Hello,
I am getting this error in my log:
Sep 11 22:51:36 myhost.ad.domain.lan ldap_child[221671]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
Reading about I found that this can happen if the key version number is desynchronized, which seems to be exactly my situation. Using the commands mentioned in that post:
# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
1 host/myhost.ad.domain.lan@AD.DOMAIN.LAN
1 host/MYHOST@AD.DOMAIN.LAN
1 host/myhost.ad.domain.lan@AD.DOMAIN.LAN
1 host/MYHOST@AD.DOMAIN.LAN
1 host/myhost.ad.domain.lan@AD.DOMAIN.LAN
1 host/MYHOST@AD.DOMAIN.LAN
1 restrictedkrbhost/myhost.ad.domain.lan@AD.DOMAIN.LAN
1 restrictedkrbhost/MYHOST@AD.DOMAIN.LAN
1 restrictedkrbhost/myhost.ad.domain.lan@AD.DOMAIN.LAN
1 restrictedkrbhost/MYHOST@AD.DOMAIN.LAN
1 restrictedkrbhost/myhost.ad.domain.lan@AD.DOMAIN.LAN
1 restrictedkrbhost/MYHOST@AD.DOMAIN.LAN
1 MYHOST$@AD.DOMAIN.LAN
1 MYHOST$@AD.DOMAIN.LAN
1 MYHOST$@AD.DOMAIN.LAN
2 MYHOST$@AD.DOMAIN.LAN
2 MYHOST$@AD.DOMAIN.LAN
2 host/myhost.ad.domain.lan@AD.DOMAIN.LAN
2 host/myhost.ad.domain.lan@AD.DOMAIN.LAN
2 host/MYHOST@AD.DOMAIN.LAN
2 host/MYHOST@AD.DOMAIN.LAN
2 restrictedkrbhost/myhost.ad.domain.lan@AD.DOMAIN.LAN
2 restrictedkrbhost/myhost.ad.domain.lan@AD.DOMAIN.LAN
2 restrictedkrbhost/MYHOST@AD.DOMAIN.LAN
2 restrictedkrbhost/MYHOST@AD.DOMAIN.LAN
Clearly the latest version is 2 (running with -kt
args shows that it is 4 months old) so somehow the computer account key has not been updated in a while.
It seems like the version should be 3:
> kvno -S host MYHOST
host/MYHOST@: kvno = 3
Now, according to this post, the solution is to refresh the computer account key but the the instructions given are for IPA.
After searching for how this is done via sssd
it appears that the keytab would be updated using adcli update
as per, but I get:
root@myhost.ad.domain.lan /v/h/myuser@ad.domain.lan# kinit Administrator
Password for Administrator@AD.DOMAIN.LAN:
root@myhost.ad.domain.lan /v/h/myuser@ad.domain.lan [1]# klist
Ticket cache: KCM:0
Default principal: administrator@AD.DOMAIN.LAN
Valid starting Expires Service principal
11/09/24 21:54:18 12/09/24 07:54:18 krbtgt/AD.DOMAIN.LAN@AD.DOMAIN.LAN
renew until 18/09/24 21:54:15
root@myhost.ad.domain.lan /v/h/myuser@ad.domain.lan# adcli update -v
* Found realm in keytab: AD.DOMAIN.LAN
* Found service principal in keytab: host/myhost.ad.domain.lan
* Found host qualified name in keytab: myhost.ad.domain.lan
* Found service principal in keytab: host/myhost
* Found service principal in keytab: restrictedkrbhost/myhost.ad.domain.lan
* Found service principal in keytab: restrictedkrbhost/myhost
* Found computer name in keytab: myhost
* Calculated domain name from host fqdn: ad.domain.lan
* Using computer account name: myhost
* Using domain realm: ad.domain.lan
* Discovering domain controllers: _ldap._tcp.ad.domain.lan
* Sending NetLogon ping to domain controller: dc1.ad.domain.lan
* Received NetLogon info from: dc1.ad.domain.lan
* Wrote out krb5.conf snippet to /tmp/adcli-krb5-eOVJzZ/krb5.d/adcli-krb5-conf-PinApq
! Couldn't authenticate as machine account: myhost: Preauthentication failed
adcli: couldn't connect to ad.domain.lan domain: Couldn't authenticate as machine account: myhost: Preauthentication failed
So, how can I sync up the key version number to fix this? Short of leaving/rejoining the domain, is there something else I could do?