On Thu, 23 Aug 2018, 20:18 Sumit Bose, wrote:
>
> On Thu, Aug 23, 2018 at 06:05:19PM +0100, John Beranek wrote:
> > Hi,
> >
> > I was just looking in our Active Directory for computer account for
> > CentOS 6 and 7 servers, and was surprised that the pwdLastSet value
> > for accounts was many months in the past.
> >
> > So, I took a test CentOS 7 server and set the debug_level up to 7.
> > What I found was the following (redacted internal details):
> >
> > (Thu Aug 23 17:57:45 2018) [sssd[be[EXAMPLE]]] [be_ptask_execute]
> > (0x0400): Task [EXAMPLE machine account password renewal]: executing
> > task, timeout 60 seconds
> > (Thu Aug 23 17:57:45 2018) [sssd[be[EXAMPLE]]] [child_sig_handler]
> > (0x1000): Waiting for child [186603].
> > (Thu Aug 23 17:57:45 2018) [sssd[be[EXAMPLE]]] [child_sig_handler]
> > (0x0020): child [186603] failed with status [3].
> > (Thu Aug 23 17:57:45 2018) [sssd[be[EXAMPLE]]] [read_pipe_handler]
> > (0x0400): EOF received, client finished
> > (Thu Aug 23 17:57:45 2018) [sssd[be[EXAMPLE]]]
> > [ad_machine_account_password_renewal_done] (0x1000): --- adcli output
> > start---
> > * Found realm in keytab: EXAMPLE.COM
> > * Found computer name in keytab: pal062-dev
> > * Found service principal in keytab: cifs/srv062-dev
> > * Found service principal in keytab: cifs/srv062-dev.EXAMPLE.COM
> > * Using fully qualified name: srv062-dev.EXAMPLE.COM
> > * Using domain name: EXAMPLE.COM
> > * Calculated computer account name from fqdn: SRV062-DEV
> > * Using domain realm: EXAMPLE.COM
> > * Sending netlogon pings to domain controller: cldap://10.20.30.100
> > * Received NetLogon info from: dc03.EXAMPLE.COM
> > * Wrote out krb5.conf snippet to
> > /tmp/adcli-krb5-UWvCeO/krb5.d/adcli-krb5-conf-9dw0Is
> > ! Couldn't get kerberos ticket for machine account: SRV062-DEV:
> > Keytab contains no suitable keys for SRV062-DEV$@EXAMPLE.COM
> > adcli: couldn't connect to EXAMPLE.COM domain: Couldn't get kerberos
> > ticket for machine account: SRV062-DEV: Keytab contains no suitable
> > keys for SRV062-DEV$@EXAMPLE.COM
> > ---adcli output end---
> > (Thu Aug 23 17:57:45 2018) [sssd[be[EXAMPLE]]] [be_ptask_done]
> > (0x0400): Task [EXAMPLE machine account password renewal]: finished
> > successfully
> > (Thu Aug 23 17:57:45 2018) [sssd[be[EXAMPLE]]] [be_ptask_schedule]
> > (0x0400): Task [EXAMPLE machine account password renewal]: scheduling
> > task 60 seconds from last execution time [1535043525]
> >
> > The server's keytab has:
> >
> > Keytab name: FILE:/etc/krb5.keytab
> > KVNO Timestamp Principal
> > ---- ------------------- ------------------------------------------------------
> > 23 03/15/2018 09:59:33 srv062-dev$@EXAMPLE.COM
> > 23 03/15/2018 09:59:33 srv062-dev$@EXAMPLE.COM
> > 23 03/15/2018 09:59:33 srv062-dev$@EXAMPLE.COM
> > 23 03/15/2018 09:59:33 srv062-dev$@EXAMPLE.COM
> > 23 03/15/2018 09:59:33 srv062-dev$@EXAMPLE.COM
> > 23 03/15/2018 09:59:33 cifs/srv062-dev@EXAMPLE.COM
> > 23 03/15/2018 09:59:33 cifs/srv062-dev@EXAMPLE.COM
> > 23 03/15/2018 09:59:33 cifs/srv062-dev@EXAMPLE.COM
> > 23 03/15/2018 09:59:33 cifs/srv062-dev@EXAMPLE.COM
> > 23 03/15/2018 09:59:33 cifs/srv062-dev@EXAMPLE.COM
> > 23 03/15/2018 09:59:33 cifs/srv062-dev.ad.pvt@EXAMPLE.COM
> > 23 03/15/2018 09:59:33 cifs/srv062-dev.ad.pvt@EXAMPLE.COM
> > 23 03/15/2018 09:59:33 cifs/srv062-dev.ad.pvt@EXAMPLE.COM
> > 23 03/15/2018 09:59:33 cifs/srv062-dev.ad.pvt@EXAMPLE.COM
> > 23 03/15/2018 09:59:33 cifs/srv062-dev.ad.pvt@EXAMPLE.COM
> >
> > Any ideas what could be wrong? Is it potentially because the keytab
> > has srv062-dev$ and not SRV062-DEV$ ?
>
> You are right, adcli unfortunately ignores the lower case version of the
> principal in the keytab and prefers to calculate/guess ("Calculated
> computer account name from fqdn: SRV062-DEV") it on its own.
>
> I fixed this for the next version of RHEL7.
Is there a way to join the domain with adcli and get the upper case version then? (Or I
wonder if my keytab format is due to a prior use of "net ads join" - I honestly
forget if that's a possibility)

So, I answered my own question... I rejoined the domain using adcli,
and my keytab now has the upper-case version, and the password change
from sssd appears to be functioning correctly now.

The Samba server on the server is also working for now, so fingers crossed!
John
--
John Beranek To generalise is to be an idiot.
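A pre-flight check for the keytab case mismatch discussed in this thread, added here as an example; it is not code from the thread, from adcli or from sssd. It parses `klist -k` style output (the sample below is constructed, modelled on the listing above), computes the principal adcli would derive from the FQDN the way Sumit describes (upper-cased short hostname plus `$@REALM`), and reports whether the keytab holds an exact-case entry, only a differently-cased one (the failure mode in the thread), or none at all. The `fqdn`/`realm` parameters and the output format assumed by the parser are this example's assumptions.

```python
import re

# Constructed sample, modelled on the klist -k listing in the thread (not real output).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
  23 03/15/2018 09:59:33 srv062-dev$@EXAMPLE.COM
  23 03/15/2018 09:59:33 cifs/srv062-dev@EXAMPLE.COM
  23 03/15/2018 09:59:33 cifs/srv062-dev.example.com@EXAMPLE.COM
"""


def parse_klist(text):
    """Return the set of principals found in `klist -k` output (assumed format)."""
    principals = set()
    for line in text.splitlines():
        # KVNO, date, time, principal; header and separator lines do not match.
        m = re.match(r"^\s*\d+\s+\S+\s+\S+\s+(\S+@\S+)$", line)
        if m:
            principals.add(m.group(1))
    return principals


def expected_machine_principal(fqdn, realm):
    """The name adcli calculates per the thread: upper-cased short host, '$', realm."""
    short = fqdn.split(".")[0].upper()
    return f"{short}$@{realm.upper()}"


def check_keytab(text, fqdn, realm):
    """Classify the keytab as 'ok', 'case-mismatch' (renewal will fail) or 'missing'.

    Returns (status, principal): the matching entry for 'ok' and 'case-mismatch',
    the expected principal for 'missing'.
    """
    principals = parse_klist(text)
    want = expected_machine_principal(fqdn, realm)
    if want in principals:
        return "ok", want
    # Kerberos would accept this key, but adcli ignores it because the case differs.
    lowered = {p.lower(): p for p in principals}
    if want.lower() in lowered:
        return "case-mismatch", lowered[want.lower()]
    return "missing", want


if __name__ == "__main__":
    status, principal = check_keytab(SAMPLE_KLIST, "srv062-dev.example.com", "EXAMPLE.COM")
    print(f"{status}: {principal}")  # prints "case-mismatch: srv062-dev$@EXAMPLE.COM"
```

On a real host, feed it the output of `klist -k` and the host's FQDN and realm; a `case-mismatch` result is the signature of the silent renewal failure shown in the debug log above, and rejoining with adcli (as John did) is what produces the upper-case entry.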