Servers do not rejoin AD automatically via SSSD
Issue
- Two domains are set in the file /etc/sssd/sssd.conf, each one for a specific set of users, as in this example:
  - lab.example.com -> Users in IdM
  - prod.example.com -> Users in AD
- Both domains configured in /etc/sssd/sssd.conf on each client have their own keytab file (the first domain does not specify one, so it uses the default /etc/krb5.keytab). The domains appear as in this example:

    [domain/lab.example.com]
    id_provider = ipa
    ipa_server = _srv_, server01.lab.example.com
    ipa_domain = lab.example.com
    ipa_hostname = server02.lab.example.com
    auth_provider = ipa
    chpass_provider = ipa
    access_provider = ipa
    cache_credentials = True
    ldap_tls_cacert = /etc/ipa/ca.crt
    krb5_store_password_if_offline = True

    [domain/prod.example.com]
    ad_domain = prod.example.com
    krb5_realm = PROD.EXAMPLE.COM
    [...]
    access_provider = ad
    krb5_keytab = /etc/krb5.keytab.prod
    ldap_krb5_keytab = /etc/krb5.keytab.prod
    ad_enabled_domains = prod.example.com

- The renewal of the join in AD (second domain) is not being performed, although it should happen automatically, as can be seen in:

    # man sssd-ad
    [...]
    ad_maximum_machine_account_password_age (integer)
        SSSD will check once a day if the machine account password is older than the given age in days and try to renew it. A value of 0 will disable the renewal attempt.
        Default: 30 days

- As a result, all servers with users in AD are outside of the domain and need to be rejoined manually.
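A check a practitioner can run on an affected client to confirm that the AD machine-account keys have not been renewed (an example added to this article, not Red Hat's code): it parses the text output of `klist -kt` for the AD keytab and flags principals whose newest key is older than ad_maximum_machine_account_password_age, assuming the default MIT krb5 timestamp layout MM/DD/YYYY HH:MM:SS; the sample output is constructed.

```python
"""Flag AD machine-account keys in an SSSD keytab older than
ad_maximum_machine_account_password_age (default 30 days per man sssd-ad).
Added example, not Red Hat's code; assumes the default MIT krb5 klist
timestamp layout MM/DD/YYYY HH:MM:SS. The sample output is constructed."""
import re
from datetime import datetime

# One keytab entry from `klist -kt`: "   2 01/15/2024 10:22:31 host/x@REALM"
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+(\S+)$")
STAMP_FMT = "%m/%d/%Y %H:%M:%S"

# Constructed `klist -kt /etc/krb5.keytab.prod` output: kvno 1 and 2, nothing newer.
SAMPLE = """\
Keytab name: FILE:/etc/krb5.keytab.prod
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 12/01/2023 08:00:00 host/server02.lab.example.com@PROD.EXAMPLE.COM
   1 12/01/2023 08:00:00 SERVER02$@PROD.EXAMPLE.COM
   2 01/15/2024 10:22:31 host/server02.lab.example.com@PROD.EXAMPLE.COM
   2 01/15/2024 10:22:31 SERVER02$@PROD.EXAMPLE.COM
"""

def parse_klist(text):
    """Map principal -> (kvno, timestamp) of its newest entry; other lines are skipped."""
    newest = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kvno, princ = int(m.group(1)), m.group(3)
        ts = datetime.strptime(m.group(2), STAMP_FMT)
        if princ not in newest or ts > newest[princ][1]:
            newest[princ] = (kvno, ts)
    return newest

def stale_principals(text, now, max_age_days=30):
    """Return [(principal, age_days, kvno)] whose newest key is older than max_age_days.
    `now` is a datetime or a string in STAMP_FMT. A max_age_days of 0 disables
    renewal in SSSD, so in that case every principal is reported."""
    if isinstance(now, str):
        now = datetime.strptime(now, STAMP_FMT)
    out = []
    for princ, (kvno, ts) in sorted(parse_klist(text).items()):
        age = (now - ts).days
        if max_age_days <= 0 or age > max_age_days:
            out.append((princ, age, kvno))
    return out

if __name__ == "__main__":
    for princ, age, kvno in stale_principals(SAMPLE, datetime.now()):
        print(f"{princ}: newest key (kvno {kvno}) is {age} days old, renewal overdue")
```

On a client, replace SAMPLE with the output of `klist -kt /etc/krb5.keytab.prod` (run as root) and pass the value configured for ad_maximum_machine_account_password_age if it differs from the default.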
Environment
- Red Hat Enterprise Linux 7
- Red Hat Enterprise Linux 8
- Red Hat Enterprise Linux 9
- Identity Management (IdM)