Knowledge Base (Posts about raw)https://bgstack15.ddns.net/blog/enContents © 2025 <a href="mailto:bgstack15@gmail.com">bgstack15</a> <a rel="license" href="https://creativecommons.org/licenses/by-sa/4.0/"> <img alt="Creative Commons License BY-SA" style="border-width:0; margin-bottom:12px;" src="https://bgstack15.ddns.net/.images/l_by-sa_4.0_88x31.png"></a>Wed, 26 Feb 2025 15:27:19 GMTNikola (getnikola.com)http://blogs.law.harvard.edu/tech/rssKerberos notes and sssd Internal credentials cache errorhttps://bgstack15.ddns.net/blog/posts/2018/09/06/kerberos-notes-and-sssd-internal-credentials-cache-error/bgstack15<p>If sssd gives you errors about unable to connect, it's probably the host password (keytab) is out of date with what AD has. You have to reset the host account in AD, or even delete the computer account and rejoin the domain.</p> <div class="code"><pre class="code literal-block"><span class="n">kdestroy</span><span class="w"> </span><span class="o">-</span><span class="n">A</span><span class="w"></span> <span class="n">kinit</span><span class="w"> </span><span class="n">domainadmin</span><span class="w"></span> <span class="n">msktutil</span><span class="w"> </span><span class="o">-</span><span class="n">f</span><span class="w"> </span><span class="o">-</span><span class="n">s</span><span class="w"> </span><span class="k">host</span><span class="w"></span> <span class="n">msktutil</span><span class="w"> </span><span class="o">-</span><span class="n">u</span><span class="w"> </span><span class="o">-</span><span class="n">s</span><span class="w"> </span><span class="k">host</span><span class="w"></span> <span class="n">kinit</span><span class="w"> </span><span class="o">-</span><span class="n">k</span><span class="w"> </span><span class="ss">"$( hostname -s | tr '[[:lower:]]' '[[:upper:]]' )\$@MSAD.EXAMPLE.COM"</span><span class="w"></span> <span class="n">klist</span><span class="w"> </span><span class="o">-</span><span class="n">kt</span><span class="w"></span> </pre></div> <p>The kvno value in the output of klist -kt should match the attribute "msDS- KeyVersionNumber" of the server object in AD. Error can include:</p> <div class="code"><pre class="code literal-block"><span class="p">(</span><span class="n">Thu</span><span class="w"> </span><span class="n">Aug</span><span class="w"> </span><span class="mi">9</span><span class="w"> </span><span class="mi">15</span><span class="err">:</span><span class="mi">28</span><span class="err">:</span><span class="mi">57</span><span class="w"> </span><span class="mi">2018</span><span class="p">)</span><span class="w"> </span><span class="o">[</span><span class="n">[sssd[krb5_child[3177</span><span class="o">]</span><span class="err">]]]</span><span class="w"> </span><span class="o">[</span><span class="n">create_ccache</span><span class="o">]</span><span class="w"> </span><span class="p">(</span><span class="mh">0x0020</span><span class="p">)</span><span class="err">:</span><span class="w"> </span><span class="mi">1009</span><span class="err">:</span><span class="w"> </span><span class="o">[</span><span class="n">-1765328188</span><span class="o">][</span><span class="n">Internal credentials cache error</span><span class="o">]</span><span class="w"></span> <span class="p">(</span><span class="n">Thu</span><span class="w"> </span><span class="n">Aug</span><span class="w"> </span><span class="mi">9</span><span class="w"> </span><span class="mi">15</span><span class="err">:</span><span class="mi">28</span><span class="err">:</span><span class="mi">57</span><span class="w"> </span><span class="mi">2018</span><span class="p">)</span><span class="w"> </span><span class="o">[</span><span class="n">[sssd[krb5_child[3177</span><span class="o">]</span><span class="err">]]]</span><span class="w"> </span><span class="o">[</span><span class="n">map_krb5_error</span><span class="o">]</span><span class="w"> </span><span class="p">(</span><span class="mh">0x0020</span><span class="p">)</span><span class="err">:</span><span class="w"> </span><span class="mi">1657</span><span