Bug 1748292

Or similar error as klist.

sh$ echo -n > ./krb5.keytab
sh$ klist -kt ./krb5.keytab
Keytab name: FILE:./krb5.keytab
klist: Unsupported key table format version number while starting keytab scan

Upstream ticket:
https://pagure.io/SSSD/sssd/issue/4081

Upstream PR: https://github.com/SSSD/sssd/pull/883

With this patch in described case:

 - journal says:
```
Failed to read keytab [default]: No suitable principal found in keytab
```

 - /var/log/sssd_$backend.log says:
```
[find_principal_in_keytab] (0x0020): krb5_kt_start_seq_get failed: Unsupported key table format version number
```
(getting exactly this message into journal log is a little bit tricky)


Jan, is this ok from your point of view?

Why would it say "default" and not "/etc/krb5.keytab"?

(In reply to Jan Pazdziora from comment #4)
> Why would it say "default" and not "/etc/krb5.keytab"?

There are options 'krb5_keytab' and 'ldap_krb5_keytab' that can be set in sssd config to specify location of the keytab.

If those options are not set sssd assumes "default" keytab location and uses `krb5_kt_default` to resolve default key table.
Formally speaking sssd doesn't "know" what is keytab location in this case thus prints "default".

(In reply to Alexey Tikhonov from comment #3)
> Upstream PR: https://github.com/SSSD/sssd/pull/883

PR was updated to include libkrb5 error in journal and to print full path to keytab in case default is used

    master
        e778fa1 - util/sss_krb5: debug messages fixes
        716aeba - util/sss_krb5: fixed few memory handling issues
        8f27546 - util/sss_krb5: find_principal_in_keytab() was amended
        5086353 - util/sss_krb5.c: elimination of unreachable code

Commit e778fa1 fixes this issue

This bug was fixed as part of the rebase we did in RHEL 8.2.0. It would be good to fully ack it and include in the erratum.

versions:
-----------
sssd-client-2.2.3-18.el8.x86_64
sssd-ipa-2.2.3-18.el8.x86_64
sssd-kcm-2.2.3-18.el8.x86_64
sssd-dbus-2.2.3-18.el8.x86_64
sssd-2.2.3-18.el8.x86_64
sssd-nfs-idmap-2.2.3-16.el8.x86_64
python3-sssdconfig-2.2.3-18.el8.noarch
sssd-common-pac-2.2.3-18.el8.x86_64
sssd-ldap-2.2.3-18.el8.x86_64
sssd-tools-2.2.3-18.el8.x86_64
sssd-common-2.2.3-18.el8.x86_64
sssd-ad-2.2.3-18.el8.x86_64
sssd-krb5-common-2.2.3-18.el8.x86_64
sssd-proxy-2.2.3-18.el8.x86_64
sssd-winbind-idmap-2.2.3-18.el8.x86_64
sssd-krb5-2.2.3-18.el8.x86_64


# Join system to IPA using ipa client 

# move /etc/krb5.keytab 
mv /etc/krb5.keytab /etc/krb5.keytab.orig

# create an empty keytab file
echo -n > /etc/krb5.keytab

# start sssd 

<snip>
Mar 03 16:16:44 client1.testrealm.test sssd[25801]: Starting up
Mar 03 16:16:44 client1.testrealm.test sssd[be[testrealm.test]][25803]: Starting up
Mar 03 16:16:44 client1.testrealm.test sssd[be[implicit_files]][25802]: Starting up
Mar 03 16:16:44 client1.testrealm.test sssd[be[testrealm.test]][25803]: krb5_kt_start_seq_get failed: Unsupported key table format version number
Mar 03 16:16:44 client1.testrealm.test sssd[be[testrealm.test]][25803]: krb5_kt_start_seq_get failed: Unsupported key table format version number
Mar 03 16:16:44 client1.testrealm.test sssd[be[testrealm.test]][25803]: krb5_kt_start_seq_get failed: Unsupported key table format version number
Mar 03 16:16:44 client1.testrealm.test sssd[be[testrealm.test]][25803]: krb5_kt_start_seq_get failed: Unsupported key table format version number
Mar 03 16:16:44 client1.testrealm.test sssd[be[testrealm.test]][25803]: krb5_kt_start_seq_get failed: Unsupported key table format version number
Mar 03 16:16:44 client1.testrealm.test sssd[be[testrealm.test]][25803]: krb5_kt_start_seq_get failed: Unsupported key table format version number
Mar 03 16:16:44 client1.testrealm.test sssd[be[testrealm.test]][25803]: krb5_kt_start_seq_get failed: Unsupported key table format version number
Mar 03 16:16:44 client1.testrealm.test sssd[be[testrealm.test]][25803]: Failed to read keytab [FILE:/etc/krb5.keytab]: No suitable principal found in keytab
Mar 03 16:16:44 client1.testrealm.test sssd[be[testrealm.test]][25804]: Starting up
Mar 03 16:16:44 client1.testrealm.test sssd[be[testrealm.test]][25804]: krb5_kt_start_seq_get failed: Unsupported key table format version number
Mar 03 16:16:44 client1.testrealm.test sssd[be[testrealm.test]][25804]: krb5_kt_start_seq_get failed: Unsupported key table format version number
Mar 03 16:16:44 client1.testrealm.test sssd[be[testrealm.test]][25804]: krb5_kt_start_seq_get failed: Unsupported key table format version number
Mar 03 16:16:44 client1.testrealm.test sssd[be[testrealm.test]][25804]: krb5_kt_start_seq_get failed: Unsupported key table format version number
Mar 03 16:16:44 client1.testrealm.test sssd[be[testrealm.test]][25804]: krb5_kt_start_seq_get failed: Unsupported key table format version number
Mar 03 16:16:44 client1.testrealm.test sssd[be[testrealm.test]][25804]: krb5_kt_start_seq_get failed: Unsupported key table format version number
</snip>


