12:05 p.m.
Hi,
I was just looking in our Active Directory for computer account for
CentOS 6 and 7 servers, and was surprised that the pwdLastSet value
for accounts was many months in the past.
So, I took a test CentOS 7 server and set the debug_level up to 7.
What I found was the following (redacted internal details):
(Thu Aug 23 17:57:45 2018) [sssd[be[EXAMPLE]]] [be_ptask_execute]
(0x0400): Task [EXAMPLE machine account password renewal]: executing
task, timeout 60 seconds
(Thu Aug 23 17:57:45 2018) [sssd[be[EXAMPLE]]] [child_sig_handler]
(0x1000): Waiting for child [186603].
(Thu Aug 23 17:57:45 2018) [sssd[be[EXAMPLE]]] [child_sig_handler]
(0x0020): child [186603] failed with status [3].
(Thu Aug 23 17:57:45 2018) [sssd[be[EXAMPLE]]] [read_pipe_handler]
(0x0400): EOF received, client finished
(Thu Aug 23 17:57:45 2018) [sssd[be[EXAMPLE]]]
[ad_machine_account_password_renewal_done] (0x1000): --- adcli output
start---
* Found realm in keytab: EXAMPLE.COM
* Found computer name in keytab: pal062-dev
* Found service principal in keytab: cifs/srv062-dev
* Found service principal in keytab: cifs/srv062-dev.EXAMPLE.COM
* Using fully qualified name: srv062-dev.EXAMPLE.COM
* Using domain name: EXAMPLE.COM
* Calculated computer account name from fqdn: SRV062-DEV
* Using domain realm: EXAMPLE.COM
* Sending netlogon pings to domain controller: cldap://10.20.30.100
* Received NetLogon info from: dc03.EXAMPLE.COM
* Wrote out krb5.conf snippet to
/tmp/adcli-krb5-UWvCeO/krb5.d/adcli-krb5-conf-9dw0Is
! Couldn't get kerberos ticket for machine account: SRV062-DEV:
Keytab contains no suitable keys for SRV062-DEV$(a)EXAMPLE.COM
adcli: couldn't connect to EXAMPLE.COM domain: Couldn't get kerberos
ticket for machine account: SRV062-DEV: Keytab contains no suitable
keys for SRV062-DEV$(a)EXAMPLE.COM
---adcli output end---
(Thu Aug 23 17:57:45 2018) [sssd[be[EXAMPLE]]] [be_ptask_done]
(0x0400): Task [EXAMPLE machine account password renewal]: finished
successfully
(Thu Aug 23 17:57:45 2018) [sssd[be[EXAMPLE]]] [be_ptask_schedule]
(0x0400): Task [EXAMPLE machine account password renewal]: scheduling
task 60 seconds from last execution time [1535043525]
The server's keytab has:
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
23 03/15/2018 09:59:33 srv062-dev$(a)EXAMPLE.COM
23 03/15/2018 09:59:33 srv062-dev$(a)EXAMPLE.COM
23 03/15/2018 09:59:33 srv062-dev$(a)EXAMPLE.COM
23 03/15/2018 09:59:33 srv062-dev$(a)EXAMPLE.COM
23 03/15/2018 09:59:33 srv062-dev$(a)EXAMPLE.COM
23 03/15/2018 09:59:33 cifs/srv062-dev(a)EXAMPLE.COM
23 03/15/2018 09:59:33 cifs/srv062-dev(a)EXAMPLE.COM
23 03/15/2018 09:59:33 cifs/srv062-dev(a)EXAMPLE.COM
23 03/15/2018 09:59:33 cifs/srv062-dev(a)EXAMPLE.COM
23 03/15/2018 09:59:33 cifs/srv062-dev(a)EXAMPLE.COM
23 03/15/2018 09:59:33 cifs/srv062-dev.ad.pvt(a)EXAMPLE.COM
23 03/15/2018 09:59:33 cifs/srv062-dev.ad.pvt(a)EXAMPLE.COM
23 03/15/2018 09:59:33 cifs/srv062-dev.ad.pvt(a)EXAMPLE.COM
23 03/15/2018 09:59:33 cifs/srv062-dev.ad.pvt(a)EXAMPLE.COM
23 03/15/2018 09:59:33 cifs/srv062-dev.ad.pvt(a)EXAMPLE.COM
Any ideas what could be wrong? Is it potentially because the keytab
has srv062-dev$ and not SRV062-DEV$ ?
