentication failed while getting initial credentials
One of my colleagues thinks he's tracked this down to kinit using adcli for this, but adcli doesn't know about the ad_hostname entry in sssd.conf and instead is looking up and using the system's /etc/hostname.
So, I'm wondering if there is a better solution we're overlooking. Worst case, we can just make the linux hostname match the AD hostname and then use a DNS CNAME for the user's convenience, but I'm just wondering if we're going about this all wrong.
On Mon, Jun 14, 2021 at 03:29:17PM -0500, Patrick Goetz wrote:
> Hi -
> We've been setting up Ubuntu 18.04/20.04 systems which use sssd for authentication as part of a Windows AD domain.
> Because users ssh to these machines I've been assigning them easy to remember hostnames (e.g. genbank.biosci) and then using the ad_hostname field in /etc/sssd/sssd.conf for the AD hostname; e.g.
> ad_hostname = cns-cryo-genb1.austin.utexas.edu
> (The flat AD address space necessitates a not-user-friendly hostnaming convention.)
> The problem with this is the systems' kerberos tickets regularly go out of date and then I have to run msktutil by hand to get a new krb ticket.
> We have a cron job which is supposed to take care of this automatically:
> 00 12 * * 1,4 root kinit -R -k cns-cryo-genb1$ | logger -t krbtgt

Hi,
This cron job would of course renew a Kerberos ticket, but I think what you are looking for is to renew the Kerberos keys in the keytab (msktutil would do this). The keys are equivalent to a password and should be renewed on a regular basis; typically Windows clients do this every 30 days.

> But this appears not to work all of the time. In particular, this error gets logged:
> kinit: Preauthentication failed while getting initial credentials
> One of my colleagues thinks he's tracked this down to kinit using adcli for this, but adcli doesn't know about the ad_hostname entry in sssd.conf and instead is looking up and using the system's /etc/hostname.

I think you mean that SSSD is using adcli. SSSD should use the name set by ad_hostname. To get detailed output about what SSSD and adcli are doing and why the automatic refresh fails, please add 'debug_level = 9' to the [domain/....] section of sssd.conf and restart SSSD. Whenever SSSD now calls adcli you should see a verbose adcli output in the logs which starts with '--- adcli output start---'.
Typically you should see that the keys are not too old and nothing is done.
For testing you might want to set 'ad_maximum_machine_account_password_age' to '1' (see man sssd-ad for details), which would try to refresh the key after 1 day so that you do not have to wait 30 days until a new attempt to really refresh the key. As an alternative you can expire the key on the AD side as well.
If your KDC needs some time to update the keys you might hit https://krbdev.mit.edu/rt/Ticket/Display.html?id=7905.
HTH
bye, Sumit

> So, I'm wondering if there is a better solution we're overlooking. Worst case, we can just make the linux hostname match the AD hostname and then use a DNS CNAME for the user's convenience, but I'm just wondering if we're going about this all wrong.
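Applying the two settings Sumit suggests (debug_level = 9 and ad_maximum_machine_account_password_age = 1) only inside the [domain/...] section, without disturbing ad_hostname or the other sections, is easy to get wrong with a plain sed. The script below is an added example, not code from the thread or from SSSD: the sssd.conf contents and the section name domain/ad.example are constructed, and set_domain_option is a hypothetical helper.

```shell
#!/bin/sh
# Added example: section-aware, idempotent edit of an sssd.conf-style file.
# The helper name and the sample configuration are constructed for illustration.

# set_domain_option CONF SECTION KEY VALUE
# Replaces KEY inside [SECTION] if it is already there, otherwise appends it to
# that section; keys of the same name in other sections are left untouched.
set_domain_option() {
    conf=$1 section=$2 key=$3 value=$4
    tmp=$(mktemp) || return 1
    awk -v sec="$section" -v key="$key" -v val="$value" '
        function flush() { if (insec && !done) { print key " = " val; done = 1 } }
        # A new section header closes the previous one: emit the key if still missing.
        /^\[/ { flush(); insec = ($0 == "[" sec "]") }
        # Inside the target section, rewrite an existing KEY = ... line in place.
        insec && $0 ~ ("^[ \t]*" key "[ \t]*=") { print key " = " val; done = 1; next }
        { print }
        END { flush() }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Constructed sample sssd.conf (not the poster's real file); prints its path.
make_sample_conf() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
[sssd]
domains = ad.example
services = nss, pam
debug_level = 2

[domain/ad.example]
id_provider = ad
access_provider = ad
ad_hostname = cns-cryo-genb1.austin.utexas.edu
debug_level = 2
EOF
    printf '%s\n' "$f"
}

# Turn on verbose adcli logging and the one-day renewal test in the domain section only.
CONF=$(make_sample_conf)
set_domain_option "$CONF" "domain/ad.example" debug_level 9
set_domain_option "$CONF" "domain/ad.example" ad_maximum_machine_account_password_age 1
cat "$CONF"
rm -f "$CONF"
```

After restarting SSSD with these settings, the domain log should contain the '--- adcli output start---' block Sumit describes when a renewal is attempted.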