SSSD Service cannot start: Someone deleted /etc/sssd/sssd.conf and /etc/krb5.keytab from RHEL 7 server

Subject: SSSD Service cannot start: Someone deleted /etc/sssd/sssd.conf and /etc/krb5.keytab from RHEL 7 server


Good day from Singapore,


Today 22 Jun 2022 Wednesday, I discovered that someone deleted /etc/sssd/sssd.conf and /etc/krb5.keytab from one of the Red Hat Enterprise Linux (RHEL) 7 servers. Hence System Security Services Daemon (SSSD) cannot start.


I have solved it by copying /etc/sssd/sssd.conf from another RHEL 7 server and generating kerberos keytab file on the Active Directory Domain Controller Windows Server.


Here is an edited sample of our /etc/sssd/sssd.conf file.


[sssd]

domains = project.domain.com

config_file_version = 2

services = nss, pam


[domain/project.domain.com]

ad_server = addc01.project.domain.com

ad_domain = project.domain.com

krb5_realm = PROJECT.DOMAIN.COM

realmd_tags = manages-system joined-with-adcli

cache_credentials = True

id_provider = ad

krb5_store_password_if_offline = True

default_shell = /bin/bash

ldap_id_mapping = True

use_fully_qualified_names = True

fallback_homedir = /home/%u%d

access_provider = ad


The 2 Windows Server commands I used to create a kerberos keytab are:


[1] setspn -A host/rhel7.project.domain.com rhel7


[2] ktpass /princ host/rhel7.project.domain.com@PROJECT.DOMAIN.COM /out rhel7.keytab /crypto All /ptype KRB5_NT_PRINCIPAL -desonly /mapuser PROJECT\rhel7$ +setupn +rndPass +setpass +answer


After generating rhel7.keytab on the Active Directory Domain Controller Windows Server, copy the keytab file to the target RHEL 7 server as /etc/krb5.keytab.


As we do not have direct SSH access to the target RHEL 7 server, I have to copy out rhel7.keytab from the Windows Server using winscp. Then I use winscp again to upload rhel7.keytab to another intermediate RHEL 7 server. From the intermediate RHEL 7 server, I used the following Linux command to transfer rhel7.keytab to the target RHEL 7 server.


$ scp rhel7.keytab user@<IP address of target RHEL 7 server>:/home/user/rhel7.keytab


On the target RHEL 7 server, run the following Linux commands:


$ sudo cp rhel7.keytab /etc/krb5.keytab


Then 


$ su -


# systemctl start sssd.service


# systemctl status sssd.service


I have solved the problem!


Reference Guides

================


[1] 22.8.1 Configuring an SSSD Server

Link: https://docs.oracle.com/cd/E37670_01/E41138/html/ch22s08s01.html


[2] How to create a kerberos keytab on Active Directory for Red Hat Enterprise Linux

Link: https://access.redhat.com/solutions/208173


Regards,


Mr. Turritopsis Dohrnii Teo En Ming

Targeted Individual in Singapore

22 Jun 2022 Wednesday

Blogs:

https://tdtemcerts.blogspot.com/

https://tdtemcerts.wordpress.com/





REFERENCES

============


[1] https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org/thread/JMB2IWNLQIMX4NRGUEUYTXYILKC5DR6Q/


[2] https://www.mail-archive.com/sssd-users@lists.fedorahosted.org/msg08162.html


[3] https://marc.info/?l=sssd-users&m=165590714801417&w=2


Comments

Post a Comment

Popular posts from this blog

How the Singapore Government cheated my family of a HDB flat (Draft 22 Aug 2023)

Subject: How the Singapore Government cheated my family of a HDB flat (Draft 22 Aug 2023) It is a Well-Known Fact that government(s) invented mental illness to punish and torture people (and their families) who criticise the government or say bad things about the government. The Singapore Government rewarded my mother with a mental illness (schizophrenia). By leveraging mind control technology, the Singapore Government is able to make my mother hear voices in her head and trick her into believing that her neighbors are scolding her and targeting her everyday. Yes, the Singapore Government resorted to using this trickery. My mother firmly believes that her neighbors are scolding her and targeting her everyday. So we sold off our 1st HDB flat at Bedok North Street 3 and purchased another HDB flat at Yishun without careful consideration, planning and advice. When we moved to the HDB flat at Yishun, my mother still firmly believes that her neighbors are scolding her and targeting her every...
Read more

[DRAFT 26 SEP 2022] HDB refuses to reduce monthly rental fees of my rental flat despite many appeals

Subject: [DRAFT 26 SEP 2022] HDB refuses to reduce monthly rental fees of my rental flat despite many appeals DRAFT 26 SEP 2022 FOR IMMEDIATE RELEASE My name is Mr. Turritopsis Dohrnii Teo En Ming. I am 44 years old. I am a Targeted Individual (TI) living in Singapore. A Targeted Individual is a person who is persecuted, targeted, marked and blacklisted by the government. After graduation from the National University of Singapore in Dec 2006, I started working in Defense Science and Technology Agency (DSTA) as an IT Engineer. But I offended Singapore Minister Mentor Lee Kuan Yew in the year 2007. When I was having a private conversation with my manager Mr. Loh Choon Fah in his office, I said: "When Lee Kuan Yew is gone, Singapore would be more democratic.". This is how I offended Singapore strongman Lee Kuan Yew. Within a few months, I started hearing threatening and menacing voices from the Singapore government. Hearing voices is also known as schizophrenia (mental illness)....
Read more