Thinlinc on Debian 11 w/ SSSD - Server not found in Kerberos database

Hello,

I know this is not a Thinlinc issue, but it affects Thinlinc and all users.

Sometimes the server is not found in the Kerberos database and users cannot log in anymore.
I need to manually restart SSSD to make it work again; if I do not take action, it fixes itself 10-20 min later, but during this period users cannot log in.

  • auth.log
Apr 27 09:01:38 tl-alpha-d11 sshd[1994799]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.1.1.12  user=user1
Apr 27 09:01:38 tl-alpha-d11 sshd[1994799]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.1.1.12 user=user1
Apr 27 09:01:38 tl-alpha-d11 sshd[1994799]: pam_sss(sshd:auth): received for user user1: 4 (System error)
Apr 27 09:01:40 tl-alpha-d11 sshd[1994797]: error: PAM: Authentication failure for user1 from 10.1.1.12
  • krb5_child.log
Apr 27 09:01:38 tl-alpha-d11 krb5_child[1994800]: Server not found in Kerberos database
Apr 27 09:01:38 tl-alpha-d11 krb5_child[1994800]: Server not found in Kerberos database
Apr 27 09:02:11 tl-alpha-d11 krb5_child[1994890]: Server not found in Kerberos database
Apr 27 09:02:11 tl-alpha-d11 krb5_child[1994890]: Server not found in Kerberos database
Apr 27 09:02:15 tl-alpha-d11 krb5_child[1994901]: Server not found in Kerberos database
Apr 27 09:02:15 tl-alpha-d11 krb5_child[1994901]: Server not found in Kerberos database
Apr 27 09:02:23 tl-alpha-d11 krb5_child[1994911]: Server not found in Kerberos database
Apr 27 09:02:23 tl-alpha-d11 krb5_child[1994911]: Server not found in Kerberos databas
Apr 27 09:10:43 tl-alpha-d11 ldap_child[1997028]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client 'TL-ALPHA-D11$@COMPANY.LAN' not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP connection.

I have a Thinlinc HA cluster with 2 nodes.
The DNS entries are static and the VIP is 10.100.150.42. Is it because the VIP address is also associated with the alpha node? (When beta is master, it has the VIP associated with its DNS name.)

superbrowser is the name typed on the client to connect.


I thought it was because of dyndns_update in sssd.conf, but setting the value to False did not fix the issue.

This morning it was the same issue: authentication failed, I restarted the sssd service, and authentication succeeded.

I will try to leave the domain, delete the krb5.keytab file, and then join the domain again.

Hello @s0p4L1n

I’ve not experienced these issues personally, and my knowledge of Kerberos environments is somewhat limited, but I stumbled upon this, which sounds a bit related.

While this article talks about Red Hat, I believe it also holds true for other distributions.

You should be able to see in your logs if your host keytab has expired to verify if this is what is happening in your case.

Also, in Kerberos it is vital that your servers' time and date are in sync, and that forward and reverse DNS are set up properly. Always start by verifying this.

Best regards,
Martin
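
The two checks Martin recommends (look at the logs for the host keytab, verify that forward and reverse DNS agree) and the krb5_child/ldap_child burst quoted above can be turned into a small triage script. The following is an added example written for this thread; it is not code from ThinLinc, SSSD or either poster. The log lines are modelled on the ones quoted above, the host names, the beta address 10.100.150.43 and the "Accepted password" line are constructed, and the DNS check uses Python's socket resolver by default but is driven here by constructed lookup tables so it runs offline.

```python
"""Triage helpers for SSSD "Server not found in Kerberos database" reports.

Added example for the ThinLinc forum thread, not project code. Two checks:
  1. parse_sssd_events()/outage_summary(): collapse repeated krb5_child and
     ldap_child failures from a syslog into a per-category timeline, so the
     outage window and the number of affected child processes are visible.
  2. dns_consistency(): resolve each name forward, then reverse each address,
     and flag PTR names that do not point back at the queried name. Kerberos
     builds the host/ service principal from the canonical name, so a floating
     VIP whose PTR names one cluster node is worth spotting early.
All sample data below is constructed; IPs beyond 10.100.150.42 are invented.
"""
import re
import socket
from datetime import datetime

# Constructed sample, modelled on the thread's krb5_child/ldap_child lines.
SAMPLE_LOG = """\
Apr 27 09:01:38 tl-alpha-d11 krb5_child[1994800]: Server not found in Kerberos database
Apr 27 09:01:38 tl-alpha-d11 krb5_child[1994800]: Server not found in Kerberos database
Apr 27 09:02:11 tl-alpha-d11 krb5_child[1994890]: Server not found in Kerberos database
Apr 27 09:10:43 tl-alpha-d11 ldap_child[1997028]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client 'TL-ALPHA-D11$@COMPANY.LAN' not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP connection.
Apr 27 09:15:02 tl-alpha-d11 sshd[1997100]: Accepted password for user1 from 10.1.1.12 port 51000 ssh2
"""

# Syslog prefix followed by one of the SSSD child processes we care about.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>krb5_child|ldap_child)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)


def parse_sssd_events(text, year=1900):
    """Return [(datetime, process, pid, category)] for SSSD child failures.

    Syslog lines carry no year, so one is supplied (default 1900, i.e. unknown).
    Categories: 'server_not_found' (krb5_child could not find the service
    principal it derived for the host), 'keytab_client_not_found' (ldap_child's
    machine-account principal from the keytab was rejected), or 'other'.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        msg = m["msg"]
        if "Server not found in Kerberos database" in msg:
            cat = "server_not_found"
        elif "keytab" in msg and "not found in Kerberos database" in msg:
            cat = "keytab_client_not_found"
        else:
            cat = "other"
        events.append((ts, m["proc"], int(m["pid"]), cat))
    return events


def outage_summary(events):
    """Per category: (distinct child PIDs, first seen, last seen)."""
    acc = {}
    for ts, _proc, pid, cat in events:
        s = acc.setdefault(cat, {"pids": set(), "first": ts, "last": ts})
        s["pids"].add(pid)
        s["first"] = min(s["first"], ts)
        s["last"] = max(s["last"], ts)
    return {c: (len(s["pids"]), s["first"], s["last"]) for c, s in acc.items()}


def dns_consistency(hostnames, forward=socket.gethostbyname_ex,
                    reverse=socket.gethostbyaddr):
    """Forward-resolve each name, reverse each address, report PTR agreement.

    forward/reverse default to the system resolver (live check on a real host);
    the demo injects constructed tables. A 'matches' of False means the PTR
    for that address names a different host than the one the client used.
    """
    report = {}
    for name in hostnames:
        try:
            _canon, _aliases, ips = forward(name)
        except OSError as exc:
            report[name] = {"error": f"forward lookup failed: {exc}"}
            continue
        entries = {}
        for ip in ips:
            try:
                ptr = reverse(ip)[0]
            except OSError:
                ptr = None
            same = ptr is not None and ptr.lower().rstrip(".") == name.lower().rstrip(".")
            entries[ip] = {"ptr": ptr, "matches": same}
        report[name] = entries
    return report


# Constructed DNS tables: the VIP 10.100.150.42 from the thread is reachable as
# "superbrowser" but its PTR names the alpha node; 10.100.150.43 is invented.
FAKE_FORWARD = {
    "superbrowser.company.lan": ("superbrowser.company.lan", [], ["10.100.150.42"]),
    "tl-alpha-d11.company.lan": ("tl-alpha-d11.company.lan", [], ["10.100.150.42"]),
    "tl-beta-d11.company.lan": ("tl-beta-d11.company.lan", [], ["10.100.150.43"]),
}
FAKE_REVERSE = {
    "10.100.150.42": ("tl-alpha-d11.company.lan", [], ["10.100.150.42"]),
    "10.100.150.43": ("tl-beta-d11.company.lan", [], ["10.100.150.43"]),
}


def fake_lookup(table, key):
    """Stand-in resolver: raise the same exception family as the socket module."""
    try:
        return table[key]
    except KeyError:
        raise socket.herror(1, f"constructed resolver has no entry for {key}")


def constructed_dns_report(names=None):
    """Run dns_consistency against the constructed tables (offline demo)."""
    return dns_consistency(names or list(FAKE_FORWARD),
                           forward=lambda n: fake_lookup(FAKE_FORWARD, n),
                           reverse=lambda ip: fake_lookup(FAKE_REVERSE, ip))


if __name__ == "__main__":
    for cat, (n, first, last) in outage_summary(parse_sssd_events(SAMPLE_LOG)).items():
        print(f"{cat}: {n} child process(es), {first:%H:%M:%S} .. {last:%H:%M:%S}")
    for name, entries in constructed_dns_report().items():
        print(name, entries)
```

On a real host, call `dns_consistency([...])` without the `forward`/`reverse` arguments to query the system resolver, and run it once from each cluster node while it holds the VIP: a PTR that flips between node names as the VIP moves is exactly the kind of forward/reverse disagreement Martin's advice is about.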