#3042 sssd-ad does not immediately fail away from failed DC on restart
Closed: Invalid None Opened 7 years ago by lukebigum.

A recent hardware failure on one of our Samba 4 AD DCs that's the primary DC for a given Site has highlighted an annoying failure condition with the AD backend.

The symptom is either krb5_child or ldap_child (I've seen both) are unable to authenticate using the machine's Kerberos token:

(Mon Jun 13 08:46:37 2016) [[sssd[krb5_child[6367]]]] [get_and_save_tgt] (0x0020): 1232: [-1765328360][Preauthentication failed]

This only happens immediately after a new key is generated and sssd is restarted. The problem appears to fix itself about two minutes later, probably when the "check backend is really healthy" scheduled job kicks off. However, the initial failure has led me down many avenues of misdiagnosis :-)

This is how I was re-joining machines to the domain:

service sssd stop
rm -f /etc/krb5.keytab
rm -f /tmp/krb5*
/usr/sbin/adcli join -D EXAMPLE.COM -U USER -N "$(grep -P ^ldap_sasl_authid /etc/sssd/sssd.conf | cut -f3 -d" " | sed "s/\$.*$//")" --stdin-password
rm -Rf /var/lib/sss/db/
mkdir /var/lib/sss/db/
rm -f /var/log/sssd/*
service sssd start

I have logs from a single server showing a failed auth immediately after restart, then the same logs a few minutes later showing auth working without any intervention on my part.

I'd prefer to send the two sets of logs to someone privately; if I try to sanitise them I'll probably remove some helpful information, and I don't want it published to an open bug report (enumeration of user accounts, etc).
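A pre-start sanity check for the re-join procedure above, added here as an example (it is not from the report, from SSSD or from adcli): run it between `adcli join` and `service sssd start` so that a keytab the KDC rejects is not confused with the post-restart failure described in the report. It assumes MIT krb5 `klist`/`kinit` and the default keytab path; the `klist -ke` sample at the bottom is constructed.

```shell
#!/bin/sh
# Added example (not from the report or the SSSD project): validate the machine
# keytab against a KDC after 'adcli join' and before 'service sssd start', so a
# key the KDC rejects is not mistaken for the post-restart failover delay.
# Assumes MIT krb5 klist/kinit and the default keytab path.
KEYTAB=${KEYTAB:-/etc/krb5.keytab}

# Read 'klist -ke' output on stdin and print "<kvno> <principal>" for the
# machine account entry (name ending in '$@REALM') with the highest KVNO.
highest_machine_principal() {
    awk 'NF >= 3 && $1 ~ /^[0-9]+$/ && $2 ~ /\$@/ && ($1 + 0) > best {
             best = $1 + 0; princ = $2
         }
         END { if (princ != "") print best, princ }'
}

# Obtain a TGT with that entry into a throwaway credential cache. A
# "Preauthentication failed" here points at the key or the KDC reached,
# not at sssd, so sssd should not be started until this passes.
check_keytab() {
    sel=$(klist -ke "$KEYTAB" | highest_machine_principal)
    if [ -z "$sel" ]; then
        echo "no machine principal found in $KEYTAB" >&2
        return 1
    fi
    princ=${sel#* }
    echo "checking $princ (kvno ${sel%% *}) from $KEYTAB"
    KRB5CCNAME="FILE:/tmp/keytab-check.$$"; export KRB5CCNAME
    if kinit -kt "$KEYTAB" "$princ"; then
        kdestroy >/dev/null 2>&1
        return 0
    fi
    echo "kinit failed for $princ; fix the keytab before starting sssd" >&2
    return 1
}

# Constructed sample of 'klist -ke' output to exercise the parser offline.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
   1 WEB01$@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 host/web01.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 WEB01$@EXAMPLE.COM (aes256-cts-hmac-sha1-96)'

if [ "${1:-}" = "--check" ]; then
    check_keytab
fi
```

Invoke with `--check` on the joined host; without arguments the script only defines the functions.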


I should mention this is standard CentOS 6.8 sssd-1.13.3-22.el6.x86_64, not 1.13.3-22.el6_8.3 that you gave me in #3006.

Doing some isolated testing with iptables, it looks like this is more likely another symptom of #3044. I'll close this in favour of that bug.

Either I can't find the option or I don't have the power to close my own bugs. Please close this when you see it.

OK, closing.

resolution: => invalid
status: new => closed

Metadata Update from @lukebigum:
- Issue set to the milestone: NEEDS_TRIAGE


SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4075

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
