microsoft / omi

Open Management Infrastructure

missing /etc/opt/omi/creds/omi.keytab file after joined Linux box to domain

anranwuyan opened this issue

Hi experts, I have joined my Red Hat 7.9 box to my Windows AD, and I am able to log in to the Linux box with my Windows domain account. I also have omi installed on this Linux box. When I try to connect to this Linux box with the 'winrm enumerate' command under Kerberos authentication, I hit the error below.

PS C:\temp> winrm enumerate http://schemas.microsoft.com/wbem/wscim/1/cim-schema/2/SCX_Agent?__cimnamespace=root/scx -auth:kerberos -remote:https://rhel-e73.domain.leo.com:1270 -username:omaa@domain.leo.com -skipCACheck -skipCNCheck -skiprevocationcheck -encoding:utf-8
Enter the password for 'omaa@domain.leo.com' to connect to 'https://rhel-e73.domain.leo.com:1270':
WSManFault
Message = Access is denied.

Error number: -2147024891 0x80070005
Access is denied.

I noticed the error '2023/10/31 15:09:30 [80832,80832] ERROR: null(0): EventId=20146 Priority=ERROR HTTP: Client Authorization failed. gss:() mech:(Key table entry not found)' in the omiserver.log file when running the winrm command. Later I noticed that the file /etc/opt/omi/creds/omi.keytable does not exist on this Linux box. Can anyone guide me on how to get this file auto-created, please?

I got omid installed, and then joined this Linux box to AD. I am not sure whether we have to join the Linux box to AD first and then install OMID after that.

[root@rhel-e73 log]# cat /etc/*release
NAME="Red Hat Enterprise Linux Server"
VERSION="7.9 (Maipo)"
ID="rhel"
ID_LIKE="fedora"
VARIANT="Server"
VARIANT_ID="server"
VERSION_ID="7.9"
PRETTY_NAME="Red Hat"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:7.9:GA:server"
HOME_URL="https://www.redhat.com/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"

REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 7"
REDHAT_BUGZILLA_PRODUCT_VERSION=7.9
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="7.9"
Red Hat Enterprise Linux Server release 7.9 (Maipo)
Red Hat Enterprise Linux Server release 7.9 (Maipo)

[root@rhel-e73 log]# rpm -qa |grep -i sssd
sssd-1.16.5-10.el7_9.15.x86_64
python-sssdconfig-1.16.5-10.el7_9.15.noarch
sssd-krb5-common-1.16.5-10.el7_9.15.x86_64
sssd-ad-1.16.5-10.el7_9.15.x86_64
sssd-proxy-1.16.5-10.el7_9.15.x86_64
sssd-common-pac-1.16.5-10.el7_9.15.x86_64
sssd-client-1.16.5-10.el7_9.15.x86_64
sssd-ldap-1.16.5-10.el7_9.15.x86_64
sssd-common-1.16.5-10.el7_9.15.x86_64
sssd-ipa-1.16.5-10.el7_9.15.x86_64
sssd-krb5-1.16.5-10.el7_9.15.x86_64
[root@rhel-e73 log]#

Thanks!

@LeoYuAtMicrosoft have you set up the Kerberos environment on your Linux box?
Once you set up Kerberos, you will see /etc/krb5.keytab on your local box.
https://github.com/microsoft/omi/blob/master/Unix/doc/setup-kerberos-omi.md
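
A triage sketch for the situation in this thread, added here as an example and not taken from the OMI project or from either poster: it extracts the GSS mechanism error from omiserver.log authorization failures and reports the state of the two keytab paths mentioned above. The sample log text is constructed around the line quoted in the issue; the function names and the owner-only permission check are assumptions of this example.

```python
import os
import re
import stat
from collections import Counter

# Constructed sample: line 1 is the error quoted in the issue, the rest are made up.
SAMPLE_LOG = """\
2023/10/31 15:09:30 [80832,80832] ERROR: null(0): EventId=20146 Priority=ERROR HTTP: Client Authorization failed. gss:() mech:(Key table entry not found)
2023/10/31 15:09:31 [80832,80832] INFO: null(0): EventId=40000 Priority=INFO constructed unrelated line
2023/10/31 15:10:02 [80832,80832] ERROR: null(0): EventId=20146 Priority=ERROR HTTP: Client Authorization failed. gss:() mech:(Key table entry not found)
"""

# Matches only "Client Authorization failed" errors and captures the GSS fields.
AUTH_FAIL = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[\d+,\d+\] ERROR: .*?"
    r"EventId=(?P<event>\d+) .*?Client Authorization failed\. "
    r"gss:\((?P<gss>.*?)\) mech:\((?P<mech>.*?)\)\s*$")

# Paths named in this thread (the issue title and the reply).
KEYTABS = ("/etc/opt/omi/creds/omi.keytab", "/etc/krb5.keytab")

def auth_failures(text):
    """Return one dict per authorization-failure line in the log text."""
    return [m.groupdict() for m in map(AUTH_FAIL.match, text.splitlines()) if m]

def keytab_status(path):
    """Describe a keytab file without reading the key material inside it."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "missing"
    except PermissionError:
        return "unreadable"  # a parent directory is not searchable by this user
    if st.st_size == 0:
        return "empty"
    mode = stat.S_IMODE(st.st_mode)
    # Assumption of this example: a keytab holds long-term keys, so any
    # group/other permission bit is flagged.
    suffix = " too open" if mode & 0o077 else ""
    return f"present, mode {mode:04o}{suffix}"

def triage(log_text, keytabs=KEYTABS):
    """Summarise failures by mechanism message and report keytab state."""
    fails = auth_failures(log_text)
    return {"by_mech": Counter(f["mech"] for f in fails),
            "first": fails[0]["ts"] if fails else None,
            "keytabs": {p: keytab_status(p) for p in keytabs}}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
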