
I have set up some RHEL9 servers to authenticate through the AD for the domain EXAMPLE.XYZ; this is done via Ansible playbooks, and so far all works well. (It's the same setup as this previous question: Joining domain via Ansible returns error "Already joined to this domain" while via shell is OK)

However, every few minutes, on each host (let's say on myhost42) there are bursts of error messages, several times per second, in /var/log/messages:

    Feb 19 15:23:32 myhost42 ldap_child[1647375]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client '[email protected]' not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP connection.

This is the /etc/krb5.conf file:

    includedir /etc/krb5.conf.d/
    includedir /var/lib/sss/pubconf/krb5.include.d/

    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     dns_lookup_realm = false
     dns_lookup_kdc = true
     ticket_lifetime = 24h
     renew_lifetime = 7d
     rdns = false
     forwardable = true
     default_realm = EXAMPLE.XYZ
     default_ccache_name = KEYRING:persistent:%{uid}
     udp_preference_limit = 0

    [realms]

    [domain_realm]

What can be done to troubleshoot the issue?


EDIT #1: Based on a comment below and my research, it might be due to a missing association between the AD domain and the Kerberos realm and/or missing entries in the Kerberos keytab.
However, I'm using the same configuration as another server farm, which works correctly.
This is the output of klist -kt /etc/krb5.keytab:

    Keytab name: FILE:/etc/krb5.keytab
    KVNO Timestamp           Principal
    ---- ------------------- ------------------------------------------------------
       3 02/25/2025 15:53:24 [email protected]
       3 02/25/2025 15:53:24 [email protected]
       3 02/25/2025 15:53:24 host/[email protected]
       3 02/25/2025 15:53:24 host/[email protected]
       3 02/25/2025 15:53:24 host/[email protected]
       3 02/25/2025 15:53:24 host/[email protected]
       3 02/25/2025 15:53:24 RestrictedKrbHost/[email protected]
       3 02/25/2025 15:53:24 RestrictedKrbHost/[email protected]
       3 02/25/2025 15:53:24 RestrictedKrbHost/[email protected]
       3 02/25/2025 15:53:24 RestrictedKrbHost/[email protected]
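A small triage helper for exactly this situation, added here as an example and not part of the question or of SSSD: it pulls the client principal out of the ldap_child error line, compares it against the principals listed by `klist -kt`, and says whether the problem is on the keytab side (no matching key, or a name-case mismatch) or on the KDC side (the key is present locally, so it is the AD computer object or realm mapping that needs checking, as the comment below suggests). The log line and keytab listing below are constructed samples modelled on the question; the FQDN myhost42.example.xyz is a placeholder.

```python
import re

# Constructed sample input modelled on the question (placeholder host names).
LOG_LINE = ("Feb 19 15:23:32 myhost42 ldap_child[1647375]: Failed to initialize credentials "
            "using keytab [MEMORY:/etc/krb5.keytab]: Client 'host/myhost42.example.xyz@EXAMPLE.XYZ' "
            "not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP connection.")

# Constructed `klist -kt /etc/krb5.keytab` output in the same layout as the question's.
KLIST_OUTPUT = """Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 02/25/2025 15:53:24 MYHOST42$@EXAMPLE.XYZ
   3 02/25/2025 15:53:24 host/myhost42.example.xyz@EXAMPLE.XYZ
   3 02/25/2025 15:53:24 RestrictedKrbHost/myhost42.example.xyz@EXAMPLE.XYZ
"""

# Matches the keytab path and client principal quoted in the SSSD ldap_child error.
LOG_RE = re.compile(r"keytab \[(?P<keytab>[^\]]+)\]: Client '(?P<client>[^']+)' "
                    r"not found in Kerberos database")


def parse_log_line(line):
    """Return (keytab, client_principal) from an ldap_child error line, or None."""
    m = LOG_RE.search(line)
    return (m.group("keytab"), m.group("client")) if m else None


def parse_klist(text):
    """Collect the principal column from `klist -kt` output (skips header/separator rows)."""
    principals = set()
    for ln in text.splitlines():
        parts = ln.split()
        # Data rows are: KVNO, date, time, principal
        if len(parts) == 4 and parts[0].isdigit() and "@" in parts[3]:
            principals.add(parts[3])
    return principals


def triage(log_line, klist_text):
    """Classify where to look next: 'kdc-side', 'case-mismatch', 'keytab-missing' or 'no-match'."""
    parsed = parse_log_line(log_line)
    if not parsed:
        return "no-match"
    _keytab, client = parsed
    principals = parse_klist(klist_text)
    if client in principals:
        # Key exists locally, yet the KDC rejects the name: check the AD computer
        # object and the domain-to-realm association rather than the keytab.
        return "kdc-side"
    if client.lower() in {p.lower() for p in principals}:
        return "case-mismatch"   # same name, different case: realm/host naming, not a lost key
    return "keytab-missing"      # no key for that principal: re-export/refresh the keytab
```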
  • You need to create a host entry - host/[email protected] in the kerberos database, then export the key into the hosts /etc/krb5.keytab file. At the moment, it is not clear if you have completed any of this. Commented Feb 20 at 19:33
