Hi,
I was just looking in our Active Directory at the computer accounts for CentOS 6 and 7 servers, and was surprised that the pwdLastSet value for the accounts was many months in the past.
So, I took a test CentOS 7 server and set the debug_level up to 7. What I found was the following (redacted internal details):
(Thu Aug 23 17:57:45 2018) [sssd[be[EXAMPLE]]] [be_ptask_execute] (0x0400): Task [EXAMPLE machine account password renewal]: executing task, timeout 60 seconds
(Thu Aug 23 17:57:45 2018) [sssd[be[EXAMPLE]]] [child_sig_handler] (0x1000): Waiting for child [186603].
(Thu Aug 23 17:57:45 2018) [sssd[be[EXAMPLE]]] [child_sig_handler] (0x0020): child [186603] failed with status [3].
(Thu Aug 23 17:57:45 2018) [sssd[be[EXAMPLE]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Thu Aug 23 17:57:45 2018) [sssd[be[EXAMPLE]]] [ad_machine_account_password_renewal_done] (0x1000): --- adcli output start---
 * Found realm in keytab: EXAMPLE.COM
 * Found computer name in keytab: pal062-dev
 * Found service principal in keytab: cifs/srv062-dev
 * Found service principal in keytab: cifs/srv062-dev.EXAMPLE.COM
 * Using fully qualified name: srv062-dev.EXAMPLE.COM
 * Using domain name: EXAMPLE.COM
 * Calculated computer account name from fqdn: SRV062-DEV
 * Using domain realm: EXAMPLE.COM
 * Sending netlogon pings to domain controller: cldap://10.20.30.100
 * Received NetLogon info from: dc03.EXAMPLE.COM
 * Wrote out krb5.conf snippet to /tmp/adcli-krb5-UWvCeO/krb5.d/adcli-krb5-conf-9dw0Is
 ! Couldn't get kerberos ticket for machine account: SRV062-DEV: Keytab contains no suitable keys for SRV062-DEV$@EXAMPLE.COM
adcli: couldn't connect to EXAMPLE.COM domain: Couldn't get kerberos ticket for machine account: SRV062-DEV: Keytab contains no suitable keys for SRV062-DEV$@EXAMPLE.COM
---adcli output end---
(Thu Aug 23 17:57:45 2018) [sssd[be[EXAMPLE]]] [be_ptask_done] (0x0400): Task [EXAMPLE machine account password renewal]: finished successfully
(Thu Aug 23 17:57:45 2018) [sssd[be[EXAMPLE]]] [be_ptask_schedule] (0x0400): Task [EXAMPLE machine account password renewal]: scheduling task 60 seconds from last execution time [1535043525]
The server's keytab has:
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
  23 03/15/2018 09:59:33 srv062-dev$@EXAMPLE.COM
  23 03/15/2018 09:59:33 srv062-dev$@EXAMPLE.COM
  23 03/15/2018 09:59:33 srv062-dev$@EXAMPLE.COM
  23 03/15/2018 09:59:33 srv062-dev$@EXAMPLE.COM
  23 03/15/2018 09:59:33 srv062-dev$@EXAMPLE.COM
  23 03/15/2018 09:59:33 cifs/srv062-dev@EXAMPLE.COM
  23 03/15/2018 09:59:33 cifs/srv062-dev@EXAMPLE.COM
  23 03/15/2018 09:59:33 cifs/srv062-dev@EXAMPLE.COM
  23 03/15/2018 09:59:33 cifs/srv062-dev@EXAMPLE.COM
  23 03/15/2018 09:59:33 cifs/srv062-dev@EXAMPLE.COM
  23 03/15/2018 09:59:33 cifs/srv062-dev.ad.pvt@EXAMPLE.COM
  23 03/15/2018 09:59:33 cifs/srv062-dev.ad.pvt@EXAMPLE.COM
  23 03/15/2018 09:59:33 cifs/srv062-dev.ad.pvt@EXAMPLE.COM
  23 03/15/2018 09:59:33 cifs/srv062-dev.ad.pvt@EXAMPLE.COM
  23 03/15/2018 09:59:33 cifs/srv062-dev.ad.pvt@EXAMPLE.COM
Any ideas what could be wrong? Is it potentially because the keytab has srv062-dev$ and not SRV062-DEV$?
Cheers,
John
Please note the one occasion my redacting failed, and the highly secretive server name "pal062-dev" was not replaced with "srv062-dev" ;)
John
On Thu, Aug 23, 2018 at 06:05:19PM +0100, John Beranek wrote:
Any ideas what could be wrong? Is it potentially because the keytab has srv062-dev$ and not SRV062-DEV$?
You are right, adcli unfortunately ignores the lower case version of the principal in the keytab and prefers to calculate/guess ("Calculated computer account name from fqdn: SRV062-DEV") it on its own.
I fixed this for the next version of RHEL7.
bye, Sumit
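A check for the mismatch Sumit describes, added here and not code from sssd or adcli: it parses `klist -k` output (a constructed sample modelled on the keytab in the thread) and compares the principal adcli will request, the upper-cased short hostname with `$` appended, against what the keytab actually holds. It assumes only the upper-casing step of adcli's name calculation, as shown by the "Calculated computer account name from fqdn" log line.

```shell
#!/bin/sh
# Constructed sample of `klist -k` output, modelled on the keytab in the
# thread (one row per principal; real klist shows one row per enctype).
BROKEN_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
  23 03/15/2018 09:59:33 srv062-dev$@EXAMPLE.COM
  23 03/15/2018 09:59:33 cifs/srv062-dev@EXAMPLE.COM
  23 03/15/2018 09:59:33 cifs/srv062-dev.ad.pvt@EXAMPLE.COM'

# Constructed sample of a keytab written by a fresh adcli join.
FIXED_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
  24 08/23/2018 20:40:11 SRV062-DEV$@EXAMPLE.COM
  24 08/23/2018 20:40:11 cifs/srv062-dev@EXAMPLE.COM'

# The name adcli derives from the FQDN, per the log line "Calculated computer
# account name from fqdn: SRV062-DEV": short hostname, upper-cased.
# Assumption: only this upper-casing step of adcli's logic is modelled.
adcli_account_name() {
    printf '%s' "${1%%.*}" | tr '[:lower:]' '[:upper:]'
}

# Principal column of every key row in klist output (rows start with a KVNO).
keytab_principals() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ && NF >= 4 { print $4 }' | sort -u
}

# Returns 0 when the keytab holds a key for exactly the principal adcli will
# request (Kerberos principal names are case-sensitive), 1 otherwise.
check_machine_principal() {
    want="$(adcli_account_name "$2")\$@$3"
    if keytab_principals "$1" | grep -qxF "$want"; then
        echo "OK: keytab has $want"
        return 0
    fi
    # A case-insensitive hit pinpoints the failure mode seen in the thread.
    near=$(keytab_principals "$1" | grep -ixF "$want" || true)
    if [ -n "$near" ]; then
        echo "MISMATCH: keytab has $near, adcli will request $want"
    else
        echo "MISSING: no machine principal for $want"
    fi
    return 1
}

# Exit status 1 is expected for the broken keytab, 0 for the re-joined one.
check_machine_principal "$BROKEN_KLIST" srv062-dev.EXAMPLE.COM EXAMPLE.COM || true
check_machine_principal "$FIXED_KLIST" srv062-dev.EXAMPLE.COM EXAMPLE.COM
```

On a real host, replace the sample with `klist -k /etc/krb5.keytab`, the FQDN with `hostname -f`, and the realm with the one from sssd.conf.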
On Thu, 23 Aug 2018, 20:18 Sumit Bose, wrote:
On Thu, Aug 23, 2018 at 06:05:19PM +0100, John Beranek wrote:
Any ideas what could be wrong? Is it potentially because the keytab has srv062-dev$ and not SRV062-DEV$?
You are right, adcli unfortunately ignores the lower case version of the principal in the keytab and prefers to calculate/guess ("Calculated computer account name from fqdn: SRV062-DEV") it on its own.
I fixed this for the next version of RHEL7.
Is there a way to join the domain with adcli and get the upper case version then? (Or I wonder if my keytab format is due to a prior use of "net ads join" - I honestly forget if that's a possibility)
John
On Thu, 23 Aug 2018 at 20:29, John Beranek wrote:
On Thu, 23 Aug 2018, 20:18 Sumit Bose, wrote:
On Thu, Aug 23, 2018 at 06:05:19PM +0100, John Beranek wrote:
You are right, adcli unfortunately ignores the lower case version of the principal in the keytab and prefers to calculate/guess ("Calculated computer account name from fqdn: SRV062-DEV") it on its own.
I fixed this for the next version of RHEL7.
Is there a way to join the domain with adcli and get the upper case version then? (Or I wonder if my keytab format is due to a prior use of "net ads join" - I honestly forget if that's a possibility)
So, I answered my own question... I rejoined the domain using adcli, and my keytab now has the upper-case version, and the password change from sssd appears to be functioning correctly now.
The Samba server on the server is also working for now, so fingers crossed!
John