Kerberos Auth Problem after some hours/days

[j.schulz 0]

Hi,

 

we've used the rejoin-domain.sh script to add era to our ads, but after some time i am not sure how long it takes but after 1-3 days i cannot authenticate via ads account anymore, then when i rerun the rejoin-domain.sh it will work again so it must be something kerberos related.

 

So i tried to run kinit in shell and i found out that the domain has to be written in UPPERCASE... administrator@HAAN.LOCAL.

It seems that the system tried kerberos auth with haan.local instead of HAAN.LOCAL

 

I already checked krb5.conf but i cannot see something i should change:

[libdefaults]
        default_realm = HAAN.LOCAL
        ticket_lifetime = 24h
        forwardable = yes

[realms]
HAAN.LOCAL = {
        kdc = vs-ha-dc2.HAAN.LOCAL
}

[domain_realm]
        .haan.local = HAAN.LOCAL

The only thing i tried to change was vs-ha-dc2.haan.local to HAAN.LOCAL but i think that domain_realm (.haan.local = HAAN.LOCAL) will do this?

 

Can someone help please?

 

I could help myself with a dirty way, i created a keytab and use a cronjob each 12 hours and on reboot:

@reboot kinit administrator@HAAN.LOCAL -k -t /root/administrator.keytab >/dev/null 2>&1
* */12 * * * kinit administrator@HAAN.LOCAL -k -t /root/administrator.keytab >/dev/null 2>&1

I am not happy with this but i don't know what to check or change else.

 

 

Regards Jens

Edited July 24, 2016 by j.schulz

[MartinK 378]

My guess is that this is SELinux problem. Once you executed rejoin-domain.sh script (which indirectly executes kinit) your user became owner of kerberos tickets database. That is most probably reason why SERVER is not able to overtake it and update kerberos ticket for your domain (I guess logins works few days because of your time-to-live configuration of tickets, it can be seen using command klist).

 

To be sure it is this problem, once it occurs switch SELinux to permissive mode using command:

setenforce 0

and try to log in into domain from Webconsole. In case it will work you can re-neable SELinux using setenforce 1 and proceed with workaround:

 

Workaround for this issue may be running command kdestroy after re-joining domain. Command should destroy all tickets which will enable ERA to request it's own.