I'm encountering a strange problem on some of my Ubuntu 14.0.4 LTS servers. I have yet to encounter the same problem on any of the CentOS or RHEL6/7 servers.
After a few days of working fine, all of a sudden users can't log in. I can fix the problem easily by using 'realm leave' and 'realm join', but this isn't optimal since users can go a day or two before it gets fixed. I thought at first it was clock drift causing a problem with the Kerberos ticket, but this last time I made sure to check the date before I rejoined the realm.
Oct 19 10:16:30 myserver [sssd[ldap_child[19092]]]: Preauthentication failed
Oct 19 10:16:31 myserver [sssd[ldap_child[19093]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
sssd 1.12.5
Any ideas?
On Mon, Oct 19, 2015 at 08:18:39PM +0000, Thackeray, Neil L wrote:
> I'm encountering a strange problem on some of my Ubuntu 14.0.4 LTS servers. I have yet to encounter the same problem on any of the CentOS or RHEL6/7 servers.
> After a few days of working fine, all of a sudden users can't log in. I can fix the problem easily by using 'realm leave' and 'realm join', but this isn't optimal since users can go a day or two before it gets fixed. I thought at first it was clock drift causing a problem with the Kerberos ticket, but this last time I made sure to check the date before I rejoined the realm.
> Oct 19 10:16:30 myserver [sssd[ldap_child[19092]]]: Preauthentication failed
> Oct 19 10:16:31 myserver [sssd[ldap_child[19093]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
> sssd 1.12.5
Preauthentication failed normally means wrong password, in this case wrong keytab. I guess you would see the same error if you run kinit -k "SHORTNAME$" (you can see the shortname in ldap_child.log as well..)
Are you sure your domain policies don't expire machine passwords after some time?
On Tue, Oct 20, 2015 at 09:19:31AM +0200, Jakub Hrozek wrote:
> Preauthentication failed normally means wrong password, in this case wrong keytab. I guess you would see the same error if you run kinit -k "SHORTNAME$" (you can see the shortname in ldap_child.log as well..)
> Are you sure your domain policies don't expire machine passwords after some time?
I'm pretty sure there is a domain policy active which forces the clients to renew their password regularly and https://fedorahosted.org/sssd/ticket/1041 would be the related ticket for the. Until this is fixed it might help to run msktutil from a cronjob.
HTH
bye, Sumit
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
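The check and the workaround discussed in this thread (testing the keytab with kinit -k and running msktutil from cron), as an added example that is not from any of the posters or from the SSSD project. It assumes MIT kinit/kdestroy and a msktutil build that supports --auto-update; the function names, the keytab-check log tag and the --run argument are made up for illustration.

```shell
#!/bin/bash
# Added example: detect a stale AD machine keytab and refresh it from cron.
# Function names, the "keytab-check" tag and "--run" are illustrative.
KEYTAB=${KEYTAB:-/etc/krb5.keytab}

# The two syslog lines quoted in the thread, kept as sample input.
SAMPLE_LOG='Oct 19 10:16:30 myserver [sssd[ldap_child[19092]]]: Preauthentication failed
Oct 19 10:16:31 myserver [sssd[ldap_child[19093]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.'

# "SHORTNAME$": upper-cased first hostname label plus '$'. Assumption: the
# account name was not shortened at join time; confirm with `klist -k`.
machine_principal() {
    local short=${1%%.*}
    printf '%s$\n' "$(printf '%s' "$short" | tr '[:lower:]' '[:upper:]')"
}

# Count ldap_child "Preauthentication failed" lines in syslog text on stdin.
count_keytab_failures() {
    grep -c 'ldap_child\[[0-9]*].*Preauthentication failed' || true
}

# Request a TGT with the keytab into a throwaway ccache; 0 means the KDC
# still accepts the keys, i.e. the keytab matches the machine password.
keytab_valid() {
    local cc rc
    cc=$(mktemp) || return 2
    kinit -k -t "$KEYTAB" -c "FILE:$cc" "$1" >/dev/null 2>&1
    rc=$?
    kdestroy -c "FILE:$cc" >/dev/null 2>&1
    rm -f "$cc"
    return "$rc"
}

# Cron entry point: rotate the password if it is due, then verify and log.
refresh_keytab() {
    local princ
    princ=$(machine_principal "$(hostname)")
    msktutil --auto-update --keytab "$KEYTAB" \
        || logger -p auth.err -t keytab-check "msktutil --auto-update failed"
    keytab_valid "$princ" \
        || logger -p auth.err -t keytab-check "KDC rejected keytab for $princ"
}

# Run only when asked, e.g. from /etc/cron.daily: keytab-check.sh --run
if [ "${1:-}" = "--run" ]; then
    refresh_keytab
fi
```

Running it daily keeps the gap between an AD-side password change and a usable keytab short, and the auth.err log line gives monitoring something to alert on before users notice.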
On Tue, Oct 20, 2015 at 09:41:16AM +0200, Sumit Bose wrote:
> I'm pretty sure there is a domain policy active which forces the clients to renew their password regularly and https://fedorahosted.org/sssd/ticket/1041 would be the related ticket for the. Until this is fixed it might help to run msktutil from a cronjob.
It looks like Ubuntu 14.0.4 has a packaged version of msktutil. I created a copr repo with a quite recent release at https://copr.fedoraproject.org/coprs/sbose/msktutil/ . So far I didn't run any tests with those packages so any feedback is welcome.
bye, Sumit
The machine passwords do change, but there are just a couple machines that seem to be having this problem so far. The default for AD machine accounts is to change passwords every 30 days, so I have to think there is something going on with this machine that it is losing its trust with the AD realm.
-----Original Message-----
From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Sumit Bose
Sent: Tuesday, October 20, 2015 5:23 AM
To: End-user discussions about the System Security Services Daemon sssd-users@lists.fedorahosted.org
Subject: Re: [SSSD-users] Weird keytab issue
It looks like Ubuntu 14.0.4 has a packaged version of msktutil. I created a copr repo with a quite recent release at https://copr.fedoraproject.org/coprs/sbose/msktutil/ . So far I didn't run any tests with those packages so any feedback is welcome.
bye, Sumit