SSSD Service cannot read keytab file.

Hello,

SSSD is failing to read the keytab file, and whenever I try to log in remotely I keep getting "unable to verify principal name" in the log file. I am able to verify the principal name from the keytab file using the kinit command.

OS : RHEL 6.5
SSSD Version : sssd-1.9.2-129.el6_5.4.x86_64

Here is the output of kinit:

[root@TESTSERVER1 db]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/TESTSERVER1.test.domain.com@TEST.DOMAIN.COM

Valid starting Expires Service principal
08/28/14 16:08:34 08/29/14 02:08:34 krbtgt/TEST.DOMAIN.COM@TEST.DOMAIN.COM
renew until 09/04/14 16:08:34
[root@TESTSERVER1 sssd]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal


3 host/TESTSERVER1.test.domain.com@TEST.DOMAIN.COM
3 host/TESTSERVER1.test.domain.com@TEST.DOMAIN.COM
3 host/TESTSERVER1.test.domain.com@TEST.DOMAIN.COM
3 host/TESTSERVER1.test.domain.com@TEST.DOMAIN.COM
3 host/TESTSERVER1.test.domain.com@TEST.DOMAIN.COM
[root@TESTSERVER1 sssd]#

Log entries from /var/log/sssd/ldap_child.log:

(Fri Aug 29 09:08:20 2014) [[sssd[ldap_child[740]]]] [main] (0x0400): ldap_child started.
(Fri Aug 29 09:08:20 2014) [[sssd[ldap_child[740]]]] [unpack_buffer] (0x1000): total buffer size: 86
(Fri Aug 29 09:08:20 2014) [[sssd[ldap_child[740]]]] [unpack_buffer] (0x1000): realm_str size: 17
(Fri Aug 29 09:08:20 2014) [[sssd[ldap_child[740]]]] [unpack_buffer] (0x1000): got realm_str: TEST.DOMAIN.COM
(Fri Aug 29 09:08:20 2014) [[sssd[ldap_child[740]]]] [unpack_buffer] (0x1000): princ_str size: 53
(Fri Aug 29 09:08:20 2014) [[sssd[ldap_child[740]]]] [unpack_buffer] (0x1000): got princ_str: host/TESTSERVER1.test.domain.com@TEST.DOMAIN.COM
(Fri Aug 29 09:08:20 2014) [[sssd[ldap_child[740]]]] [unpack_buffer] (0x1000): keytab_name size: 0
(Fri Aug 29 09:08:20 2014) [[sssd[ldap_child[740]]]] [unpack_buffer] (0x1000): lifetime: 86400
(Fri Aug 29 09:08:20 2014) [[sssd[ldap_child[740]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [host/TESTSERVER1.test.domain.com@TEST.DOMAIN.COM]
(Fri Aug 29 09:08:20 2014) [[sssd[ldap_child[740]]]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [default]
(Fri Aug 29 09:08:20 2014) [[sssd[ldap_child[740]]]] [sss_krb5_verify_keytab_ex] (0x0010): Cannot read keytab [default].
(Fri Aug 29 09:08:20 2014) [[sssd[ldap_child[740]]]] [ldap_child_get_tgt_sync] (0x0040): Unable to verify principal is present in the keytab
(Fri Aug 29 09:08:20 2014) [[sssd[ldap_child[740]]]] [main] (0x0020): ldap_child_get_tgt_sync failed.
(Fri Aug 29 09:08:20 2014) [[sssd[ldap_child[740]]]] [prepare_response] (0x0400): Building response for result [-1765328200]
(Fri Aug 29 09:08:20 2014) [[sssd[ldap_child[740]]]] [pack_buffer] (0x1000): result [14] krberr [-1765328200] msgsize [26] msg [Error writing to key table]
(Fri Aug 29 09:08:20 2014) [[sssd[ldap_child[740]]]] [main] (0x0400): ldap_child completed successfully
(Fri Aug 29 09:08:20 2014) [[sssd[ldap_child[741]]]] [main] (0x0400): ldap_child started.
(Fri Aug 29 09:08:20 2014) [[sssd[ldap_child[741]]]] [unpack_buffer] (0x1000): total buffer size: 86
(Fri Aug 29 09:08:20 2014) [[sssd[ldap_child[741]]]] [unpack_buffer] (0x1000): realm_str size: 17
(Fri Aug 29 09:08:20 2014) [[sssd[ldap_child[741]]]] [unpack_buffer] (0x1000): got realm_str: TEST.DOMAIN.COM
(Fri Aug 29 09:08:20 2014) [[sssd[ldap_child[741]]]] [unpack_buffer] (0x1000): princ_str size: 53
(Fri Aug 29 09:08:20 2014) [[sssd[ldap_child[741]]]] [unpack_buffer] (0x1000): got princ_str: host/TESTSERVER1.test.domain.com@TEST.DOMAIN.COM
(Fri Aug 29 09:08:20 2014) [[sssd[ldap_child[741]]]] [unpack_buffer] (0x1000): keytab_name size: 0
(Fri Aug 29 09:08:20 2014) [[sssd[ldap_child[741]]]] [unpack_buffer] (0x1000): lifetime: 86400
(Fri Aug 29 09:08:20 2014) [[sssd[ldap_child[741]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [host/TESTSERVER1.test.domain.com@TEST.DOMAIN.COM]
(Fri Aug 29 09:08:21 2014) [[sssd[ldap_child[741]]]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [default]
(Fri Aug 29 09:08:21 2014) [[sssd[ldap_child[741]]]] [sss_krb5_verify_keytab_ex] (0x0010): Cannot read keytab [default].
(Fri Aug 29 09:08:21 2014) [[sssd[ldap_child[741]]]] [ldap_child_get_tgt_sync] (0x0040): Unable to verify principal is present in the keytab
(Fri Aug 29 09:08:21 2014) [[sssd[ldap_child[741]]]] [main] (0x0020): ldap_child_get_tgt_sync failed.
(Fri Aug 29 09:08:21 2014) [[sssd[ldap_child[741]]]] [prepare_response] (0x0400): Building response for result [-1765328200]
(Fri Aug 29 09:08:21 2014) [[sssd[ldap_child[741]]]] [pack_buffer] (0x1000): result [14] krberr [-1765328200] msgsize [26] msg [Error writing to key table]
(Fri Aug 29 09:08:21 2014) [[sssd[ldap_child[741]]]] [main] (0x0400): ldap_child completed successfully

Responses

kartheek,

Has this configuration worked in the past but is no longer working, or are you attempting a new configuration?

Did you follow a Red Hat document/guide for your configuration?
https://access.redhat.com/articles/216933

Your klist -k output is shorter than I would have expected; did you join the domain using the 'net join' method?

Does the following return a local machine SID and domain SID?

net getdomainsid

Hello, first thanks for your reply.
This is a completely new configuration on a recently built server, and a similar configuration is working on the rest of the servers.
This is how I created the keytab file: How to create a kerberos keytab on Active Directory for Red Hat Enterprise Linux

What do you mean by "klist -k output is shorter than I would have expected"?

Here is the output of the command; it did not return the domain SID.

# net getdomainsid
SID for local machine TESTSERVER1 is: S-1-5-21-3996368295-3233187699-1612447407
Could not fetch domain SID
#

I have only ever used the 'net join' method to join servers to the domain for AD auth, but have seen the method you linked to in earlier SSSD documentation. Since you look to be copying the keytab over from the Windows server, have you confirmed the basic permissions and SELinux context are correct for the keytab file on the Linux server?

I am interested to know what your working servers' keytab looks like. On the working server, can you get the output of 'klist -k' and attempt 'net getdomainsid' and let me know if they look different from this server?

My comment regarding klist was because I would generally expect to see three different entries when configuring the server for AD auth:

host/myhost.mydomain.local@MYDOMAIN.LOCAL
host/MYHOST@MYDOMAIN.LOCAL
MYHOST$@MYDOMAIN.LOCAL

These entries will each be repeated ~5 times for the different encryption types.

Hello, the issue is fixed: SELinux was enabled; I disabled it, and it works fine.

Regarding the output of klist -k being small: for every computer object that I create in AD, I assign the service principal name in this format, and I specify the same format in the sssd.conf file too.

host/FQDN@DOMAIN
example: host/myhost.mydomain.local@MYDOMAIN.LOCAL

# grep ldap_sasl_authid /etc/sssd/sssd.conf
ldap_sasl_authid = host/TESTSERVER1.test.domain.com@TEST.DOMAIN.COM
#

Just one more question: whenever you run the "net join" command to add a computer to AD, is there a way to specify the directory location where this computer object is created?

Thanks
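The two posts above disagree about how many entries a keytab should hold, but the check that actually matters for SSSD is narrower: the principal configured as ldap_sasl_authid must be present in the keytab SSSD reads. As an added example that is not part of the thread, the following script parses a `klist -k` listing and an sssd.conf fragment (both constructed here, modelled on the outputs posted above) and reports whether the configured principal has keys, how many, and under which KVNOs. On a live host the klist text would come from `klist -k /etc/krb5.keytab` and the config from /etc/sssd/sssd.conf.

```shell
#!/bin/sh
# Added example, not from the thread: confirm that the principal SSSD will
# bind with (ldap_sasl_authid) exists in the keytab listing.
# Live use: check_authid_in_keytab "$(klist -k /etc/krb5.keytab)" "$(cat /etc/sssd/sssd.conf)"

# Constructed sample of `klist -k` output, modelled on the thread's listing.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/TESTSERVER1.test.domain.com@TEST.DOMAIN.COM
   3 host/TESTSERVER1.test.domain.com@TEST.DOMAIN.COM
   3 host/TESTSERVER1.test.domain.com@TEST.DOMAIN.COM
   3 host/TESTSERVER1.test.domain.com@TEST.DOMAIN.COM
   3 host/TESTSERVER1.test.domain.com@TEST.DOMAIN.COM'

# Constructed sssd.conf fragment (only the keys this check needs).
SAMPLE_SSSD_CONF='[domain/test.domain.com]
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/TESTSERVER1.test.domain.com@TEST.DOMAIN.COM'

# sasl_authid CONF_TEXT -> prints the ldap_sasl_authid value (empty if unset)
sasl_authid() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*ldap_sasl_authid[[:space:]]*=[[:space:]]*//p' \
        | head -n 1
}

# keytab_entries KLIST_TEXT PRINCIPAL -> number of key entries for PRINCIPAL
# (one per encryption type; header and dashed lines have no numeric KVNO)
keytab_entries() {
    printf '%s\n' "$1" \
        | awk -v p="$2" '$1 ~ /^[0-9]+$/ && $2 == p { n++ } END { print n + 0 }'
}

# keytab_kvnos KLIST_TEXT PRINCIPAL -> distinct KVNOs for PRINCIPAL, space separated
keytab_kvnos() {
    printf '%s\n' "$1" \
        | awk -v p="$2" '$1 ~ /^[0-9]+$/ && $2 == p && !seen[$1]++ {
                             printf "%s%s", (n++ ? " " : ""), $1
                         } END { print "" }'
}

# check_authid_in_keytab KLIST_TEXT CONF_TEXT -> 0 if the configured principal
# has at least one key in the keytab, 1 otherwise (reason on stderr)
check_authid_in_keytab() {
    authid=$(sasl_authid "$2")
    if [ -z "$authid" ]; then
        echo "ldap_sasl_authid is not set in sssd.conf" >&2
        return 1
    fi
    n=$(keytab_entries "$1" "$authid")
    if [ "$n" -eq 0 ]; then
        echo "MISSING: $authid has no key in the keytab" >&2
        return 1
    fi
    echo "OK: $authid has $n key(s), KVNO $(keytab_kvnos "$1" "$authid")"
    return 0
}

check_authid_in_keytab "$SAMPLE_KLIST" "$SAMPLE_SSSD_CONF"
```

The KVNO is worth printing: if the computer account's password is reset in AD, the KVNO there moves on while the copied keytab keeps the old one, and SSSD will fail to authenticate even though the principal name is still present.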

You should be able to leave SELinux on and run the following to fix the SELinux permissions on your krb5.conf file

restorecon /etc/krb5.conf

As UNISYS LINUX Support has mentioned below, you can add 'createcomputer=' to the 'net ads join' line; just make sure the account you are joining with has access to create computer objects in the OU you specify!

Original Samba doc is here:
https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html#ads-create-machine-account

Just happened to come across this while searching about SSSD:

net ads join -U YOUR_USERNAME createcomputer="SRV/UNIX"

Replace YOUR_USERNAME with your user. The "SRV/UNIX" option will create the computer account in the "OU=UNIX,OU=SRV,DC=EXAMPLE,DC=DOMAIN,DC=COM" container. It is useful if your account is limited to this container only.

reference: http://tower.voleg.info/linux.AD_auth_sssd.html

I will test on a test server. I think the "net join" command will be an easier way to implement, compared to creating the keytab file on AD and uploading it to the Linux box.

Thanks,