I think this upgrade caused some shared library to be moved/missing?
Mar 28 11:34:45 myhost sssd_be[735]: Starting up
Mar 28 11:34:48 myhost sssd[738]: /usr/lib/sssd/sssd/sssd_pac: error while loading shared libraries: libndr.so.3: cannot open s>
Mar 28 11:34:48 myhost sssd[739]: /usr/lib/sssd/sssd/sssd_pac: error while loading shared libraries: libndr.so.3: cannot open s>
Indeed the library error has now gone away and I can log in! What were the chances of this happening, it seems I upgraded while the packages were being updated and only received “half an update”…
Anyway, I managed to log in, but now I get this constant error:
● sssd.service - System Security Services Daemon
Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; preset: disabled)
Active: active (running) since Thu 2024-03-28 11:51:09 GMT; 5min ago
Main PID: 493 (sssd)
Tasks: 5 (limit: 19126)
Memory: 105.1M (peak: 107.0M)
CPU: 618ms
CGroup: /system.slice/sssd.service
├─493 /usr/bin/sssd -i --logger=files
├─545 /usr/lib/sssd/sssd/sssd_be --domain ad.home.lan --uid 0 --gid 0 --logger=files
├─567 /usr/lib/sssd/sssd/sssd_nss --uid 0 --gid 0 --logger=files
├─568 /usr/lib/sssd/sssd/sssd_pam --uid 0 --gid 0 --logger=files
└─569 /usr/lib/sssd/sssd/sssd_pac --uid 0 --gid 0 --logger=files
Mar 28 11:53:57 myhost ldap_child[4913]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
Mar 28 11:53:57 myhost ldap_child[4914]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
Mar 28 11:54:57 myhost krb5_child[5547]: Pre-authentication failed: No pkinit_anchors supplied
Mar 28 11:55:25 myhost ldap_child[7137]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
Mar 28 11:55:27 myhost ldap_child[7151]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
Mar 28 11:55:31 myhost ldap_child[7158]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
Mar 28 11:55:31 myhost ldap_child[7159]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
Mar 28 11:55:31 myhost ldap_child[7160]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
Mar 28 11:57:00 myhost ldap_child[7340]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
Mar 28 11:57:02 myhost ldap_child[7345]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
I am worried that my user is now cached locally and at some point will expire and I will lose the ability to log in (not sure how long sssd cache lasts).
Any idea what this error is and how to address it?
I found this resource online and followed the instructions to delete/re-add the computer to the domain. By completing the half-update to get the new sssd, then following these instructions (basically recreate the computer account in the domain) the problem is now solved.
Seems like somehow the half-update caused the Kerberos keytab to become corrupted?
Anyway for now I can log in and sssd has stopped logging this error…
Seems like I ran into a very fringe situation but who knows, maybe this will help someone in the future…
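A triage helper for the two failures seen in this thread, as an added example that is not part of the original posts: it separates "binary cannot load a shared library" lines from "machine keytab fails pre-authentication" lines in sssd journal output. The sample input is constructed from the lines quoted above, and the function and field names are this example's own.

```python
import re

# Constructed sample modelled on the journal lines quoted in the thread.
# The first line keeps journalctl's ">" truncation marker on purpose.
SAMPLE = """\
Mar 28 11:34:48 myhost sssd[738]: /usr/lib/sssd/sssd/sssd_pac: error while loading shared libraries: libndr.so.3: cannot open s>
Mar 28 11:53:57 myhost ldap_child[4913]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
Mar 28 11:54:57 myhost krb5_child[5547]: Pre-authentication failed: No pkinit_anchors supplied
Mar 28 11:55:25 myhost ldap_child[7137]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
"""

# Short syslog-style prefix: "Mon DD HH:MM:SS host unit[pid]: message"
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (?P<unit>[\w.-]+)\[\d+\]: (?P<msg>.*)$"
)
# Dynamic loader failure; only the part before the library's trailing colon is
# needed, so a truncated line still yields the library name.
MISSING_LIB = re.compile(
    r"(?P<binary>\S+): error while loading shared libraries: (?P<lib>[^:\s]+):"
)
# ldap_child could not get a ticket for the host from its keytab.
KEYTAB_PREAUTH = re.compile(
    r"Failed to initialize credentials using keytab "
    r"\[(?:MEMORY:)?(?P<keytab>[^\]]+)\]: Preauthentication failed"
)

def triage(journal_text):
    """Group sssd journal lines into missing libraries and keytab failures."""
    report = {"missing_libs": {}, "keytab_failures": {}, "unclassified": 0}
    for raw in journal_text.splitlines():
        line = LINE.match(raw)
        if not line:
            continue  # not a journal line (status header, blank line, ...)
        ts, unit, msg = line.group("ts", "unit", "msg")
        lib = MISSING_LIB.search(msg)
        keytab = KEYTAB_PREAUTH.search(msg)
        if lib:
            report["missing_libs"].setdefault(lib["lib"], set()).add(lib["binary"])
        elif keytab and unit == "ldap_child":
            entry = report["keytab_failures"].setdefault(
                keytab["keytab"], {"count": 0, "first": ts, "last": ts}
            )
            entry["count"] += 1
            entry["last"] = ts
        else:
            report["unclassified"] += 1
    return report

if __name__ == "__main__":
    print(triage(SAMPLE))
```
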