Knowledge Base

Preserving for the future: Shell scripts, AoC, and more

Kerberos notes and sssd Internal credentials cache error

If sssd logs errors about being unable to connect, the most likely cause is that the host's keytab is out of date with the password AD currently holds for the computer account. Reset the host account's password from the client with msktutil (below); if that does not work, delete the computer account in AD and rejoin the domain.

kdestroy -A                    # drop every cached ticket first
kinit domainadmin              # authenticate as an account allowed to change the computer object
msktutil -f -s host            # flush the host's existing principals (keytab entries and SPNs in AD)
msktutil -u -s host            # update: new account password, new kvno, fresh keytab entries
kinit -k "$( hostname -s | tr '[:lower:]' '[:upper:]' )\$@MSAD.EXAMPLE.COM"   # prove the new keytab works
klist -kt                      # list keytab entries with their kvno and timestamp

The kvno value in the output of klist -kt should match the attribute msDS-KeyVersionNumber of the computer object in AD (ldapsearch or Get-ADComputer will show it); if the keytab's kvno is lower, AD has rotated the password and the keytab is stale. Error code -1765328188 is KRB5_FCC_INTERNAL. Errors in /var/log/sssd/krb5_child.log can include:

(Thu Aug  9 15:28:57 2018) [[sssd[krb5_child[3177]]]] [create_ccache] (0x0020): 1009: [-1765328188][Internal credentials cache error]
(Thu Aug  9 15:28:57 2018) [[sssd[krb5_child[3177]]]] [map_krb5_error] (0x0020): 1657: [-1765328188][Internal credentials cache error]
(Thu Aug  9 15:29:22 2018) [[sssd[krb5_child[3333]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
(Thu Aug  9 15:29:22 2018) [[sssd[krb5_child[3333]]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2].
(Thu Aug  9 15:29:22 2018) [[sssd[krb5_child[3333]]]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [bgstack15\@MSAD.EXAMPLE.COM@MSAD.EXAMPLE.COM] might not be correct.
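The kvno comparison above is easy to get wrong by eye when the keytab holds several generations of keys, so here is a small POSIX sh check for it. This is an added example, not code from the original post: it parses the standard `klist -kt` listing and an LDIF record of the form `ldapsearch -LLL ... msDS-KeyVersionNumber` prints, takes the highest kvno the keytab holds for the computer principal, and compares it with AD's value. The klist and LDIF text embedded below is constructed sample data (hostname SERVER1, OU and kvno values are made up) so the script runs offline; in real use pipe the live command output into the two helper functions instead.

```shell
#!/bin/sh
# kvno_check.sh - compare the keytab's kvno with msDS-KeyVersionNumber in AD.
# Added example, not from the original post. Sample inputs are constructed.

# Print the highest KVNO that a "klist -kt" listing (stdin) holds for principal $1.
# Prints 0 when the principal is absent.
keytab_kvno() {
    awk -v p="$1" '$NF == p && $1 ~ /^[0-9]+$/ { if ($1 + 0 > max) max = $1 + 0 }
                   END { print max + 0 }'
}

# Print msDS-KeyVersionNumber from LDIF on stdin (0 when the attribute is absent).
ad_kvno() {
    awk 'BEGIN { v = 0 } tolower($1) == "msds-keyversionnumber:" { v = $2 + 0 } END { print v }'
}

# $1 = principal, $2 = klist -kt text, $3 = LDIF text.
# Exit 0 on match, 1 on mismatch, 2 when either side has no value.
kvno_matches() {
    k=$(printf '%s\n' "$2" | keytab_kvno "$1")
    a=$(printf '%s\n' "$3" | ad_kvno)
    if [ "$k" -eq 0 ] || [ "$a" -eq 0 ]; then
        echo "kvno: principal or attribute missing (keytab=$k ad=$a)" >&2
        return 2
    fi
    if [ "$k" -ne "$a" ]; then
        echo "kvno MISMATCH for $1: keytab=$k ad=$a (keytab is stale; run msktutil -u and re-check)" >&2
        return 1
    fi
    echo "kvno OK for $1: keytab=$k ad=$a"
}

# Constructed "klist -kt" output: two key generations, the newest is kvno 5.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   4 08/01/2018 10:02:33 host/server1.msad.example.com@MSAD.EXAMPLE.COM
   4 08/01/2018 10:02:33 SERVER1$@MSAD.EXAMPLE.COM
   5 08/09/2018 15:20:11 host/server1.msad.example.com@MSAD.EXAMPLE.COM
   5 08/09/2018 15:20:11 SERVER1$@MSAD.EXAMPLE.COM'

# Constructed LDIF for the computer object: one that agrees with the keytab ...
SAMPLE_LDIF_OK='dn: CN=SERVER1,OU=Servers,DC=msad,DC=example,DC=com
msDS-KeyVersionNumber: 5'

# ... and one where AD has rotated the password twice since the keytab was written.
SAMPLE_LDIF_STALE='dn: CN=SERVER1,OU=Servers,DC=msad,DC=example,DC=com
msDS-KeyVersionNumber: 7'

# Demonstration on the constructed data.
kvno_matches 'SERVER1$@MSAD.EXAMPLE.COM' "$SAMPLE_KLIST" "$SAMPLE_LDIF_OK"
kvno_matches 'SERVER1$@MSAD.EXAMPLE.COM' "$SAMPLE_KLIST" "$SAMPLE_LDIF_STALE" || echo "stale keytab detected (exit $?)"
```

Against a live host, replace the sample variables with `klist -kt` and an ldapsearch such as `ldapsearch -LLL -Y GSSAPI -b "$BASEDN" "(sAMAccountName=$(hostname -s | tr '[:lower:]' '[:upper:]')\$)" msDS-KeyVersionNumber` (run after a valid `kinit`); an exit status of 1 is the "reset the host account" case from the procedure above.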
