[SSSD-users] Re: realm re-join....

2018-10-12 Thread Spike White
This makes sense.  adcli update, with the Kerberos creds of the original
principal that's allowed to create new machine accounts in that OU in the
first place.

As it turns out, I must have powered up that VM just under the wire.  (I
believe our AD policy is to lock machine accounts after 40 days.)  So once
I powered it up, I had to come in as root and do a 'systemctl restart
sssd', then all was good.  And still is good.

I didn't have to re-join or update the machine password after all.

Spike


On Tue, Oct 9, 2018 at 3:33 AM John Hearns wrote:
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org


[SSSD-users] Re: realm re-join....

2018-10-09 Thread John Hearns
Spike, the machine will always have an account in the AD Realm.
So no, you do not have to leave and re-join. What DOES time out is the password.
sssd should renew the password periodically (*) when it is running. As
you say you have had > 30 days of downtime.

You can use the msktutil to reset a password
https://fuhm.net/software/msktutil/manpage.html#PASSWORD EXPIRY

(*) you can change this periodicity in sssd - and can turn it down to
a very short time, for debugging.
One of the parameters is also 'how soon after startup should I look at
the age of the password'.

On Mon, 8 Oct 2018 at 15:16, Spike White wrote:
>
> All,
>
> I had a VM down for a great number of days.  Apparently, it was not 30 days.  
> Because even though it initially didn't correctly do AD authentication, I fixed 
> one misconfiguration in /etc/krb5.conf, restarted SSSD and it did.
>
> But that raises a bigger question.  If it's been >30 days and my machine 
> account is no longer valid, how do I rejoin the domain?
>
> Is it:
>     realm leave (no flags)
>     realm join (with all my usual flags that I use on the initial realm join)
>
> Spike
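As an added example (not from the thread, and not SSSD's or msktutil's own tooling): a script that reads the timestamps of the newest host/ and NAME$ keys from `klist -kt` output and flags any machine-account principal whose key is older than the 30-day default of `ad_maximum_machine_account_password_age`, which is the situation a long-powered-off VM ends up in. The keytab listing, hostname and realm below are constructed, and the parser assumes MIT Kerberos klist output.

```python
import re
import subprocess
from datetime import datetime, timedelta

MAX_AGE_DAYS = 30  # SSSD's ad_maximum_machine_account_password_age default (days)

# Constructed MIT-style `klist -kt /etc/krb5.keytab` output; host and realm are made up.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 08/01/2018 09:12:44 host/vm01.example.com@EXAMPLE.COM
   4 09/02/2018 10:00:01 host/vm01.example.com@EXAMPLE.COM
   4 09/02/2018 10:00:01 VM01$@EXAMPLE.COM
   2 06/30/2018 08:00:00 nfs/vm01.example.com@EXAMPLE.COM
"""

# KVNO, mm/dd/yy or mm/dd/yyyy date, time, principal; header and separator lines do not match.
KEY_RE = re.compile(r"^\s*(\d+)\s+(\d{2}/\d{2}/\d{2,4})\s+(\d{2}:\d{2}:\d{2})\s+(\S+)\s*$")


def newest_keys(klist_output):
    """Map each principal to (kvno, timestamp) of its most recently added key."""
    newest = {}
    for line in klist_output.splitlines():
        m = KEY_RE.match(line)
        if not m:
            continue
        kvno, date, clock, princ = m.groups()
        fmt = "%m/%d/%Y %H:%M:%S" if len(date) == 10 else "%m/%d/%y %H:%M:%S"
        ts = datetime.strptime(f"{date} {clock}", fmt)
        if princ not in newest or ts > newest[princ][1]:
            newest[princ] = (int(kvno), ts)
    return newest


def stale_principals(klist_output, now, max_age_days=MAX_AGE_DAYS):
    """Machine-account principals (host/... and NAME$) past the policy: {principal: (kvno, age_days)}."""
    if isinstance(now, str):  # accept an ISO-8601 string for convenience
        now = datetime.fromisoformat(now)
    stale = {}
    for princ, (kvno, ts) in newest_keys(klist_output).items():
        is_machine = princ.startswith("host/") or princ.split("@")[0].endswith("$")
        if is_machine and now - ts > timedelta(days=max_age_days):
            stale[princ] = (kvno, (now - ts).days)
    return stale


if __name__ == "__main__":
    # On a real host: read the live keytab (needs root) and report anything past the policy.
    out = subprocess.run(["klist", "-kt"], capture_output=True, text=True).stdout
    for princ, (kvno, days) in stale_principals(out, datetime.now()).items():
        print(f"{princ}: kvno {kvno}, newest key is {days} days old (limit {MAX_AGE_DAYS})")
```

The periodicity John mentions is set in sssd.conf by `ad_machine_account_password_renewal_opts` (task interval and delay after startup, in seconds, default `86400:750`), so a host that comes back with a stale key only needs sssd running long enough for that task to fire, or an explicit `adcli update` as Jakub suggests.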


[SSSD-users] Re: realm re-join....

2018-10-09 Thread Jakub Hrozek
> On 8 Oct 2018, at 16:16, Spike White wrote:

Wouldn’t it be safer to just use adcli update? Looking at the man page, it 
appears you can also kinit as another user (since your machine credentials are 
probably gone now) and point adcli there with --login-ccache.

I don’t know realmd in too much detail, but I wonder if realm leave && realm 
join would rewrite any config changes you made.