We have added the computer to Active Directory following the process, and we are running Rocky Linux 9.
Users that have joined the computer to the Active Directory domain can successfully log in to the Rocky Linux machine.
However, we've noticed that after a few days, a small percentage of users, not all users, are occasionally unable to log in.
Therefore, we have to remove the computer from the domain. Once the machine was rejoined, users were able to communicate with the machines again.
We have been seeing this behavior for the past two months. Any suggestion will be very helpful.
sssd logs for reference
sssd status shows the status below at the time a few users had the connectivity issue.
systemctl status sssd
● sssd.service - System Security Services Daemon
Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; preset: enabled)
Active: active (running) since Sun 2024-02-04 01:24:53 PST; 2 weeks 0 days ago
Main PID: 740 (sssd)
Tasks: 5 (limit: 98304)
Memory: 64.9M
CPU: 23min 25.887s
CGroup: /system.slice/sssd.service
├─740 /usr/sbin/sssd -i --logger=files
├─756 /usr/libexec/sssd/sssd_be --domain adxyz.info --uid 0 --gid 0 --logger=files
├─767 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
├─768 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files
└─769 /usr/libexec/sssd/sssd_pac --uid 0 --gid 0 --logger=files
Feb 19 00:48:20 linux-5 ldap_child[368446]: Failed to initialize credentials using keytab [MEMORY:/etc/>
Feb 19 00:48:20 linux-5 ldap_child[368447]: Failed to initialize credentials using keytab [MEMORY:/etc/>
Feb 19 00:48:20 linux-5 ldap_child[368448]: Failed to initialize credentials using keytab [MEMORY:/etc/>
Feb 19 00:48:20 linux-5 krb5_child[368449]: Cannot find key for LOCALHOST$@adxyz.INFO kvno 38 in ke>
Feb 19 00:48:20 linux-5 krb5_child[368449]: Cannot find key for LOCALHOST$@adxyz.INFO kvno 38 in ke>
Feb 19 00:49:22 linux-5 ldap_child[371897]: Failed to initialize credentials using keytab [MEMORY:/etc/>
Feb 19 00:49:24 linux-5 ldap_child[371898]: Failed to initialize credentials using keytab [MEMORY:/etc/>
Feb 19 00:49:28 linux-5 ldap_child[371899]: Failed to initialize credentials using keytab [MEMORY:/etc/>
Feb 19 00:49:28 linux-5 ldap_child[371900]: Failed to initialize credentials using keytab [MEMORY:/etc/>
Feb 19 00:49:28 linux-5 ldap_child[371901]: Failed to initialize credentials using keytab [MEMORY:/etc/>
---------------------------------------------------
sssd status shows the logs below when users are able to connect, after rejoining Active Directory.
systemctl status sssd
● sssd.service - System Security Services Daemon
Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; preset: enabled)
Active: active (running) since Mon 2024-02-19 05:12:14 PST; 1min 22s ago
Main PID: 1190172 (sssd)
Tasks: 5 (limit: 98304)
Memory: 53.5M
CPU: 396ms
CGroup: /system.slice/sssd.service
├─1190172 /usr/sbin/sssd -i --logger=files
├─1190174 /usr/libexec/sssd/sssd_be --domain adxyz.info --uid 0 --gid 0 --logger=files
├─1190175 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
├─1190176 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files
└─1190177 /usr/libexec/sssd/sssd_pac --uid 0 --gid 0 --logger=files
Feb 19 05:12:14 linux-5 systemd[1]: Starting System Security Services Daemon...
Feb 19 05:12:14 linux-5 sssd[1190172]: Starting up
Feb 19 05:12:14 linux-5 sssd_be[1190174]: Starting up
Feb 19 05:12:14 linux-5 sssd_nss[1190175]: Starting up
Feb 19 05:12:14 linux-5 sssd_pam[1190176]: Starting up
Feb 19 05:12:14 linux-5 sssd_pac[1190177]: Starting up
Feb 19 05:12:14 linux-5 systemd[1]: Started System Security Services Daemon.
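The two kinds of journal line in the failing status output above carry the diagnosis: `krb5_child` cannot find a key for the machine principal at the key version number (kvno) the KDC is asking for, and `ldap_child` cannot obtain credentials from the keytab at all. The script below is an added example, not something the poster or the sssd project ships; it runs that check over constructed sample lines (modelled on the post's output, with the pager-truncated message tails filled in as assumptions, `/etc/krb5.keytab` being sssd's default keytab) and pairs the kvno the KDC wanted with the kvno held in the keytab, as listed by `klist -kt`. A requested kvno higher than the held one is the signature of a machine account password that changed in AD without the local keytab being updated.

```python
import re

# Constructed sample journal lines (modelled on the post, tails filled in as assumptions).
SAMPLE_JOURNAL = """\
Feb 19 00:48:20 linux-5 ldap_child[368446]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]
Feb 19 00:48:20 linux-5 ldap_child[368447]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]
Feb 19 00:48:20 linux-5 krb5_child[368449]: Cannot find key for LOCALHOST$@adxyz.INFO kvno 38 in keytab
Feb 19 00:48:20 linux-5 krb5_child[368449]: Cannot find key for LOCALHOST$@adxyz.INFO kvno 38 in keytab
Feb 19 05:12:14 linux-5 sssd_be[1190174]: Starting up
"""

# Constructed `klist -kt /etc/krb5.keytab` output for the same host: the keytab
# still holds key version 37, one behind what the KDC asks for in the journal.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
  37 01/05/2024 01:24:53 LOCALHOST$@adxyz.INFO
  37 01/05/2024 01:24:53 host/linux-5.adxyz.info@adxyz.INFO
"""

KVNO_RE = re.compile(
    r"krb5_child\[\d+\]: Cannot find key for (?P<principal>\S+) kvno (?P<kvno>\d+)")
KEYTAB_INIT_RE = re.compile(
    r"ldap_child\[\d+\]: Failed to initialize credentials using keytab")
# A klist row: kvno, optional timestamp columns, then the principal (always has a realm).
KLIST_ROW_RE = re.compile(r"^\s*(?P<kvno>\d+)\s+(?:.*\s)?(?P<principal>\S+@\S+)\s*$")


def analyse_sssd_journal(text):
    """Return (keytab init failures, {principal: set of kvnos the KDC asked for})."""
    failures = 0
    requested = {}
    for line in text.splitlines():
        m = KVNO_RE.search(line)
        if m:
            requested.setdefault(m["principal"], set()).add(int(m["kvno"]))
        elif KEYTAB_INIT_RE.search(line):
            failures += 1
    return failures, requested


def parse_klist_keytab(text):
    """Map each principal in `klist -k` / `klist -kt` output to its highest kvno."""
    held = {}
    for line in text.splitlines():
        m = KLIST_ROW_RE.match(line)
        if m:
            principal, kvno = m["principal"], int(m["kvno"])
            held[principal] = max(kvno, held.get(principal, 0))
    return held


def diagnose(journal_text, klist_text):
    """Pair each rejected principal with (kvno the KDC wanted, kvno in the keytab).

    An entry means the account's password in AD is newer than the key on disk,
    so the keytab must be refreshed (for example by re-joining or renewing).
    """
    _, requested = analyse_sssd_journal(journal_text)
    held = parse_klist_keytab(klist_text)
    stale = {}
    for principal, kvnos in requested.items():
        wanted = max(kvnos)
        have = held.get(principal)
        if have is None or wanted > have:
            stale[principal] = (wanted, have)
    return stale


if __name__ == "__main__":
    failures, requested = analyse_sssd_journal(SAMPLE_JOURNAL)
    print(f"keytab credential failures: {failures}")
    for principal, (wanted, have) in diagnose(SAMPLE_JOURNAL, SAMPLE_KLIST).items():
        print(f"{principal}: KDC wants kvno {wanted}, keytab holds {have}")
```

On a real host the two inputs come from `journalctl -u sssd` and `klist -kt /etc/krb5.keytab`; the same functions apply unchanged to that output.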
In Active Directory, it is possible to check when a password was changed on any object; this includes computer objects. Changing a password in Active Directory does not notify the actual object of such a change. The actual object will not be aware of this change and cannot renew its keytab, because it does not know its own password any longer.
Depending on how often this password is being changed in AD or being invalidated in some way, you can tell sssd to rotate automatically for you to see if that resolves the issue to some extent. This is done by setting ad_maximum_machine_account_password_age in sssd.conf. The default for this is 30 days. Set it to a number of days before the issues start typically occurring for you on this system and see if it helps.
Whilst an 'object' isn't aware that its password has changed, it is notified and that is why you can check if it has changed. You can check when the password was last changed by obtaining the 'pwdLastSet' attribute from the computer's object, along with the domain's 'maxPwdAge' attribute; from these you can calculate if the password has expired or when it will expire (unless you have set it to never expire).
Now, every machine password, by default, is changed every 30 days, and setting 'ad_maximum_machine_account_password_age' to less than this will mean that sssd will attempt to renew the machine's ticket after the number of days set, so setting this may just make the problem worse. Now, if this was winbind, I would suggest adding 'winbind refresh tickets = yes' to the smb.conf file, but I cannot seem to find the sssd equivalent. Is there one?
I should also point out that you do not actually require a keytab; kinit will work without it.
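The two replies above describe a calculation and a setting: `pwdLastSet` and `maxPwdAge` give the expiry of the computer account's password, and `ad_maximum_machine_account_password_age` in sssd.conf gives the age (in days, default 30) after which sssd tries to renew it. The following added example, which is neither poster's code nor part of sssd, carries that calculation through in Python. Both AD attributes are 64-bit counts of 100-nanosecond ticks: `pwdLastSet` is absolute, counted from 1601-01-01 UTC, and `maxPwdAge` is stored as a negative interval, with 0 or the most negative value meaning "never expires". The sssd.conf fragment and the attribute values are constructed for the example; the domain name reuses the one from the post's process listing.

```python
import configparser
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = {0, -(2 ** 63)}   # maxPwdAge values AD uses for "password never expires"

# Constructed sssd.conf fragment (the domain name is the one shown in the post).
SAMPLE_SSSD_CONF = """\
[sssd]
domains = adxyz.info
services = nss, pam

[domain/adxyz.info]
id_provider = ad
ad_domain = adxyz.info
ad_maximum_machine_account_password_age = 30
"""

# Constructed attribute values: pwdLastSet = 2024-02-04 00:00 UTC, maxPwdAge = 30 days.
SAMPLE_PWD_LAST_SET = 133514784000000000
SAMPLE_MAX_PWD_AGE = -25920000000000


def filetime_to_datetime(filetime):
    """Convert an AD large-integer timestamp (100 ns ticks since 1601-01-01 UTC)."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def password_expiry(pwd_last_set, max_pwd_age):
    """When a password set at pwdLastSet expires under maxPwdAge, or None for never."""
    if max_pwd_age in NEVER_EXPIRES:
        return None
    if pwd_last_set == 0:
        # pwdLastSet = 0 means "must change at next logon": treat as already expired.
        return FILETIME_EPOCH
    # maxPwdAge is stored as a negative interval, so add its magnitude.
    return filetime_to_datetime(pwd_last_set + abs(max_pwd_age))


def configured_machine_password_age(conf_text, domain):
    """Days after which sssd attempts machine password renewal (sssd default: 30)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp.getint(f"domain/{domain}",
                     "ad_maximum_machine_account_password_age", fallback=30)


def rotation_report(pwd_last_set, max_pwd_age, conf_text, domain, now_iso):
    """Compare the AD expiry with the point at which sssd would renew (ISO 8601 strings)."""
    now = datetime.fromisoformat(now_iso)
    last_set = filetime_to_datetime(pwd_last_set)
    expires = password_expiry(pwd_last_set, max_pwd_age)
    renew_after = last_set + timedelta(
        days=configured_machine_password_age(conf_text, domain))
    return {
        "last_set": last_set.isoformat(),
        "expires": None if expires is None else expires.isoformat(),
        "sssd_renews_after": renew_after.isoformat(),
        "expired": expires is not None and now >= expires,
        # False when the configured age is not shorter than the domain policy,
        # i.e. sssd would only try to renew once the password has already expired.
        "renewal_before_expiry": expires is None or renew_after < expires,
    }


if __name__ == "__main__":
    report = rotation_report(SAMPLE_PWD_LAST_SET, SAMPLE_MAX_PWD_AGE,
                             SAMPLE_SSSD_CONF, "adxyz.info", "2024-02-19T00:00:00+00:00")
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a live host the two attribute values come from an LDAP query of the computer object and the domain root (for example with `ldapsearch` against a DC), and the sssd.conf text from `/etc/sssd/sssd.conf`; the arithmetic is the same.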
The password is expiring because of AD policy.
Also, the strange thing is that the login issue is not affecting all AD users; it is preventing only a few users. And if I remove and rejoin the instance to AD, it starts allowing those and all users to log in.
I am not sure whether we are missing anything in the configuration.
I am planning to try this and will see if it helps. I will keep you posted, since currently I am following the sssd approach we were following on CentOS 7.
The smb.conf is okay, as far as it goes, but you should only add the 'winbind enum' lines for testing purposes; they can slow things down in large domains and are not required for AD to work on Linux.
There is also this memorable line: 'Ignore any DNS related errors.'
If you do get DNS related errors, then probably /etc/hosts isn't set up correctly. It should contain a line like this:
COMPUTER_IP FQDN SHORT_HOSTNAME
Provided it has a fixed IP address; otherwise, if the IP is set by DHCP, there should be nothing relevant to the computer in /etc/hosts.
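The /etc/hosts rule in the reply above (for a fixed address: one line with the IP, then the FQDN, then the short hostname; for DHCP: no line for the machine at all) is easy to check mechanically. The script below is an added example, not the poster's own, and goes a little beyond the reply in one respect: it also flags the host's own names appearing on a loopback line (127.0.0.1 or ::1), a common state that makes `hostname -f` resolve to localhost. The two hosts-file samples are constructed and reuse the hostname and domain visible in the post with a documentation-range IP.

```python
import ipaddress

LOOPBACKS = {"127.0.0.1", "::1"}

# Constructed /etc/hosts samples (hostname and domain from the post, TEST-NET address).
GOOD_HOSTS = """\
127.0.0.1   localhost localhost.localdomain
::1         localhost
192.0.2.10  linux-5.adxyz.info linux-5   # static address: FQDN first, then short name
"""

BAD_HOSTS = """\
127.0.0.1   localhost linux-5.adxyz.info linux-5
192.0.2.10  linux-5 linux-5.adxyz.info
"""


def parse_hosts(text):
    """Return [(address, [names...])] for every non-comment, non-empty line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        entries.append((addr, names))
    return entries


def check_hosts(text, ip, fqdn, short, dhcp=False):
    """List the ways `text` departs from 'IP FQDN SHORT'; an empty list means it conforms."""
    problems = []
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        problems.append(f"{ip!r} is not a valid IP address")
        return problems
    if "." not in fqdn or fqdn.split(".", 1)[0] != short:
        problems.append(f"short name {short!r} must be the first label of {fqdn!r}")

    entries = parse_hosts(text)
    # The host's own names on a loopback line make `hostname -f` answer 'localhost'.
    for addr, names in entries:
        if addr in LOOPBACKS and (fqdn in names or short in names):
            problems.append(f"{fqdn}/{short} must not be on the loopback line {addr}")

    own = [names for addr, names in entries if addr == ip]
    if dhcp:
        # With a DHCP address nothing about this machine belongs in /etc/hosts.
        if own:
            problems.append(f"DHCP host must have no /etc/hosts entry for {ip}")
        return problems
    if not own:
        problems.append(f"no entry for {ip}; expected '{ip} {fqdn} {short}'")
    elif own[0][0] != fqdn or short not in own[0]:
        problems.append(
            f"entry for {ip} must read '{ip} {fqdn} {short}', got {' '.join(own[0])!r}")
    return problems


if __name__ == "__main__":
    for label, sample in (("good", GOOD_HOSTS), ("bad", BAD_HOSTS)):
        found = check_hosts(sample, "192.0.2.10", "linux-5.adxyz.info", "linux-5")
        print(f"{label}: {found or 'ok'}")
```

To run it against a real machine, read `/etc/hosts` into `text` and pass the address from `ip -4 addr`, the output of `hostname -f` and of `hostname -s`.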
I tried the steps as mentioned in the last post, but I am not able to log in using AD credentials. I am getting the error below when I check /var/log/secure:
Feb 23 12:03:12 linuxstaging sshd[21223]: Invalid user abctest from xx.xxx.xx.xxx port 50428
Feb 23 12:03:43 linuxstaging sshd[21223]: pam_unix(sshd:auth): check pass; user unknown
Feb 23 12:03:43 linuxstaging sshd[21223]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xx.xxx.xx.xxx
Feb 23 12:03:45 linuxstaging sshd[21223]: Failed password for invalid user abctest from xx.xxx.xx.xxx port 50428 ssh2
Feb 23 13:38:05 rocky9 sshd[8164]: Authorized to rowland, krb5 principal rowland@SAMDOM.EXAMPLE.COM (ssh_gssapi_krb5_cmdok)
Feb 23 13:38:05 rocky9 sshd[8164]: pam_winbind(sshd:account): user ‘rowland’ granted access
Feb 23 13:38:05 rocky9 sshd[8164]: Accepted gssapi-with-mic for rowland from 192.168.1.141 port 55742 ssh2: rowland@SAMDOM.EXAMPLE.COM
Feb 23 13:38:05 rocky9 systemd[8190]: pam_unix(systemd-user:session): session opened for user rowland(uid=11104) by (uid=0)
Feb 23 13:38:06 rocky9 sshd[8164]: pam_unix(sshd:session): session opened for user rowland(uid=11104) by (uid=0)
Does the user 'abctest' exist in AD?
Does 'getent passwd abctest' produce output?