SSSD & Host Keytab Renewal for AD Domain Join

General support questions
lnx
Posts: 1
Joined: 2017/05/16 19:06:18

SSSD & Host Keytab Renewal for AD Domain Join

Postby lnx » 2017/05/16 19:10:47

Hi everybody,
We are in the process of converting to SSSD for our CentOS 6.9 & 7.3 servers.
We have the latest available "sssd-1.13.3-56.el6.x86_64" &
"adcli-0.8.1-1.el6.x86_64" installed for our platform.
In a month or so most of our servers had dropped out of the domain.
We followed several documents, including "Integrating Red Hat Enterprise Linux 6 with
Active Directory" and "Red Hat Enterprise Linux 7.3 Beta Windows Integration
Guide".

I don't recall seeing any references to what should be configured to enable automatic Kerberos host keytab renewal
in those documents.
After the issue we started looking into it and saw recommendations about running cron
jobs to renew host keytabs:
"https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org/thread/CRA43XHHDBPAENAYJ3INUWSCE2Q2NB5W/"

Other documentation however indicated this issue has been addressed after
sssd-1.13.3-8.el6:
"https://bugzilla.redhat.com/show_bug.cgi?id=1290761"

My question is: do we still need to configure a cron job to run "msktutil
--auto-update" and "kinit -k <servername>$"?

Is the default value of "ad_maximum_machine_account_password_age = 30" sufficient
for auto renewals?
We checked with AD team and they say machine passwords rotate every 30 days.

Thank you

Chirpychirps77
Posts: 12
Joined: 2018/01/12 01:36:06

Re: SSSD & Host Keytab Renewal for AD Domain Join

Postby Chirpychirps77 » 2018/01/12 02:10:43

Hi,

Don't know if you eventually found your answer, but after joining AD with adcli and configuring your krb5.conf and sssd.conf, you don't need the cron job.
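One way to confirm on a joined host that the machine password is actually being rotated rather than trusting the cron-job-or-not question: parse `klist -kt` and compare the newest key's timestamp with the 30-day `ad_maximum_machine_account_password_age` window. This is an added example, not code from either poster; the host name, realm and keytab listing are constructed, and it assumes MIT Kerberos `klist -kt` output format and GNU `date -d`.

```shell
#!/bin/sh
# Keytab-rotation check: if the newest key in /etc/krb5.keytab is older than
# the machine account password age SSSD is expected to enforce, renewal is
# not happening and the host will eventually fall out of the domain.

# Constructed sample of `klist -kt /etc/krb5.keytab` output (not a real host).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   5 03/15/2017 10:02:11 host/server1.example.com@EXAMPLE.COM
   5 03/15/2017 10:02:11 SERVER1$@EXAMPLE.COM
   6 04/14/2017 10:05:42 host/server1.example.com@EXAMPLE.COM
   6 04/14/2017 10:05:42 SERVER1$@EXAMPLE.COM'

# Print the highest key version number (KVNO) found in the listing.
keytab_newest_kvno() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ && $1+0 > m { m = $1+0 } END { print m+0 }'
}

# Print the timestamp of the newest key (highest KVNO) as seconds since the epoch.
# klist prints MM/DD/YYYY; it is rewritten to YYYY-MM-DD for GNU date.
keytab_newest_epoch() {
    stamp=$(printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ && $1+0 >= m { m = $1+0; d = $2; t = $3 }
        END { split(d, p, "/"); printf "%s-%s-%s %s\n", p[3], p[1], p[2], t }')
    date -d "$stamp" +%s
}

# Print whole days between the newest key and $2 (epoch seconds; defaults to now).
keytab_age_days() {
    now=${2:-$(date +%s)}
    newest=$(keytab_newest_epoch "$1")
    echo $(( (now - newest) / 86400 ))
}

# True (exit 0) when the newest key is older than $3 days; $3 defaults to 30,
# the default ad_maximum_machine_account_password_age.
keytab_stale() {
    [ "$(keytab_age_days "$1" "$2")" -gt "${3:-30}" ]
}

# On a real host:
#   keytab_stale "$(klist -kt /etc/krb5.keytab)" && echo "host keytab not renewed in 30 days"
```

A KVNO that never increments over several weeks is the same symptom seen from the KDC side (`kinit -k` for the host principal starts failing once AD has expired the old password).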