Hi experts,
We noticed that our Linux VM, which has been joined to AD, somehow shows the domain status as offline after some time. The Linux system is unable to find the global catalog. We need to leave the domain and re-join the Linux server to AD using the command realm join --user=test --computer-name=moc-moc-radinterop-01-wsg testlab.local
[root@moc-radinterop-01-wsg archive]# sssctl domain-status testlab.local
Online status: Offline
Active servers:
AD Global Catalog: not connected
AD Domain Controller: roc-ad-02.testlab.local
Discovered AD Global Catalog servers:
None so far.
Discovered AD Domain Controller servers:
- roc-ad-01.testlab.local
- ad01.testlab.local
- ad02.testlab.local
- roc-ad-02.testlab.local
tcpdump shows that the LDAP connection is established:
11:42:38.492430 IP 10.76.0.135.56080 > 192.168.88.35.ldap: Flags [S], seq 2812817828, win 29200, options [mss 1460,sackOK,TS val 2043002412 ecr 0,nop,wscale 7], length 0
11:42:38.493775 IP 192.168.88.35.ldap > 10.76.0.135.56080: Flags [S.], seq 3406745611, ack 2812817829, win 8192, options [mss 1380,nop,wscale 8,sackOK,TS val 104582199 ecr 2043002412], length 0
11:42:38.493790 IP 10.76.0.135.56080 > 192.168.88.35.ldap: Flags [.], ack 1, win 229, options [nop,nop,TS val 2043002413 ecr 104582199], length 0
11:42:38.493920 IP 10.76.0.135.56080 > 192.168.88.35.ldap: Flags [P.], seq 1:261, ack 1, win 229, options [nop,nop,TS val 2043002413 ecr 104582199], length 260
The log shows:
moc-radinterop-01-wsg sssd[ldap_child[78275]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
Our sssd.conf is as below:
[sssd]
domains = testlab.LOCAL
config_file_version = 2
services = nss, pam
[nss]
filter_users = root
[domain/testlab.LOCAL]
ad_domain = testlab.LOCAL
krb5_realm = testlab.LOCAL
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_sasl_authid = moc-radinterop-01-wsg$
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = ad
Is anybody having similar issues to ours with a Linux VM that uses SSSD and is joined to AD?
Regards,
Shiro
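One check worth running before leaving and re-joining the domain, as an added example that is not part of the original post and not SSSD's own code: "Preauthentication failed" while SSSD's ldap_child initialises credentials from /etc/krb5.keytab usually means the key in the keytab no longer matches the computer account in AD (for instance after a machine account password rotation that did not update the keytab), so the GSSAPI bind can never succeed even though the TCP connection to LDAP is fine. The script parses the output of `klist -kte /etc/krb5.keytab` and compares the key version numbers (kvno) stored for the SASL principal with the computer object's msDS-KeyVersionNumber from AD. Both inputs here are constructed samples: the hostname and realm are taken from the post, while the timestamps, the kvno values and the AD value of 4 are assumptions chosen to show a mismatch.

```python
import re
from collections import defaultdict

# Constructed sample of `klist -kte /etc/krb5.keytab` output (assumption: not
# taken from the post; kvno 3 and the timestamps are made up for illustration).
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 01/10/2020 11:42:38 host/moc-radinterop-01-wsg.testlab.local@TESTLAB.LOCAL (aes256-cts-hmac-sha1-96)
   3 01/10/2020 11:42:38 host/moc-radinterop-01-wsg.testlab.local@TESTLAB.LOCAL (aes128-cts-hmac-sha1-96)
   3 01/10/2020 11:42:38 MOC-RADINTEROP-01-WSG$@TESTLAB.LOCAL (aes256-cts-hmac-sha1-96)
   3 01/10/2020 11:42:38 MOC-RADINTEROP-01-WSG$@TESTLAB.LOCAL (aes128-cts-hmac-sha1-96)
"""

# Constructed msDS-KeyVersionNumber of the computer object as ldapsearch would
# return it (assumption: 4, i.e. one rotation newer than the keytab above).
SAMPLE_AD_KVNO = 4

# One keytab entry line: kvno, "date time", principal, "(enctype)".
KLIST_LINE = re.compile(r"^\s*(\d+)\s+(\S+ \S+)\s+(\S+)\s+\((\S+)\)\s*$")


def parse_klist(text):
    """Return {principal: {kvno: set(enctypes)}} from `klist -kte` output.
    Header and separator lines do not match the pattern and are skipped."""
    entries = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if not m:
            continue
        kvno, _timestamp, principal, enctype = m.groups()
        entries[principal][int(kvno)].add(enctype)
    return {p: dict(v) for p, v in entries.items()}


def find_principal(entries, sasl_authid, realm):
    """Locate the keytab principal for ldap_sasl_authid. AD account names are
    case-insensitive, so compare case-insensitively to avoid a false alarm when
    the config says moc-...$ and the keytab holds MOC-...$."""
    want = f"{sasl_authid}@{realm}".lower()
    for principal in entries:
        if principal.lower() == want:
            return principal
    return None


def check_keytab(klist_text, sasl_authid, realm, ad_kvno):
    """Diagnose why a GSSAPI bind from the keytab could fail.
    Returns (ok, findings); an empty findings list means nothing was detected."""
    findings = []
    entries = parse_klist(klist_text)
    principal = find_principal(entries, sasl_authid, realm)
    if principal is None:
        findings.append(f"keytab has no entry for {sasl_authid}@{realm}; "
                        f"present: {sorted(entries)}")
        return False, findings
    kvnos = sorted(entries[principal])
    if ad_kvno not in kvnos:
        findings.append(f"kvno mismatch for {principal}: keytab has {kvnos}, "
                        f"AD msDS-KeyVersionNumber is {ad_kvno} "
                        "(machine account password rotated without updating the keytab?)")
    # DCs that only allow AES will reject a keytab that carries RC4/DES keys only.
    enctypes = set().union(*entries[principal].values())
    if not any(e.startswith("aes") for e in enctypes):
        findings.append(f"no AES keys for {principal}: {sorted(enctypes)}")
    return not findings, findings


if __name__ == "__main__":
    ok, findings = check_keytab(SAMPLE_KLIST, "moc-radinterop-01-wsg$",
                                "TESTLAB.LOCAL", SAMPLE_AD_KVNO)
    print("OK" if ok else "PROBLEM")
    for f in findings:
        print(" -", f)
```

On the live host the two inputs come from `klist -kte /etc/krb5.keytab` and from an ldapsearch for the computer object's msDS-KeyVersionNumber bound with a user account (a GSSAPI bind would fail for the same reason SSSD's does). `kinit -kt /etc/krb5.keytab 'MOC-RADINTEROP-01-WSG$'` reproduces the "Preauthentication failed" error directly if the key is stale, and since the config carries realmd_tags = joined-with-samba, `net ads testjoin` is the quick end-to-end check of whether the machine account secret still works.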