SSSD login: system error 4

I have a Rocky Linux 8.7 server joined to a Windows domain using realm. Sometimes when I start the server, I get a system error when attempting to log in. /var/log/secure shows SSSD "system error 4". /var/log/sssd/krb5_child.log shows "missing krb5 keytab option from domain", and I also see "pre authentication failed". If I log in with a local account and restart sssd, I am able to log in.

/etc/sssd/sssd.conf

# /etc/sssd/sssd.conf as written by "realm join" (adcli) on Rocky Linux 8.7.
# sssd reads this with its own INI parser: "#" or ";" full-line comments,
# "key = value", sections in square brackets. sssd refuses to load the file
# unless it is owned by root and not readable by others (mode 0600).
[sssd]
# domain sections to activate; each must have a matching [domain/<name>] below
domains = home.local
config_file_version = 2
# responders to start: nss (user/group lookups) and pam (authentication)
services = nss, pam





# NOTE: no ad_server is set here, so the domain controllers are located via
# DNS SRV lookups at startup -- the step the thread suspects is failing at boot.
[domain/home.local]
ad_domain = home.local
# Kerberos realm is the AD domain name in upper case
krb5_realm = HOME.LOCAL
# recorded by realmd to describe how the join was done; informational only
realmd_tags = manages-system joined-with-adcli
# keep a hashed copy of credentials so users who already logged in once can
# still authenticate while the domain is unreachable (offline mode)
cache_credentials = True
id_provider = ad
# do not keep the clear-text password for obtaining a TGT once back online;
# the more conservative choice when cache_credentials is on
krb5_store_password_if_offline = False
default_shell = /bin/bash
# UIDs/GIDs are derived from the AD SIDs rather than read from POSIX
# attributes (uidNumber/gidNumber) in AD
ldap_id_mapping = True
# users log in as "user" rather than "user@home.local"; unambiguous with one
# domain, collision-prone if further domains are added
use_fully_qualified_names = False
# %u is sssd's own template expansion (the login name), not configparser interpolation
fallback_homedir = /home/%u
# the AD provider decides who may log in: disabled/expired/locked accounts are
# rejected. NOTE(review): recent sssd also evaluates GPO logon rights under
# this provider (ad_gpo_access_control); confirm the intended mode.
access_provider = ad
/etc/krb5.conf

# /etc/krb5.conf -- MIT Kerberos profile format, not plain INI: "#" comments,
# "key = value", brace-delimited subsections inside [realms]. Indentation is
# cosmetic only, which is why the unindented keys below still belong to [libdefaults].
[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
# map host names to realms via [domain_realm] below, not via DNS TXT records
    dns_lookup_realm = false
# requested lifetimes; the AD KDC caps them by its own policy
    ticket_lifetime = 24h
    renew_lifetime = 7d
# tickets obtained are forwardable (credential delegation); a deliberate choice
    forwardable = true
# do not canonicalise server names through reverse DNS -- PTR records are
# easier to tamper with than forward records, so keep this false
    rdns = false
# CA bundle trusted for PKINIT (certificate-based pre-authentication)
    pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
    spake_preauth_groups = edwards25519
# leftover placeholder from the stock template; the effective default_realm
# is set at the end of this section
#    default_realm = EXAMPLE.COM
# per-user kernel keyring credential cache; %{uid} is krb5's own expansion
    default_ccache_name = KEYRING:persistent:%{uid}
# 0 = always talk to the KDC over TCP (avoids fragmented UDP replies with large AD tickets)
udp_preference_limit = 0
default_realm = HOME.LOCAL

[realms]
 HOME.LOCAL = {
# repeated "kdc" keys form a list, tried in the order listed. NOTE(review):
# if the sssd krb5 locator plugin is installed it may steer libkrb5 to the DC
# sssd discovered instead -- verify which KDC is actually contacted.
     kdc = dc1.home.local
     kdc = dc2.home.local
     admin_server = dc1.home.local
 }

[domain_realm]
# hosts named home.local or under it belong to the HOME.LOCAL realm
 .home.local = HOME.LOCAL
 home.local = HOME.LOCAL

If the problem only shows itself immediately after boot, I would look at network related issues.

Looking up the KDC with DNS isn’t working because the network hasn’t started yet?


I ended up with a config that doesn't produce the problem anymore.

/etc/sssd/sssd.conf

# /etc/sssd/sssd.conf -- the configuration that stopped producing the error.
# sssd reads this with its own INI parser: "#" or ";" full-line comments,
# "key = value", sections in square brackets. sssd refuses to load the file
# unless it is owned by root and not readable by others (mode 0600).
[sssd]
# domain sections to activate; each must have a matching [domain/<name>] below
domains = home.local
config_file_version = 2
# responders to start: nss (user/group lookups) and pam (authentication)
services = nss, pam





[domain/home.local]
ad_domain = home.local
# pin the domain controllers instead of discovering them via DNS SRV records
# at startup. NOTE(review): these names still have to resolve, and only these
# two DCs will ever be used -- no site-aware discovery or wider failover.
ad_server = dc1.home.local
ad_backup_server = dc2.home.local
# Kerberos realm is the AD domain name in upper case
krb5_realm = HOME.LOCAL
# recorded by realmd to describe how the join was done; informational only
realmd_tags = manages-system joined-with-adcli
# keep a hashed copy of credentials so users who already logged in once can
# still authenticate while the domain is unreachable (offline mode)
cache_credentials = True
id_provider = ad
# do not keep the clear-text password for obtaining a TGT once back online;
# the more conservative choice when cache_credentials is on
krb5_store_password_if_offline = False
default_shell = /bin/bash
# UIDs/GIDs are derived from the AD SIDs rather than read from POSIX
# attributes (uidNumber/gidNumber) in AD
ldap_id_mapping = True
# users log in as "user" rather than "user@home.local"; unambiguous with one
# domain, collision-prone if further domains are added
use_fully_qualified_names = False
# %u is sssd's own template expansion (the login name), not configparser interpolation
fallback_homedir = /home/%u
# the AD provider decides who may log in: disabled/expired/locked accounts are
# rejected. NOTE(review): recent sssd also evaluates GPO logon rights under
# this provider (ad_gpo_access_control); confirm the intended mode.
access_provider = ad
# the host keeps its own DNS records in AD current, authenticating the update
# with its machine credentials (GSS-TSIG) rather than sending unsigned updates
dyndns_update = True
# seconds between periodic re-registrations (43200 = 12 h)
dyndns_refresh_interval = 43200
# also maintain the reverse (PTR) record; the reverse zone must accept secure updates
dyndns_update_ptr = True
# TTL in seconds of the records written
dyndns_ttl = 3600
dyndns_auth = GSS-TSIG
# verify each user's TGT against the host keytab (/etc/krb5.keytab unless
# krb5_keytab is set) so a spoofed KDC cannot authenticate a user; requires
# the keytab created at join time to be present and readable by sssd
krb5_validate = True