SSSD is picking the wrong principal for TGT verification
Issue
- SSSD does not select the correct host principal when validating the Kerberos ticket.
(2025-01-17 9:56:20): [krb5_child[83520]] [tgt_req_child] (0x1000): [RID#10] Attempting to get a TGT
(2025-01-17 9:56:20): [krb5_child[83520]] [get_and_save_tgt] (0x0400): [RID#10] Attempting kinit for realm [RJF.COM]
(2025-01-17 9:56:20): [krb5_child[83520]] [sss_child_krb5_trace_cb] (0x4000): [RID#10] [83520] 1737125780.461602: Getting initial credentials for test1\@TEST.NET@TEST.NET
...
$ cat sos_commands/krb5/klist_-ket_.etc.krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
110 01/17/25 09:03:05 EXAMPLE$@TEST.NET (aes128-cts-hmac-sha1-96)
110 01/17/25 09:03:05 EXAMPLE$@TEST.NET (aes256-cts-hmac-sha1-96)
110 01/17/25 09:03:05 host/EXAMPLE$@TEST.NET (aes128-cts-hmac-sha1-96)
Environment
- RHEL 8.10
- SSSD