Thinlinc on Debian 11 w/ SSSD - Server not found in Kerberos database

s0p4L1n · 27 April 2022 09:02

Hello,

I know this is not a Thinlinc issue, but it affects Thinlinc and all users.

Sometimes, the server is not found in the kerberos database and the users can not login anymore.
I need to restart manually SSSD to make it work again, but if I do not take actions, it fix itself 10-20 min later, but during this period, users can not login.

auth.log

Apr 27 09:01:38 tl-alpha-d11 sshd[1994799]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.1.1.12  user=user1
Apr 27 09:01:38 tl-alpha-d11 sshd[1994799]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.1.1.12 user=user1
Apr 27 09:01:38 tl-alpha-d11 sshd[1994799]: pam_sss(sshd:auth): received for user user1: 4 (System error)
Apr 27 09:01:40 tl-alpha-d11 sshd[1994797]: error: PAM: Authentication failure for user1 from 10.1.1.12

krb5_child.log

Apr 27 09:01:38 tl-alpha-d11 krb5_child[1994800]: Server not found in Kerberos database
Apr 27 09:01:38 tl-alpha-d11 krb5_child[1994800]: Server not found in Kerberos database
Apr 27 09:02:11 tl-alpha-d11 krb5_child[1994890]: Server not found in Kerberos database
Apr 27 09:02:11 tl-alpha-d11 krb5_child[1994890]: Server not found in Kerberos database
Apr 27 09:02:15 tl-alpha-d11 krb5_child[1994901]: Server not found in Kerberos database
Apr 27 09:02:15 tl-alpha-d11 krb5_child[1994901]: Server not found in Kerberos database
Apr 27 09:02:23 tl-alpha-d11 krb5_child[1994911]: Server not found in Kerberos database
Apr 27 09:02:23 tl-alpha-d11 krb5_child[1994911]: Server not found in Kerberos databas
Apr 27 09:10:43 tl-alpha-d11 ldap_child[1997028]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client 'TL-ALPHA-D11$@COMPANY.LAN' not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP connection.

I have a Thinlinc HA cluster with 2 nodes.
The DNS entries are static, and the VIP is 10.100.150.42, is it because that the VIP address is also associated with the alpha node ? (When the beta is master, it has the VIP associated to its DNS name)

superbrowser is the name typed on the client to connect.

s0p4L1n · 28 April 2022 11:47

I thought it was because of the dyndns_update in sssd.conf but after setting the value to False, it does not fix the issue.

This morning, it did same issue, authentication fail, restart sssd service, authentication succeed.

I will try to leave the domain, delete the krb5.keytab file, and then join the domain again.

martin · 29 April 2022 06:53

Hello @s0p4L1n

I’ve not experienced these issues personally, and my knowledge in kerberos environments are somewhat limited, but I stumbled upon this which sounds a bit related

While this article talks about Red Hat, I believe it also holds true for other distributions.

You should be able to see in your logs if your host keytab has expired to verify if this is what is happening in your case.

Also, in Kerberos it is vital that your servers time & date are in sync, and that forward and reverse DNS is setup properly. Always start by verifying this.

Best regards,
Martin

Topic		Replies	Views
Issues while creating thinlinc sessions ThinLinc thinlinc	4	540	24 January 2023
ThinLinc server not working correctly on Ubuntu 23.10 after update ThinLinc linux , tlserver	11	202	8 March 2024
Thinlinc Server Installation Problem ThinLinc tlserver , mint , python	2	726	6 October 2021
Desktop client doesn't handle expired password prompt ThinLinc tlclient	8	150	2 February 2024
Thinlinc fails due to fips mode ThinLinc linux , tlserver , fips	6	950	18 July 2022

Thinlinc on Debian 11 w/ SSSD - Server not found in Kerberos database

Related Topics