ShiroS-2562 asked:

Linux server joined to AD using SSSD: the Linux server is unable to find the global catalog after some time

Hi expert,

We noticed that our Linux VM, which has been joined to AD, somehow shows the domain status as offline after some time. The Linux system is unable to find the global catalog. We need to leave the domain and re-join the Linux server to AD using the command realm join --user=test --computer-name=moc-moc-radinterop-01-wsg.testlab.local

[root@moc-radinterop-01-wsg archive]# sssctl domain-status testlab.local
Online status: Offline

Active servers:
AD Global Catalog: not connected
AD Domain Controller: roc-ad-02.testlab.local

Discovered AD Global Catalog servers:
None so far.

Discovered AD Domain Controller servers:
- roc-ad-01.testlab.local
- ad01.testlab.local
- ad02.testlab.local
- roc-ad-02.testlab.local

tcpdump shows that the LDAP connection is established:
11:42:38.492430 IP 10.76.0.135.56080 > 192.168.88.35.ldap: Flags [S], seq 2812817828, win 29200, options [mss 1460,sackOK,TS val 2043002412 ecr 0,nop,wscale 7], length 0
11:42:38.493775 IP 192.168.88.35.ldap > 10.76.0.135.56080: Flags [S.], seq 3406745611, ack 2812817829, win 8192, options [mss 1380,nop,wscale 8,sackOK,TS val 104582199 ecr 2043002412], length 0
11:42:38.493790 IP 10.76.0.135.56080 > 192.168.88.35.ldap: Flags [.], ack 1, win 229, options [nop,nop,TS val 2043002413 ecr 104582199], length 0
11:42:38.493920 IP 10.76.0.135.56080 > 192.168.88.35.ldap: Flags [P.], seq 1:261, ack 1, win 229, options [nop,nop,TS val 2043002413 ecr 104582199], length 260

The log shows:

moc-radinterop-01-wsg sssd[ldap_child[78275]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.

Our sssd.conf is as below:

[sssd]
domains = testlab.LOCAL
config_file_version = 2
services = nss, pam
[nss]
filter_users = root

[domain/testlab.LOCAL]
ad_domain = testlab.LOCAL
krb5_realm = testlab.LOCAL
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_sasl_authid = moc-radinterop-01-wsg$
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = ad


Is anybody having similar issues with a Linux VM that uses SSSD to join AD?


Regards,
Shiro

JaiVerma-7010 answered:

If I read the error message correctly, it is failing to use the keytab file. Looking at the SSSD configuration, you point to nss and pam. Did you check whether there is a configuration for the keytab file and whether the keytab file is valid?

moc-radinterop-01-wsg sssd[ldap_child[78275]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.

ShiroS-2562 answered:

Hi Jaiverma,

Yes, the keytab file was available. What other possibilities might cause the server to be unable to connect to the AD server?

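As an added example (not posted in this thread), a POSIX shell helper that a defender can run on a host showing these symptoms: it parses the sssctl domain-status output, checks that the keytab holds an entry for the machine account, tries kinit with that keytab (the step that produced the "Preauthentication failed" line above), and looks up the SRV records SSSD uses for global catalog discovery. The domain, keytab path and the "run" argument are assumptions; the sample status text is constructed from the question.

```shell
#!/bin/sh
# Added troubleshooting helper, not from the thread. Assumed domain and keytab
# path; the live checks only run when the script is started with "run".
DOMAIN="${DOMAIN:-testlab.local}"
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"

# gc_connected STATUS_TEXT -> 0 if the GC line names a server, 1 if it says
# "not connected", 2 if the line is missing. Pure text parsing, testable offline.
gc_connected() {
    printf '%s\n' "$1" | grep -q '^AD Global Catalog: not connected' && return 1
    printf '%s\n' "$1" | grep -q '^AD Global Catalog: [^ ]' && return 0
    return 2
}

# Constructed sample mirroring the output posted in the question.
SAMPLE_STATUS='Online status: Offline

Active servers:
AD Global Catalog: not connected
AD Domain Controller: roc-ad-02.testlab.local'

# keytab_has_host_key KEYTAB PRINCIPAL -> 0 if klist lists a key for the
# machine account (e.g. "moc-radinterop-01-wsg$"). Needs the krb5 client tools.
keytab_has_host_key() {
    klist -kt "$1" 2>/dev/null | grep -qi -- "$2"
}

# gc_srv_records DOMAIN -> prints the SRV targets SSSD resolves to find a GC
# (_ldap._tcp.gc._msdcs.<domain>). Empty output means discovery cannot succeed
# even though a plain LDAP TCP handshake looks fine in tcpdump.
gc_srv_records() {
    dig +short SRV "_ldap._tcp.gc._msdcs.$1" 2>/dev/null
}

if [ "${1:-}" = "run" ]; then
    status="$(sssctl domain-status "$DOMAIN")"
    printf '%s\n' "$status"
    if gc_connected "$status"; then
        echo "GC connected"
    else
        echo "GC not connected; checking keytab and DNS"
        keytab_has_host_key "$KEYTAB" "$(hostname -s)\$" \
            || echo "keytab $KEYTAB has no entry for $(hostname -s)\$"
        kinit -k -t "$KEYTAB" "$(hostname -s)\$" \
            || echo "kinit from keytab failed: the stored key no longer matches the AD account"
        [ -n "$(gc_srv_records "$DOMAIN")" ] \
            || echo "no _ldap._tcp.gc._msdcs.$DOMAIN SRV records: DNS announces no GC"
    fi
fi
```

A kinit failure from the keytab while the file is present is the case the thread is stuck on: the keytab exists, but the AD side no longer accepts its key, which is why re-joining (writing a fresh keytab) clears the symptom until it recurs.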