Cheers,
John
--
John Beranek To generalise is to be an idiot.
http://redux.org.uk/ -- William Blake
12:07 p.m.
Please note the one occasion my redacting failed, and the highly
secretive server name "pal062-dev" was not replaced with "srv062-dev"
;)
John
--
John Beranek To generalise is to be an idiot.
http://redux.org.uk/ -- William Blake
2:18 p.m.
On Thu, Aug 23, 2018 at 06:05:19PM +0100, John Beranek wrote:
Hi,
I was just looking in our Active Directory for computer account for
CentOS 6 and 7 servers, and was surprised that the pwdLastSet value
for accounts was many months in the past.
So, I took a test CentOS 7 server and set the debug_level up to 7.
What I found was the following (redacted internal details):
(Thu Aug 23 17:57:45 2018) [sssd[be[EXAMPLE]]] [be_ptask_execute]
(0x0400): Task [EXAMPLE machine account password renewal]: executing
task, timeout 60 seconds
(Thu Aug 23 17:57:45 2018) [sssd[be[EXAMPLE]]] [child_sig_handler]
(0x1000): Waiting for child [186603].
(Thu Aug 23 17:57:45 2018) [sssd[be[EXAMPLE]]] [child_sig_handler]
(0x0020): child [186603] failed with status [3].
(Thu Aug 23 17:57:45 2018) [sssd[be[EXAMPLE]]] [read_pipe_handler]
(0x0400): EOF received, client finished
(Thu Aug 23 17:57:45 2018) [sssd[be[EXAMPLE]]]
[ad_machine_account_password_renewal_done] (0x1000): --- adcli output
start---
* Found realm in keytab: EXAMPLE.COM
* Found computer name in keytab: pal062-dev
* Found service principal in keytab: cifs/srv062-dev
* Found service principal in keytab: cifs/srv062-dev.EXAMPLE.COM
* Using fully qualified name: srv062-dev.EXAMPLE.COM
* Using domain name: EXAMPLE.COM
* Calculated computer account name from fqdn: SRV062-DEV
* Using domain realm: EXAMPLE.COM
* Sending netlogon pings to domain controller: cldap://10.20.30.100
* Received NetLogon info from: dc03.EXAMPLE.COM
* Wrote out krb5.conf snippet to
/tmp/adcli-krb5-UWvCeO/krb5.d/adcli-krb5-conf-9dw0Is
! Couldn't get kerberos ticket for machine account: SRV062-DEV:
Keytab contains no suitable keys for SRV062-DEV$(a)EXAMPLE.COM
adcli: couldn't connect to EXAMPLE.COM domain: Couldn't get kerberos
ticket for machine account: SRV062-DEV: Keytab contains no suitable
keys for SRV062-DEV$(a)EXAMPLE.COM
---adcli output end---
(Thu Aug 23 17:57:45 2018) [sssd[be[EXAMPLE]]] [be_ptask_done]
(0x0400): Task [EXAMPLE machine account password renewal]: finished
successfully
(Thu Aug 23 17:57:45 2018) [sssd[be[EXAMPLE]]] [be_ptask_schedule]
(0x0400): Task [EXAMPLE machine account password renewal]: scheduling
task 60 seconds from last execution time [1535043525]
The server's keytab has:
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
23 03/15/2018 09:59:33 srv062-dev$(a)EXAMPLE.COM
23 03/15/2018 09:59:33 srv062-dev$(a)EXAMPLE.COM
23 03/15/2018 09:59:33 srv062-dev$(a)EXAMPLE.COM
23 03/15/2018 09:59:33 srv062-dev$(a)EXAMPLE.COM
23 03/15/2018 09:59:33 srv062-dev$(a)EXAMPLE.COM
23 03/15/2018 09:59:33 cifs/srv062-dev(a)EXAMPLE.COM
23 03/15/2018 09:59:33 cifs/srv062-dev(a)EXAMPLE.COM
23 03/15/2018 09:59:33 cifs/srv062-dev(a)EXAMPLE.COM
23 03/15/2018 09:59:33 cifs/srv062-dev(a)EXAMPLE.COM
23 03/15/2018 09:59:33 cifs/srv062-dev(a)EXAMPLE.COM
23 03/15/2018 09:59:33 cifs/srv062-dev.ad.pvt(a)EXAMPLE.COM
23 03/15/2018 09:59:33 cifs/srv062-dev.ad.pvt(a)EXAMPLE.COM
23 03/15/2018 09:59:33 cifs/srv062-dev.ad.pvt(a)EXAMPLE.COM
23 03/15/2018 09:59:33 cifs/srv062-dev.ad.pvt(a)EXAMPLE.COM
23 03/15/2018 09:59:33 cifs/srv062-dev.ad.pvt(a)EXAMPLE.COM
Any ideas what could be wrong? Is it potentially because the keytab
has srv062-dev$ and not SRV062-DEV$ ?
