SSSD Authentication with AD fails with a MEMORY:/etc/krb5.keytab error
This document (000020793) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Server for SAP Applications 15 SP6
SUSE Linux Enterprise Server 15 SP5
SUSE Linux Enterprise Server for SAP Applications 15 SP5
SUSE Linux Enterprise Server 15 SP4
SUSE Linux Enterprise Server for SAP Applications 15 SP4
SUSE Linux Enterprise Server 15 SP3
SUSE Linux Enterprise Server for SAP Applications 15 SP3
Situation
- DNS and NTP are configured correctly
- AD users are unable to log in to SLES 15
- SSSD Authentication with AD fails with an error: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
These error messages are shown in the logs:
2022-09-28T06:12:42.729876+00:00 servertest01 SAPHID_11[6619]: D01 Basis System: Transaction canceled 00 560 ( R938759 100 )
2022-09-28T06:13:22.440156+00:00 servertest01 ldap_child[13830]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
2022-09-28T06:13:22.654065+00:00 servertest01 ldap_child[13831]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
2022-09-28T06:13:26.419190+00:00 servertest01 SAPHID_11[6625]: D01 Basis System: Transaction canceled 00 560 ( R998282 100 )
2022-09-28T06:13:26.426394+00:00 servertest01 SAPHID_11[6622]: D01 Basis System: Transaction canceled 00 560 ( R938759 100 )
2022-09-28T06:14:32.065142+00:00 servertest01 ldap_child[14155]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
2022-09-28T06:14:32.225996+00:00 servertest01 ldap_child[14156]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
2022-09-28T06:14:42.733369+00:00 servertest01 SAPHID_11[6619]: D01 Basis System: Transaction canceled 00 560 ( R938759 100 )
2022-09-28T06:15:41.729094+00:00 servertest01 ldap_child[14387]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
2022-09-28T06:15:41.932528+00:00 servertest01 ldap_child[14388]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
2022-09-28T06:12:12.690092+00:00 servertest01 ldap_child[12334]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
2022-09-28T06:12:12.880496+00:00 servertest01 ldap_child[12335]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
and
Failed to init credentials: Client 'SERVERTEST01$@DOMAIN.EXAMPLE.LOCAL' not found in Kerberos database
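To confirm that a host shows the two messages above before starting the rejoin, the following shell function counts each one in a log stream and reports the host and machine principal involved. It is an added example, not part of the original SUSE document; `sample_log` and `triage_keytab_errors` are hypothetical names, and the sample input is constructed from the log lines shown in this article.

```shell
#!/bin/sh
# Constructed sample input, modelled on the log lines in this article.
sample_log() {
cat <<'EOF'
2022-09-28T06:13:22.440156+00:00 servertest01 ldap_child[13830]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
2022-09-28T06:13:26.419190+00:00 servertest01 SAPHID_11[6625]: D01 Basis System: Transaction canceled 00 560 ( R998282 100 )
2022-09-28T06:14:32.065142+00:00 servertest01 ldap_child[14155]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
Failed to init credentials: Client 'SERVERTEST01$@DOMAIN.EXAMPLE.LOCAL' not found in Kerberos database
EOF
}

# Reads log text on stdin and prints a two-line summary.
# Exit status: 0 if either message was seen, 1 if neither was found.
triage_keytab_errors() {
    awk '
    # ldap_child failed preauthentication with the host keytab.
    /ldap_child\[[0-9]+\]: Failed to initialize credentials using keytab/ && /Preauthentication failed/ {
        preauth++
        if (!($2 in seen_host)) {          # field 2 of a syslog line is the host
            seen_host[$2] = 1
            hosts = (hosts == "" ? "" : hosts ",") $2
        }
    }
    # The KDC reports that the machine principal does not exist.
    /Client .* not found in Kerberos database/ {
        notfound++
        n = split($0, q, "\047")           # \047 is the single-quote character
        if (n >= 3 && !(q[2] in seen_princ)) {
            seen_princ[q[2]] = 1
            princs = (princs == "" ? "" : princs ",") q[2]
        }
    }
    END {
        printf "preauth_failed=%d hosts=%s\n", preauth, (hosts == "" ? "-" : hosts)
        printf "client_not_found=%d principals=%s\n", notfound, (princs == "" ? "-" : princs)
        exit ((preauth + notfound > 0) ? 0 : 1)
    }'
}
```

On a live system the function can read the system log directly, for example `triage_keytab_errors < /var/log/messages`.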
Resolution
Delete the existing computer account from the domain:
# adcli delete-computer -D domain.example.com servertest01 -S dc.example.com
-D specifies the domain
-S specifies a domain controller
Stop the SSSD daemon:
# systemctl stop sssd
Rename and back up the old keytab:
# mv /etc/krb5.keytab /root/krb5.keytab.backup
Clear SSSD cache:
# rm -rf /var/lib/sss/db/*
Remove Kerberos caches:
# rm -f /tmp/krb5*
Join the domain:
# adcli join -D example.com -S dc.example.com
Start the SSSD daemon:
# systemctl start sssd
Cause
Additional Information
Joining Active Directory using User logon management
https://documentation.suse.com/sles/15-SP6/single-html/SLES-security/#sec-security-ad-sssd
Manually join AD on SUSE Linux Enterprise Server 12 or 15 without Yast usage
https://www.suse.com/support/kb/doc/?id=000018831
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 000020793
- Creation Date: 30-Sep-2022
- Modified Date: 09-Oct-2024
- SUSE Linux Enterprise Server
- SUSE Linux Enterprise Server for SAP Applications