
I have a question about checking AD domain join status for Linux (CentOS 6) systems that use SSSD. For the initial domain join I used winbind ("net ads join -k ...") and obtained the host keytab etc. When I issue "net ads testjoin", I get "Join OK".

After a month, SSSD/adcli renews machine password, and I get a new host keytab.

When I check the domain join status using same net ads testjoin command, I get an error:

kerberos_kinit_password MYHOSTNAME$@EXAMPLE.COM failed: Preauthentication failed

I can still obtain a host ticket using the new keytab and check the status using the "net ads status" command. I can see "pwdLastSet: 131463365324203378", which matches the timestamp on the keytab. "getent passwd " is also successful; I can still log in to the servers.

Why is "net ads testjoin" giving an error after the host renews its machine password with AD?

Is there a better method to test the domain join status?

Thank you.

BBDG
  • Do you have multiple domain controllers? If so, how's replication between them? Does this ever clear up on its own? – Ryan Ries Aug 06 '17 at 16:38
  • There are two DCs in the domain. I am not sure about the replication part though. We have configuration management tools that check the domain join status using "net ads testjoin" and run domain join script if the return from check is failure. So in theory I would re-join and get a new keytab etc. – BBDG Aug 06 '17 at 22:17
  • I'm experiencing the same thing. Did you ever find out any more info about this? – Andrew Grasso Jul 15 '22 at 17:29
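
The following is an added example and is not code from the question, its comments, or Samba/SSSD. It shows a join-health check that does not depend on `net ads testjoin`: `net ads testjoin` authenticates with the machine password Samba keeps in its own secrets.tdb, whereas SSSD/adcli rotate the machine password and update only /etc/krb5.keytab, so after the first rotation the two stores disagree and testjoin reports "Preauthentication failed" even though the host's keytab is current. The check below instead compares the directory's pwdLastSet (from `net ads status`, the attribute the asker quoted) with the timestamp of the newest keytab entry for the machine account (from `klist -kt /etc/krb5.keytab`); if they agree, the keytab on disk reflects the password AD currently holds. The sample outputs are constructed for the example (only the pwdLastSet value is taken from the question), the hostname and realm are placeholders, and the code assumes the klist timestamps are read as UTC (real `klist` prints local time, so a production version should convert).

```python
import re
from datetime import datetime, timedelta, timezone

# Windows FILETIME epoch (1601-01-01 UTC) expressed as a Unix timestamp.
FILETIME_UNIX_OFFSET = 11644473600
HUNDRED_NS_PER_SECOND = 10_000_000

# Constructed sample in the shape of `net ads status` output. The pwdLastSet
# value is the one quoted in the question; the other attributes are placeholders.
SAMPLE_NET_ADS_STATUS = """\
objectClass: top
objectClass: computer
cn: MYHOSTNAME
pwdLastSet: 131463365324203378
sAMAccountName: MYHOSTNAME$
servicePrincipalName: HOST/MYHOSTNAME
servicePrincipalName: HOST/myhostname.example.com
"""

# Constructed sample in the shape of `klist -kt /etc/krb5.keytab` output.
# Assumption: timestamps are interpreted as UTC here (real klist prints local time).
SAMPLE_KLIST_KEYTAB = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   4 07/05/17 10:12:01 host/myhostname.example.com@EXAMPLE.COM
   4 07/05/17 10:12:01 MYHOSTNAME$@EXAMPLE.COM
   5 08/04/17 16:08:52 host/myhostname.example.com@EXAMPLE.COM
   5 08/04/17 16:08:52 MYHOSTNAME$@EXAMPLE.COM
"""


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert an AD FILETIME (100 ns ticks since 1601-01-01 UTC) to a UTC datetime."""
    seconds, ticks = divmod(filetime, HUNDRED_NS_PER_SECOND)
    base = datetime.fromtimestamp(seconds - FILETIME_UNIX_OFFSET, tz=timezone.utc)
    return base + timedelta(microseconds=ticks // 10)


def parse_pwd_last_set(net_ads_status_output: str) -> datetime:
    """Extract pwdLastSet from `net ads status` output as a UTC datetime."""
    match = re.search(r"^pwdLastSet:\s*(\d+)\s*$", net_ads_status_output, re.MULTILINE)
    if match is None:
        raise ValueError("pwdLastSet attribute not found in net ads status output")
    return filetime_to_datetime(int(match.group(1)))


def parse_keytab_entries(klist_output: str):
    """Return (kvno, timestamp, principal) tuples from `klist -kt` output."""
    entry = re.compile(r"^\s*(\d+)\s+(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s*$")
    entries = []
    for line in klist_output.splitlines():
        match = entry.match(line)
        if match is None:
            continue  # "Keytab name:", column header and separator lines
        kvno = int(match.group(1))
        stamp = datetime.strptime(match.group(2), "%m/%d/%y %H:%M:%S").replace(tzinfo=timezone.utc)
        entries.append((kvno, stamp, match.group(3)))
    return entries


def keytab_matches_directory(net_ads_status_output: str, klist_output: str,
                             machine_principal: str,
                             tolerance: timedelta = timedelta(minutes=5)) -> bool:
    """True when the highest-KVNO keytab entry for the machine account was
    written within `tolerance` of the directory's pwdLastSet, i.e. the keytab
    on disk corresponds to the machine password AD currently holds."""
    pwd_last_set = parse_pwd_last_set(net_ads_status_output)
    candidates = [e for e in parse_keytab_entries(klist_output) if e[2] == machine_principal]
    if not candidates:
        return False  # no key for the machine account at all: not joined usably
    newest = max(candidates, key=lambda e: e[0])
    return abs(newest[1] - pwd_last_set) <= tolerance


if __name__ == "__main__":
    ok = keytab_matches_directory(SAMPLE_NET_ADS_STATUS, SAMPLE_KLIST_KEYTAB,
                                  "MYHOSTNAME$@EXAMPLE.COM")
    print("pwdLastSet:", parse_pwd_last_set(SAMPLE_NET_ADS_STATUS).isoformat())
    print("keytab consistent with directory:", ok)
```

In a configuration-management check you would feed the real output of `net ads status` and `klist -kt /etc/krb5.keytab` into `keytab_matches_directory` and, independently, verify that `kinit -kt /etc/krb5.keytab 'MYHOSTNAME$@EXAMPLE.COM'` succeeds; together those prove the host can authenticate with its current key. A `net ads testjoin` failure on an SSSD-managed host is then a reason to look at Samba's stale secrets.tdb, not a reason to trigger an automatic re-join, which would reset the machine password a second time.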

0 Answers