You are right, adcli unfortunately ignores the lower case version of the
principal in the keytab and prefers to calculate/guess ("Calculated
computer account name from fqdn: SRV062-DEV") it on its own.
I fixed this for the next version of RHEL7.
bye,
Sumit
>
> Cheers,
>
> John
>
> --
> John Beranek To generalise is to be an idiot.
> http://redux.org.uk/ -- William Blake
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahost...
2:29 p.m.
On Thu, 23 Aug 2018, 20:18 Sumit Bose, wrote:
On Thu, Aug 23, 2018 at 06:05:19PM +0100, John Beranek wrote:
> Hi,
>
> I was just looking in our Active Directory for computer account for
> CentOS 6 and 7 servers, and was surprised that the pwdLastSet value
> for accounts was many months in the past.
>
> So, I took a test CentOS 7 server and set the debug_level up to 7.
> What I found was the following (redacted internal details):
>
> (Thu Aug 23 17:57:45 2018) [sssd[be[EXAMPLE]]] [be_ptask_execute]
> (0x0400): Task [EXAMPLE machine account password renewal]: executing
> task, timeout 60 seconds
> (Thu Aug 23 17:57:45 2018) [sssd[be[EXAMPLE]]] [child_sig_handler]
> (0x1000): Waiting for child [186603].
> (Thu Aug 23 17:57:45 2018) [sssd[be[EXAMPLE]]] [child_sig_handler]
> (0x0020): child [186603] failed with status [3].
> (Thu Aug 23 17:57:45 2018) [sssd[be[EXAMPLE]]] [read_pipe_handler]
> (0x0400): EOF received, client finished
> (Thu Aug 23 17:57:45 2018) [sssd[be[EXAMPLE]]]
> [ad_machine_account_password_renewal_done] (0x1000): --- adcli output
> start---
> * Found realm in keytab: EXAMPLE.COM
> * Found computer name in keytab: pal062-dev
> * Found service principal in keytab: cifs/srv062-dev
> * Found service principal in keytab: cifs/srv062-dev.EXAMPLE.COM
> * Using fully qualified name: srv062-dev.EXAMPLE.COM
> * Using domain name: EXAMPLE.COM
> * Calculated computer account name from fqdn: SRV062-DEV
> * Using domain realm: EXAMPLE.COM
> * Sending netlogon pings to domain controller: cldap://10.20.30.100
> * Received NetLogon info from: dc03.EXAMPLE.COM
> * Wrote out krb5.conf snippet to
> /tmp/adcli-krb5-UWvCeO/krb5.d/adcli-krb5-conf-9dw0Is
> ! Couldn't get kerberos ticket for machine account: SRV062-DEV:
> Keytab contains no suitable keys for SRV062-DEV$(a)EXAMPLE.COM
> adcli: couldn't connect to EXAMPLE.COM domain: Couldn't get kerberos
> ticket for machine account: SRV062-DEV: Keytab contains no suitable
> keys for SRV062-DEV$(a)EXAMPLE.COM
> ---adcli output end---
> (Thu Aug 23 17:57:45 2018) [sssd[be[EXAMPLE]]] [be_ptask_done]
> (0x0400): Task [EXAMPLE machine account password renewal]: finished
> successfully
> (Thu Aug 23 17:57:45 2018) [sssd[be[EXAMPLE]]] [be_ptask_schedule]
