Hi every body, We are in the process of converting to SSSD for our Centos 6.9 & 7.3 servers. We have the latest available "sssd-1.13.3-56.el6.x86_64" & "adcli-0.8.1-1.el6.x86_64" installed for our platform. In a month or so most of our servers were dropped out of domain. We followed several documents, including "Integrating Red Hat Enterprise Linux 6 with Active Directory" and "Red Hat Enterprise Linux 7.3 Beta Windows Integration Guide". I don't recall seeing any references to enable automatic kerberos host keytab renewal in those documents. After the issue we started looking in to it and saw recommendations about running cron jobs to renew host keytabs: "https://lists.fedorahosted.org/archives/list/sssd-users@xxxxxxxxxxxxxxxxxxxxxx/thread/CRA43XHHDBPAENAYJ3INUWSCE2Q2NB5W/"; Other documentation however indicated this issue has been addressed after sssd-1.13.3-8.el6: "https://bugzilla.redhat.com/show_bug.cgi?id=1290761"; My question is do we still need to configure a cronjob to run "msktutil --auto-update" and "kinit -k <servername>$"? Is default value of "ad_maximum_machine_account_password_age = 30" sufficient for auto renewals? We checked with AD team and they say machine passwords rotate every 30 days. Thanks _______________________________________________ users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
