Description
In gitlab by @threepistons on Dec 8, 2021, 17:09
If a machine is an identical copy of another machine (e.g. a VM disk image used as a template for several VMs), the one-shot msktutil service unit still carries the template's principal name. The service file needs to be updated, either by template or programmatically by an OS command, so that it names the clone rather than the template.
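One way to do the programmatic fix from a shell, as an added example that is not part of this issue or of msktutil itself: a function that rewrites the `--computer-name` argument on the unit's `Exec*=` lines to the clone's own short hostname and writes the file atomically. The unit path and option names are the ones shown in this issue; the function names (`unit_computer_name`, `fix_msktutil_unit`, `demo_fix`) and the sample unit are constructed here for illustration.

```shell
#!/bin/sh
# Added example, not code from the issue: repair the template's --computer-name
# in a cloned host's msktutil.service. The unit layout and option names are
# taken from the issue; the function names and sample unit are constructed.

# unit_computer_name UNIT_FILE
# Prints the distinct --computer-name value(s) found on Exec*= lines.
unit_computer_name() {
    sed -n 's/^Exec[A-Za-z]*=.*--computer-name  *\([^ ]*\).*/\1/p' "$1" | sort -u
}

# fix_msktutil_unit UNIT_FILE NEW_NAME
# Rewrites every --computer-name argument on Exec*= lines to NEW_NAME and
# replaces the unit atomically (temp file + mv). Returns 0 if it changed the
# file, 1 if the unit already named NEW_NAME or had no --computer-name at all,
# 2 if NEW_NAME is not a plain short hostname.
fix_msktutil_unit() {
    unit="$1"
    new_name="$2"
    # The value is spliced into a sed expression and into a command line in
    # the unit, so accept only hostname characters.
    case "$new_name" in
        ''|*[!A-Za-z0-9-]*) echo "refusing computer name '$new_name'" >&2; return 2 ;;
    esac
    old=$(unit_computer_name "$unit")
    if [ -z "$old" ] || [ "$old" = "$new_name" ]; then
        return 1
    fi
    tmp=$(mktemp "${unit}.XXXXXX")
    sed "s/^\(Exec[A-Za-z]*=.*--computer-name  *\)[^ ]*/\1$new_name/" "$unit" > "$tmp"
    chmod 644 "$tmp"
    mv "$tmp" "$unit"
    echo "replaced --computer-name $old with $new_name in $unit"
}

# demo_fix: write a constructed copy of the unit from the issue (still naming
# the template csc2033-00), fix it for a clone called csc2033-02, and print
# the name now configured.
demo_fix() {
    dir=$(mktemp -d)
    unit="$dir/msktutil.service"
    cat > "$unit" <<'EOF'
[Unit]
Description=Maintains domain trust for kerberised linux machines
After=network.target auditd.service network-manager.service
[Service]
Type=oneshot
ExecStart=/usr/sbin/msktutil -N --auto-update --auto-update-interval 15 --computer-name csc2033-00
ExecReload=/usr/sbin/msktutil -N --auto-update --auto-update-interval 15 --computer-name csc2033-00
[Install]
WantedBy=multi-user.target
EOF
    fix_msktutil_unit "$unit" csc2033-02 >/dev/null
    unit_computer_name "$unit"
    rm -rf "$dir"
}

# On a real clone the call would be:
#   fix_msktutil_unit /lib/systemd/system/msktutil.service "$(uname -n | cut -d. -f1)"
# followed by `systemctl daemon-reload` so systemd picks up the edited unit.
demo_fix
```

The function only corrects the unit; it does not touch the keytab. The `--computer-name` check (`unit_computer_name`) is the same state inspection the `grep -rn csc2033-00 /` in the chat performs, narrowed to the file that matters, and is worth running after a configuration-management run to confirm the template name really is gone.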
Verbatim Teams chat follows.
[16:31] Helen Griffiths
root@csc2033-02:/etc# msktutil create --verbose --computer-name csc2033-02 --user-creds-only -N -n --server campusdc01.ncl.ac.uk
[args explained in order of appearance]
- asks for domain join
- we get logging of tasks as we go
- to stop it from trying (and failing because too long) to join with the FQDN
- use the kinit sid keytab you made before you ran msktutil
- don't try to reverse lookup the DC
- don't try to canonicalise the hostname of this machine
- otherwise the DC will never be found and the join will fail
[16:33] Helen Griffiths
Erm, 02 is still saying that it is using csc2033-00 to join, wtf? [I expected the journalctl output to say csc2033-02 after the msktutil above.]
[16:35] Helen Griffiths
[journalctl output]
Dec 08 16:32:57 csc2033-02 [sssd[ldap_child[5815]: Error processing keytab file [MEMORY:/etc/krb5.keytab]: Principal [csc2033-00$@CAMPUS.NCL.AC.UK] was not found. Unable to create GSSAPI-encrypted LDAP connection.
Dec 08 16:32:57 csc2033-02 [sssd[ldap_child[5815]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Error writing to key table. Unable to create GSSAPI-encrypted LDAP connection.
[16:39] Helen Griffiths
we are not cloning machines in the future
[16:45] Helen Griffiths
root@csc2033-02:~# grep -rn --exclude-dir 'log' csc2033-00 / might shed some light
[16:46] Helen Griffiths
If I don't say --exclude-dir 'log' I get heaps of noise from /var/log and similar, which I don't care about because I'm interested in current state not past events.
[16:48] Helen Griffiths
OH HI
/lib/systemd/system/msktutil.service:7:ExecStart=/usr/sbin/msktutil -N --auto-update --auto-update-interval 15 --computer-name csc2033-00
/lib/systemd/system/msktutil.service:8:ExecReload=/usr/sbin/msktutil -N --auto-update --auto-update-interval 15 --computer-name csc2033-00
[16:51] Helen Griffiths
[the above service file i]s not fixed by puppet run.
root@csc2033-02:~# /opt/puppetlabs/bin/puppet agent -t
Info: Using environment 'linux_refresh'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for csc2033-02.ncl.ac.uk
Info: Applying configuration version '1638982141'
Notice: /Stage[main]/Profiles::Securityupdates/Exec[dpkg--configure-a]/returns: executed successfully (corrective)
Notice: /Stage[main]/Profiles::Securityupdates/Exec[apt--f-install]/returns: executed successfully (corrective)
Notice: /Stage[main]/Msktutil::Keytab/Exec[chmod]/returns: executed successfully (corrective)
Notice: /Stage[main]/Main/Groupmembership[sudo]/members: members changed ['ncrr', 'ncsteam', 'nhg45', 'nsd123'] to ['nhg45', 'ncrr', 'nsd123', 'ncsteam', 'b9037154', 'b9064174', 'c0007411', 'c0027177', 'c0051068', 'c0052966'] (corrective)
Notice: /Stage[main]/Types/Types::Exec[dr_apparmor]/Exec[dr_apparmor]/returns: executed successfully (corrective)
Notice: Applied catalog in 15.69 seconds
root@csc2033-02:~# cat /lib/systemd/system/msktutil.service
[Unit]
Description=Maintains domain trust for kerberised linux machines
After=network.target auditd.service network-manager.service
[Service]
Type=oneshot
ExecStart=/usr/sbin/msktutil -N --auto-update --auto-update-interval 15 --computer-name csc2033-00
ExecReload=/usr/sbin/msktutil -N --auto-update --auto-update-interval 15 --computer-name csc2033-00
[Install]
WantedBy=multi-user.target