j.schulz, posted July 24, 2016 (edited)

Hi,

we've used the rejoin-domain.sh script to add ERA to our ADS, but after some time (I am not sure how long it takes, but after 1-3 days) I cannot authenticate via an ADS account anymore. When I rerun rejoin-domain.sh it works again, so it must be something Kerberos related.

So I tried to run kinit in a shell and found out that the domain has to be written in UPPERCASE: administrator@HAAN.LOCAL. It seems that the system tried Kerberos auth with haan.local instead of HAAN.LOCAL.

I already checked krb5.conf, but I cannot see anything I should change:

    [libdefaults]
        default_realm = HAAN.LOCAL
        ticket_lifetime = 24h
        forwardable = yes

    [realms]
        HAAN.LOCAL = {
            kdc = vs-ha-dc2.HAAN.LOCAL
        }

    [domain_realm]
        .haan.local = HAAN.LOCAL

The only thing I tried to change was vs-ha-dc2.haan.local to HAAN.LOCAL, but I think that domain_realm (.haan.local = HAAN.LOCAL) will do this? Can someone help, please?

I could help myself in a dirty way: I created a keytab and use a cron job every 12 hours and on reboot:

    # root's crontab: re-acquire the TGT from the keytab at boot and twice a day
    @reboot kinit administrator@HAAN.LOCAL -k -t /root/administrator.keytab >/dev/null 2>&1
    # minute field must be 0, not *, or kinit runs every minute of hours 00 and 12
    0 */12 * * * kinit administrator@HAAN.LOCAL -k -t /root/administrator.keytab >/dev/null 2>&1

I am not happy with this, but I don't know what else to check or change.

Regards
Jens
MartinK (ESET Staff), posted July 24, 2016

My guess is that this is an SELinux problem. Once you executed the rejoin-domain.sh script (which indirectly executes kinit), your user became owner of the Kerberos ticket database. That is most probably the reason why the SERVER is not able to take it over and update the Kerberos ticket for your domain (I guess logins work for a few days because of the time-to-live configuration of your tickets; it can be seen using the command klist).

To be sure it is this problem, once it occurs switch SELinux to permissive mode using the command:

    setenforce 0

and try to log in to the domain from the Web Console. In case it works, you can re-enable SELinux using

    setenforce 1

and proceed with the workaround.

A workaround for this issue may be running the command kdestroy after re-joining the domain. The command should destroy all tickets, which will enable ERA to request its own.
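The thread points at three things an administrator would check by hand: the upper-case realm that kinit insists on, whether the cache still holds a valid ticket (klist), and who owns the cache file. The script below is an added example, not code posted in the thread or shipped with ERA. It bundles those checks and replaces the blind every-12-hours cron job with a renewal that only calls kinit when klist -s reports no valid ticket. The principal and keytab path are the ones from the first post; the cache path /tmp/krb5cc_era, the script name renew-tgt.sh and the default-realm fallback are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from ERA: check and renew the
# Kerberos TGT the way the thread suggests, but only when it is actually needed.
# Assumptions (not from the original post): the cache lives at /tmp/krb5cc_era,
# the script is installed as renew-tgt.sh, and the default realm used when a
# principal has none is HAAN.LOCAL (matching the posted krb5.conf).

PRINCIPAL="${PRINCIPAL:-administrator@HAAN.LOCAL}"   # from the first post
KEYTAB="${KEYTAB:-/root/administrator.keytab}"       # from the first post
CCACHE="${CCACHE:-/tmp/krb5cc_era}"                  # assumed
DEFAULT_REALM="${DEFAULT_REALM:-HAAN.LOCAL}"         # default_realm in the posted krb5.conf

# Kerberos realm names are case-sensitive: the poster found that kinit accepts
# administrator@HAAN.LOCAL but not administrator@haan.local. Upper-case the
# realm part (after the last '@'); append the default realm if none is given.
normalize_principal() {
    _user="${1%@*}"
    if [ "$_user" = "$1" ]; then
        _realm="$DEFAULT_REALM"
    else
        _realm=$(printf '%s' "${1##*@}" | tr '[:lower:]' '[:upper:]')
    fi
    printf '%s@%s\n' "$_user" "$_realm"
}

# Print the owner of a credential cache file ("FILE:" prefix optional).
# MartinK's diagnosis is that the cache belongs to the user who ran
# rejoin-domain.sh rather than to the account ERA runs as; compare this
# output with that account. Returns 1 if the file does not exist.
ccache_owner() {
    _f="${1#FILE:}"
    [ -f "$_f" ] || return 1
    # field 3 of ls -l is the owner; stat(1) flags differ between GNU and BSD
    ls -ld "$_f" | awk '{print $3}'
}

# 0 if the cache holds a valid (unexpired) ticket, non-zero otherwise.
# klist -s prints nothing and exits non-zero when no valid ticket is present.
have_valid_ticket() {
    KRB5CCNAME="$1" klist -s
}

# Replacement for the every-12-hours cron job: obtain a new TGT from the
# keytab only when the current one is missing or expired (ticket_lifetime
# is 24h in the posted krb5.conf).
renew_if_needed() {
    _princ=$(normalize_principal "$PRINCIPAL")
    if have_valid_ticket "$CCACHE"; then
        echo "valid ticket for $_princ in $CCACHE; nothing to do"
        return 0
    fi
    echo "no valid ticket in $CCACHE; running kinit for $_princ"
    KRB5CCNAME="$CCACHE" kinit -k -t "$KEYTAB" "$_princ"
}

# Only renew when invoked under the assumed script name, so the functions
# can also be sourced from another script or an interactive shell.
if [ "${0##*/}" = "renew-tgt.sh" ]; then
    renew_if_needed
fi
```

Installed as renew-tgt.sh and run hourly from root's crontab (0 * * * * /usr/local/sbin/renew-tgt.sh), it only touches the KDC when the ticket has actually lapsed. Run `ccache_owner "$KRB5CCNAME"` (or `ccache_owner /tmp/krb5cc_0`) right after rejoin-domain.sh to see whether the cache ended up owned by the interactive user, which is the situation MartinK's kdestroy workaround clears.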