SSSD Authentication with AD - krb5.keytab not properly updated during machine password change
This document (000021674) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Server for SAP Applications 15 SP6
Situation
- SLES is joined to Active Directory using User logon management. This option is based on SSSD, which uses both an identity service (usually LDAP) and a user authentication service (usually Kerberos).
- DNS and NTP are configured correctly.
- The /etc/krb5.keytab file is not properly updated during the machine account password change (by default every 30 days).
- After rejoining the system to AD, login works again and the errors cease, until the next renewal.
With SSSD debug level 9 enabled, the domain log shows these messages:
(2025-01-11 23:58:15): [be[prod.example.com]] [be_ptask_execute] (0x0400): [RID#7] Task [AD machine account password renewal]: executing task, timeout 60 seconds
(2025-01-11 23:58:15): [be[prod.example.com]] [child_handler_setup] (0x2000): [RID#7] Setting up signal handler up for pid [34082]
(2025-01-11 23:58:15): [be[prod.example.com]] [child_handler_setup] (0x2000): [RID#7] Signal handler set up for pid [34082]
(2025-01-11 23:58:17): [be[prod.example.com]] [_read_pipe_handler] (0x0400): [RID#7] EOF received, client finished
(2025-01-11 23:58:17): [be[prod.example.com]] [ad_machine_account_password_renewal_done] (0x1000): [RID#7] --- adcli output start---
 * Found realm in keytab: PROD.EXAMPLE.COM
 * Found computer name in keytab: SERVER1
 * Found service principal in keytab: SAPService/server1.prod.example.com
 * Found service principal in keytab: host/SERVER1
 * Found service principal in keytab: host/server1.prod.example.com
 * Found host qualified name in keytab: server1.prod.example.com
 * Using fully qualified name: server1.prod.example.com
 * Using domain name: prod.example.com
 * Calculated computer account name from fqdn: SERVER1
 * Using domain realm: prod.example.com
 * Sending netlogon pings to domain controller: cldap://192.168.2.4
 * Received NetLogon info from: dc01.prod.example.com
 ! Couldn't create krb5.conf snippet file in: /tmp/adcli-krb5-hJcLwv/krb5.d: Permission denied
 * Authenticated as default/reset computer account: SERVER1
 * Using GSS-SPNEGO for SASL bind
 * Looked up short domain name: PROD
 * Looked up domain SID: S-1-5-21-1756834019-3392798970-2683417265
 * Using fully qualified name: server1.prod.example.com
 * Using domain name: prod.example.com
 * Using computer account name: SERVER1
 * Using domain realm: prod.example.com
 * Using fully qualified name: server1.prod.example.com
 * Enrolling computer name: SERVER1
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Found computer account for SERVER1$ at: CN=SERVER1,OU=Unix,OU=Servers,DC=prod,DC=example,DC=com
 * Retrieved kvno '2' for computer account in directory: CN=SERVER1,OU=Unix,OU=Servers,DC=prod,DC=example,DC=com
 * Sending netlogon pings to domain controller: cldap://192.168.2.4
 * Received NetLogon info from: dc01.prod.example.com
 * Changed computer password
 * kvno incremented to 3
 * Discovered which keytab salt to use
 ! Couldn't add keytab entries: FILE:/etc/krb5.keytab: Permission denied
adcli: updating membership with domain prod.example.com failed: Couldn't add keytab entries: FILE:/etc/krb5.keytab: Permission denied
---adcli output end---
(2025-01-11 23:58:17): [be[prod.example.com]] [be_ptask_done] (0x0400): [RID#7] Task [AD machine account password renewal]: finished successfully
Resolution
Check the ownership, permissions and file attributes of /etc/krb5.keytab with:
ls -l /etc/krb5.keytab
lsattr /etc/krb5.keytab
The file must be owned by root:root and readable and writable only by root (mode 0600), and lsattr must not show the immutable (i) attribute, which would also make writes by root fail with "Permission denied". Expected output of ls -l:
-rw------- 1 root root 2676 Jan 12 15:39 /etc/krb5.keytab
Cause
In this case /etc/krb5.keytab had wrong ownership and permissions.
adcli renewed the machine account password in Active Directory, but it could not write the new keys to /etc/krb5.keytab. Note that SSSD still reports the periodic task as successful; the failure is only visible in the adcli output:
adcli: updating membership with domain prod.example.com failed: Couldn't add keytab entries: FILE:/etc/krb5.keytab: Permission denied
---adcli output end---
(2025-01-11 23:58:17): [be[prod.example.com]] [be_ptask_done] (0x0400): [RID#7] Task [AD machine account password renewal]: finished successfully
The keytab therefore still holds the keys for kvno 2 while the directory now has kvno 3, so the next renewal (and any authentication with the host credentials) fails because the new keys are not stored in /etc/krb5.keytab.
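The following script is an added example and not part of this TID. It implements the two checks the Resolution and Cause sections describe: check_keytab verifies that the keytab has the ownership, mode and attributes adcli needs to rewrite it, and sssd_renewal_failures scans an SSSD domain log (assumed to be /var/log/sssd/sssd_<domain>.log) for renewal runs in which adcli changed the password but could not store the keys, which be_ptask_done still logs as "finished successfully". The sample log is constructed from the lines quoted above.

```shell
#!/bin/sh
# Added example (not from the SUSE TID). POSIX sh; stat -c is GNU-specific.

# check_keytab FILE [OWNER] [GROUP] [MODE]: prints one line per problem found,
# returns 1 if anything is wrong. Defaults match what the TID expects for
# /etc/krb5.keytab: root:root, mode 600.
check_keytab() {
    f=$1; want_owner=${2:-root}; want_group=${3:-root}; want_mode=${4:-600}; rc=0
    [ -f "$f" ] || { echo "$f: missing"; return 1; }
    set -- $(stat -c '%U %G %a' "$f")             # owner group octal-mode
    [ "$1" = "$want_owner" ] || { echo "$f: owner $1, expected $want_owner"; rc=1; }
    [ "$2" = "$want_group" ] || { echo "$f: group $2, expected $want_group"; rc=1; }
    [ "$3" = "$want_mode" ]  || { echo "$f: mode $3, expected $want_mode"; rc=1; }
    # chattr +i also makes writes fail with "Permission denied", even for root.
    if command -v lsattr >/dev/null 2>&1; then
        case "$(lsattr "$f" 2>/dev/null | cut -d' ' -f1)" in
            *i*) echo "$f: immutable attribute set"; rc=1 ;;
        esac
    fi
    return $rc
}

# sssd_renewal_failures LOGFILE: prints "<timestamp> kvno=<n>" once per renewal
# run where AD now holds kvno n but adcli could not write the keys to the keytab.
# The be_ptask_done "finished successfully" line is deliberately ignored.
sssd_renewal_failures() {
    awk '
        /ad_machine_account_password_renewal_done/ { ts = $1 " " $2; kvno = "?"; hit = 0 }
        /kvno incremented to/                      { kvno = $NF }
        /Couldn.t add keytab entries/ && !hit      { print ts " kvno=" kvno; hit = 1 }
    ' "$1"
}

# Writes a constructed sample log in the SSSD level-9 format quoted in this TID.
write_sample_log() {
    cat > "$1" <<'EOF'
(2025-01-11 23:58:17): [be[prod.example.com]] [ad_machine_account_password_renewal_done] (0x1000): [RID#7] --- adcli output start---
 * Changed computer password
 * kvno incremented to 3
 ! Couldn't add keytab entries: FILE:/etc/krb5.keytab: Permission denied
adcli: updating membership with domain prod.example.com failed: Couldn't add keytab entries: FILE:/etc/krb5.keytab: Permission denied
---adcli output end---
(2025-01-11 23:58:17): [be[prod.example.com]] [be_ptask_done] (0x0400): [RID#7] Task [AD machine account password renewal]: finished successfully
EOF
}
```

On a live system run check_keytab /etc/krb5.keytab as root and point sssd_renewal_failures at the domain log; the example functions only read, they never modify the keytab.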
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 000021674
- Creation Date: 20-Jan-2025
- Modified Date: 21-Jan-2025
- SUSE Linux Enterprise Desktop
- SUSE Linux Enterprise Server
- SUSE Linux Enterprise Server for SAP Applications
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com