AD membership is lost after 30 days

[galaxy4public]

It was reported that an instance lost its AD membership after 30 days.

sssd is supposed to renew the membership automatically (the default is set at 30 days), but it seems that something prevents this from happening.

Some context for the issue can be found at the following links:

• https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/sssd-auto-keytab-renewal
• https://serverfault.com/questions/852032/automatic-kerberos-host-keytab-renewal-with-sssd
• https://funinit.wordpress.com/2017/11/29/how-sssd-updates-machine-account-password/

The corresponding source code in sssd can be seen at https://github.com/SSSD/sssd/blob/master/src/providers/ad/ad_machine_pw_renewal.c and should work.

To investigate this fully we need debug logs from the affected instances (my suspicion is that something prevents sssd from successfully forking a child with adcli update.

In the meantime the fix should be running adcli update as a service on a timer every day.