# Join system to AD 

[root@client1 ~]# realm join -U Administrator -v SARABHAI.TEST
 * Resolving: _ldap._tcp.sarabhai.test
 * Performing LDAP DSE lookup on: 192.168.122.216
 * Successfully discovered: SARABHAI.TEST
Password for Administrator:
 * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/sbin/adcli
 * LANG=C /usr/sbin/adcli join --verbose --domain SARABHAI.TEST --domain-realm SARABHAI.TEST --domain-controller 192.168.122.216 --login-type user --login-user Administrator --stdin-password
 * Using domain name: SARABHAI.TEST
 * Calculated computer account name from fqdn: CLIENT1
 * Using domain realm: SARABHAI.TEST
 * Sending netlogon pings to domain controller: cldap://192.168.122.216
 * Received NetLogon info from: vikram.SARABHAI.TEST
 * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-2lS4g4/krb5.d/adcli-krb5-conf-OJyy4d
 * Authenticated as user: Administrator
 * Using GSS-SPNEGO for SASL bind
 * Looked up short domain name: SARABHAI
 * Looked up domain SID: S-1-5-21-1672089527-2408710569-2399489135
 * Using fully qualified name: client1.testrealm.test
 * Using domain name: SARABHAI.TEST
 * Using computer account name: CLIENT1
 * Using domain realm: SARABHAI.TEST
 * Calculated computer account name from fqdn: CLIENT1
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Computer account for CLIENT1$ does not exist
 * Found well known computer container at: CN=Computers,DC=SARABHAI,DC=TEST
 * Calculated computer account: CN=CLIENT1,CN=Computers,DC=SARABHAI,DC=TEST
 * Created computer account: CN=CLIENT1,CN=Computers,DC=SARABHAI,DC=TEST
 * Sending netlogon pings to domain controller: cldap://192.168.122.216
 * Received NetLogon info from: vikram.SARABHAI.TEST
 * Set computer password
 * Retrieved kvno '2' for computer account in directory: CN=CLIENT1,CN=Computers,DC=SARABHAI,DC=TEST
 * Checking RestrictedKrbHost/client1.testrealm.test
 *    Added RestrictedKrbHost/client1.testrealm.test
 * Checking RestrictedKrbHost/CLIENT1
 *    Added RestrictedKrbHost/CLIENT1
 * Checking host/client1.testrealm.test
 *    Added host/client1.testrealm.test
 * Checking host/CLIENT1
 *    Added host/CLIENT1
 * Discovered which keytab salt to use
 * Added the entries to the keytab: CLIENT1$@SARABHAI.TEST: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/CLIENT1: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/client1.testrealm.test: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/CLIENT1: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/client1.testrealm.test: FILE:/etc/krb5.keytab
 * /usr/bin/systemctl enable sssd.service
Created symlink /etc/systemd/system/multi-user.target.wants/sssd.service → /usr/lib/systemd/system/sssd.service.
 * /usr/bin/systemctl restart sssd.service
 * /usr/bin/sh -c /usr/bin/authselect select sssd with-mkhomedir --force && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service
Profile "sssd" was selected.
The following nsswitch maps are overwritten by the profile:
- passwd
- group
- netgroup
- automount
- automount
- services

Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.

