Automatic Kerberos Host Keytab Renewal with SSSD

active-directory kerberos sssd

Has anyone here seen their Linux servers removed from the AD domain due to expired machine credentials?
We are using AD authentication with sssd-1.13.3-56.el6 (CentOS 6).

Per "https://bugzilla.redhat.com/show_bug.cgi?id=1290761", sssd should be able to auto-renew host credentials.
There is no mention of any extra configuration steps that should be taken while joining the AD domain in the related Red Hat documentation ("Integrating Red Hat Enterprise Linux 6 with Active Directory").

Per my search, some do run cron jobs to renew host credentials:
"https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org/thread/CRA43XHHDBPAENAYJ3INUWSCE2Q2NB5W/"


Do we need a cron job to run:
"msktutil --auto-update" and "kinit -k $"?

Or sssd should be able to handle this?

Do you set "ad_maximum_machine_account_password_age" in sssd.conf, or leave it out for the default of 30 days?

Cheers,

UPDATE:
@jhrozek , Thank you for your comment.
I am still seeing same issue with my configuration.
Looks like the ticket did not get renewed on May 28th and the server dropped out of the domain:

    # net ads testjoin
    kerberos_kinit_password I-12345CV3EABF$@STAGE.example.com failed: Preauthentication failed
    kerberos_kinit_password I-12345CV3EABF$@STAGE.example.com failed: Preauthentication failed
    Join to domain is not valid: Logon failure

Keytab status:

# klist -kt
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 04/28/17 02:57:54 host/i-12345cv3eabf.stage.example.com@STAGE.example.com
   2 04/28/17 02:57:54 host/i-12345cv3eabf.stage.example.com@STAGE.example.com
   2 04/28/17 02:57:54 host/i-12345cv3eabf.stage.example.com@STAGE.example.com
   2 04/28/17 02:57:54 host/i-12345cv3eabf.stage.example.com@STAGE.example.com
   2 04/28/17 02:57:54 host/i-12345cv3eabf.stage.example.com@STAGE.example.com
   2 04/28/17 02:57:54 host/I-12345CV3EABF@STAGE.example.com
   2 04/28/17 02:57:54 host/I-12345CV3EABF@STAGE.example.com
   2 04/28/17 02:57:54 host/I-12345CV3EABF@STAGE.example.com
   2 04/28/17 02:57:55 host/I-12345CV3EABF@STAGE.example.com
   2 04/28/17 02:57:55 host/I-12345CV3EABF@STAGE.example.com
   2 04/28/17 02:57:55 I-12345CV3EABF$@STAGE.example.com
   2 04/28/17 02:57:55 I-12345CV3EABF$@STAGE.example.com
   2 04/28/17 02:57:55 I-12345CV3EABF$@STAGE.example.com
   2 04/28/17 02:57:55 I-12345CV3EABF$@STAGE.example.com
   2 04/28/17 02:57:55 I-12345CV3EABF$@STAGE.example.com
   3 05/28/17 14:01:39 I-12345CV3EABF$@STAGE.example.com
   3 05/28/17 14:01:39 I-12345CV3EABF$@STAGE.example.com
   3 05/28/17 14:01:39 I-12345CV3EABF$@STAGE.example.com
   3 05/28/17 14:01:39 I-12345CV3EABF$@STAGE.example.com
   3 05/28/17 14:01:39 I-12345CV3EABF$@STAGE.example.com
   3 05/28/17 14:01:39 host/i-12345cv3eabf.stage.example.com@STAGE.example.com
   3 05/28/17 14:01:39 host/i-12345cv3eabf.stage.example.com@STAGE.example.com
   3 05/28/17 14:01:39 host/i-12345cv3eabf.stage.example.com@STAGE.example.com
   3 05/28/17 14:01:39 host/i-12345cv3eabf.stage.example.com@STAGE.example.com
   3 05/28/17 14:01:39 host/i-12345cv3eabf.stage.example.com@STAGE.example.com
   3 05/28/17 14:01:39 host/I-12345CV3EABF@STAGE.example.com
   3 05/28/17 14:01:39 host/I-12345CV3EABF@STAGE.example.com
   3 05/28/17 14:01:39 host/I-12345CV3EABF@STAGE.example.com
   3 05/28/17 14:01:39 host/I-12345CV3EABF@STAGE.example.com
   3 05/28/17 14:01:39 host/I-12345CV3EABF@STAGE.example.com

Does this look like it renewed the ticket on 5/28 but somehow got the server account deleted?

SSSD & ADCLI packages installed:

# rpm -qa | grep sssd
sssd-client-1.13.3-56.el6.x86_64
sssd-ipa-1.13.3-56.el6.x86_64
sssd-proxy-1.13.3-56.el6.x86_64
python-sssdconfig-1.13.3-56.el6.noarch
sssd-common-pac-1.13.3-56.el6.x86_64
sssd-krb5-1.13.3-56.el6.x86_64
sssd-krb5-common-1.13.3-56.el6.x86_64
sssd-ldap-1.13.3-56.el6.x86_64
sssd-common-1.13.3-56.el6.x86_64
sssd-ad-1.13.3-56.el6.x86_64
sssd-1.13.3-56.el6.x86_64


# rpm -qa | grep adcli
adcli-0.8.1-1.el6.x86_64

And, sssd.conf:

[sssd]
domains = stage.example.com
services = nss, pam, ssh
config_file_version = 2
default_domain_suffix = main.example.com
full_name_format = %1$s@%2$s

re_expression = (((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))

[domain/stage.example.com]
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
cache_credentials = false
ad_domain = stage.example.com
ldap_id_mapping = true
krb5_realm = STAGE.example.com
default_shell = /bin/bash
ad_gpo_access_control = permissive
override_homedir = /home/admin/%u

And krb5.conf:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = STAGE.EXAMPLE.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = true
 clockskew = true
 proxiable = true

[realms]
 STAGE.EXAMPLE.COM = {
  kdc = 172.31.1.252
  kdc = 172.31.0.252
  admin_server = 172.31.1.252
  admin_server = 172.31.0.252
 }

[domain_realm]
 stage.example.com = STAGE.EXAMPLE.COM
 .stage.example.com = STAGE.EXAMPLE.COM

Any suggestions to troubleshoot this?

Best Answer

This should happen automatically, but you need to install adcli. sssd just forks and execs adcli in order to perform the update.
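Whether the automatic renewal described in the answer actually happened is visible in the keytab itself: every rotation adds entries with a higher KVNO and a fresh timestamp, so a host whose newest keytab entry is older than ad_maximum_machine_account_password_age (30 days by default) has missed at least one rotation and is the one to investigate before `net ads testjoin` starts failing. The following check is an added example, not code from the post or from the SSSD project; it parses `klist -kt` output with plain sh and awk so it runs on a stock EL6 box, and it assumes the two-digit years klist prints all mean 20xx. The sample keytab listing is constructed from the shape of the output in the question.

```shell
#!/bin/sh
# keytab_check.sh: decide from `klist -kt` output whether the host keytab was
# rotated inside the AD machine-account password window. Added example; the
# 30-day default mirrors sssd's ad_maximum_machine_account_password_age.

# Constructed sample in the shape of `klist -kt` output (trimmed).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 04/28/17 02:57:54 host/i-12345cv3eabf.stage.example.com@STAGE.EXAMPLE.COM
   2 04/28/17 02:57:55 I-12345CV3EABF$@STAGE.EXAMPLE.COM
   3 05/28/17 14:01:39 I-12345CV3EABF$@STAGE.EXAMPLE.COM
   3 05/28/17 14:01:39 host/i-12345cv3eabf.stage.example.com@STAGE.EXAMPLE.COM'

# One awk program, selected by "mode": kvno | date | age | status.
# Dates are compared as Julian Day Numbers so GNU `date -d` is not needed.
# Assumption: klist prints two-digit years and they all mean 20xx.
KEYTAB_AWK='
function jdn(y, m, d,    a, yy, mm) {
  a = int((14 - m) / 12); yy = y + 4800 - a; mm = m + 12 * a - 3
  return d + int((153 * mm + 2) / 5) + 365 * yy + int(yy / 4) - int(yy / 100) + int(yy / 400) - 32045
}
BEGIN { kvno = 0; newest = 0; newest_str = "" }
# Entry lines start with a numeric KVNO followed by an MM/DD/YY stamp.
$1 ~ /^[0-9]+$/ && $2 ~ /^[0-9][0-9]\/[0-9][0-9]\/[0-9][0-9]$/ {
  split($2, p, "/")
  j = jdn(2000 + p[3], p[1] + 0, p[2] + 0)
  if (j > newest) { newest = j; newest_str = $2 }
  if ($1 + 0 > kvno) kvno = $1 + 0
}
END {
  if (mode == "kvno") { print kvno; exit }
  if (mode == "date") { print newest_str; exit }
  split(today, t, "-")
  age = jdn(t[1] + 0, t[2] + 0, t[3] + 0) - newest
  if (mode == "age") print age
  else print (age > max_age ? "stale" : "ok")
}'

# $1 = klist -kt output. Highest KVNO present in the keytab.
keytab_max_kvno()    { printf '%s\n' "$1" | awk -v mode=kvno "$KEYTAB_AWK"; }
# Date (MM/DD/YY) of the most recently written entry.
keytab_newest_date() { printf '%s\n' "$1" | awk -v mode=date "$KEYTAB_AWK"; }
# $2 = today as YYYY-MM-DD. Days since the newest entry was written.
keytab_age_days()    { printf '%s\n' "$1" | awk -v mode=age -v today="$2" "$KEYTAB_AWK"; }
# $3 = maximum age in days (default 30). Prints "ok" or "stale".
keytab_status() {
  printf '%s\n' "$1" | awk -v mode=status -v today="$2" -v max_age="${3:-30}" "$KEYTAB_AWK"
}

# Live use on a joined host (root, to read /etc/krb5.keytab):
#   keytab_status "$(klist -kt)" "$(date +%Y-%m-%d)" 30
keytab_status "$SAMPLE_KLIST" 2017-06-05 30   # prints: ok
```

Run it from cron with the live `klist -kt` output and alert on "stale"; a keytab that is fresh but still fails `net ads testjoin` points at the account in AD (deleted, disabled or reset) rather than at the rotation, which is the distinction the question's klist output leaves open.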