Automatic Kerberos Host Keytab Renewal with SSSD

Has anyone here seen their Linux servers removed from the AD domain due to expired machine credentials? We are using AD authentication with sssd-1.13.3-56.el6 (CentOS 6).

Per "https://bugzilla.redhat.com/show_bug.cgi?id=1290761", sssd should be able to auto-renew host credentials. There is no mention of any extra configuration steps that should be taken while joining AD in the related Red Hat documentation ("Integrating Red Hat Enterprise Linux 6 with Active Directory").

Per my search, some people do run cron jobs to renew host credentials: "https://lists.fedorahosted.org/archives/list/[email protected]/thread/CRA43XHHDBPAENAYJ3INUWSCE2Q2NB5W/"


Do we need a cron job to run: "msktutil --auto-update" and "kinit -k $"?

Or should sssd be able to handle this?

Do you set "ad_maximum_machine_account_password_age" in sssd.conf, or leave it out for the default of 30 days?

Cheers,

UPDATE: @jhrozek, thank you for your comment.
I am still seeing the same issue with my configuration.
It looks like the ticket did not get renewed on May 28th and the server dropped out of the domain:

    # net ads testjoin
    kerberos_kinit_password [email protected] failed: Preauthentication failed
    kerberos_kinit_password [email protected] failed: Preauthentication failed
    Join to domain is not valid: Logon failure

Keytab status:

# klist -kt
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 04/28/17 02:57:54 host/[email protected]
   2 04/28/17 02:57:54 host/[email protected]
   2 04/28/17 02:57:54 host/[email protected]
   2 04/28/17 02:57:54 host/[email protected]
   2 04/28/17 02:57:54 host/[email protected]
   2 04/28/17 02:57:54 host/[email protected]
   2 04/28/17 02:57:54 host/[email protected]
   2 04/28/17 02:57:54 host/[email protected]
   2 04/28/17 02:57:55 host/[email protected]
   2 04/28/17 02:57:55 host/[email protected]
   2 04/28/17 02:57:55 [email protected]
   2 04/28/17 02:57:55 [email protected]
   2 04/28/17 02:57:55 [email protected]
   2 04/28/17 02:57:55 [email protected]
   2 04/28/17 02:57:55 [email protected]
   3 05/28/17 14:01:39 [email protected]
   3 05/28/17 14:01:39 [email protected]
   3 05/28/17 14:01:39 [email protected]
   3 05/28/17 14:01:39 [email protected]
   3 05/28/17 14:01:39 [email protected]
   3 05/28/17 14:01:39 host/[email protected]
   3 05/28/17 14:01:39 host/[email protected]
   3 05/28/17 14:01:39 host/[email protected]
   3 05/28/17 14:01:39 host/[email protected]
   3 05/28/17 14:01:39 host/[email protected]
   3 05/28/17 14:01:39 host/[email protected]
   3 05/28/17 14:01:39 host/[email protected]
   3 05/28/17 14:01:39 host/[email protected]
   3 05/28/17 14:01:39 host/[email protected]
   3 05/28/17 14:01:39 host/[email protected]

Does this look like it renewed a ticket on 5/28 but somehow got the server account deleted?

SSSD & ADCLI packages installed:

# rpm -qa | grep sssd
sssd-client-1.13.3-56.el6.x86_64
sssd-ipa-1.13.3-56.el6.x86_64
sssd-proxy-1.13.3-56.el6.x86_64
python-sssdconfig-1.13.3-56.el6.noarch
sssd-common-pac-1.13.3-56.el6.x86_64
sssd-krb5-1.13.3-56.el6.x86_64
sssd-krb5-common-1.13.3-56.el6.x86_64
sssd-ldap-1.13.3-56.el6.x86_64
sssd-common-1.13.3-56.el6.x86_64
sssd-ad-1.13.3-56.el6.x86_64
sssd-1.13.3-56.el6.x86_64


# rpm -qa | grep adcli
adcli-0.8.1-1.el6.x86_64

And, sssd.conf:

[sssd]
domains = stage.example.com
services = nss, pam, ssh
config_file_version = 2
default_domain_suffix = main.example.com
full_name_format = %1$s@%2$s

re_expression = (((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))

[domain/stage.example.com]
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
cache_credentials = false
ad_domain = stage.example.com
ldap_id_mapping = true
krb5_realm = STAGE.example.com
default_shell = /bin/bash
ad_gpo_access_control = permissive
override_homedir = /home/admin/%u

And krb5.conf:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = STAGE.EXAMPLE.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = true
 clockskew = true
 proxiable = true

[realms]
 STAGE.EXAMPLE.COM = {
  kdc = 172.31.1.252
  kdc = 172.31.0.252
  admin_server = 172.31.1.252
  admin_server = 172.31.0.252
 }

[domain_realm]
 stage.example.com = STAGE.EXAMPLE.COM
 .stage.example.com = STAGE.EXAMPLE.COM

Any suggestions to troubleshoot this?


This should happen automatically, but you need to install adcli. sssd just forks and execs adcli in order to perform the update.
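The renewal the question asks about (is a cron job needed, and what does ad_maximum_machine_account_password_age do) and the adcli requirement in the answer above can both be checked from the client side before a host silently falls out of the domain. The Python script below is an added example, not code from the question, the answers, or the SSSD project. It parses `klist -kt` output, finds the newest key version (KVNO), compares the age of that key with the effective ad_maximum_machine_account_password_age from sssd.conf (falling back to sssd's default of 30 days when the option is absent), and reports whether adcli is on the PATH, since sssd only forks adcli and cannot renew without it. The host name server.stage.example.com, the SERVER$ machine account, the sample listing and the sample sssd.conf are constructed placeholders that mirror the layout shown in the question. One caveat the question itself illustrates: a fresh KVNO in the keytab only proves that the client wrote a new key locally, not that AD accepted the new password, so a "Preauthentication failed" right after a renewal still has to be investigated on the AD side.

```python
"""Client-side check: is the AD machine-account key in /etc/krb5.keytab due for renewal?

Added example (not from the question, its answers, or SSSD). It reads the
text of `klist -kt` and sssd.conf and decides whether sssd's automatic
renewal (which runs when the newest key is older than
ad_maximum_machine_account_password_age) should already have produced a
newer KVNO. All sample data below is constructed.
"""
import configparser
import re
import shutil
from datetime import datetime, timedelta

# Constructed sample in the same layout as the `klist -kt` output in the
# question: KVNO 2 written at join time, KVNO 3 written one month later.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 04/28/17 02:57:54 host/server.stage.example.com@STAGE.EXAMPLE.COM
   2 04/28/17 02:57:55 SERVER$@STAGE.EXAMPLE.COM
   3 05/28/17 14:01:39 SERVER$@STAGE.EXAMPLE.COM
   3 05/28/17 14:01:39 host/server.stage.example.com@STAGE.EXAMPLE.COM
"""

# Constructed sssd.conf; the option name is the one the question asks about.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = stage.example.com
services = nss, pam, ssh
config_file_version = 2

[domain/stage.example.com]
id_provider = ad
ad_domain = stage.example.com
krb5_realm = STAGE.EXAMPLE.COM
"""

# sssd-ad default for ad_maximum_machine_account_password_age (days).
SSSD_DEFAULT_MAX_AGE_DAYS = 30

# One keytab entry line: KVNO, MM/DD/YY HH:MM:SS, principal.
KLIST_ENTRY = re.compile(r"^\s*(\d+)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)\s*$")


def parse_keytab_listing(text):
    """Return (kvno, timestamp, principal) tuples from `klist -kt` output."""
    entries = []
    for line in text.splitlines():
        m = KLIST_ENTRY.match(line)
        if m:
            stamp = datetime.strptime(m.group(2), "%m/%d/%y %H:%M:%S")
            entries.append((int(m.group(1)), stamp, m.group(3)))
    return entries


def newest_key(entries):
    """Return (kvno, timestamp) of the highest key version in the keytab."""
    if not entries:
        raise ValueError("keytab listing contains no entries")
    kvno = max(e[0] for e in entries)
    stamp = max(e[1] for e in entries if e[0] == kvno)
    return kvno, stamp


def configured_max_age(conf_text, domain):
    """Effective ad_maximum_machine_account_password_age for [domain/<domain>]."""
    # interpolation=None: sssd values such as full_name_format = %1$s@%2$s
    # would otherwise trip configparser's %-interpolation.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(conf_text)
    return cfg.getint(f"domain/{domain}", "ad_maximum_machine_account_password_age",
                      fallback=SSSD_DEFAULT_MAX_AGE_DAYS)


def renewal_status(entries, max_age_days, now, warn_days=5):
    """Classify the newest key as ok / due / overdue against the max age.

    'overdue' means the renewal point has passed without a newer KVNO
    appearing, which is the situation to alert on.
    """
    kvno, issued = newest_key(entries)
    renew_at = issued + timedelta(days=max_age_days)
    remaining = renew_at - now
    if remaining <= timedelta(0):
        state = "overdue"
    elif remaining <= timedelta(days=warn_days):
        state = "due"
    else:
        state = "ok"
    return {"kvno": kvno, "issued": issued, "renew_at": renew_at,
            "remaining_days": round(remaining.total_seconds() / 86400, 1),
            "state": state}


def adcli_available():
    """sssd forks adcli for the renewal, so a missing binary means no renewal."""
    return shutil.which("adcli") is not None


def check(klist_text, conf_text, domain, now_iso):
    """Convenience entry point: klist text + sssd.conf text -> status dict."""
    entries = parse_keytab_listing(klist_text)
    max_age = configured_max_age(conf_text, domain)
    return renewal_status(entries, max_age, datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    status = check(SAMPLE_KLIST, SAMPLE_SSSD_CONF, "stage.example.com", "2017-06-01T00:00:00")
    print(f"newest KVNO {status['kvno']} issued {status['issued']}; renewal expected by "
          f"{status['renew_at']} ({status['state']}, {status['remaining_days']} days left)")
    print("adcli installed:", adcli_available())
```

On a live host, feed it `klist -kt` output and /etc/sssd/sssd.conf instead of the constructed samples, and run it from cron with an alert on "due" or "overdue". Keep the warning window shorter than the renewal interval so a stuck renewal is noticed before the next day's sssd attempt.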


I just figured out what my problem was after having this issue for months.

I didn't name my server server.my.domain.com; instead it was just server. After changing the name, leaving and rejoining the realm, adcli update runs without a problem.


You may also want to configure your AD server(s) as the NTP time source, because if your client machines' clocks drift too far out of sync they will fail to authenticate/renew, and this may happen a lot more often now that everything is virtualized without its own RTC hardware.