class="err">:</span><span class="w"> </span><span class="o">[</span><span class="n">-1765328188</span><span class="o">][</span><span class="n">Internal credentials cache error</span><span class="o">]</span><span class="w"></span> <span class="p">(</span><span class="n">Thu</span><span class="w"> </span><span class="n">Aug</span><span class="w"> </span><span class="mi">9</span><span class="w"> </span><span class="mi">15</span><span class="err">:</span><span class="mi">29</span><span class="err">:</span><span class="mi">22</span><span class="w"> </span><span class="mi">2018</span><span class="p">)</span><span class="w"> </span><span class="o">[</span><span class="n">[sssd[krb5_child[3333</span><span class="o">]</span><span class="err">]]]</span><span class="w"> </span><span class="o">[</span><span class="n">privileged_krb5_setup</span><span class="o">]</span><span class="w"> </span><span class="p">(</span><span class="mh">0x0080</span><span class="p">)</span><span class="err">:</span><span class="w"> </span><span class="n">Cannot</span><span class="w"> </span><span class="k">open</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">PAC</span><span class="w"> </span><span class="n">responder</span><span class="w"> </span><span class="n">socket</span><span class="w"></span> <span class="p">(</span><span class="n">Thu</span><span class="w"> </span><span class="n">Aug</span><span class="w"> </span><span class="mi">9</span><span class="w"> </span><span class="mi">15</span><span class="err">:</span><span class="mi">29</span><span class="err">:</span><span class="mi">22</span><span class="w"> </span><span class="mi">2018</span><span class="p">)</span><span class="w"> </span><span class="o">[</span><span class="n">[sssd[krb5_child[3333</span><span class="o">]</span><span class="err">]]]</span><span class="w"> </span><span class="o">[</span><span class="n">sss_send_pac</span><span class="o">]</span><span class="w"> </span><span class="p">(</span><span class="mh">0x0040</span><span class="p">)</span><span class="err">:</span><span class="w"> </span><span class="n">sss_pac_make_request</span><span class="w"> </span><span class="n">failed</span><span class="w"> </span><span class="o">[</span><span class="n">-1</span><span class="o">][</span><span class="n">2</span><span class="o">]</span><span class="p">.</span><span class="w"></span> <span class="p">(</span><span class="n">Thu</span><span class="w"> </span><span class="n">Aug</span><span class="w"> </span><span class="mi">9</span><span class="w"> </span><span class="mi">15</span><span class="err">:</span><span class="mi">29</span><span class="err">:</span><span class="mi">22</span><span class="w"> </span><span class="mi">2018</span><span class="p">)</span><span class="w"> </span><span class="o">[</span><span class="n">[sssd[krb5_child[3333</span><span class="o">]</span><span class="err">]]]</span><span class="w"> </span><span class="o">[</span><span class="n">validate_tgt</span><span class="o">]</span><span class="w"> </span><span class="p">(</span><span class="mh">0x0040</span><span class="p">)</span><span class="err">:</span><span class="w"> </span><span class="n">sss_send_pac</span><span class="w"> </span><span class="n">failed</span><span class="p">,</span><span class="w"> </span><span class="k">group</span><span class="w"> </span><span class="n">membership</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="k">user</span><span class="w"> </span><span class="k">with</span><span class="w"> </span><span class="n">principal</span><span class="w"> </span><span class="o">[</span><span class="n">bgstack15\@MSAD.EXAMPLE.COM@MSAD.EXAMPLE.COM</span><span class="o">]</span><span class="w"> </span><span class="n">might</span><span class="w"> </span><span class="ow">not</span><span class="w"> </span><span class="n">be</span><span class="w"> </span><span class="n">correct</span><span class="p">.</span><span class="w"></span> </pre></div>kerberosnotesrawsssdhttps://bgstack15.ddns.net/blog/posts/2018/09/06/kerberos-notes-and-sssd-internal-credentials-cache-error/Thu, 06 Sep 2018 12:57:54 GMT