Has anyone here seen their Linux servers removed from an AD domain due to expired machine credentials? We are using AD authentication with sssd-1.13.3-56.el6 (CentOS 6).

Per "https://bugzilla.redhat.com/show_bug.cgi?id=1290761", sssd should be able to auto-renew host credentials. There is no mention of any extra configuration steps that should be taken while joining the AD domain in the related Red Hat documentation ("Integrating Red Hat Enterprise Linux 6 with Active Directory").

Per my search, some do run cron jobs to renew host credentials: "https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org/thread/CRA43XHHDBPAENAYJ3INUWSCE2Q2NB5W/"


Do we need a cron job to run: "msktutil --auto-update" and "kinit -k $"?

Or should sssd be able to handle this?

Do you set "ad_maximum_machine_account_password_age" in sssd.conf, or leave it out for the default of 30 days?


UPDATE: @jhrozek, thank you for your comment.
I am still seeing the same issue with my configuration.
It looks like the ticket did not get renewed on May 28th and the server dropped out of the domain:

    # net ads testjoin
    kerberos_kinit_password I-12345CV3EABF$@STAGE.example.com failed: Preauthentication failed
    kerberos_kinit_password I-12345CV3EABF$@STAGE.example.com failed: Preauthentication failed
    Join to domain is not valid: Logon failure

Keytab status:

    # klist -kt
    Keytab name: FILE:/etc/krb5.keytab
    KVNO Timestamp         Principal
    ---- ----------------- --------------------------------------------------------
       2 04/28/17 02:57:54 host/i-12345cv3eabf.stage.example.com@STAGE.example.com
       2 04/28/17 02:57:54 host/i-12345cv3eabf.stage.example.com@STAGE.example.com
       2 04/28/17 02:57:54 host/i-12345cv3eabf.stage.example.com@STAGE.example.com
       2 04/28/17 02:57:54 host/i-12345cv3eabf.stage.example.com@STAGE.example.com
       2 04/28/17 02:57:54 host/i-12345cv3eabf.stage.example.com@STAGE.example.com
       2 04/28/17 02:57:54 host/I-12345CV3EABF@STAGE.example.com
       2 04/28/17 02:57:54 host/I-12345CV3EABF@STAGE.example.com
       2 04/28/17 02:57:54 host/I-12345CV3EABF@STAGE.example.com
       2 04/28/17 02:57:55 host/I-12345CV3EABF@STAGE.example.com
       2 04/28/17 02:57:55 host/I-12345CV3EABF@STAGE.example.com
       2 04/28/17 02:57:55 I-12345CV3EABF$@STAGE.example.com
       2 04/28/17 02:57:55 I-12345CV3EABF$@STAGE.example.com
       2 04/28/17 02:57:55 I-12345CV3EABF$@STAGE.example.com
       2 04/28/17 02:57:55 I-12345CV3EABF$@STAGE.example.com
       2 04/28/17 02:57:55 I-12345CV3EABF$@STAGE.example.com
       3 05/28/17 14:01:39 I-12345CV3EABF$@STAGE.example.com
       3 05/28/17 14:01:39 I-12345CV3EABF$@STAGE.example.com
       3 05/28/17 14:01:39 I-12345CV3EABF$@STAGE.example.com
       3 05/28/17 14:01:39 I-12345CV3EABF$@STAGE.example.com
       3 05/28/17 14:01:39 I-12345CV3EABF$@STAGE.example.com
       3 05/28/17 14:01:39 host/i-12345cv3eabf.stage.example.com@STAGE.example.com
       3 05/28/17 14:01:39 host/i-12345cv3eabf.stage.example.com@STAGE.example.com
       3 05/28/17 14:01:39 host/i-12345cv3eabf.stage.example.com@STAGE.example.com
       3 05/28/17 14:01:39 host/i-12345cv3eabf.stage.example.com@STAGE.example.com
       3 05/28/17 14:01:39 host/i-12345cv3eabf.stage.example.com@STAGE.example.com
       3 05/28/17 14:01:39 host/I-12345CV3EABF@STAGE.example.com
       3 05/28/17 14:01:39 host/I-12345CV3EABF@STAGE.example.com
       3 05/28/17 14:01:39 host/I-12345CV3EABF@STAGE.example.com
       3 05/28/17 14:01:39 host/I-12345CV3EABF@STAGE.example.com
       3 05/28/17 14:01:39 host/I-12345CV3EABF@STAGE.example.com

Does this look like it renewed the ticket on 5/28 but somehow the server account got deleted?

SSSD & ADCLI packages installed:

    # rpm -qa | grep sssd

    # rpm -qa | grep adcli

And sssd.conf:

    [sssd]
    domains = stage.example.com
    services = nss, pam, ssh
    config_file_version = 2
    default_domain_suffix = main.example.com
    full_name_format = %1$s@%2$s
    re_expression = (((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))

    [domain/stage.example.com]
    id_provider = ad
    auth_provider = ad
    access_provider = ad
    chpass_provider = ad
    cache_credentials = false
    ad_domain = stage.example.com
    ldap_id_mapping = true
    krb5_realm = STAGE.example.com
    default_shell = /bin/bash
    ad_gpo_access_control = permissive
    override_homedir = /home/admin/%u

And krb5.conf:

    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = STAGE.EXAMPLE.COM
     dns_lookup_realm = true
     dns_lookup_kdc = true
     ticket_lifetime = 24h
     forwardable = true
     clockskew = true
     proxiable = true

    [realms]
     STAGE.EXAMPLE.COM = {
      kdc =
      kdc =
      admin_server =
      admin_server =
     }

    [domain_realm]
     stage.example.com = STAGE.EXAMPLE.COM
     .stage.example.com = STAGE.EXAMPLE.COM

Any suggestions to troubleshoot this?

  • Are you sure your Linux servers were removed from AD domain **due to expired machine credentials?** It shouldn't happen – Ra_ Jul 31 '19 at 06:49
  • I can't speak for the OP, but we're having the same problem and the server logs clearly indicate that the problem is a still mysterious inability to renew Kerberos tickets. This is on Ubuntu 18.04 machines. – pgoetz Sep 13 '19 at 13:48
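The question turns on whether the machine-account key in /etc/krb5.keytab is actually being rotated before the AD password age limit is reached. A cheap way to watch for that on each host is to parse `klist -kt`, find the machine-account principal (the one of the form `HOSTNAME$@REALM`), and flag when its newest key is older than the renewal interval. The script below is an added example, not code from the question, the answers or the sssd project. It assumes the timestamp layout shown in the question's `klist -kt` output (`MM/DD/YY HH:MM:SS`, which is locale dependent), and its 30-day default mirrors the default of `ad_maximum_machine_account_password_age` mentioned in the question; the sample keytab listing is constructed and abbreviated from the question's output.

```python
"""Flag an AD-joined host whose machine-account keytab entry has not been rotated.

Added example (not from the question or the sssd project). Assumes MIT klist's
default timestamp format as shown in the question; adjust ENTRY_RE for other locales.
"""
import re
from datetime import datetime, timedelta

# Constructed sample, abbreviated from the shape of the question's `klist -kt` output.
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 04/28/17 02:57:54 host/i-12345cv3eabf.stage.example.com@STAGE.example.com
   2 04/28/17 02:57:55 I-12345CV3EABF$@STAGE.example.com
   3 05/28/17 14:01:39 I-12345CV3EABF$@STAGE.example.com
   3 05/28/17 14:01:39 host/i-12345cv3eabf.stage.example.com@STAGE.example.com
"""

# One keytab entry line: KVNO, date, time, principal (header/separator lines do not match).
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\d{2}/\d{2}/\d{2}) (\d{2}:\d{2}:\d{2})\s+(\S+)\s*$")

# Machine-account principals look like NAME$@REALM (no service/ prefix).
MACHINE_RE = re.compile(r"^[^/@]+\$@")


def parse_klist(text):
    """Return a list of (kvno, timestamp, principal) tuples from `klist -kt` output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(2) + " " + m.group(3), "%m/%d/%y %H:%M:%S")
            entries.append((int(m.group(1)), ts, m.group(4)))
    return entries


def latest_machine_key(entries):
    """Pick the machine-account entry with the highest KVNO (newest timestamp as tiebreak)."""
    machine = [e for e in entries if MACHINE_RE.match(e[2])]
    if not machine:
        return None
    return max(machine, key=lambda e: (e[0], e[1]))


def check_keytab(text, now, max_age_days=30):
    """Classify the keytab: 'ok' if the newest machine key is within max_age_days, else 'stale'."""
    latest = latest_machine_key(parse_klist(text))
    if latest is None:
        return {"status": "missing", "kvno": None, "age_days": None, "principal": None}
    age = now - latest[1]
    status = "ok" if age <= timedelta(days=max_age_days) else "stale"
    return {"status": status, "kvno": latest[0], "age_days": age.days, "principal": latest[2]}


if __name__ == "__main__":
    import subprocess
    import sys

    # Use the live keytab when klist is available; otherwise fall back to the constructed sample.
    try:
        out = subprocess.run(["klist", "-kt"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE_KLIST
    result = check_keytab(out, datetime.now())
    print(result)
    sys.exit(0 if result["status"] == "ok" else 1)
```

Run from cron with the exit code wired into whatever alerting the hosts already use; a `stale` result a few days before the password age limit is the point at which `adcli update` (or whatever rotation mechanism is in use) has evidently stopped working, and is far cheaper to act on than a host that has already dropped out of the domain. Note that a rising KVNO with a fresh timestamp, as in the question's output, shows that a new key was written locally; it does not by itself prove the AD side accepted the new password.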

5 Answers


This should happen automatically, but you need to install adcli. sssd just forks and execs adcli in order to perform the update.

  • I found I needed `adcli update --domain=MY.DOMAIN` as without the qualifier it complained it couldn't derive the domain name. – roaima Jan 22 '19 at 13:06

I just figured out what my problem was after having this issue for months.

I didn't name my server server.my.domain.com; instead it was just server. After changing the name, leaving, and rejoining the realm, adcli update runs without a problem.


You may also want to configure your AD server(s) as the source of NTP time, because if your client machines' clocks get too far out of sync they will fail to authenticate or renew, and this may happen a lot more often now that everything is virtualized without its own RTC hardware.


Also, make sure your krb5.conf sets the ticket_lifetime to the correct value. I had problems with this and it wound up being because I had ticket lifetime set to the krb5.conf default of 24 hours, while the Default Domain Policy TGT lifetime is configured for 10 hours by default. Setting ticket_lifetime = 10h was the ticket for me.


I have the same issue; I ended up adding the PTR record in DNS. I identified this by running:

    msktutil --auto-update --verbose

My environment contains the SSSD with Samba.
