Domain Authentication Issues


To say I am baffled is to understate my level of confusion regarding the issues I'm trying to resolve.

To start with: 6 machines, all running RHEL 7.7, all configured identically (allegedly) at the OS level.

These are running various Hadoop components along with some other bits from a 3rd party that helps manage the cluster and user interfaces and the such.

The initial symptom was that some of the services (I believe relating to HDFS) were not working correctly. The Data Team worked to identify what they believe is the issue: that the services in question will not work with the newfangled KEYRING:persistent Ticket Cache type. So, firstly, I want to restrict the machines from using KEYRING:persistent. I /thought/ it would be in the krb5.conf file, but that is set as "default_ccache_name = /tmp/krb5cc_%{uid}". The results of klist vary from user to user as well. I've tried sss_cache -E without success. Any thoughts on that would be appreciated.

As I have been trying to work THAT out, I'm finding that one of the machines will NOT allow me to PuTTY from my Windows 10 workstation to the node with any AD credentials. Local (root) works. I CAN ssh from one of the nodes to the same box without issue. I did remove the entry from the registry/known_hosts to no avail.

I don't know if these two things are related. To complicate, someone else did the realm join operations on these boxes; however, the configs (krb5.conf and sssd.conf) look to be identical across all nodes.

T

Responses

Hi Tim,

What do the logs show when the remote ssh fails on that server:

/var/log/secure
/var/log/messages
/var/log/sssd/*

That would be a good starting point for analysis.

Regards,

Dusan Baljevic (amateur radio VK2COT)