I updated my AD user account with new groups, and my Ubuntu 22.04 and 20.04 systems aren’t getting the new groups.
I have to clear the cache and restart SSSD to fix it.
Is there a more permanent solution?
Apr 01 13:01:34 krb5_child[1914548]: No credentials cache found (filename: /tmp/krb5cc_10715_XG6gbr)
Apr 01 13:01:25 krb5_child[1912964]: Preauthentication failed
Apr 01 13:01:25 krb5_child[1912964]: Preauthentication failed
Apr 01 13:01:25 krb5_child[1912964]: Preauthentication failed
Apr 01 10:15:53 sssd[780417]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.
Apr 01 10:15:53 sssd[780412]: ; TSIG error with server: tsig verify failure
Apr 01 10:15:53 sssd[780412]: ; TSIG error with server: tsig verify failure
Apr 01 10:15:53 sssd[780407]: ; TSIG error with server: tsig verify failure
Apr 01 10:15:53 sssd[780407]: ; TSIG error with server: tsig verify failure
That’s the error I was seeing in the journal.
In a case like this I’d leave and rejoin the domain on one of the systems (realm leave / realm join). IIRC there are also some tools to perform an “AD ping” as such, though I can only recall the older winbind versions off hand.
Minor = Server not found in Kerberos database.
If you check in AD, does the computer show up in the database? If not, leaving / rejoining should fix this.
Group lookups are usually cached for a small period, but should update soon depending on cache timeout. IIRC it defaults to a few minutes.
I have to clear the cache and restart SSSD to fix it.
How are you clearing the cache, “sss_cache -E” ?
Yes, they’re there.
No. That didn’t work. I had to stop sssd, then rm /var/lib/sss/db/*.
This kind of stuff can be hard to troubleshoot remotely, so if rejoining the domain didn’t help I’d point you here. Debugging and troubleshooting SSSD — SSSD documentation
The “Preauthentication failed” error may suggest the computer secret is wrong, if rejoining doesn’t solve that it’s a little strange. I’d also use a packet capture to verify all the connections to the domain controller work correctly - one specific port may be blocked.
You could also try disabling caching in your sssd configuration.
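The escalation the thread settles on (try sss_cache -E first, and only if the group is still missing stop sssd, clear /var/lib/sss/db and start it again), written up as an added example; this is not code from the original thread or from the SSSD project. The function name refresh_sssd_groups, the has_group helper and the SSS_DB_DIR override are my own; sss_cache, systemctl and id are the real commands the thread discusses.

```shell
# Refresh one AD user's group membership as seen by SSSD, escalating only as far as needed.
# Returns 0 once GROUP shows up in `id` output for USER, 1 if it never does.
# SSS_DB_DIR can be overridden for testing; the default is the path used in the thread.
SSS_DB_DIR="${SSS_DB_DIR:-/var/lib/sss/db}"

# has_group USER GROUP : is GROUP listed for USER?
# GROUP may be a name or a numeric GID. `id -Gn` separates names with spaces, so an
# AD group whose name contains a space ("Domain Users") cannot be matched by name;
# pass its GID instead and the numeric form is used.
has_group() {
    case $2 in
        *[!0-9]*) flags=-Gn ;;   # group name
        *)        flags=-G  ;;   # numeric GID
    esac
    id $flags "$1" 2>/dev/null | tr ' ' '\n' | grep -qx -- "$2"
}

refresh_sssd_groups() {
    user=$1; group=$2
    if has_group "$user" "$group"; then
        echo "ok: $user already has $group"; return 0
    fi

    # Step 1: invalidate all cached entries; SSSD re-fetches them on the next lookup.
    echo "step 1: sss_cache -E"
    sss_cache -E
    if has_group "$user" "$group"; then
        echo "ok: $group visible after sss_cache -E"; return 0
    fi

    # Step 2: what the original poster had to do. The cache database is rebuilt
    # from scratch when sssd starts, so nothing persistent is lost except cached
    # credentials for offline logins (which are re-cached on the next online login).
    echo "step 2: stop sssd, remove $SSS_DB_DIR/*, start sssd"
    systemctl stop sssd
    if [ -d "$SSS_DB_DIR" ]; then rm -f -- "$SSS_DB_DIR"/*; fi
    systemctl start sssd
    if has_group "$user" "$group"; then
        echo "ok: $group visible after cache database reset"; return 0
    fi

    # Still missing after a cold cache: the problem is upstream of caching, so look
    # at the checks from the thread (computer object in AD, computer secret/keytab,
    # Kerberos/LDAP ports to the DC) before touching the cache again.
    echo "still missing: $group not in $user's groups after cache reset"
    return 1
}
```

If step 2 is needed every time a group changes, the thread's suggestion of adjusting caching in sssd.conf is the permanent fix rather than scripting the reset; sssd.conf(5) documents the entry_cache_timeout and entry_cache_group_timeout options in the [domain] section for this.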