Ldap authentication sync issue with AD

General support questions
quqonlik
Posts: 14
Joined: 2019/01/19 23:29:32

Ldap authentication sync issue with AD

Post by quqonlik » 2019/06/17 18:46:58

Hello,

If someone could help me with this issue. We had an issue with a website and we had to revert the server back to a snapshot image which is four months old. This server uses LDAP and AD authentication. After we reverted to the older snapshot image, I started to see sssd errors:

"Jun 17 13:11:52 server.example.com [sssd[ldap_child[31019]]][31019]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection."

It was working fine and no recent configuration changes on SSSD side

Any suggestion ?

Thank you!

aks
Posts: 2731
Joined: 2014/09/20 11:22:14

Re: Ldap authentication sync issue with AD

Post by aks » 2019/06/18 18:56:54

quqonlik wrote:
    If someone could help me with this issue.
Probably not.
It kind of sounds like the keys have rotated and what is now (in memory, originally from disk) is invalid after all this time (4 months).

esokolowski
Posts: 6
Joined: 2019/06/19 17:14:21

Re: Ldap authentication sync issue with AD

Post by esokolowski » 2019/06/19 18:35:45

This is a common issue when the account you used to join the Linux client to the Windows domain has an expired password.

i.e. you probably typed something like: realm join -U [username] [domain]

Well, the 'username' should be a generic account, like "LDAP_ACCT", and it should not have an expiring password.

Rejoin your linux client to your domain with this new account and the GSSAPI error will go away.

-E-

quqonlik
Posts: 14
Joined: 2019/01/19 23:29:32

Re: Ldap authentication sync issue with AD

Post by quqonlik » 2019/06/27 16:48:10

I rejoined this host to the AD domain and the previous errors are gone, but:

realm join -v --computer-name=ADSERVER.COM --user=me_admin adserver.com

And getting the following error:

Jun 25 10:42:45 adserver.com sssd[12129]: ; TSIG error with server: tsig verify failure
Jun 25 10:42:45 adserver.com sssd[12129]: update failed: REFUSED

Trying to switch to an existing AD user:


su - me_admin

no such user exists

Is the TSIG error related to clock syncing?

hunter86_bg
Posts: 1789
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: Ldap authentication sync issue with AD

Post by hunter86_bg » 2019/06/28 05:59:53

Better rejoin the Linux system. Most probably the KVNO of the keytab is different from the KVNO on the AD.
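As an added example, not code posted in this thread: a POSIX shell script that checks the explanation given by aks (keys rotated while the snapshot sat on disk) and by hunter86_bg (keytab KVNO differs from the KVNO on the AD). AD increments msDS-KeyVersionNumber on the computer account each time the machine account password changes, and sssd rotates that password on a schedule, so a keytab restored from a months-old snapshot carries an older KVNO and an old key; kinit with that keytab then fails with "Preauthentication failed", which is what sssd's ldap_child logged. The script parses `klist -kte` output and the LDIF returned by ldapsearch for the computer object. The host name, realm, DC, bind user, base DN and KVNO values are constructed or assumed for the demo; run it with no arguments to use the embedded sample, or with --live on the joined host after editing the assumed variables.

```shell
#!/bin/sh
# Added example: compare the KVNO in the local keytab with the
# msDS-KeyVersionNumber AD holds for the computer account.
# All names and numbers in the sample data are constructed.

# Highest KVNO for one principal in `klist -kte` output.
# $1 = klist -kte output, $2 = principal, e.g. 'SERVER$@EXAMPLE.COM'
# Data lines look like: "   5 02/14/2019 09:03:11 SERVER$@EXAMPLE.COM (aes256-cts-hmac-sha1-96)"
keytab_max_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 ~ /^[0-9]+$/ && $4 == p { if ($1 + 0 > max) max = $1 + 0; found = 1 }
        END { if (found) print max; else print "none" }'
}

# msDS-KeyVersionNumber from `ldapsearch -LLL` LDIF output ($1).
ad_kvno() {
    printf '%s\n' "$1" | awk -F': ' '
        $1 == "msDS-KeyVersionNumber" { print $2; found = 1; exit }
        END { if (!found) print "none" }'
}

# Verdict: "match", "stale-keytab" (rejoin needed) or "unknown".
# $1 = keytab KVNO, $2 = AD KVNO
kvno_status() {
    if [ "$1" = "none" ] || [ "$2" = "none" ]; then
        echo unknown
    elif [ "$1" = "$2" ]; then
        echo match
    else
        echo stale-keytab
    fi
}

# Constructed sample: keytab written when the snapshot was taken.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   5 02/14/2019 09:03:11 host/server.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   5 02/14/2019 09:03:11 host/server.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   5 02/14/2019 09:03:11 SERVER$@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   5 02/14/2019 09:03:11 SERVER$@EXAMPLE.COM (aes128-cts-hmac-sha1-96)'

# Constructed sample: what AD reports after several password rotations.
SAMPLE_LDIF='dn: CN=SERVER,CN=Computers,DC=example,DC=com
msDS-KeyVersionNumber: 9'

demo() {
    kt=$(keytab_max_kvno "$SAMPLE_KLIST" 'SERVER$@EXAMPLE.COM')
    ad=$(ad_kvno "$SAMPLE_LDIF")
    echo "keytab KVNO: $kt  AD KVNO: $ad  -> $(kvno_status "$kt" "$ad")"
}

# Live mode for a joined host. KRB5_REALM, AD_DC, AD_USER and AD_BASE are
# assumptions to override in the environment; the principal is the upper-case
# short host name plus '$', which is how AD names the computer account.
live() {
    host_upper=$(hostname -s | tr '[:lower:]' '[:upper:]')
    princ="${host_upper}\$@${KRB5_REALM:-EXAMPLE.COM}"
    kt=$(keytab_max_kvno "$(klist -kte /etc/krb5.keytab)" "$princ")
    ldif=$(ldapsearch -LLL -H "ldap://${AD_DC:-dc1.example.com}" -x \
        -D "${AD_USER:-me_admin@example.com}" -W \
        -b "${AD_BASE:-DC=example,DC=com}" \
        "(sAMAccountName=${host_upper}\$)" msDS-KeyVersionNumber)
    ad=$(ad_kvno "$ldif")
    echo "keytab KVNO: $kt  AD KVNO: $ad  -> $(kvno_status "$kt" "$ad")"
}

if [ "${1:-}" = "--live" ]; then live; else demo; fi
```

On the sample data the verdict is stale-keytab. When the live run says the same, the remedy both replies give applies: `realm leave` and then `realm join` the host again, which resets the computer account password and writes a fresh /etc/krb5.keytab whose KVNO matches AD. Note that the ldapsearch bind uses a user credential rather than the keytab, since the keytab is exactly what is suspected of being unusable.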
