This makes sense. adcli update, with the Kerberos creds of the original
principal that's allowed to create new machine accounts in that OU in the
first place.
As it turns out, I must have powered up that VM just under the wire. (I
believe our AD policy is to lock machine accounts after 40
Spike, the machine will always have an account in the AD Realm.
So no, you do not have to leave and re-join. What DOES time out is the password.
sssd should renew the password periodically (*) when it is running. As
you say you have had > 30 days of downtime
You can use the msktutil to reset a
> On 8 Oct 2018, at 16:16, Spike White wrote:
>
> All,
>
> I had a VM down for a great number of days. Apparently, it was not 30 days.
> Because even though it initially didn't correctly do AD authentication, I fixed
> one misconfiguration in /etc/krb5.conf, restarted SSSD and it did.
>
>