SSSD user logins fail due to failed TGT validation
Issue
- Unable to log in with SSSD configured using the AD provider
- Able to resolve AD Trust users in IDM but logins fail
- SSSD /var/log/sssd/krb5_child errors when attempting logins:
[[sssd[krb5_child]]] [validate_tgt] (0x0020): TGT failed verification using key for [host/idmsystem.example.com@EXAMPLE.COM]
[[sssd[krb5_child]]] [get_and_save_tgt] (0x0020): [-1765328377][Server not found in Kerberos database]
[[sssd[krb5_child]]] [map_krb5_error] (0x0020): [-1765328377][Server not found in Kerberos database]
- Active Directory is rejecting trusted host principals:
[krb5_child] [get_and_save_tgt] (0x0020): [-1765328372][KDC policy rejects request]
[krb5_child] [map_krb5_error] (0x0020): [-1765328372][KDC policy rejects request]
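An added example (not part of the original article or of SSSD) that triages the krb5_child messages shown above: it extracts the host principal whose key was used for TGT validation and converts each MIT krb5 error code to its RFC 4120 error number by subtracting the krb5 error-table base. The names `parse_line`, `summarize` and `SAMPLE` are hypothetical; the sample lines are copied from the excerpts above, plus one constructed noise line.

```python
import re
from collections import Counter

# MIT krb5 error codes are ERROR_TABLE_BASE_krb5 + the RFC 4120 error number.
KRB5_TABLE_BASE = -1765328384

# Matches "[[sssd[krb5_child]]] [func] (0xNNNN): msg" and "[krb5_child] [func] ...".
LINE_RE = re.compile(
    r"\[+(?:sssd\[)?krb5_child(?:\[\d+\])?\]+\s+"
    r"\[(?P<func>\w+)\]\s+\((?P<level>0x[0-9a-fA-F]+)\):\s+(?P<msg>.*)"
)
ERR_RE = re.compile(r"\[(?P<code>-\d+)\]\[(?P<text>[^\]]+)\]")
PRINC_RE = re.compile(r"using key for \[(?P<princ>[^\]]+)\]")

SAMPLE = [  # log lines from the article, plus one constructed unrelated line
    "[[sssd[krb5_child]]] [validate_tgt] (0x0020): TGT failed verification using key for [host/idmsystem.example.com@EXAMPLE.COM]",
    "[[sssd[krb5_child]]] [get_and_save_tgt] (0x0020): [-1765328377][Server not found in Kerberos database]",
    "[[sssd[krb5_child]]] [map_krb5_error] (0x0020): [-1765328377][Server not found in Kerberos database]",
    "[krb5_child] [get_and_save_tgt] (0x0020): [-1765328372][KDC policy rejects request]",
    "[krb5_child] [map_krb5_error] (0x0020): [-1765328372][KDC policy rejects request]",
    "constructed noise line that is not a krb5_child message",
]

def parse_line(line):
    """Return a dict describing one krb5_child message, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    event = {"func": m["func"], "level": int(m["level"], 16),
             "code": None, "rfc4120": None, "text": None, "principal": None}
    err = ERR_RE.search(m["msg"])
    if err:
        event["code"] = int(err["code"])
        event["rfc4120"] = event["code"] - KRB5_TABLE_BASE  # 7 = KDC_ERR_S_PRINCIPAL_UNKNOWN, 12 = KDC_ERR_POLICY
        event["text"] = err["text"]
    princ = PRINC_RE.search(m["msg"])
    if princ:
        event["principal"] = princ["princ"]
    return event

def summarize(lines):
    """Count each failure once (map_krb5_error repeats get_and_save_tgt) and list validation principals."""
    events = [e for e in map(parse_line, lines) if e]
    errors = Counter((e["rfc4120"], e["text"]) for e in events
                     if e["func"] == "get_and_save_tgt" and e["code"] is not None)
    principals = sorted({e["principal"] for e in events if e["principal"]})
    return {"errors": errors, "validation_principals": principals}
```

Feeding `summarize()` the lines of a real krb5_child log separates the "server principal unknown" case from the "KDC policy" case and shows which host principal SSSD tried to validate the TGT against.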
Environment
- Red Hat Enterprise Linux 6
- Red Hat Enterprise Linux 7
- Red Hat Enterprise Linux 8
- SSSD
- Active Directory