adcli does not renew machine account password properly
Issue
- The RHEL system is configured as an AD client using SSSD, and it has been observed that adcli does not renew the machine account password properly.
- The following errors are observed in the sssd domain logs:
(2023-06-21 10:12:44): [be[example.com]] [be_ptask_execute] (0x0400): Task [AD machine account password renewal]: executing task, timeout 60 seconds
(2023-06-21 10:12:44): [be[example.com]] [ad_machine_account_password_renewal_done] (0x1000): --- adcli output start---
! Couldn't get kerberos ticket for machine account: TESTVM: Keytab contains no suitable keys for TESTVM$@AD.EXAMPLE.COM
adcli: couldn't connect to example.com domain: Couldn't get kerberos ticket for machine account: TESTVM: Keytab contains no suitable keys for TESTVM$@AD.EXAMPLE.COM
(2023-06-21 10:12:44): [be[example.com]] [be_ptask_done] (0x0400): Task [AD machine account password renewal]: finished successfully
(2023-06-21 10:12:44): [be[example.com]] [be_ptask_schedule] (0x0400): Task [AD machine account password renewal]: scheduling task 86400 seconds from last execution time [1687421564]
- Here, we can see that adcli is trying to look up the TESTVM$@AD.EXAMPLE.COM key in the /etc/krb5.keytab file, but the hostname of the system is set in the /etc/sssd/sssd.conf file as:
ad_hostname = testvm.example.com
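
In the log excerpt above, the renewal task is logged as "finished successfully" even though adcli failed, so a check on the task status alone would miss the failure. The following Python script is an added example, not part of the original article or of SSSD/adcli: it scans an sssd domain log for renewal runs whose adcli output reports a missing keytab principal. The function name find_renewal_failures and the embedded sample (built from the lines quoted above) are constructed for illustration.

```python
import re

# Constructed sample: the sssd domain log lines quoted in this article.
SAMPLE_LOG = """\
(2023-06-21 10:12:44): [be[example.com]] [be_ptask_execute] (0x0400): Task [AD machine account password renewal]: executing task, timeout 60 seconds
(2023-06-21 10:12:44): [be[example.com]] [ad_machine_account_password_renewal_done] (0x1000): --- adcli output start---
! Couldn't get kerberos ticket for machine account: TESTVM: Keytab contains no suitable keys for TESTVM$@AD.EXAMPLE.COM
adcli: couldn't connect to example.com domain: Couldn't get kerberos ticket for machine account: TESTVM: Keytab contains no suitable keys for TESTVM$@AD.EXAMPLE.COM
(2023-06-21 10:12:44): [be[example.com]] [be_ptask_done] (0x0400): Task [AD machine account password renewal]: finished successfully
"""

TASK = "AD machine account password renewal"
STAMP = re.compile(r"^\((?P<ts>[\d-]+ [\d:]+)\): \[be\[(?P<dom>[^\]]+)\]\] \[(?P<fn>\w+)\]")
NO_KEYS = re.compile(r"Keytab contains no suitable keys for (?P<princ>\S+)")

def find_renewal_failures(log_text):
    """Return one dict per renewal run whose adcli output names a principal missing from the keytab."""
    failures, run = [], None

    def close(r):
        # Keep only runs in which adcli actually reported a missing principal.
        if r and r["principals"]:
            r["principals"] = sorted(r["principals"])
            failures.append(r)

    for line in log_text.splitlines():
        m = STAMP.match(line)
        fn = m["fn"] if m and TASK in line else None
        if fn == "be_ptask_execute":
            close(run)  # a previous run that never logged be_ptask_done
            run = {"time": m["ts"], "domain": m["dom"], "principals": set(), "task_status": None}
        elif run is None:
            continue
        elif fn == "be_ptask_done":
            # The task status is not trustworthy on its own; record it next to the adcli error.
            run["task_status"] = line.rsplit(": ", 1)[-1]
            close(run)
            run = None
        else:
            k = NO_KEYS.search(line)
            if k:
                run["principals"].add(k["princ"])
    close(run)  # log ended in the middle of a run
    return failures

if __name__ == "__main__":
    for f in find_renewal_failures(SAMPLE_LOG):
        print(f"{f['time']} {f['domain']}: task status {f['task_status']!r}, "
              f"but keytab has no keys for {', '.join(f['principals'])}")
```

The reported principal can then be compared with the entries listed by klist -k /etc/krb5.keytab and with the ad_hostname value in /etc/sssd/sssd.conf.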
Environment
- Red Hat Enterprise Linux 7
- Red Hat Enterprise Linux 8
- adcli