A recent hardware failure on one of our Samba 4 AD DCs that's the primary DC for a given Site has highlighted an annoying failure condition with the AD backend.
The symptom is that either krb5_child or ldap_child (I've seen both) is unable to authenticate using the machine's Kerberos token:
(Mon Jun 13 08:46:37 2016) [[sssd[krb5_child[6367]]]] [get_and_save_tgt] (0x0020): 1232: [-1765328360][Preauthentication failed]
This only happens immediately after a new key is generated and sssd is restarted. The problem appears to fix itself about two minutes later, probably when the "check backend is really healthy" scheduled job kicks off. However, the initial failure has led me down many avenues of misdiagnosis :-)
This is how I was re-joining machines to the domain:
service sssd stop
rm -f /etc/krb5.keytab
rm -f /tmp/krb5*
/usr/sbin/adcli join -D EXAMPLE.COM -U USER -N "$(grep -P ^ldap_sasl_authid /etc/sssd/sssd.conf | cut -f3 -d" " | sed "s/\$.*$//")" --stdin-password
rm -Rf /var/lib/sss/db/
mkdir /var/lib/sss/db/
rm -f /var/log/sssd/*
service sssd start
I have logs from a single server showing a failed auth immediately after restart, then the same logs a few minutes later showing auth working without any intervention on my part.
I'd prefer to send the two sets of logs to someone privately; if I try to sanitise them I'll probably remove some helpful information, and I don't want it published to an open bug report (enumeration of user accounts, etc).
I should mention this is standard CentOS 6.8 sssd-1.13.3-22.el6.x86_64, not 1.13.3-22.el6_8.3 that you gave me in #3006.
Doing some isolated testing with iptables, it looks like this is more likely another symptom of #3044. I'll close this in favour of that bug.
Either I can't find the option or I don't have the power to close my own bugs. Please close this when you see it.
OK, closing.
resolution: => invalid
status: new => closed
Metadata Update from @lukebigum: - Issue set to the milestone: NEEDS_TRIAGE
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/4075
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.