TechQA.

SSSD "KDC has no support for encryption; Preauthentication failed"

1.9k views Asked by At

Have a problem where have SSSD installed on a remote desktop (running CentOS7) and occasionally have problems logging in (including via ssh) using my AD credentials. Ssh'ing in as root and checking the status of the sssd process, I see...

[root@airflowetl tmp]# systemctl status sssd
● sssd.service - System Security Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2020-01-22 16:52:28 HST; 8 months 6 days ago
 Main PID: 122026 (sssd)
   CGroup: /system.slice/sssd.service
           ├─122026 /usr/sbin/sssd -i --logger=files
           ├─122027 /usr/libexec/sssd/sssd_be --domain co.local --uid 0 --gid 0 --logger=files
           ├─122028 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
           └─122029 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files

Sep 29 00:47:26 airflowetl.co.local sssd_be[122027]: GSSAPI client step 1
Sep 29 00:47:26 airflowetl.co.local sssd_be[122027]: GSSAPI client step 1
Sep 29 00:47:26 airflowetl.co.local sssd_be[122027]: GSSAPI client step 2
Sep 29 00:57:35 airflowetl.co.local [sssd[krb5_child[28812]]][28812]: KDC has no support for encryption type
Sep 29 00:57:49 airflowetl.co.local [sssd[krb5_child[28986]]][28986]: KDC has no support for encryption type
Sep 29 00:57:49 airflowetl.co.local [sssd[krb5_child[28986]]][28986]: KDC has no support for encryption type
Sep 29 00:58:20 airflowetl.co.local [sssd[krb5_child[29397]]][29397]: Preauthentication failed
Sep 29 00:58:20 airflowetl.co.local [sssd[krb5_child[29397]]][29397]: Preauthentication failed
Sep 29 00:58:20 airflowetl.co.local [sssd[krb5_child[29397]]][29397]: Preauthentication failed

From here I can su into my regular AD-linked account and usually some time later, I see...

[root@airflowetl tmp]# systemctl status sssd
● sssd.service - System Security Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2020-01-22 16:52:28 HST; 8 months 6 days ago
 Main PID: 122026 (sssd)
   CGroup: /system.slice/sssd.service
           ├─122026 /usr/sbin/sssd -i --logger=files
           ├─122027 /usr/libexec/sssd/sssd_be --domain co.local --uid 0 --gid 0 --logger=files
           ├─122028 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
           └─122029 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files

Sep 29 01:02:15 airflowetl.co.local [sssd[krb5_child[32905]]][32905]: KDC has no support for encryption type
Sep 29 01:02:15 airflowetl.co.local [sssd[krb5_child[32905]]][32905]: KDC has no support for encryption type
Sep 29 01:02:15 airflowetl.co.local [sssd[krb5_child[32905]]][32905]: KDC has no support for encryption type
Sep 29 01:02:26 airflowetl.co.local sssd_be[122027]: GSSAPI client step 1
Sep 29 01:02:26 airflowetl.co.local sssd_be[122027]: GSSAPI client step 1
Sep 29 01:02:26 airflowetl.co.local sssd[be[co.local]][122027]: GSSAPI Error: Unspecified GSS failure.  Minor code may p...ype)
Sep 29 01:02:26 airflowetl.co.local sssd_be[122027]: GSSAPI client step 1
Sep 29 01:02:26 airflowetl.co.local sssd_be[122027]: GSSAPI client step 1
Sep 29 01:02:26 airflowetl.co.local sssd_be[122027]: GSSAPI client step 1
Sep 29 01:02:26 airflowetl.co.local sssd_be[122027]: GSSAPI client step 2

...and then trying to log into the remote desktop with my AD credentials do work (IDK if suing into my account from root has any correlation to this).

My /etc/krb5.conf file looks like...

# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
# default_realm = EXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}

 default_realm = CO.LOCAL
[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }

 CO.LOCAL = {
 }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
 co.local = CO.LOCAL
 .co.local = CO.LOCAL

Does anyone know why this could be happening? Any further debugging suggestions (difficult to test since only seems to happen infrequently and I don't have much experience with SSSD to be able to force it to occur)?

sssd
Original Q&A
0

There are 0 answers

Related Questions in SSSD

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions