Hi,
I have a problem with hosts randomly getting login errors or disconnecting from a domain, and I am not sure how to read the commands' output. When the error occurs I am not able to log in to the hosts with any AD user. A simple adinfo shows that the domain is connected (Running in connected mode) and totally fine. However, adinfo --diag reveals that there is an error:
===============System Health===================
HealthStatus: Unhealthy
SubSystem: PwdVerify
ErrCount: 19
LastSet: Fri Aug 11 07:38:35 2017
LastReset: Never
LastCode: -1765328340
LastReason: rd_req:Key version is not available
LastOperation: Verify credentials
Additionally, in the binding table there is a disconnected status:
Binding Table
$=>adhost02.mydomain.com(MYDOMAIN.COM) disconnected
MYDOMAIN.COM=>adhost02.mydomain.com(MYDOMAIN.COM) disconnected
Is that the same as being disconnected from the domain?
As the error shows that the key version is not available, I was checking the keytab (klist -k -t -K krb5.keytab), but it shows that the last key version is the same as the one specified in adinfo --diag. Additionally, kvno principal returns the same key version. However, the error might have something to do with key renewal, looking at the occurrence times.
When trying to log in, the output in /var/log/messages is:
fd:27 PAMVerifyPassword2 > audit User 'username' not authenticated: rd_req:Key version is not available
Aug 16 15:17:26 host01 adclient[36738]: INFO AUDIT_TRAIL|Centrify Suite|PAM|1.0|101|PAM authentication denied|5|user=username(type:ad,username@MYDOMAIN.COM) pid=6746 utc=1502896646293 centrifyEventID=24101 DASessID=N/A DAInst=N/A status=DENIED service=sshd tty=ssh client=10.0.1.119 reason=Authentication failure
su username won't work; however, kinit username works fine.
Additionally, in messages I can also see:
Aug 13 03:45:04 usnj1cddn01 adclient[36738]: INFO AUDIT_TRAIL|Centrify Suite|Trusted Path|1.0|2701|Trusted path denied|5|user=host01$@MYDOMAIN.COM pid=36738 utc=1502595904026 centrifyEventID=23701 DASessID=N/A DAInst=N/A status=DENIED server=cifs/adhost02.mydomain.com@MYDOMAIN.COM reason=No credentials found with supported encryption types
Aug 13 03:45:04 usnj1cddn01 adclient[36738]: WARN <gpworker> gp.processor Can not load policy usnj1cddn01$ from DC. Will execute old policy.
Aug 13 03:45:04 host01 adinfo[47831]: INFO base.nocachemode Disabling the agent directory cache
Aug 13 03:45:05 host01 adclient[36738]: INFO AUDIT_TRAIL|Centrify Suite|Trusted Path|1.0|2700|Trusted path granted|5|user=host01$@MYDOMAIN.COM pid=36738 utc=1502595905007 centrifyEventID=23700 DASessID=N/A DAInst=N/A status=GRANTED server=ldap/adhost02.mydomain.com@MYDOMAIN.COM
Any clue what is causing the problem? I know that rejoining the host to the domain would solve the problem for 1-2 weeks, but then it will most likely happen again.
I also know that the admin password that joined the hosts to the domain got changed. Could that be the cause?
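Added example, not part of the post above and not Centrify code: a small Python triage script for the kinds of lines quoted in this thread. It decodes the numeric LastCode from adinfo --diag (Kerberos error codes are com_err values: KRB5KDC_ERR_NONE, -1765328384, is the table base, and -1765328340 is base + 44, i.e. KRB5KRB_AP_ERR_BADKEYVER, "Key version is not available"), parses the adclient AUDIT_TRAIL syslog lines into their pipe-separated header and key=value fields, and lists every DENIED event with the principal, target service and reason. The sample input is the set of log lines quoted in the post, kept verbatim with the poster's placeholders; the "hint" text per reason is general Kerberos knowledge added here, not Centrify documentation.

```python
"""Triage Centrify adclient AUDIT_TRAIL lines and decode an adinfo --diag LastCode.
Example code written for this thread; it is not part of Centrify."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# krb5 error codes are com_err values: KRB5KDC_ERR_NONE is the table base and
# each RFC 4120 protocol error number is added to it.
KRB5_ERR_BASE = -1765328384
# Subset of the krb5 error table (protocol error number -> symbolic name).
KRB5_ERR_NAMES = {
    14: "KRB5KDC_ERR_ETYPE_NOSUPP",
    24: "KRB5KDC_ERR_PREAUTH_FAILED",
    31: "KRB5KRB_AP_ERR_BAD_INTEGRITY",
    37: "KRB5KRB_AP_ERR_SKEW",
    44: "KRB5KRB_AP_ERR_BADKEYVER",   # "Key version is not available"
}


def krb5_error_name(code: int) -> str:
    """Map a signed com_err value (as printed in LastCode) to its krb5 name."""
    n = code - KRB5_ERR_BASE
    return KRB5_ERR_NAMES.get(n, f"unknown krb5 error {n}")


# syslog prefix + "AUDIT_TRAIL|vendor|component|version|id|name|severity|k=v k=v ..."
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s(?P<host>\S+)\s"
    r"(?P<proc>\w+)\[(?P<pid>\d+)\]:\s(?P<level>\w+)\sAUDIT_TRAIL\|(?P<rest>.*)$"
)
# key=value pairs; values may contain spaces, so stop only before the next " key=".
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
# Partial debug line quoted in the post (no syslog prefix).
PAM_VERIFY_RE = re.compile(
    r"PAMVerifyPassword2 > audit User '(?P<user>[^']+)' not authenticated: (?P<reason>.+)$"
)


@dataclass
class AuditEvent:
    timestamp: str
    host: str
    component: str      # "PAM", "Trusted Path", ...
    event_id: str       # "2701", "101", ...
    name: str           # "Trusted path denied", ...
    fields: Dict[str, str]

    @property
    def status(self) -> str:
        return self.fields.get("status", "")


def parse_audit_trail(line: str) -> Optional[AuditEvent]:
    m = SYSLOG_RE.match(line)
    if not m:
        return None                      # not an AUDIT_TRAIL line (e.g. gp.processor WARN)
    parts = m.group("rest").split("|", 6)
    if len(parts) != 7:
        return None
    _vendor, component, _version, event_id, name, _severity, kv = parts
    return AuditEvent(m.group("ts"), m.group("host"), component, event_id, name,
                      dict(KV_RE.findall(kv)))


# Reason strings seen in this thread -> what to check first (general Kerberos knowledge).
REASON_HINTS = {
    "Key version is not available":
        "KRB5KRB_AP_ERR_BADKEYVER: the ticket was encrypted with a kvno the service "
        "keytab does not hold; compare `klist -k -t -K` against `kvno <principal>`",
    "No credentials found with supported encryption types":
        "MIT libkrb5 wording for KRB5_CC_NOT_KTYPE: no cached credential for this "
        "service is in an enctype the local krb5 configuration permits",
}


def hint_for(reason: str) -> str:
    return next((h for k, h in REASON_HINTS.items() if k in reason), "no specific hint")


def triage(lines: List[str]) -> List[dict]:
    """One record per denied authentication, from AUDIT_TRAIL or PAMVerifyPassword2 lines."""
    out = []
    for line in lines:
        ev = parse_audit_trail(line)
        if ev is not None:
            if ev.status != "DENIED":
                continue
            reason = ev.fields.get("reason", "")
            out.append({"when": ev.timestamp, "host": ev.host, "component": ev.component,
                        "event": ev.name, "user": ev.fields.get("user", ""),
                        "target": ev.fields.get("server") or ev.fields.get("service", ""),
                        "reason": reason, "hint": hint_for(reason)})
            continue
        pm = PAM_VERIFY_RE.search(line)
        if pm:
            out.append({"when": "", "host": "", "component": "PAMVerifyPassword2",
                        "event": "not authenticated", "user": pm.group("user"),
                        "target": "", "reason": pm.group("reason"),
                        "hint": hint_for(pm.group("reason"))})
    return out


# Constructed input: the lines quoted in the post, verbatim (placeholders kept).
SAMPLE = [
    "fd:27 PAMVerifyPassword2 > audit User 'username' not authenticated: rd_req:Key version is not available",
    "Aug 16 15:17:26 host01 adclient[36738]: INFO AUDIT_TRAIL|Centrify Suite|PAM|1.0|101|PAM authentication denied|5|user=username(type:ad,username@MYDOMAIN.COM) pid=6746 utc=1502896646293 centrifyEventID=24101 DASessID=N/A DAInst=N/A status=DENIED service=sshd tty=ssh client=10.0.1.119 reason=Authentication failure",
    "Aug 13 03:45:04 usnj1cddn01 adclient[36738]: INFO AUDIT_TRAIL|Centrify Suite|Trusted Path|1.0|2701|Trusted path denied|5|user=host01$@MYDOMAIN.COM pid=36738 utc=1502595904026 centrifyEventID=23701 DASessID=N/A DAInst=N/A status=DENIED server=cifs/adhost02.mydomain.com@MYDOMAIN.COM reason=No credentials found with supported encryption types",
    "Aug 13 03:45:04 usnj1cddn01 adclient[36738]: WARN <gpworker> gp.processor Can not load policy usnj1cddn01$ from DC. Will execute old policy.",
    "Aug 13 03:45:05 host01 adclient[36738]: INFO AUDIT_TRAIL|Centrify Suite|Trusted Path|1.0|2700|Trusted path granted|5|user=host01$@MYDOMAIN.COM pid=36738 utc=1502595905007 centrifyEventID=23700 DASessID=N/A DAInst=N/A status=GRANTED server=ldap/adhost02.mydomain.com@MYDOMAIN.COM",
]

if __name__ == "__main__":
    print("LastCode -1765328340 ->", krb5_error_name(-1765328340))
    for rec in triage(SAMPLE):
        print(rec)
```

Run it against /var/log/messages (or the lines above) to get the denied events side by side with the kvno-related reason; the granted ldap/ event is skipped because only status=DENIED records are reported.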