I thought that it was a machine account password expiration issue, but running adcli update does not help. I tried changing the Group Policy for machine password expiration, but that did not help either.
CentOS 7.4.1708
Samba 4.6.2
sssd-krb5-1.15.2
SSSD 1.15.2-50
realmd-0.16.1-9
The error message on the client side is
"\\cheetoes is not accessible. You might not have permissions to use this network resource. Contact the administrator of this server to find out if you have access permissions.
Login Failure: The target account name is incorrect"
[2018/05/09 12:03:41.622878, 0] ../source3/libads/kerberos_util.c:74(ads_kinit_password)
kerberos_kinit_password CHEETOES$@HYMESRUZICKA.ORG failed: Preauthentication failed
[2018/05/09 12:03:41.622923, 1] ../source3/libads/sasl.c:821(ads_sasl_spnego_bind)
ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/true-companion.hymesruzicka.org with user[CHEETOES$] realm=[HYMESRUZICKA.ORG]: Preauthentication failed
[2018/05/09 12:06:58.259646, 1] ../source3/librpc/crypto/gse.c:646(gse_get_server_auth_token)
gss_accept_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: Request ticket server cifs/CHEETOES.hymesruzicka.org@HYMESRUZICKA.ORG not found in keytab (ticket kvno 3)]
[2018/05/09 12:06:59.099902, 1] ../source3/librpc/crypto/gse.c:646(gse_get_server_auth_token)
gss_accept_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: Request ticket server cifs/CHEETOES.hymesruzicka.org@HYMESRUZICKA.ORG not found in keytab (ticket kvno 3)]
I'm particularly puzzled why rejoining works, but only for a while.
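
Added example, not part of the original post: a small Python check that pulls the service principal and ticket kvno out of Samba's "not found in keytab" messages and compares them with plain `klist -k` output. The keytab listing below is constructed for illustration, so the result says nothing about the poster's actual keytab; the function names are hypothetical.

```python
import re

# Samba log entry in the format quoted in the post (message text copied from it).
SAMBA_LOG = """\
[2018/05/09 12:06:58.259646, 1] ../source3/librpc/crypto/gse.c:646(gse_get_server_auth_token)
  gss_accept_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: Request ticket server cifs/CHEETOES.hymesruzicka.org@HYMESRUZICKA.ORG not found in keytab (ticket kvno 3)]
"""

# CONSTRUCTED `klist -k` output for illustration; not the poster's keytab.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
   2 CHEETOES$@HYMESRUZICKA.ORG
   2 cifs/CHEETOES.hymesruzicka.org@HYMESRUZICKA.ORG
"""

MISS_RE = re.compile(r"Request ticket server (\S+) not found in keytab \(ticket kvno (\d+)\)")
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s*$")

def requested_tickets(log_text):
    """Return the set of (principal, kvno) pairs the server could not find."""
    return {(m.group(1), int(m.group(2))) for m in MISS_RE.finditer(log_text)}

def keytab_kvnos(klist_text):
    """Map each principal in `klist -k` output to the kvnos stored for it."""
    entries = {}
    for line in klist_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.setdefault(m.group(2), set()).add(int(m.group(1)))
    return entries

def diagnose(log_text, klist_text):
    """Classify each miss: principal absent, other kvnos only, or kvno present."""
    keytab = keytab_kvnos(klist_text)
    findings = []
    for principal, kvno in sorted(requested_tickets(log_text)):
        have = sorted(keytab.get(principal, ()))
        if not have:
            verdict = "principal missing from keytab"
        elif kvno not in have:
            verdict = f"kvno mismatch: keytab has {have}"
        else:
            verdict = "entry present with that kvno"
        findings.append((principal, kvno, verdict))
    return findings

if __name__ == "__main__":
    for principal, kvno, verdict in diagnose(SAMBA_LOG, KLIST_OUTPUT):
        print(f"{principal} (ticket kvno {kvno}): {verdict}")
```

Principal names are compared exactly, including case, so an entry that differs only in the case of the host name is reported as missing.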