Linux server joined to AD using SSSD: the Linux server is unable to find the global catalog after some time

Shiro S 1 Reputation point
2021-09-29T07:24:47.647+00:00

Hi expert,

We noticed that our Linux VM, which has been joined to AD, somehow shows the domain status as offline after some time. The Linux system is unable to find the global catalog. We need to leave the domain and re-join the Linux server to AD using the command realm join --user=test --computer-name=moc-moc-radinterop-01-wsg.testlab.local

[root@moc-radinterop-01-wsg archive]# sssctl domain-status testlab.local
Online status: Offline

Active servers:
AD Global Catalog: not connected
AD Domain Controller: roc-ad-02.testlab.local

Discovered AD Global Catalog servers:
None so far.

Discovered AD Domain Controller servers:

  • roc-ad-01.testlab.local
  • ad01.testlab.local
  • ad02.testlab.local
  • roc-ad-02.testlab.local

tcpdump shows that the LDAP connection is established:
11:42:38.492430 IP 10.76.0.135.56080 > 192.168.88.35.ldap: Flags [S], seq 2812817828, win 29200, options [mss 1460,sackOK,TS val 2043002412 ecr 0,nop,wscale 7], length 0
11:42:38.493775 IP 192.168.88.35.ldap > 10.76.0.135.56080: Flags [S.], seq 3406745611, ack 2812817829, win 8192, options [mss 1380,nop,wscale 8,sackOK,TS val 104582199 ecr 2043002412], length 0
11:42:38.493790 IP 10.76.0.135.56080 > 192.168.88.35.ldap: Flags [.], ack 1, win 229, options [nop,nop,TS val 2043002413 ecr 104582199], length 0
11:42:38.493920 IP 10.76.0.135.56080 > 192.168.88.35.ldap: Flags [P.], seq 1:261, ack 1, win 229, options [nop,nop,TS val 2043002413 ecr 104582199], length 260

The log shows:

moc-radinterop-01-wsg sssd[ldap_child[78275]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.

Our sssd.conf is as below:

[sssd]
domains = testlab.LOCAL
config_file_version = 2
services = nss, pam
[nss]
filter_users = root

[domain/testlab.LOCAL]
ad_domain = testlab.LOCAL
krb5_realm = testlab.LOCAL
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_sasl_authid = moc-radinterop-01-wsg$
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = ad

Is anybody having similar issues with a Linux VM that uses SSSD to join AD?

Regards,
Shiro


2 answers

  1. Jai Verma 461 Reputation points
    2021-09-29T08:33:01.203+00:00

    If I read the error message correctly, it is failing to use the keytab file. Looking at the SSSD configuration, you point to nss and pam. Did you check whether there is a configuration for the keytab file and whether the keytab file is valid?

    moc-radinterop-01-wsg sssd[ldap_child[78275]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
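
Following up on the keytab question, here is an offline check I would add (example code, not from the original thread or from SSSD itself): it compares the key version number (kvno) of the computer account held in the host keytab with the kvno AD reports for that account, because a keytab whose key no longer matches the account's current password in AD is exactly what yields "Preauthentication failed" when SSSD initialises credentials from it. The klist output below is constructed, and the principal is assumed to be the ldap_sasl_authid from the sssd.conf above.

```shell
#!/bin/sh
# Added example, not from the original post. Checks whether the keytab SSSD
# loads (MEMORY:/etc/krb5.keytab in the log) still matches the computer
# account in AD by comparing key version numbers. Inputs are plain text, so
# the check also runs offline on saved command output.

# keytab_check KLIST_OUTPUT PRINCIPAL AD_KVNO
#   KLIST_OUTPUT: output of `klist -kte /etc/krb5.keytab`
#   PRINCIPAL:    account SSSD authenticates as (ldap_sasl_authid)
#   AD_KVNO:      msDS-KeyVersionNumber of that computer object in AD
# Returns 0 when the keytab holds PRINCIPAL at AD_KVNO, 1 otherwise.
keytab_check() {
    klist_out=$1 principal=$2 ad_kvno=$3
    # Key lines look like: "KVNO date time principal@REALM (enctype)".
    # The principal is compared case-insensitively and without the realm,
    # since samba-written keytabs usually store the account name uppercased.
    kvnos=$(printf '%s\n' "$klist_out" | awk -v p="$principal" '
        $1 ~ /^[0-9]+$/ {
            split($4, parts, "@")
            if (tolower(parts[1]) == tolower(p)) print $1
        }' | sort -un)
    if [ -z "$kvnos" ]; then
        echo "MISSING: no key for $principal in keytab"
        return 1
    fi
    for k in $kvnos; do
        [ "$k" = "$ad_kvno" ] && { echo "OK: kvno $k matches AD"; return 0; }
    done
    echo "STALE: keytab kvno(s) [$(echo $kvnos)] != AD kvno $ad_kvno; expect 'Preauthentication failed'"
    return 1
}

# Constructed sample of `klist -kte` output for the host in the question.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 09/29/2021 07:00:00 MOC-RADINTEROP-01-WSG$@TESTLAB.LOCAL (aes256-cts-hmac-sha1-96)
   3 09/29/2021 07:00:00 MOC-RADINTEROP-01-WSG$@TESTLAB.LOCAL (aes128-cts-hmac-sha1-96)
   3 09/29/2021 07:00:00 host/moc-radinterop-01-wsg.testlab.local@TESTLAB.LOCAL (aes256-cts-hmac-sha1-96)'

# On the live host the two inputs come from (the bind user "test" is the
# one used for realm join in the question):
#   klist -kte /etc/krb5.keytab
#   ldapsearch -LLL -H ldap://roc-ad-02.testlab.local -D 'test@testlab.local' -W \
#     -b 'DC=testlab,DC=local' '(sAMAccountName=moc-radinterop-01-wsg$)' msDS-KeyVersionNumber
# The definitive test, using the principal spelling shown by klist, is:
#   kinit -kt /etc/krb5.keytab 'MOC-RADINTEROP-01-WSG$'
keytab_check "$SAMPLE_KLIST" 'moc-radinterop-01-wsg$' 3          # matching kvno
keytab_check "$SAMPLE_KLIST" 'moc-radinterop-01-wsg$' 4 || true  # kvno bumped in AD
```

If the kvno differs, re-joining (as you already do) writes a fresh keytab, which is why the re-join "fixes" it until the next mismatch.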


  2. Shiro S 1 Reputation point
    2021-10-04T08:48:51.043+00:00

    Hi Jaiverma,

    Yes, the keytab file was available. What other possibilities might cause the server to be unable to connect to the AD server?
