
I have many RHEL servers configured with SSSD that are not rotating their AD computer account password and as a result their computer accounts are getting deleted from the AD domain. This is happening due to a stale account cleanup job that is in place on the domain controllers.

I found out if you do not set this value

ad_maximum_machine_account_password_age = 

in your /etc/sssd.conf the default is to rotate the password every 30 days. I have systems where it is working and systems where it is not working. For testing purposes I set several systems to 1 day for the value

ad_maximum_machine_account_password_age = 1

I also raised logging to 10 to see if I can capture something in the log files as to success or failure of the rotation of the computer account password.

I was also able to rotate the password manually with this command

adcli update

or

adcli update --show-details --show-password --domain domainXYZ

I am tempted to put a cron job that will run the command every 2 weeks but I do not like that solution. I would rather it just work properly.

I have opened a case with Red Hat but they are not being very helpful. I have also searched to the end of the internet for a solution and have come up empty so far.

Jeff Schaller
kerplunk

1 Answer


We ran into your question while trying to remediate the same issue on our AD joined RHEL boxes. We set ours to one day on a test box and restarted the SSSD & realmd daemons. After about 5 minutes the pwdLastSet attribute on the test box had been updated.

As for the automatic reset, it appears that this was removed in SSSD v1.13.4 in favor of using the setting mentioned above. Have a look here: https://access.redhat.com/solutions/2420951

The SSSD release notes referenced in the above link can be found here: https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_13_4.html

In order for the AD machine password to be changed, the setting would have to be added to the /etc/sssd/sssd.conf file under the domain section.

I hope this helps!

  • So far setting ad_maximum_machine_account_password_age = 14 seems to be working on most servers but some still don't like it. I am updating all the associated packages on the satellite servers just to be up to date. On the servers where the password age value isn't being respected I will implement a cron job like this:

    #Update AD computer account password for SSSD agent
    00 00 */14 * * /sbin/adcli update --computer-password-lifetime=0 --domain XYZ

    – kerplunk Nov 19 '19 at 20:12
  • I can't believe Red Hat support couldn't direct me to that document. Thank you!! That really helps clear up the behavior we are experiencing. – kerplunk Nov 19 '19 at 20:21
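A small check that ties the two halves of the answer together, added here as an example and not part of the question, the answer or SSSD itself: it reads ad_maximum_machine_account_password_age from the [domain/...] section of an sssd.conf (falling back to the 30-day default mentioned above, and treating an empty value as unset, which is this script's assumption rather than documented SSSD behaviour) and converts an AD pwdLastSet value into an age in days so an account can be flagged before the stale-account cleanup job deletes it. The sample config and the pwdLastSet value are constructed; the conversion assumes the standard Windows FILETIME encoding (100-ns intervals since 1601-01-01 UTC).

```shell
#!/bin/sh
# Added example: compare a machine's AD password age with the SSSD rotation
# interval. Not code from the original post or from the SSSD project.

# Seconds between the Windows FILETIME epoch (1601-01-01) and the Unix epoch.
FILETIME_EPOCH_OFFSET=11644473600

# pwdlastset_age_days <pwdLastSet> <now_epoch>
# pwdLastSet is in 100-ns intervals since 1601-01-01, as AD returns it.
pwdlastset_age_days() {
    set_epoch=$(( $1 / 10000000 - FILETIME_EPOCH_OFFSET ))
    echo $(( ($2 - set_epoch) / 86400 ))
}

# machine_pw_age_setting <sssd.conf>
# Prints the first non-empty ad_maximum_machine_account_password_age found in a
# [domain/...] section, or 30 (the default the question mentions) when unset.
# An empty "key = " line is treated as unset (assumption of this script).
machine_pw_age_setting() {
    awk -F= '
        /^\[/ { in_domain = ($0 ~ /^\[domain\//); next }
        in_domain && $1 ~ /^[ \t]*ad_maximum_machine_account_password_age[ \t]*$/ {
            gsub(/[ \t]/, "", $2); if ($2 != "") { print $2; found = 1; exit }
        }
        END { if (!found) print "30" }
    ' "$1"
}

# rotation_overdue <age_days> <max_age_days>: true when the password is older
# than the configured interval, i.e. SSSD has not rotated it on time.
rotation_overdue() {
    [ "$1" -ge "$2" ]
}

# write_sample_conf: constructed sssd.conf for demonstration; prints its path.
write_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[sssd]
domains = example.test
services = nss, pam

[domain/example.test]
id_provider = ad
ad_domain = example.test
ad_maximum_machine_account_password_age = 1
EOF
    echo "$f"
}
```

Run it against a real box with the pwdLastSet value from ldapsearch and `$(date +%s)` as the second argument to pwdlastset_age_days; if rotation_overdue reports true the account is a candidate for the manual adcli update the question describes.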