- with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module
  is present and oddjobd service is enabled
  - systemctl enable oddjobd.service
  - systemctl start oddjobd.service

Created symlink /etc/systemd/system/multi-user.target.wants/oddjobd.service → /usr/lib/systemd/system/oddjobd.service.
 * Successfully enrolled machine in realm

[root@client1 ~]# cat /etc/sssd/sssd.conf

[sssd]
domains = SARABHAI.TEST
config_file_version = 2
services = nss, pam

[domain/SARABHAI.TEST]
ad_domain = SARABHAI.TEST
krb5_realm = SARABHAI.TEST
realmd_tags = manages-system joined-with-adcli 
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad

[root@client1 ~]# systemctl restart sssd
Job for sssd.service failed because the control process exited with error code.
See "systemctl status sssd.service" and "journalctl -xe" for details.
[root@client1 ~]# journalctl -xe
Mar 03 16:24:46 client1.testrealm.test sssd[be[SARABHAI.TEST]][27246]: krb5_kt_start_seq_get failed: Key table file '/etc/krb5.keytab' not found
Mar 03 16:24:46 client1.testrealm.test sssd[be[SARABHAI.TEST]][27246]: krb5_kt_start_seq_get failed: Key table file '/etc/krb5.keytab' not found
Mar 03 16:24:46 client1.testrealm.test sssd[be[SARABHAI.TEST]][27246]: Failed to read keytab [FILE:/etc/krb5.keytab]: No suitable principal found in keytab
Mar 03 16:24:46 client1.testrealm.test sssd[27220]: Exiting the SSSD. Could not restart critical service [SARABHAI.TEST].
Mar 03 16:24:46 client1.testrealm.test sssd[be[implicit_files]][27233]: Shutting down (status = 0)
Mar 03 16:24:46 client1.testrealm.test systemd[1]: sssd.service: Main process exited, code=exited, status=1/FAILURE
Mar 03 16:24:46 client1.testrealm.test systemd[1]: sssd.service: Failed with result 'exit-code'.
Mar 03 16:24:46 client1.testrealm.test systemd[1]: Failed to start System Security Services Daemon.


Marking it as verified based on above results.

In the previous comment AD was tested with no keytab. Retesting with blank keytab

[root@client1 ~]# mv /etc/krb5.keytab /etc/krb5.keytab.backup
[root@client1 ~]# echo -n > /etc/krb5.keytab
[root@client1 ~]# systemctl restart sssd
Job for sssd.service failed because the control process exited with error code.
See "systemctl status sssd.service" and "journalctl -xe" for details.
[root@client1 ~]# journalctl -xe
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
--
-- Unit sssd.service has failed.
--
-- The result is failed.  
Mar 03 16:29:35 client1.testrealm.test systemd[1]: sssd.service: Service RestartSec=100ms expired, scheduling restart.
Mar 03 16:29:35 client1.testrealm.test systemd[1]: sssd.service: Scheduled restart job, restart counter is at 1.
-- Subject: Automatic restarting of a unit has been scheduled
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
--
-- Automatic restarting of the unit sssd.service has been scheduled, as the result for
-- the configured Restart= setting for the unit.
Mar 03 16:29:35 client1.testrealm.test systemd[1]: Stopped System Security Services Daemon.
-- Subject: Unit sssd.service has finished shutting down
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
--
-- Unit sssd.service has finished shutting down.
Mar 03 16:29:35 client1.testrealm.test systemd[1]: Starting System Security Services Daemon...
-- Subject: Unit sssd.service has begun start-up
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
--
-- Unit sssd.service has begun starting up.
Mar 03 16:29:35 client1.testrealm.test sssd[27870]: Starting up
Mar 03 16:29:35 client1.testrealm.test sssd[be[SARABHAI.TEST]][27872]: Starting up
Mar 03 16:29:35 client1.testrealm.test sssd[be[implicit_files]][27871]: Starting up
Mar 03 16:29:35 client1.testrealm.test sssd[be[SARABHAI.TEST]][27872]: krb5_kt_start_seq_get failed: Unsupported key table format version number
Mar 03 16:29:35 client1.testrealm.test sssd[be[SARABHAI.TEST]][27872]: krb5_kt_start_seq_get failed: Unsupported key table format version number
Mar 03 16:29:35 client1.testrealm.test sssd[be[SARABHAI.TEST]][27872]: krb5_kt_start_seq_get failed: Unsupported key table format version number
Mar 03 16:29:35 client1.testrealm.test sssd[be[SARABHAI.TEST]][27872]: krb5_kt_start_seq_get failed: Unsupported key table format version number
Mar 03 16:29:35 client1.testrealm.test sssd[be[SARABHAI.TEST]][27872]: krb5_kt_start_seq_get failed: Unsupported key table format version number
Mar 03 16:29:35 client1.testrealm.test sssd[be[SARABHAI.TEST]][27872]: krb5_kt_start_seq_get failed: Unsupported key table format version number
Mar 03 16:29:35 client1.testrealm.test sssd[be[SARABHAI.TEST]][27872]: krb5_kt_start_seq_get failed: Unsupported key table format version number
Mar 03 16:29:35 client1.testrealm.test sssd[be[SARABHAI.TEST]][27872]: Failed to read keytab [FILE:/etc/krb5.keytab]: No suitable principal found in keytab
Mar 03 16:29:36 client1.testrealm.test sssd[be[SARABHAI.TEST]][27873]: Starting up

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1863