I am having a frustrating time trying to figure out what is going on with these Ubuntu servers. I have tried to use msktutil as some have suggested, but this hasn't worked for me. Every 7 days on the mark I lose my domain connection and have to run realm leave/realm join again. I ran msktutil the day before the ticket was about to expire, so it should have worked. This is only a problem on Ubuntu, CentOS works perfectly fine. I even have one Ubuntu server that works.
I also have the problem that the sssd init script, wherever that is now, sometimes thinks that sssd is still running and won't start again. I then have to run 'sssd -D' if I don't want to restart the server.
This is what I get running msktutil.

msktutil --auto-update --verbose:
 -- init_password: Wiping the computer password structure
 -- generate_new_password: Generating a new, random password for the computer account
 -- generate_new_password: Characters read from /dev/udandom = 86
 -- get_dc_host: Attempting to find a Domain Controller to use (DNS SRV RR TCP)
 -- get_dc_host: Found DC: udc05.ad.mydomain.com
 -- get_dc_host: Canonicalizing DC through forward/reverse lookup...
 -- get_dc_host: Found Domain Controller: udc05.ad.mydomain.com
 -- get_default_keytab: Obtaining the default keytab name: FILE:/etc/krb5.keytab
 -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-TSzpEQ
 -- reload: Reloading Kerberos Context
 -- get_short_hostname: Determined short hostname: myserver-domain-foo-com
Error: The SAM name (myserver-domain-foo-com$) for this host is longer than the maximum of MAX_SAM_ACCOUNT_LEN characters
You can specify a shorter name using --computer-name
 -- ~KRB5Context: Destroying Kerberos Context
This appears to have worked, but it didn't.

msktutil --update --computer-name MYSERVER --verbose:
 -- init_password: Wiping the computer password structure
 -- generate_new_password: Generating a new, random password for the computer account
 -- generate_new_password: Characters read from /dev/udandom = 82
 -- get_dc_host: Attempting to find a Domain Controller to use (DNS SRV RR TCP)
 -- get_dc_host: Found DC: udc05.ad.mydomain.com
 -- get_dc_host: Canonicalizing DC through forward/reverse lookup...
 -- get_dc_host: Found Domain Controller: udc05.ad.mydomain.com
 -- get_default_keytab: Obtaining the default keytab name: FILE:/etc/krb5.keytab
 -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-ozv4A6
 -- reload: Reloading Kerberos Context
 -- finalize_exec: SAM Account Name is: MYSERVER$
 -- try_machine_keytab_princ: Trying to authenticate for MYSERVER$ from local keytab...
 -- switch_default_ccache: Using the local credential cache: FILE:/tmp/.mskt_krb5_ccache-ewj6uW
 -- finalize_exec: Authenticated using method 1
 -- ldap_connect: Connecting to LDAP server: udc05.ad.mydomain.com try_tls=YES
 -- ldap_connect: Connecting to LDAP server: udc05.ad.mydomain.com try_tls=NO
SASL/GSSAPI authentication started
SASL username: MYSERVER$@AD.MYDOMAIN.COM
SASL SSF: 56
SASL data security layer installed.
 -- ldap_connect: LDAP_OPT_X_SASL_SSF=56
These are what I think are the pertinent portions of the logs from when the computer can't connect anymore.

sssd_ad.mydomain.com.log:
(Wed Nov 4 15:26:09 2015) [sssd[be[ad.mydomain.com]]] [sdap_get_tgt_recv] (0x0400): Child responded: 14 [Preauthentication failed], expired on [0]
(Wed Nov 4 15:26:09 2015) [sssd[be[ad.mydomain.com]]] [sdap_kinit_done] (0x0100): Could not get TGT: 14 [Bad address]
(Wed Nov 4 15:26:09 2015) [sssd[be[ad.mydomain.com]]] [sdap_cli_kinit_done] (0x0400): Cannot get a TGT: ret [1432158219](Authentication Failed)
(Wed Nov 4 15:26:09 2015) [sssd[be[ad.mydomain.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'udc02.ad.mydomain.com' as 'not working'
(Wed Nov 4 15:26:09 2015) [sssd[be[ad.mydomain.com]]] [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
(Wed Nov 4 15:26:09 2015) [sssd[be[ad.mydomain.com]]] [fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'udc02.ad.mydomain.com' as 'not working'
syslog:
Nov 4 15:26:09 myserver [sssd[ldap_child[25833]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
Nov 4 15:26:09 myserver [sssd[ldap_child[25833]]]: Preauthentication failed
Any help is appreciated.
sssd-users@lists.fedorahosted.org
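Added example, not part of the post above and not code from msktutil or sssd. The "Preauthentication failed" lines from ldap_child mean the key in /etc/krb5.keytab no longer matches the machine account's current password in AD. The script below performs the two checks a practitioner would run on the day before the next rotation instead of waiting for the failure: it compares the keytab's newest KVNO for the machine principal with the account's msDS-KeyVersionNumber in AD, and it requests a TGT from the keytab alone, which is the same operation sssd's ldap_child performs. Assumed and not taken from the post: MIT Kerberos klist/kinit and OpenLDAP ldapsearch are installed, the DC and base DN defaults (derived from the domain names in the post), and the principal name passed on the command line. The SAMPLE_KLIST text is constructed so the parsing can be exercised offline.

```shell
#!/bin/sh
# Added example; not code from the original post, msktutil or sssd.
# Checks whether the keys in the local keytab still match the AD machine
# account: (1) the keytab's newest KVNO vs. msDS-KeyVersionNumber in AD, and
# (2) a TGT request from the keytab alone, which is what sssd's ldap_child
# does when it logs "Preauthentication failed".
#
# Assumptions not taken from the post: MIT Kerberos (klist, kinit) and OpenLDAP
# ldapsearch are installed; DC and BASE_DN are derived from the domain in the
# post and can be overridden from the environment.

KEYTAB="${KEYTAB:-/etc/krb5.keytab}"
DC="${DC:-udc05.ad.mydomain.com}"
BASE_DN="${BASE_DN:-DC=ad,DC=mydomain,DC=com}"

# Constructed stand-in for `klist -kte /etc/krb5.keytab` output (not real data),
# showing an old KVNO 4 key left beside the current KVNO 5 keys.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- --------------------------------------------------
   4 11/03/2015 09:12:00 host/myserver.ad.mydomain.com@AD.MYDOMAIN.COM (arcfour-hmac)
   5 11/04/2015 15:20:41 host/myserver.ad.mydomain.com@AD.MYDOMAIN.COM (aes256-cts-hmac-sha1-96)
   5 11/04/2015 15:20:41 MYSERVER$@AD.MYDOMAIN.COM (aes256-cts-hmac-sha1-96)'

# Read `klist -kte` text on stdin; print "principal newest_kvno" per principal.
# Several KVNOs per principal are normal right after a password change, so only
# the highest one is compared with AD.
keytab_kvnos() {
    awk '
        /^----/ { body = 1; next }           # dashed rule ends the header
        body && NF >= 3 {
            princ = $(NF - 1)                # with -e the last field is "(enctype)"
            kvno  = $1 + 0
            if (!(princ in max) || kvno > max[princ]) max[princ] = kvno
        }
        END { for (p in max) print p, max[p] }
    ' | sort
}

# kvno_for <principal>  (klist text on stdin) -> newest KVNO for that principal
kvno_for() {
    keytab_kvnos | awk -v p="$1" '$1 == p { print $2 }'
}

# kvno_matches <keytab_kvno> <ad_kvno> -> 0 when both present and equal
kvno_matches() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# ad_kvno <sAMAccountName> -> msDS-KeyVersionNumber from AD (needs a TGT first)
ad_kvno() {
    ldapsearch -LLL -Q -Y GSSAPI -H "ldap://$DC" -b "$BASE_DN" \
        "(sAMAccountName=$1)" msDS-KeyVersionNumber 2>/dev/null \
        | awk -F': ' '$1 == "msDS-KeyVersionNumber" { print $2 }'
}

# live_check <principal>, e.g. 'MYSERVER$@AD.MYDOMAIN.COM'
live_check() {
    princ="$1"
    sam="${princ%%@*}"
    if ! command -v klist >/dev/null 2>&1; then
        echo "klist not installed; nothing to check"; return 0
    fi
    klist -kte "$KEYTAB" | keytab_kvnos
    # Same operation sssd performs at startup: a TGT from the keytab alone.
    if ! kinit -kt "$KEYTAB" "$princ"; then
        echo "FAIL: $KEYTAB no longer authenticates as $princ (stale key)"; return 1
    fi
    kt=$(klist -kte "$KEYTAB" | kvno_for "$princ")
    ad=$(ad_kvno "$sam")
    if kvno_matches "$kt" "$ad"; then
        echo "OK: keytab KVNO $kt matches AD msDS-KeyVersionNumber"
    else
        echo "FAIL: keytab KVNO '$kt' vs AD '$ad'; the account password changed without this keytab"
        return 1
    fi
}

# Run the live checks only when a principal is given on the command line.
if [ $# -gt 0 ]; then
    live_check "$1"
fi
```

Usage: `sh keytab-check.sh 'MYSERVER$@AD.MYDOMAIN.COM'`. A keytab KVNO lower than the AD value means the machine account password was changed by something that did not write to this keytab; a TGT failure with matching KVNOs points at the keytab holding keys for a different account than the one the host was joined as, which is worth checking whenever `--computer-name` is used to pick a name different from the one realm/adcli created.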