Active Directory users ssh connectivity issue on Rocky Linux 9

Hi

We have added the computer to the Active Directory along with the process, and we are running Rocky Linux 9.
Users that have joined the computer to the Active Directory domain can successfully log in to the Rocky Linux machine.
However, we’ve noticed that after a few days, a small percentage of users—not all users—are occasionally unable to log in.

Therefore, we must withdraw the computer from the domain. Once the machine was rejoined, users were able to communicate with the machines.
We have been witnessing this behavior for the past two months. Any suggestion will be very helpful.

sssd Logs for reference

sssd status shows the status below at the time of the connectivity issue for a few users.
systemctl status sssd
● sssd.service - System Security Services Daemon
     Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; preset: enabled)
     Active: active (running) since Sun 2024-02-04 01:24:53 PST; 2 weeks 0 days ago
   Main PID: 740 (sssd)
      Tasks: 5 (limit: 98304)
     Memory: 64.9M
        CPU: 23min 25.887s
     CGroup: /system.slice/sssd.service
             ├─740 /usr/sbin/sssd -i --logger=files
             ├─756 /usr/libexec/sssd/sssd_be --domain adxyz.info --uid 0 --gid 0 --logger=files
             ├─767 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
             ├─768 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files
             └─769 /usr/libexec/sssd/sssd_pac --uid 0 --gid 0 --logger=files

Feb 19 00:48:20 linux-5 ldap_child[368446]: Failed to initialize credentials using keytab [MEMORY:/etc/>
Feb 19 00:48:20 linux-5 ldap_child[368447]: Failed to initialize credentials using keytab [MEMORY:/etc/>
Feb 19 00:48:20 linux-5 ldap_child[368448]: Failed to initialize credentials using keytab [MEMORY:/etc/>
Feb 19 00:48:20 linux-5 krb5_child[368449]: Cannot find key for LOCALHOST$@adxyz.INFO kvno 38 in ke>
Feb 19 00:48:20 linux-5 krb5_child[368449]: Cannot find key for LOCALHOST$@adxyz.INFO kvno 38 in ke>
Feb 19 00:49:22 linux-5 ldap_child[371897]: Failed to initialize credentials using keytab [MEMORY:/etc/>
Feb 19 00:49:24 linux-5 ldap_child[371898]: Failed to initialize credentials using keytab [MEMORY:/etc/>
Feb 19 00:49:28 linux-5 ldap_child[371899]: Failed to initialize credentials using keytab [MEMORY:/etc/>
Feb 19 00:49:28 linux-5 ldap_child[371900]: Failed to initialize credentials using keytab [MEMORY:/etc/>
Feb 19 00:49:28 linux-5 ldap_child[371901]: Failed to initialize credentials using keytab [MEMORY:/etc/>
---------------------------------------------------
sssd status shows the logs below when users are able to connect, after rejoining to Active Directory.
systemctl  status sssd
● sssd.service - System Security Services Daemon
     Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; preset: enabled)
     Active: active (running) since Mon 2024-02-19 05:12:14 PST; 1min 22s ago
   Main PID: 1190172 (sssd)
      Tasks: 5 (limit: 98304)
     Memory: 53.5M
        CPU: 396ms
     CGroup: /system.slice/sssd.service
             ├─1190172 /usr/sbin/sssd -i --logger=files
             ├─1190174 /usr/libexec/sssd/sssd_be --domain adxyz.info --uid 0 --gid 0 --logger=files
             ├─1190175 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
             ├─1190176 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files
             └─1190177 /usr/libexec/sssd/sssd_pac --uid 0 --gid 0 --logger=files

Feb 19 05:12:14 linux-5 systemd[1]: Starting System Security Services Daemon...
Feb 19 05:12:14 linux-5 sssd[1190172]: Starting up
Feb 19 05:12:14 linux-5 sssd_be[1190174]: Starting up
Feb 19 05:12:14 linux-5 sssd_nss[1190175]: Starting up
Feb 19 05:12:14 linux-5 sssd_pam[1190176]: Starting up
Feb 19 05:12:14 linux-5 sssd_pac[1190177]: Starting up
Feb 19 05:12:14 linux-5 systemd[1]: Started System Security Services Daemon.

Failing to initialize credentials using the keytab could mean that the password for the keytab account has been changed in Active Directory.

But if we change the password, then it should check the updated password, right?
Can you please suggest what needs to be done here?

A keytab contains the password from when it was created. If the password is changed in Active Directory, the keytab needs to be updated.

You would need to track down why the password has been changed.

In Active Directory, it is possible to check when a password was changed on any object, this includes computer objects. Changing a password in active directory does not notify the actual object of such change. The actual object will not be aware of this change and cannot renew its keytab, because it does not know its own password any longer.

Depending on how often this password is being changed in AD or being invalidated in some way, you can tell sssd to rotate automatically for you to see if that resolves the issue to some extent. This is done by setting ad_maximum_machine_account_password_age in sssd.conf. The default for this is 30 days. Set it to a number of days before the issues start typically occurring for you on this system and see if it helps.

Thanks Nazunalika.

Can we keep this ad_maximum_machine_account_password_age = 5, since we cannot predict when the password of the user will be changed?

Whilst an ‘object’ isn’t aware that its password has changed, it is notified and that is why you can check if it has changed. You can check when the password was last changed by obtaining the ‘pwdLastSet’ attribute from the computer’s object, along with the domain’s ‘maxPwdAge’ attribute; from these you can calculate if the password has expired or when it will expire (unless you have set it to never expire).

Now, every machine password, by default, is changed every 30 days and setting ‘ad_maximum_machine_account_password_age’ to less than this will mean that sssd will attempt to renew the machine’s ticket after the number of days set, so setting this may just make the problem worse. Now if this was winbind, I would suggest adding ‘winbind refresh tickets = yes’ to the smb.conf file, but I cannot seem to find the sssd equivalent, is there one?

I should also point out that you do not actually require a keytab, kinit will work without it.
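
The expiry calculation described above (pwdLastSet plus the domain maxPwdAge), together with the ad_maximum_machine_account_password_age comparison from the earlier reply, as an added example that is not part of any post in this thread. The sample pwdLastSet and maxPwdAge values are constructed, not taken from the poster's domain; the FILETIME and maxPwdAge encodings are the standard AD ones.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# AD stores pwdLastSet as a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
# maxPwdAge is a *negative* tick interval. These constants are the standard encodings.
TICKS_PER_SECOND = 10_000_000
UNIX_EPOCH_TICKS = 116_444_736_000_000_000          # 1970-01-01 expressed in FILETIME ticks
NEVER_EXPIRES = {0, -0x8000000000000000}             # maxPwdAge sentinels meaning "never"

# Constructed sample values (not from the thread): pwdLastSet for 2024-01-20 00:00:00 UTC
# and a 30-day maxPwdAge (-30 * 86400 * 10^7 ticks).
SAMPLE_PWD_LAST_SET = 133_501_824_000_000_000
SAMPLE_MAX_PWD_AGE = -25_920_000_000_000

def filetime_to_datetime(ticks: int) -> datetime:
    """Convert a FILETIME tick count (e.g. pwdLastSet) to an aware UTC datetime."""
    seconds, rem = divmod(ticks - UNIX_EPOCH_TICKS, TICKS_PER_SECOND)
    return datetime.fromtimestamp(seconds, tz=timezone.utc) + timedelta(microseconds=rem // 10)

def max_pwd_age_to_timedelta(max_pwd_age: int) -> Optional[timedelta]:
    """Turn the negative maxPwdAge interval into a lifetime; None means it never expires."""
    if max_pwd_age in NEVER_EXPIRES:
        return None
    return timedelta(seconds=-max_pwd_age / TICKS_PER_SECOND)

def password_expiry(pwd_last_set: int, max_pwd_age: int,
                    now: datetime) -> Tuple[Optional[datetime], bool, Optional[float]]:
    """Return (expires_at, expired, days_left) for the object whose pwdLastSet is given.
    pwdLastSet == 0 means 'must change at next logon', i.e. already expired."""
    if pwd_last_set == 0:
        return None, True, 0.0
    lifetime = max_pwd_age_to_timedelta(max_pwd_age)
    if lifetime is None:
        return None, False, None
    expires_at = filetime_to_datetime(pwd_last_set) + lifetime
    days_left = (expires_at - now).total_seconds() / 86400
    return expires_at, days_left <= 0, days_left

def sssd_renews_before_ad_expiry(max_pwd_age: int, sssd_max_days: int) -> bool:
    """True if sssd's ad_maximum_machine_account_password_age (days) is shorter than the
    AD lifetime, i.e. sssd would rotate the machine password before AD would expire it."""
    lifetime = max_pwd_age_to_timedelta(max_pwd_age)
    return lifetime is None or timedelta(days=sssd_max_days) < lifetime

if __name__ == "__main__":
    now = datetime(2024, 2, 19, 0, 48, 20, tzinfo=timezone.utc)   # time of the failures in the log
    expires_at, expired, days_left = password_expiry(SAMPLE_PWD_LAST_SET, SAMPLE_MAX_PWD_AGE, now)
    print(f"expires {expires_at:%Y-%m-%d %H:%M %Z}, expired={expired}, days_left={days_left:.2f}")
    print("sssd rotates at 5 days, before AD expiry:", sssd_renews_before_ad_expiry(SAMPLE_MAX_PWD_AGE, 5))
```

Feed it the two attributes read from the computer object and the domain root (for example via ldapsearch) to see whether the machine password had already lapsed at the time of the first "Cannot find key" message.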

We don't have the smb service running on the server. Not able to identify the cause yet.

The password is getting expired because of AD policy.
Also, the strange thing is that the login issue is not affecting all users of AD; it's preventing only a few users. And if I remove and rejoin the instance to AD, it starts allowing those and all users to log in.
I am not sure where we are missing anything in the configuration?

I said if it was winbind, I didn’t say that you were running winbind. Did you read the entire post?

I found one URL
https://zmatech.com/2022/09/22/how-to-join-rocky-linux-9-into-windows-active-directory/

I'm planning to try this and will see if it helps. Will keep you posted, since currently I'm following the sssd approach which we were following in CentOS 7.

I have had a look at that link and I have a few comments about it:

It says to set this line in /etc/krb5.conf:

default_realm = ZMATECH

That appears to be wrong, as ZMATECH is set as the workgroup (aka NetBIOS domain name) in the example smb.conf; the krb5.conf should look like this:

[libdefaults]
default_realm = ZMATECH.COM
dns_lookup_realm = false
dns_lookup_kdc = true

[realms]
ZMATECH.COM = {
default_domain = zmatech.com
}

[domain_realm]
YOUR_COMPUTERS_SHORT_HOSTNAME_IN_CAPS = ZMATECH.COM

The smb.conf is okay, as far as it goes, but you should only add the ‘winbind enum’ lines for testing purposes; they can slow things down in large domains and are not required for AD to work on linux.

There is also this memorable line ‘Ignore any DNS related errors.’.

If you do get DNS related errors, then probably /etc/hosts isn’t set up correctly; it should contain a line like this:

COMPUTER_IP FQDN SHORT_HOSTNAME

Provided it has a fixed IP address; otherwise, if the IP is set by DHCP, then there should be nothing relevant to the computer in /etc/hosts.

Thanks hortimech for the reply, will try these steps and update the result in the post.

Hi

I tried the steps as mentioned in the last post, not able to log in using AD credentials. I'm getting the below error when I check /var/log/secure

Feb 23 12:03:12 linuxstaging sshd[21223]: Invalid user abctest from xx.xxx.xx.xxx port 50428
Feb 23 12:03:43 linuxstaging sshd[21223]: pam_unix(sshd:auth): check pass; user unknown
Feb 23 12:03:43 linuxstaging sshd[21223]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xx.xxx.xx.xxx
Feb 23 12:03:45 linuxstaging sshd[21223]: Failed password for invalid user abctest from xx.xxx.xx.xxx port 50428 ssh2

I get:

Feb 23 13:38:05 rocky9 sshd[8164]: Authorized to rowland, krb5 principal rowland@SAMDOM.EXAMPLE.COM (ssh_gssapi_krb5_cmdok)
Feb 23 13:38:05 rocky9 sshd[8164]: pam_winbind(sshd:account): user ‘rowland’ granted access
Feb 23 13:38:05 rocky9 sshd[8164]: Accepted gssapi-with-mic for rowland from 192.168.1.141 port 55742 ssh2: rowland@SAMDOM.EXAMPLE.COM
Feb 23 13:38:05 rocky9 systemd[8190]: pam_unix(systemd-user:session): session opened for user rowland(uid=11104) by (uid=0)
Feb 23 13:38:06 rocky9 sshd[8164]: pam_unix(sshd:session): session opened for user rowland(uid=11104) by (uid=0)

Does the user ‘abctest’ exist in AD?
Does ‘getent passwd abctest’ produce output?