Ldap authentication sync issue with AD

Posted: 2019/06/17 18:46:58
by quqonlik
Hello,

If someone could help me with this issue. We had an issue with the website and had to revert the server to a snapshot image that is four months old. This server uses LDAP and AD authentication. After we reverted to the older snapshot image I started to see sssd errors:

"Jun 17 13:11:52 server.example.com [sssd[ldap_child[31019]]][31019]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection."

It was working fine and there were no recent configuration changes on the SSSD side.

Any suggestions?

Thank you!

Re: Ldap authentication sync issue with AD

Posted: 2019/06/18 18:56:54
by aks

> If someone could help me with this issue.

Probably not.
It kind of sounds like the keys have rotated and what is now in memory (originally from disk) is invalid after all this time (4 months).

Re: Ldap authentication sync issue with AD

Posted: 2019/06/19 18:35:45
by esokolowski
This is a common issue when the account you used to join the Linux client to the Windows domain has an expired password.

i.e. you probably typed something like: realm join -U [username] [domain]

Well, the 'username' should be a generic account, like "LDAP_ACCT", and it should not have an expiring password.

Rejoin your Linux client to your domain with this new account and the GSSAPI error will go away.

-E-

Re: Ldap authentication sync issue with AD

Posted: 2019/06/27 16:48:10
by quqonlik
I rejoined this host to the AD domain and the previous errors are gone, but:

realm join -v --computer-name=ADSERVER.COM --user=me_admin adserver.com

And getting the following error:

Jun 25 10:42:45 adserver.com sssd[12129]: ; TSIG error with server: tsig verify failure
Jun 25 10:42:45 adserver.com sssd[12129]: update failed: REFUSED

Trying to switch to an existing AD user:

su - me_admin

no such user exists

Is the TSIG error related to clock syncing?

Re: Ldap authentication sync issue with AD

Posted: 2019/06/28 05:59:53
by hunter86_bg
Better rejoin the Linux system. Most probably the KVNO of the keytab is different from the KVNO on the AD side.
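The KVNO mismatch that aks and hunter86_bg describe (keytab entries issued before the computer account's key was rotated) can be confirmed before rejoining. The script below is an added example, not code from the thread or from SSSD: it compares the KVNO column of `klist -kte` output against the `msDS-KeyVersionNumber` attribute of the computer object as returned by `ldapsearch`. Both inputs are constructed sample strings so the check runs offline; the hostname, realm, OU and KVNO values in them are made up for illustration.

```shell
#!/bin/sh
# Added diagnostic example: detect a keytab/AD KVNO mismatch.
# The two inputs below are CONSTRUCTED samples in the shape of
# `klist -kte /etc/krb5.keytab` and `ldapsearch -LLL ... msDS-KeyVersionNumber`
# output. On a real host, substitute the live output of those commands.

# Constructed klist output; KVNO is the first column of each entry line.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   5 02/14/2019 09:12:01 host/server.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   5 02/14/2019 09:12:01 host/server.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   5 02/14/2019 09:12:01 SERVER$@EXAMPLE.COM (aes256-cts-hmac-sha1-96)'

# Constructed LDIF for the computer object (hypothetical DN), where AD has
# already rotated the account key once since the snapshot was taken.
SAMPLE_LDAP='dn: CN=SERVER,OU=Linux,DC=example,DC=com
msDS-KeyVersionNumber: 6'

# keytab_kvnos: print the distinct KVNOs present in klist -kte output.
keytab_kvnos() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $1 }' | sort -un
}

# ad_kvno: extract msDS-KeyVersionNumber from LDIF output (empty if absent).
ad_kvno() {
    printf '%s\n' "$1" | awk -F': ' '$1 == "msDS-KeyVersionNumber" { print $2 }'
}

# kvno_status: "match" when every keytab entry carries AD's current KVNO,
# "mismatch" when any entry is stale, "unknown" when AD's value is missing.
kvno_status() {
    klist_out=$1
    ldap_out=$2
    ad=$(ad_kvno "$ldap_out")
    [ -n "$ad" ] || { echo "unknown"; return 2; }
    for k in $(keytab_kvnos "$klist_out"); do
        [ "$k" = "$ad" ] || { echo "mismatch"; return 1; }
    done
    echo "match"
}

# Stand-alone run against the constructed samples: the keytab still holds
# KVNO 5 while AD is at 6, so this reports "mismatch".
status=$(kvno_status "$SAMPLE_KLIST" "$SAMPLE_LDAP") || true
echo "keytab vs AD KVNO: $status"
```

A "mismatch" here means every GSSAPI bind with that keytab will fail preauthentication until the host is rejoined (or the keytab is refreshed), exactly the symptom in the first post; a "match" points the investigation elsewhere, for example at clock skew or an expired join account.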

Re: Ldap authentication sync issue with AD

Posted: 2020/10/29 19:08:41
by laci
I'm seeing the same issue on a fresh 7.8 install; has anyone found a fix?
I have tried re-joining it, which didn't help.