使用 SSSD 自动更新 Kerberos 主机 Keytab

这里有没有人见过他们的 Linux 服务器由于机器凭证过期而被从 AD 域中删除？我们正在使用 sssd-1.13.3-56.el6 (Centos 6) 进行 AD 身份验证

每https://bugzilla.redhat.com/show_bug.cgi?id=1290761“，sssd 应该能够自动更新主机凭据。根据相关的 Red Hat 文档（“将 Red Hat Enterprise Linux 6 与 Active Directory 集成”），没有提及加入 AD 时应采取的任何额外配置步骤。

根据我的搜索，有些确实会运行 cron 作业来更新主机凭据”https://lists.fedorahosted.org/archives/list/[电子邮件保护]/线程/CRA43XHHDBPAENAYJ3INUWSCE2Q2NB5W/“

SSSD Kerberos AD Centos 故障排除

我们是否需要运行一个 cron 作业：“msktutil --auto-update”和“kinit -k $”？

或者 sssd 应该能够处理这个问题？

您是否在 sssd.conf 中设置了“ad_maximum_machine_account_password_age”或者将其保留为默认的 30 天。

干杯，

更新：@jhrozek，感谢您的评论。
我的配置仍然出现同样的问题。
看来票证在 5 月 28 日没有续订，服务器退出了域：

    # net ads testjoin   
kerberos_kinit_password [email protected] failed: Preauthentication failed     
kerberos_kinit_password [email protected] failed: Preauthentication failed     
Join to domain is not valid: Logon failure    

Keytab 状态：

# klist -kt
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 04/28/17 02:57:54 host/[email protected]
   2 04/28/17 02:57:54 host/[email protected]
   2 04/28/17 02:57:54 host/[email protected]
   2 04/28/17 02:57:54 host/[email protected]
   2 04/28/17 02:57:54 host/[email protected]
   2 04/28/17 02:57:54 host/[email protected]
   2 04/28/17 02:57:54 host/[email protected]
   2 04/28/17 02:57:54 host/[email protected]
   2 04/28/17 02:57:55 host/[email protected]
   2 04/28/17 02:57:55 host/[email protected]
   2 04/28/17 02:57:55 [email protected]
   2 04/28/17 02:57:55 [email protected]
   2 04/28/17 02:57:55 [email protected]
   2 04/28/17 02:57:55 [email protected]
   2 04/28/17 02:57:55 [email protected]
   3 05/28/17 14:01:39 [email protected]
   3 05/28/17 14:01:39 [email protected]
   3 05/28/17 14:01:39 [email protected]
   3 05/28/17 14:01:39 [email protected]
   3 05/28/17 14:01:39 [email protected]
   3 05/28/17 14:01:39 host/[email protected]
   3 05/28/17 14:01:39 host/[email protected]
   3 05/28/17 14:01:39 host/[email protected]
   3 05/28/17 14:01:39 host/[email protected]
   3 05/28/17 14:01:39 host/[email protected]
   3 05/28/17 14:01:39 host/[email protected]
   3 05/28/17 14:01:39 host/[email protected]
   3 05/28/17 14:01:39 host/[email protected]
   3 05/28/17 14:01:39 host/[email protected]
   3 05/28/17 14:01:39 host/[email protected]

这看起来像是在 5 月 28 日更新了票，但不知何故服务器帐户被删除了？

已安装 SSSD 和 ADCLI 包：

# rpm -qa | grep sssd
sssd-client-1.13.3-56.el6.x86_64
sssd-ipa-1.13.3-56.el6.x86_64
sssd-proxy-1.13.3-56.el6.x86_64
python-sssdconfig-1.13.3-56.el6.noarch
sssd-common-pac-1.13.3-56.el6.x86_64
sssd-krb5-1.13.3-56.el6.x86_64
sssd-krb5-common-1.13.3-56.el6.x86_64
sssd-ldap-1.13.3-56.el6.x86_64
sssd-common-1.13.3-56.el6.x86_64
sssd-ad-1.13.3-56.el6.x86_64
sssd-1.13.3-56.el6.x86_64


# rpm -qa | grep adcli
adcli-0.8.1-1.el6.x86_64

并且，sssd.conf：

[sssd]
domains = stage.example.com
services = nss, pam, ssh
config_file_version = 2
default_domain_suffix = main.example.com
full_name_format = %1$s@%2$s

re_expression = (((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))

[domain/stage.example.com
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
cache_credentials = false
ad_domain = stage.example.com
ldap_id_mapping = true
krb5_realm = STAGE.example.com
default_shell = /bin/bash
ad_gpo_access_control = permissive
override_homedir = /home/admin/%u

和 krb5.conf：

[logging]


default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = STAGE.EXAMPLE.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = true


clockskew = true
proxiable = true

[realms]

 STAGE.EXAMPLE.COM = {
  kdc = 172.31.1.252
  kdc = 172.31.0.252

  admin_server = 172.31.1.252
  admin_server = 172.31.0.252
 }

[domain_realm]
 stage.example.com = STAGE.EXAMPLE.COM
 .stage.example.com = STAGE.EXAMPLE.COM

有什么建议可以解决这个问题吗？