SSSD service is failing with an error 'Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed.'

Solution Verified

Environment

  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 8
  • Red Hat Enterprise Linux 9
  • Active Directory
  • realmd
  • adcli

Issue

  • SSSD service is failing.
  • RHEL system is configured as an AD client using SSSD and AD users are unable to login to the system.
  • /var/log/messages file is filled up with following repeated log messages.
Mar 13 08:36:18 testserver [sssd[ldap_child[145919]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.

Resolution

This solution is applicable to RHEL hosts that are joined to an Active Directory domain with direct integration. For IDM (IPA) clients, please see IPA client error: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]

The error message (see above) is produced when the client keytab is out of sync with the Active Directory server. The keytab is normally refreshed periodically or when SSSD is restarted.

If a restart of SSSD does not refresh the keytab and resolve the issue, the following methods can be used to manually update the keytab:
- Refresh the keytab using adcli (recommended)
- Leave and rejoin the domain with realmd
- Leave and rejoin the domain with adcli

Note: Rejoining the host to AD provides a quick fix to the keytab issue. However, it is advisable to check why the keytab is out of sync.

Refresh the keytab using adcli

The keytab can be refreshed from AD using the following commands:

# kinit Administrator@AD.DOMAIN
# adcli update -C --computer-password-lifetime=0 -D ad.domain

The 'Administrator@AD.DOMAIN' account can be replaced by any AD user that has "Reset Password" permissions on the computer object in AD.

Leave and rejoin the domain with realmd

Take a backup of existing /etc/sssd/sssd.conf file:

# cp /etc/sssd/sssd.conf /tmp/sssd.bak

Then remove the host from the domain using realm command:

# realm leave

Remove the old keytab:

# rm /etc/krb5.keytab

Join the host to the AD domain again, following the steps in: How to join RHEL to Active Directory using realmd

Leave and rejoin the domain with adcli

If the host has joined the AD domain using adcli, use the following command to leave the domain:

# adcli delete-computer --domain=ad.domain hostname

The adcli delete-computer command deletes the computer account in the domain. The account must already exist.

After removal, the host can rejoin the domain with the adcli:

# adcli join ad.domain

If required, replace the configuration file (i.e. sssd.conf) from the backup.

Root Cause

  • The following log message indicates that the /etc/krb5.keytab file is out of sync with the AD server.
Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
  • If the system has already rejoined the AD domain and the issue has been fixed or is intermittent, check if SSSD can refresh the machine password (keytab). Add the following parameters under the [domain/AD.DOMAIN] section of /etc/sssd/sssd.conf and restart the sssd service:
debug_level = 9
ad_maximum_machine_account_password_age = 1
ad_machine_account_password_renewal_opts = 21600:750
  • Wait for 24 hours. The backend log (/var/log/sssd/sssd_AD.DOMAIN.log) will contain the adcli output which will indicate if the machine password refresh failed or succeeded.

Diagnostic Steps

  • Check sssd.conf file.
  • Check errors in /var/log/messages file.
  • Validate the keytab and the KVNO (key version number).
# kinit -k 'HOSTNAME$'   ## This should work.
# klist
# kinit -C <aduser>@AD.DOMAIN
# kvno 'HOSTNAME$'       ## The KVNO reported by the KDC should match the KVNO of the host entry in the keytab (klist -k).
  • Check the /var/log/sssd/ldap_child.log file to see whether ldap_child_get_tgt_sync is failing.
(2024-07-15  9:55:16): [ldap_child[2024458]] [ldap_child_get_tgt_sync] (0x2000): got realm_name: [AD.DOMAIN]
(2024-07-15  9:55:16): [ldap_child[2024458]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [HOSTNAME$@AD.DOMAIN]
(2024-07-15  9:55:16): [ldap_child[2024458]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [MEMORY:/etc/krb5.keytab]
(2024-07-15  9:55:16): [ldap_child[2024458]] [sss_child_krb5_trace_cb] (0x4000): [2024458] 1721051716.457411: Getting initial credentials for HOSTNAME$@AD.DOMAIN
..output omitted..
(2024-07-15  9:55:16): [ldap_child[2024458]] [ldap_child_get_tgt_sync] (0x0040): krb5_get_init_creds_keytab() failed: -1765328360
(2024-07-15  9:55:16): [ldap_child[2024458]] [ldap_child_get_tgt_sync] (0x0010): Failed to initialize credentials using keytab [MEMORY:/etc/krb5/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
(2024-07-15  9:55:16): [ldap_child[2024458]] [main] (0x0020): ldap_child_get_tgt_sync failed.
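As an added example (not part of the Red Hat solution), the following shell script automates the KVNO comparison from the diagnostic steps above: it reads the host entry's KVNO from the local keytab, asks the KDC for the current KVNO, and flags a mismatch as the out-of-sync state that calls for adcli update or a rejoin. It assumes MIT krb5 client tools (klist, kinit, kvno), the usual AD computer principal HOSTNAME$@REALM, and uses constructed sample output so the parsing functions can be checked offline.

```bash
#!/bin/bash
# Added example, not part of the Red Hat solution: compare the KVNO held in
# /etc/krb5.keytab with the KVNO the AD KDC reports for the computer account.
# A mismatch is the "keytab out of sync" state behind the Preauthentication
# failed error. Assumes MIT krb5 client tools (klist, kinit, kvno) and the
# usual AD computer principal HOSTNAME$@REALM; sample outputs are constructed.

# Highest KVNO for a principal in `klist -k` output (stdin); 0 if absent.
keytab_kvno() {
    awk -v p="$1" 'BEGIN { m = 0 }
        $1 ~ /^[0-9]+$/ && $2 == p && $1 + 0 > m { m = $1 + 0 }
        END { print m }'
}

# KVNO from a `kvno PRINCIPAL` line such as "HOST$@REALM: kvno = 5" (stdin).
kdc_kvno() {
    sed -n 's/^.*: kvno = \([0-9][0-9]*\).*$/\1/p'
}

# Returns 0 when keytab and KDC agree, 1 when the keytab is stale
# (the case where `adcli update` or a rejoin is needed), 2 on bad input.
kvno_in_sync() {
    case "$1:$2" in *[!0-9:]*|:*|*:) return 2 ;; esac
    [ "$1" -eq "$2" ] && return 0
    return 1
}

# Live check on a joined host (run as root). $1 = realm, e.g. AD.DOMAIN.
check_host_keytab() {
    princ="$(hostname -s | tr '[:lower:]' '[:upper:]')\$@${1:?realm required}"
    kt=$(klist -k /etc/krb5.keytab | keytab_kvno "$princ")
    kinit -k "$princ" || { echo "kinit -k $princ failed: keytab likely stale"; return 1; }
    kdc=$(kvno "$princ" | kdc_kvno)
    if kvno_in_sync "$kt" "$kdc"; then
        echo "keytab KVNO $kt matches KDC KVNO $kdc for $princ"
    else
        echo "keytab KVNO $kt != KDC KVNO $kdc for $princ: run adcli update"; return 1
    fi
}

# Constructed sample output (hypothetical host TESTSERVER), for offline checks.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------
   4 host/testserver.ad.domain@AD.DOMAIN
   4 TESTSERVER$@AD.DOMAIN
   5 TESTSERVER$@AD.DOMAIN'
SAMPLE_KVNO='TESTSERVER$@AD.DOMAIN: kvno = 7'
```

On a joined host, source the script and run check_host_keytab AD.DOMAIN; a non-zero exit with the mismatch message is the condition the Resolution section addresses.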

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
