Issues with Keytab Refresh for Smart Card Authentication

Asked By CuriousCat42 On

I'm trying to establish reliable smart card authentication for my Redhat 9.x clients that are joined to Active Directory. At first, the setup worked fine, but we ran into an issue with the keytab entries after the initial password rotation. When the machines are freshly joined, the keytab has both upper and lower case entries for the client, but after refreshing, it only shows the upper case ticket. This leads to authentication failures indicated by error logs stating 'credential verification failed: Cannot find key for host/COMPUTER$@REALM kvno x in keytab.' I'm currently using 'net' to join the machines instead of 'realm', which might be part of the issue. I'm seeking advice on how to handle this, or if there's a change to sssd.conf that could help without having to switch to 'realm'. I have a test environment where I haven't seen this problem yet, so I'm curious about simulating a password refresh to replicate the situation. Any insights would be greatly appreciated!
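As an added example (not from the original question or any of the replies), a POSIX sh check that parses the text of `klist -kte` and reports whether both case variants of the host principal are present at the KVNO named in the "Cannot find key for host/COMPUTER$@REALM kvno x" error; the hostname, realm, KVNO and the sample keytab listing are constructed values.

```shell
#!/bin/sh
# Added example, not code from the thread: verify that the keytab still holds
# the host principal SSSD looks up, in both letter cases, at the expected KVNO.
# It reads the text of `klist -kte`, so it can also run on a saved copy offline.

# Constructed sample: a keytab after the refresh described in the question,
# where only the upper-case host/COMPUTER$ entry was renewed to the new KVNO.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   4 01/02/2024 09:15:00 host/COMPUTER$@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   4 01/02/2024 09:15:00 COMPUTER$@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 12/01/2023 08:00:00 host/computer$@EXAMPLE.COM (aes256-cts-hmac-sha1-96)'

# keytab_has_key KLIST_TEXT PRINCIPAL KVNO
# Exit 0 if an entry for PRINCIPAL exists at exactly KVNO. The match is
# case-sensitive on purpose: that is what the failing keytab lookup does.
keytab_has_key() {
    printf '%s\n' "$1" | awk -v p="$2" -v k="$3" '
        $1 == k && $4 == p { found = 1 }
        END { exit found ? 0 : 1 }'
}

# keytab_case_report KLIST_TEXT HOST REALM KVNO
# Prints one line per case variant of host/HOST$@REALM and returns the number
# of variants missing at KVNO (0 means the keytab is consistent).
keytab_case_report() {
    _text=$1; _host=$2; _realm=$3; _kvno=$4; _missing=0
    _upper=$(printf '%s' "$_host" | tr '[:lower:]' '[:upper:]')
    _lower=$(printf '%s' "$_host" | tr '[:upper:]' '[:lower:]')
    for _p in "host/${_upper}\$@${_realm}" "host/${_lower}\$@${_realm}"; do
        if keytab_has_key "$_text" "$_p" "$_kvno"; then
            echo "ok      kvno $_kvno $_p"
        else
            echo "MISSING kvno $_kvno $_p"
            _missing=$((_missing + 1))
        fi
    done
    return $_missing
}

# Run against the constructed sample; the lower-case entry is stale at kvno 3.
keytab_case_report "$SAMPLE_KLIST" computer EXAMPLE.COM 4 \
    || echo "keytab inconsistent: $? principal(s) missing at the current kvno"
# Against a live host (as root), feed it the real listing instead:
#   keytab_case_report "$(klist -kte /etc/krb5.keytab)" "$(hostname -s)" EXAMPLE.COM 4
```

A MISSING line for the lower-case variant at the current KVNO is exactly the state that produces the "Cannot find key" error quoted above, so this check can run after each refresh to catch the drift before logins fail.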

2 Answers

Answered By LinuxGuru88 On

Yeah, most people have moved away from using 'net join' due to its quirks. You might also want to consider automating the process entirely with adcli instead, which works great with scripting and can keep your configs in check. It's definitely worth looking into using certificate-based domain joins, as it simplifies the whole process by eliminating the need for admin credentials each time. Think about using Ansible to handle this during server provisioning—it could save you a lot of headaches!

TechieNerd12 -

That's a solid approach! Simplifying with automation not only saves time but also helps in scaling your infrastructure efficiently.

Answered By TechWhiz21 On

It sounds like you're dealing with an issue related to how Active Directory handles case sensitivity. The duplicate SPNs in upper and lower case are likely conflicting since Windows is generally case insensitive. I believe that recent updates in Samba have tried to resolve some of these duplicates, but if you're using 'net ads join', it might not function optimally with SSSD. My recommendation would be to consider switching to using 'realm join' instead, as it can simplify the process, especially for keytab file management. Also, automating your setup using Ansible can help you maintain consistency and reduce configuration drift as you evolve your deployment.

UserSupport90 -

I agree! Using realm can smooth out many of these issues, especially regarding the keytab. If possible, explore creating templates for your configuration files as well, so you can easily manage changes.
