SSSD – Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.

Errors Seen

The message Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection. is seen in your syslog (/var/log/messages or similar).

The message [[sssd[ldap_child[PIDXX]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Preauthentication failed is seen in /var/log/sssd/ldap_child.log.

Any domain-based logins fail with Authentication service cannot retrieve authentication info (using PAM).

Why

The krb5.keytab is most likely corrupt. This can happen when the disk ran out of space while the file was being written, or because of other I/O errors.

Any tool that tries to repair the keytab must first parse the damaged data, so with a file this badly broken those attempts will mostly fail.

Solution

There are many ways to recreate the krb5.keytab and they will differ depending on your setup. RESEARCH THIS BEFORE YOU GO AHEAD as you might have to recreate the entire server in the domain, depending on its function.

As we were using the keytab for normal sign-ins and nothing else, the best way for us was to recreate it from scratch.

Just rejoining the domain did not work as it attempted to write to the already available keytab, so we had to remove the krb5.keytab entirely and then join the domain again.

Test with `id <adusername>`.
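As an added example (not from the original post), the POSIX shell script below triages a suspected corrupt keytab before you decide to recreate it: it looks for the ldap_child log message quoted above, checks that the file still starts with the MIT keytab magic bytes (0x05 followed by format version 0x01 or 0x02), runs klist over it when klist is installed, and moves a damaged file aside with a timestamped name rather than deleting it. The KEYTAB and LDAP_CHILD_LOG variables, the function names and the --check flag are all assumptions for this example; the rejoin step itself is left to you because, as noted above, it depends on the setup.

```shell
#!/bin/sh
# Added example, not from the original post: triage a suspected corrupt
# /etc/krb5.keytab. Paths below are assumptions; adjust for your setup.
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"
LDAP_CHILD_LOG="${LDAP_CHILD_LOG:-/var/log/sssd/ldap_child.log}"

# Return 0 if the given log file contains the preauthentication failure
# that sssd's ldap_child logs when it cannot use the keytab.
log_shows_keytab_failure() {
  grep -q -e 'Failed to init credentials: Preauthentication failed' \
          -e 'Failed to initialize credentials using keytab' "$1"
}

# Return 0 if the file starts with the MIT keytab magic: 0x05 then the
# format version byte (0x01 old format, 0x02 current). Anything else
# (empty, zero-filled or overwritten) cannot be a valid keytab at all.
keytab_header_ok() {
  [ -s "$1" ] || return 1
  magic=$(od -An -tx1 -N2 "$1" | tr -d ' \n')
  case "$magic" in
    0501|0502) return 0 ;;
    *) return 1 ;;
  esac
}

# Header check first, then klist when available (klist parses every entry,
# so it catches damage beyond the header). Returns 0 when the file is usable.
keytab_usable() {
  keytab_header_ok "$1" || { echo "bad keytab header in $1" >&2; return 1; }
  if command -v klist >/dev/null 2>&1; then
    klist -kt "$1" >/dev/null 2>&1 || { echo "klist cannot read $1" >&2; return 1; }
  fi
  return 0
}

# Move the damaged keytab aside (never delete it outright) so the domain
# join writes a fresh file instead of patching the broken one.
quarantine_keytab() {
  backup="$1.corrupt.$(date +%Y%m%d%H%M%S)"
  mv "$1" "$backup" && echo "moved $1 to $backup"
}

# Only flag corruption when both the log and the file itself agree.
if [ "${1:-}" = "--check" ]; then
  if [ -r "$LDAP_CHILD_LOG" ] && log_shows_keytab_failure "$LDAP_CHILD_LOG" \
     && ! keytab_usable "$KEYTAB"; then
    echo "$KEYTAB looks corrupt: quarantine it, then rejoin the domain" >&2
    exit 2
  fi
  echo "no keytab corruption detected"
fi
```

Run it as `sh keytab-triage.sh --check` on the affected host; a non-zero exit with the "looks corrupt" message is the signal to call quarantine_keytab and then rejoin the domain the way your environment requires.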
