One-shot service not managed properly, see IN1883760 Teams chat

[threepistons]

In gitlab by @threepistons on Dec 8, 2021, 17:09

If a machine is an identical copy of another machine, e.g. a VM disk image is used as a template for several VMs, the one-shot service still has the template's principal name in it. The service file needs to be updated, either by template or programmatically by an OS command, to correct the old principal name.

Verbatim Teams chat follows.

[16:31] Helen Griffiths

root@csc2033-02:/etc# msktutil create --verbose --computer-name csc2033-02 --user-creds-only -N -n --server campusdc01.ncl.ac.uk

[args explained in order of appearance]

• asks for domain join
• we get logging of tasks as we go
• to stop it from trying (and failing because too long) to join with the FQDN
• use the kinit sid keytab you made before you ran msktutil
• don't try to reverse lookup the DC
• don't try to canonicalise the hostname of this machine
• otherwise the DC will never be found and the join will fail

[16:33] Helen Griffiths

Erm, 02 is still saying htat it is using csc2033-00 to join, wtf? [I expected the journalctl output to say csc2033-02 after the msktutil above.]

[16:35] Helen Griffiths

[journalctl output]

Dec 08 16:32:57 csc2033-02 [sssd[ldap_child[5815]: Error processing keytab file [MEMORY:/etc/krb5.keytab]: Principal [csc2033-00$@CAMPUS.NCL.AC.UK] was not found. Unable to create GSSAPI-encrypted LDAP connection.
Dec 08 16:32:57 csc2033-02 [sssd[ldap_child[5815]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Error writing to key table. Unable to create GSSAPI-encrypted LDAP connection.

[16:39] Helen Griffiths
we are not cloning machines in the future

[16:45] Helen Griffiths

root@csc2033-02:~# grep -rn --exclude-dir 'log' csc2033-00 / might shed some light

[16:46] Helen Griffiths

If I don't say --exclude-dir 'log' I get heaps of noise from /var/log and similar, which I don't care about because I'm interested in current state not past events.

[16:48] Helen Griffiths

OH HI

/lib/systemd/system/msktutil.service:7:ExecStart=/usr/sbin/msktutil -N --auto-update --auto-update-interval 15 --computer-name csc2033-00
/lib/systemd/system/msktutil.service:8:ExecReload=/usr/sbin/msktutil -N --auto-update --auto-update-interval 15 --computer-name csc2033-00

[16:51] Helen Griffiths

[the above service file i]s not fixed by puppet run.

root@csc2033-02:~# /opt/puppetlabs/bin/puppet agent -t

Info: Using environment 'linux_refresh'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for csc2033-02.ncl.ac.uk
Info: Applying configuration version '1638982141'
Notice: /Stage[main]/Profiles::Securityupdates/Exec[dpkg--configure-a]/returns: executed successfully (corrective)
Notice: /Stage[main]/Profiles::Securityupdates/Exec[apt--f-install]/returns: executed successfully (corrective)
Notice: /Stage[main]/Msktutil::Keytab/Exec[chmod]/returns: executed successfully (corrective)
Notice: /Stage[main]/Main/Groupmembership[sudo]/members: members changed ['ncrr', 'ncsteam', 'nhg45', 'nsd123'] to ['nhg45', 'ncrr', 'nsd123', 'ncsteam', 'b9037154', 'b9064174', 'c0007411', 'c0027177', 'c0051068', 'c0052966'] (corrective)
Notice: /Stage[main]/Types/Types::Exec[dr_apparmor]/Exec[dr_apparmor]/returns: executed successfully (corrective)Notice: Applied catalog in 15.69 seconds

root@csc2033-02:~# cat /lib/systemd/system/msktutil.service

[Unit]
Description=Maintains domain trust for kerberised linux machines
After=network.target auditd.service network-manager.service
[Service]
Type=oneshotExecStart=/usr/sbin/msktutil -N --auto-update --auto-update-interval 15 --computer-name csc2033-00
ExecReload=/usr/sbin/msktutil -N --auto-update --auto-update-interval 15 --computer-name csc2033-00
[Install]
WantedBy=multi-user.target

[threepistons]

In gitlab by @threepistons on Dec 8, 2021, 17:26

The right answer is to remove the service because it's not in the distro msktutil package and cron.daily entries do the same job without needing frequent reboots.