> (0x0400): Task [EXAMPLE machine account password renewal]: scheduling
> task 60 seconds from last execution time [1535043525]
>
> The server's keytab has:
>
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Timestamp Principal
> ---- -------------------
------------------------------------------------------
> 23 03/15/2018 09:59:33 srv062-dev$(a)EXAMPLE.COM
> 23 03/15/2018 09:59:33 srv062-dev$(a)EXAMPLE.COM
> 23 03/15/2018 09:59:33 srv062-dev$(a)EXAMPLE.COM
> 23 03/15/2018 09:59:33 srv062-dev$(a)EXAMPLE.COM
> 23 03/15/2018 09:59:33 srv062-dev$(a)EXAMPLE.COM
> 23 03/15/2018 09:59:33 cifs/srv062-dev(a)EXAMPLE.COM
> 23 03/15/2018 09:59:33 cifs/srv062-dev(a)EXAMPLE.COM
> 23 03/15/2018 09:59:33 cifs/srv062-dev(a)EXAMPLE.COM
> 23 03/15/2018 09:59:33 cifs/srv062-dev(a)EXAMPLE.COM
> 23 03/15/2018 09:59:33 cifs/srv062-dev(a)EXAMPLE.COM
> 23 03/15/2018 09:59:33 cifs/srv062-dev.ad.pvt(a)EXAMPLE.COM
> 23 03/15/2018 09:59:33 cifs/srv062-dev.ad.pvt(a)EXAMPLE.COM
> 23 03/15/2018 09:59:33 cifs/srv062-dev.ad.pvt(a)EXAMPLE.COM
> 23 03/15/2018 09:59:33 cifs/srv062-dev.ad.pvt(a)EXAMPLE.COM
> 23 03/15/2018 09:59:33 cifs/srv062-dev.ad.pvt(a)EXAMPLE.COM
>
> Any ideas what could be wrong? Is it potentially because the keytab
> has srv062-dev$ and not SRV062-DEV$ ?
You are right, adcli unfortunately ignores the lower case version of the
principal in the keytab and prefers to calculate/guess ("Calculated
computer account name from fqdn: SRV062-DEV") it on its own.
I fixed this for the next version of RHEL7.
Is there a way to join the domain with adcli and get the upper case version
then? (Or I wonder if my keytab format is due to a prior use of "net ads
join" - I honestly forget if that's a possibility)
John
4:40 p.m.
On Thu, 23 Aug 2018 at 20:29, John Beranek wrote:
On Thu, 23 Aug 2018, 20:18 Sumit Bose, wrote:
>
> On Thu, Aug 23, 2018 at 06:05:19PM +0100, John Beranek wrote:
> > Hi,
> >
> > I was just looking in our Active Directory for computer account for
> > CentOS 6 and 7 servers, and was surprised that the pwdLastSet value
> > for accounts was many months in the past.
> >
> > So, I took a test CentOS 7 server and set the debug_level up to 7.
> > What I found was the following (redacted internal details):
> >
> > (Thu Aug 23 17:57:45 2018) [sssd[be[EXAMPLE]]] [be_ptask_execute]
> > (0x0400): Task [EXAMPLE machine account password renewal]: executing
> > task, timeout 60 seconds
> > (Thu Aug 23 17:57:45 2018) [sssd[be[EXAMPLE]]] [child_sig_handler]
> > (0x1000): Waiting for child [186603].
> > (Thu Aug 23 17:57:45 2018) [sssd[be[EXAMPLE]]] [child_sig_handler]
> > (0x0020): child [186603] failed with status [3].
