Authentication fails for IPA or AD accounts due to KCM when SSSD is running

Solution Verified - Updated -

Issue

  • Getting the error "kinit: Connection refused while getting default ccache" while running "kinit admin".
  • AD user login fails with sss_child_krb5_trace_cb failed: "Matching credential not found" error in krb5_child.log
  • AD user cannot connect - [create_ccache] (0x0020): 1036: [-1765328188][Internal credentials cache error]
  • Unable to log in with any of the AD users (domain accounts)
    Joined AD with SSSD - cannot log in as AD user to the system - permission denied
  • AD user login fails with 4 (system error) in /var/log/secure
  • kinit fails with "kinit: Connection refused while getting default ccache"
  • krb5_child logs show errors like "Matching credential not found" and "Connection refused"
  • Any of the below errors could be seen in /var/log/sssd/krb5_child.log:

    [krb5_child[12345]] [create_ccache] (0x0020): 1027: [-1765328188][Internal credentials cache error]

    [krb5_child[12345]] [sss_get_ccache_name_for_principal] (0x2000): krb5_cc_cache_match failed: [111][Connection refused]

    [[sssd[krb5_child[12345]]]] [create_ccache] (0x0020): 998: [122][Disk quota exceeded]

    [krb5_child[12345]] [create_ccache] (0x0020): 991: [-1750600181][No KCM server found]
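The error signatures listed above can be picked out of /var/log/sssd/krb5_child.log with a small parser that handles both prefix forms and groups hits by error code and function. This is an added example, not Red Hat's or SSSD's code; the function names, the timestamp prefix, and the sample lines with PIDs other than 12345 are constructed for illustration.

```python
import re
from collections import Counter

# Codes and messages exactly as they appear in the log lines quoted above.
SIGNATURES = {
    -1765328188: "Internal credentials cache error",
    111: "Connection refused",
    122: "Disk quota exceeded",
    -1750600181: "No KCM server found",
}

# Accepts "[krb5_child[PID]]" and "[[sssd[krb5_child[PID]]]]" prefixes, any
# source line number or text after the level, then the final "[code][message]".
LINE_RE = re.compile(
    r"krb5_child\[(?P<pid>\d+)\]\]+\s+"
    r"\[(?P<func>\w+)\]\s+\((?P<level>0x[0-9a-fA-F]+)\):\s+"
    r".*?\[(?P<code>-?\d+)\]\[(?P<msg>[^\]]*)\]\s*$"
)

def parse_line(line):
    """Return a dict for a line carrying one of the known signatures, else None."""
    m = LINE_RE.search(line)
    if not m or int(m["code"]) not in SIGNATURES:
        return None
    return {"pid": int(m["pid"]), "func": m["func"],
            "level": int(m["level"], 16), "code": int(m["code"]), "msg": m["msg"]}

def summarize(lines):
    """Count matching events per (code, function) and collect affected PIDs."""
    counts, pids = Counter(), set()
    for line in lines:
        event = parse_line(line)
        if event:
            counts[(event["code"], event["func"])] += 1
            pids.add(event["pid"])
    return counts, pids

# Constructed sample input: the article's four signatures (the first with an
# assumed timestamp prefix) plus two lines that must be ignored.
SAMPLE = [
    "(2024-05-01 10:00:00): [krb5_child[2001]] [create_ccache] (0x0020): 1027: [-1765328188][Internal credentials cache error]",
    "[krb5_child[12345]] [sss_get_ccache_name_for_principal] (0x2000): krb5_cc_cache_match failed: [111][Connection refused]",
    "[[sssd[krb5_child[12345]]]] [create_ccache] (0x0020): 998: [122][Disk quota exceeded]",
    "[krb5_child[12345]] [create_ccache] (0x0020): 991: [-1750600181][No KCM server found] ",
    "[krb5_child[2002]] [get_and_save_tgt] (0x0020): 1543: [-1765328360][Preauthentication failed]",
    "[krb5_child[2003]] [main] (0x0400): krb5_child started.",
]
```

Calling `summarize(open("/var/log/sssd/krb5_child.log"))` on an affected host gives a per-signature count, which shows whether failures cluster on one error (for example only "Connection refused") or span several.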

Environment

  • Red Hat Enterprise Linux 7.4 and Later
  • Red Hat Enterprise Linux 8
  • Red Hat Enterprise Linux 9
    • sssd
    • sssd-kcm
  • Microsoft Windows Active Directory
