Unable to create GSSAPI-encrypted LDAP connection

Jcenos7
Posts: 33
Joined: 2021/02/09 22:06:11

Unable to create GSSAPI-encrypted LDAP connection

Post by Jcenos7 » 2023/01/20 01:02:19

Team,

I am getting the following message. After joining the server to the domain, I am still unable to log in to the server using my AD account. Please help.

Jan 20 11:25:10 non-prod sssd[ldap_child[32592]][32592]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client's credentials have been revoked. Unable to create GSSAPI-encrypted LDAP connection.

FYI- CentOS - 7.9

Whoever
Posts: 1357
Joined: 2013/09/06 03:12:10

Re: Unable to create GSSAPI-encrypted LDAP connection

Post by Whoever » 2023/01/20 02:27:14

Jcenos7 wrote (2023/01/20 01:02:19):
"Client's credentials have been revoked."

Is the problem with your AD server?

Jcenos7
Posts: 33
Joined: 2021/02/09 22:06:11

Re: Unable to create GSSAPI-encrypted LDAP connection

Post by Jcenos7 » 2023/01/20 06:31:25

The problem is with the Linux server: I am unable to log in to the server using an AD account, and I can see that message in the sssd service status (systemctl status sssd.service).

Whoever
Posts: 1357
Joined: 2013/09/06 03:12:10

Re: Unable to create GSSAPI-encrypted LDAP connection

Post by Whoever » 2023/01/21 02:48:19

Jcenos7 wrote (2023/01/20 06:31:25):
"The problem is with the Linux server: I am unable to log in to the server using an AD account, and I can see that message in the sssd service status (systemctl status sssd.service)."

I am not familiar with AD, but doesn't it have machine accounts? My reading of the message is that the machine account on the AD server is the problem.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Unable to create GSSAPI-encrypted LDAP connection

Post by TrevorH » 2023/01/21 11:21:50

I suspect your Kerberos ticket is expired. Make sure your date/time is correct on both machines. I don't use it myself, but I think the util needed to renew/replace it is kinit(?).
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

Jcenos7
Posts: 33
Joined: 2021/02/09 22:06:11

Re: Unable to create GSSAPI-encrypted LDAP connection

Post by Jcenos7 » 2023/02/03 03:19:13

Issue resolved: removing the computer from the OU in AD and re-joining the server to the domain resolved the issue.

RHEL 7/8

1. Take a backup of the existing /etc/sssd/sssd.conf file:

# cp /etc/sssd/sssd.conf /tmp/sssd.bak

2. Then remove the system from the domain using the realm command:

# realm leave

3. Make sure the old keytab is deleted:

# rm /etc/krb5.keytab

4. Removed computer OU from AD server

5. Join the system to AD domain again.

Thank you all for your support.
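
Added example (not part of the thread, and not code from any poster or from the sssd project): a small shell triage that reads syslog lines, picks out the sssd ldap_child keytab failures in the format quoted above, and tags each with the condition that Kerberos error text normally indicates. The cause tags and function names are hypothetical; apart from the first sample line, the log lines are constructed.

```shell
#!/bin/sh
# Added example: triage sssd ldap_child keytab failures from syslog lines.

# Constructed sample input. Line 1 is the message quoted in the thread; the
# rest are constructed variants with other standard MIT Kerberos error texts.
sample_log() {
cat <<'EOF'
Jan 20 11:25:10 non-prod sssd[ldap_child[32592]][32592]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client's credentials have been revoked. Unable to create GSSAPI-encrypted LDAP connection.
Jan 20 11:30:02 non-prod sssd[ldap_child[32610]][32610]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Clock skew too great. Unable to create GSSAPI-encrypted LDAP connection.
Jan 20 11:31:40 non-prod sssd[ldap_child[32655]][32655]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
Jan 20 11:32:00 non-prod sshd[1201]: Accepted publickey for admin from 192.0.2.10 port 50522 ssh2
EOF
}

# Print a cause tag (hypothetical names) for one log line, or nothing if the
# line is not an ldap_child keytab failure.
classify_line() {
    case $1 in
        *'ldap_child['*'Failed to initialize credentials using keytab'*) ;;
        *) return 0 ;;
    esac
    case $1 in
        # KDC refuses the host principal: computer object disabled, locked or expired
        *"Client's credentials have been revoked"*) echo account-disabled-locked-or-expired ;;
        # Host clock differs from the KDC by more than the allowed skew
        *"Clock skew too great"*) echo clock-skew ;;
        # Keys in the keytab no longer match the machine account password
        *"Preauthentication failed"*) echo keytab-key-mismatch ;;
        # Computer object deleted, or the principal name is wrong
        *"not found in Kerberos database"*) echo machine-account-missing ;;
        *) echo unclassified ;;
    esac
}

# Extract the keytab path from "[MEMORY:/path]" or "[/path]".
keytab_path() {
    printf '%s\n' "$1" | sed -n 's/.*using keytab \[\(MEMORY:\)\{0,1\}\([^]]*\)\].*/\2/p'
}

# Read log lines on stdin; print "<cause><TAB><keytab>" per keytab failure.
triage() {
    while IFS= read -r line; do
        cause=$(classify_line "$line")
        [ -n "$cause" ] || continue
        printf '%s\t%s\n' "$cause" "$(keytab_path "$line")"
    done
}

sample_log | triage
```

On a live host the same function can read the journal instead of the sample, for example `journalctl -u sssd --no-pager | triage`.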
