
I have an AD domain-joined CentOS 7 box - call it centosbox.

Whenever SSSD starts, it updates the DNS records, which is fine by me, except that it breaks the PTR records by making them point to just centosbox. instead of centosbox.my.domain.ext., which then breaks plenty of Kerberos-related things, now that reverse DNS is broken.

Output of hostname on this box is:

#hostname -f
centosbox.my.domain.ext

How can I get it to register the correct value for the PTR records?

sssd.conf:

[sssd]
domains = my.domain.ext
config_file_version = 2
services = nss, pam, sudo

[domain/my.domain.ext]
ad_domain = my.domain.ext
krb5_realm = MY.DOMAIN.EXT
realmd_tags = joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
access_provider = ad
sudo_provider = ldap

ldap_uri = ldap://my.domain.ext
ldap_tls_cacert = /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
ldap_group_search_base = DC=my,DC=domain,DC=ext    
ldap_sudo_search_base = OU=sudoers,DC=my,DC=domain,DC=ext
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = CENTOSBOX$@MY.DOMAIN.EXT

[sudo]

krb5.conf:

includedir /etc/krb5.conf.d/

includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = true
 default_ccache_name = KEYRING:persistent:%{uid}

 default_realm = MY.DOMAIN.EXT
[realms]
 MY.DOMAIN.EXT = {
 }

[domain_realm]
 my.domain.ext = MY.DOMAIN.EXT
 .my.domain.ext = MY.DOMAIN.EXT

Additional info:

The sssd ldap_child.log file contains a ton of this:

(Mon Jun 18 21:01:40 2018) [[sssd[ldap_child[2245]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 'host/centosbox.my.domain.ext@MY.DOMAIN.EXT' not found in Kerberos database
(Mon Jun 18 21:01:40 2018) [[sssd[ldap_child[2246]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 'host/centosbox.my.domain.ext@MY.DOMAIN.EXT' not found in Kerberos database
(Mon Jun 18 21:01:40 2018) [[sssd[ldap_child[2247]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 'host/centosbox.my.domain.ext@MY.DOMAIN.EXT' not found in Kerberos database
(Mon Jun 18 21:02:51 2018) [[sssd[ldap_child[2256]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 'host/centosbox.my.domain.ext@MY.DOMAIN.EXT' not found in Kerberos database
(Mon Jun 18 21:02:51 2018) [[sssd[ldap_child[2257]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 'host/centosbox.my.domain.ext@MY.DOMAIN.EXT' not found in Kerberos database
(Mon Jun 18 21:02:51 2018) [[sssd[ldap_child[2258]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 'host/centosbox.my.domain.ext@MY.DOMAIN.EXT' not found in Kerberos database

Ok, so that's blatantly false, because:

[root@centosbox sssd]#klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 centosbox$@MY.DOMAIN.EXT (arcfour-hmac)
   4 centosbox$@MY.DOMAIN.EXT (aes128-cts-hmac-sha1-96)
   4 centosbox$@MY.DOMAIN.EXT (aes256-cts-hmac-sha1-96)
   4 host/centosbox.my.domain.ext@MY.DOMAIN.EXT (arcfour-hmac)
   4 host/centosbox.my.domain.ext@MY.DOMAIN.EXT (aes128-cts-hmac-sha1-96)
   4 host/centosbox.my.domain.ext@MY.DOMAIN.EXT (aes256-cts-hmac-sha1-96)
   4 host/centosbox@MY.DOMAIN.EXT (arcfour-hmac)
   4 host/centosbox@MY.DOMAIN.EXT (aes128-cts-hmac-sha1-96)
   4 host/centosbox@MY.DOMAIN.EXT (aes256-cts-hmac-sha1-96)

What's the deal?


1 Answer


I suspect you are suffering from the Red Hat recommendation to set the FQDN as the hostname: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/networking_guide/ch-configure_host_names

SSSD seems to require an FQDN to be returned from the hostname function without the -f flag.

Here is a similar question: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org/thread/QHBRCO2JR36PT5F4ZPZNGUHCEE5E4G42/
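An added check script, not from the question or the answer, that verifies the two things this thread turns on: that the kernel hostname (plain hostname) already equals the FQDN (hostname -f), and that the PTR record for the box's address resolves back to that FQDN. The name centosbox.my.domain.ext is taken from the question; the live section only runs when the script is invoked with the argument live.

```shell
#!/bin/sh
# Added example: checks the prerequisites SSSD's dynamic DNS update relies on.
# Sample names used in the pure functions are constructed; nothing here changes
# the system, it only reports what would need fixing.

# Return 0 if $1 looks fully qualified: contains a dot, no leading/trailing
# dot and no empty label. Return 1 otherwise.
is_fqdn() {
    case "$1" in
        *.*) ;;                      # must contain at least one dot
        *) return 1 ;;
    esac
    case "$1" in
        .*|*.|*..*) return 1 ;;      # no empty labels
    esac
    return 0
}

# $1 = output of "hostname", $2 = output of "hostname -f".
# Succeeds only when both agree and the value is an FQDN, which is the
# condition the answer describes SSSD needing.
hostname_matches_fqdn() {
    [ "$1" = "$2" ] && is_fqdn "$2"
}

# $1 = name returned by a reverse lookup (may carry a trailing dot),
# $2 = expected FQDN. Succeeds when the PTR points at the full name
# rather than the bare "centosbox." the question reports.
ptr_matches() {
    ptr="${1%.}"                     # strip the DNS root dot if present
    [ "$ptr" = "$2" ]
}

# Live check against the real system, only when asked for explicitly.
if [ "${1:-}" = "live" ]; then
    short=$(hostname); full=$(hostname -f)
    if ! hostname_matches_fqdn "$short" "$full"; then
        echo "hostname is '$short'; set it with: hostnamectl set-hostname $full"
    fi
    ip=$(getent ahostsv4 "$full" | awk 'NR==1{print $1}')
    ptr=$(getent hosts "$ip" | awk '{print $2}')
    if ! ptr_matches "$ptr" "$full"; then
        echo "PTR for $ip is '$ptr', expected '$full'"
    fi
fi
```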