I have some Alma 8 boxes which are integrated into Windows Active Directory (2012 R2) for user authentication using SSSD, using net ad (as opposed to realmd) for the domain join, for historic reasons. Everything works, with the exception of dynamic updating of the machine account name in AD when I try to perform a change of hostname.

The process I've been using to update the server hostname is as follows:

  1. Update the server hostname with hostnamectl
  2. Modify the ad_hostname field in /etc/sssd/sssd.conf
  3. Restart SSSD

The update is passed to the domain controllers and Dynamic DNS is updated successfully. The computer account in Active Directory adopts the new DNS record, but retains the old computer hostname as its machine account name.

The contents of /etc/sssd.conf are as follows:

[sssd]
services = ssh, nss, pam
config_file_version = 2
domains = REDACTEDDOMAIN.LOCAL

[domain/REDACTEDDOMAIN.LOCAL]
ad_domain = redacteddomain.local
krb5_realm = REDACTEDDOMAIN.LOCAL

id_provider = ad
access_provider = ad
enumerate = false
cache_credentials = false
use_fully_qualified_names = False
ldap_user_ssh_public_key = streetAddress
ad_enable_gc = false
ad_gpo_access_control = disabled
ad_server = dca-dc1.redacteddomain.local,dca-dc2.redacteddomain.local

dyndns_update = true
dyndns_update_ptr = true
ad_hostname = servername.redacteddomain.local

[nss]
default_shell = /bin/bash
fallback_homedir = /home/%d/%u

[ssh]

The initial domain join is handled by a dedicated service account, and the machine account has full permissions on the domain controller to update itself from there.

At the moment I'm not entirely sure whether there is an actual issue and the machine name change is not being processed as expected, or whether my assumptions/process are wrong and I'm missing a step (for example, should I be performing a full leave and rejoin instead?).

Can anybody advise whether I'm using the correct process, whether the above should be sufficient for the domain controller to update the computer name in AD, and where I could go next with troubleshooting?

Thanks.
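As an added example that is not part of the original question: a small POSIX shell script covering the SSSD-side part of the procedure described above (editing ad_hostname in sssd.conf and verifying the result), written so it can be tested against a constructed sample config before being pointed at the real /etc/sssd/sssd.conf. The domain, host names and the sample config below are placeholders, not values from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Rewrites the ad_hostname value in an
# sssd.conf-style file and checks it, so the config step of a hostname change is
# repeatable and verifiable. All names/paths here are placeholders (assumptions).
set -eu

# Replace the ad_hostname value in CONFIG with NEW_FQDN, keeping every other line.
# A .bak copy is kept, and the file is left at mode 0600 as SSSD expects.
set_ad_hostname() {
    config="$1"
    new_fqdn="$2"
    if ! grep -q '^ad_hostname *=' "$config"; then
        echo "no ad_hostname line in $config" >&2
        return 1
    fi
    cp -p "$config" "$config.bak"
    # Avoid sed -i (not portable); write to a temp file and move it into place.
    sed "s|^ad_hostname *=.*|ad_hostname = $new_fqdn|" "$config" > "$config.tmp"
    mv "$config.tmp" "$config"
    chmod 0600 "$config"
}

# Print the configured ad_hostname value (whitespace after '=' trimmed).
get_ad_hostname() {
    sed -n 's|^ad_hostname *= *||p' "$1"
}

# Return 0 when the configured ad_hostname equals EXPECTED_FQDN, 1 otherwise.
# On a live host this is what to compare against "hostname -f" after hostnamectl.
check_ad_hostname() {
    [ "$(get_ad_hostname "$1")" = "$2" ]
}

# Constructed sample config with the same shape as the question's sssd.conf,
# using placeholder values only.
make_sample_config() {
    cat > "$1" <<'EOF'
[sssd]
services = ssh, nss, pam
config_file_version = 2
domains = EXAMPLE.LOCAL

[domain/EXAMPLE.LOCAL]
id_provider = ad
dyndns_update = true
ad_hostname = oldname.example.local
EOF
}

# Full sequence on a real, already-joined host (run as root; commented out here
# because it changes the live system):
#   hostnamectl set-hostname newname.example.local
#   set_ad_hostname /etc/sssd/sssd.conf newname.example.local
#   check_ad_hostname /etc/sssd/sssd.conf "$(hostname -f)"
#   systemctl restart sssd
```

Keeping the check as a separate function makes it easy to run after the restart as well, so a mismatch between the OS hostname and the value SSSD was given for ad_hostname is caught before looking further at the AD side.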

1 Answer

I think you need to do the following (assuming your AD admin account has enough privileges), as the root account:

  1. copy your sssd.conf to a temporary file.
  2. set hostname back to original (and reset ad_hostname in sssd.conf).
  3. realm leave --remove --user (this removes the old hostname from AD).
  4. Change hostname to new name. Make sure /etc/hosts is updated. Ideally reboot and check hostname returns correct name.
  5. realm discover .
  6. realm join -U .
  7. copy saved sssd.conf to /etc/sssd/sssd.conf (as the AD join will have overwritten it).
  8. restart SSSD. Optional reboot to make sure everything comes up OK.
Tim C