Hello,
If someone could help me with this issue. We had an issue with the website and we had to revert the server back to a snapshot image which is four months old. This server uses LDAP and AD authentication. After we reverted back to the older snapshot image I started to see sssd errors:
"Jun 17 13:11:52 server.example.com [sssd[ldap_child[31019]]][31019]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection."
It was working fine and there were no recent configuration changes on the SSSD side.
Any suggestions?
Thank you!
Ldap authentication sync issue with AD
Re: Ldap authentication sync issue with AD
If someone could help me with this issue.
It kind of sounds like the keys have rotated and what is now (in memory, originally from disk) is invalid after all this time (4 months).
Re: Ldap authentication sync issue with AD
Common issue when the account you used to join the linux client to the windows domain has an expired password.
i.e. - you probably typed something like >> realm join -U [username] [domain]
Well, the 'username' should be a generic account...like "LDAP_ACCT" and it should not have an expiring password.
Rejoin your linux client to your domain with this new account and the GSSAPI error will go away.
-E-
Re: Ldap authentication sync issue with AD
I rejoined this host to the AD domain and the previous errors are gone, but:
realm join -v --computer-name=ADSERVER.COM --user=me_admin adserver.com
And getting the following error:
Jun 25 10:42:45 adserver.com sssd[12129]: ; TSIG error with server: tsig verify failure
Jun 25 10:42:45 adserver.com sssd[12129]: update failed: REFUSED
Trying to switch to AD existing user
su - me_admin
no such user exists
Is the TSIG error related to clock syncing?
Re: Ldap authentication sync issue with AD
Better rejoin the linux system. Most probably the KVNO of the keytab is different from the KVNO on the AD.
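A quick way to confirm the KVNO mismatch this reply describes, as an added example that is not part of the thread: compare the key version in the local keytab (`klist -kt /etc/krb5.keytab`) with the version the KDC currently reports for the same principal (`kvno <principal>` after a `kinit` as any domain user). The sample outputs embedded below are constructed to mirror MIT Kerberos formatting; the principal name and realm are placeholders, and on a real host you would feed the live command output to the functions instead.

```shell
#!/bin/sh
# Added example: detect a stale keytab by comparing KVNOs.
# SAMPLE_KLIST and SAMPLE_KVNO are CONSTRUCTED to match the output format of
# `klist -kt /etc/krb5.keytab` and `kvno host/<fqdn>@REALM` (MIT Kerberos).
# Principal and realm names are placeholders.

SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 06/19/2019 10:12:11 host/server.example.com@EXAMPLE.COM
   3 06/19/2019 10:12:11 host/SERVER@EXAMPLE.COM
   3 06/19/2019 10:12:11 SERVER$@EXAMPLE.COM'

# What the KDC answers today: the computer account key has been rotated to 4.
SAMPLE_KVNO='host/server.example.com@EXAMPLE.COM: kvno = 4'

# keytab_kvno KLIST_OUTPUT PRINCIPAL -> highest KVNO held in the keytab for PRINCIPAL
# Columns of `klist -kt` are: KVNO, date, time, principal (so the principal is $4).
keytab_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" \
        '$1 ~ /^[0-9]+$/ && $4 == p { if ($1 + 0 > max) max = $1 + 0 } END { print max + 0 }'
}

# kdc_kvno KVNO_OUTPUT -> key version reported by the KDC ("<principal>: kvno = N")
kdc_kvno() {
    printf '%s\n' "$1" | awk -F'kvno = ' 'NF > 1 { print $2 + 0 }'
}

# check_kvno KLIST_OUTPUT KVNO_OUTPUT PRINCIPAL
# returns 0 when keytab and KDC agree, 1 when the keytab is stale (rejoin or
# refresh the keytab), 2 when either value could not be parsed.
check_kvno() {
    kt_ver=$(keytab_kvno "$1" "$3")
    kdc_ver=$(kdc_kvno "$2")
    if [ -z "$kdc_ver" ] || [ "$kt_ver" -eq 0 ]; then
        echo "UNKNOWN: could not read a KVNO for $3 from the keytab or the KDC"
        return 2
    fi
    if [ "$kt_ver" -eq "$kdc_ver" ]; then
        echo "OK: keytab KVNO $kt_ver matches KDC KVNO $kdc_ver for $3"
        return 0
    fi
    echo "STALE: keytab has KVNO $kt_ver but the KDC reports $kdc_ver for $3"
    return 1
}

# Stand-alone run against the constructed samples. On a real host, after kinit:
#   check_kvno "$(klist -kt /etc/krb5.keytab)" "$(kvno host/$(hostname -f))" "host/$(hostname -f)@REALM"
check_kvno "$SAMPLE_KLIST" "$SAMPLE_KVNO" 'host/server.example.com@EXAMPLE.COM' || true
```

A keytab restored from a months-old snapshot will typically report a lower KVNO than the KDC, which is exactly the "Preauthentication failed" symptom from the first post; a fresh `realm join` writes a keytab at the current version and the comparison comes back OK.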
Re: Ldap authentication sync issue with AD
I'm seeing the same issue on a fresh 7.8 install, has anyone found a fix?
I have tried re-joining it; that didn't help.