> > (Thu Aug 23 17:57:45 2018) [sssd[be[EXAMPLE]]] [read_pipe_handler]
> > (0x0400): EOF received, client finished
> > (Thu Aug 23 17:57:45 2018) [sssd[be[EXAMPLE]]]
> > [ad_machine_account_password_renewal_done] (0x1000): --- adcli output
> > start---
> > * Found realm in keytab: EXAMPLE.COM
> > * Found computer name in keytab: pal062-dev
> > * Found service principal in keytab: cifs/srv062-dev
> > * Found service principal in keytab: cifs/srv062-dev.EXAMPLE.COM
> > * Using fully qualified name: srv062-dev.EXAMPLE.COM
> > * Using domain name: EXAMPLE.COM
> > * Calculated computer account name from fqdn: SRV062-DEV
> > * Using domain realm: EXAMPLE.COM
> > * Sending netlogon pings to domain controller: cldap://10.20.30.100
> > * Received NetLogon info from: dc03.EXAMPLE.COM
> > * Wrote out krb5.conf snippet to
> > /tmp/adcli-krb5-UWvCeO/krb5.d/adcli-krb5-conf-9dw0Is
> > ! Couldn't get kerberos ticket for machine account: SRV062-DEV:
> > Keytab contains no suitable keys for SRV062-DEV$(a)EXAMPLE.COM
> > adcli: couldn't connect to EXAMPLE.COM domain: Couldn't get kerberos
> > ticket for machine account: SRV062-DEV: Keytab contains no suitable
> > keys for SRV062-DEV$(a)EXAMPLE.COM
> > ---adcli output end---
> > (Thu Aug 23 17:57:45 2018) [sssd[be[EXAMPLE]]] [be_ptask_done]
> > (0x0400): Task [EXAMPLE machine account password renewal]: finished
> > successfully
> > (Thu Aug 23 17:57:45 2018) [sssd[be[EXAMPLE]]] [be_ptask_schedule]
> > (0x0400): Task [EXAMPLE machine account password renewal]: scheduling
> > task 60 seconds from last execution time [1535043525]
> >
> > The server's keytab has:
> >
> > Keytab name: FILE:/etc/krb5.keytab
> > KVNO Timestamp Principal
> > ---- ------------------- ------------------------------------------------------
> > 23 03/15/2018 09:59:33 srv062-dev$(a)EXAMPLE.COM
> > 23 03/15/2018 09:59:33 srv062-dev$(a)EXAMPLE.COM
> > 23 03/15/2018 09:59:33 srv062-dev$(a)EXAMPLE.COM
> > 23 03/15/2018 09:59:33 srv062-dev$(a)EXAMPLE.COM
> > 23 03/15/2018 09:59:33 srv062-dev$(a)EXAMPLE.COM
> > 23 03/15/2018 09:59:33 cifs/srv062-dev(a)EXAMPLE.COM
> > 23 03/15/2018 09:59:33 cifs/srv062-dev(a)EXAMPLE.COM
> > 23 03/15/2018 09:59:33 cifs/srv062-dev(a)EXAMPLE.COM
> > 23 03/15/2018 09:59:33 cifs/srv062-dev(a)EXAMPLE.COM
> > 23 03/15/2018 09:59:33 cifs/srv062-dev(a)EXAMPLE.COM
> > 23 03/15/2018 09:59:33 cifs/srv062-dev.ad.pvt(a)EXAMPLE.COM
> > 23 03/15/2018 09:59:33 cifs/srv062-dev.ad.pvt(a)EXAMPLE.COM
> > 23 03/15/2018 09:59:33 cifs/srv062-dev.ad.pvt(a)EXAMPLE.COM
> > 23 03/15/2018 09:59:33 cifs/srv062-dev.ad.pvt(a)EXAMPLE.COM
> > 23 03/15/2018 09:59:33 cifs/srv062-dev.ad.pvt(a)EXAMPLE.COM
> >
> > Any ideas what could be wrong? Is it potentially because the keytab
> > has srv062-dev$ and not SRV062-DEV$ ?
>
> You are right, adcli unfortunately ignores the lower case version of the
> principal in the keytab and prefers to calculate/guess ("Calculated
> computer account name from fqdn: SRV062-DEV") it on its own.
>
> I fixed this for the next version of RHEL7.
Is there a way to join the domain with adcli and get the upper case version then? (Or I
wonder if my keytab format is due to a prior use of "net ads join" - I honestly
forget if that's a possibility)
So, I answered my own question...I rejoined the domain using adcli,
and my keytab now has the upper-case version, and the password change
from sssd appears to be functioning correctly now.
The Samba server on the server is also working for now, so fingers crossed!
John
--
John Beranek To generalise is to be an idiot.
http://redux.org.uk/ -- William Blake
2072
days inactive
2072
days old
sssd-users@lists.fedorahosted.org
4 comments
2 participants
participants (2)
-
John Beranek -
Sumit Bose