tune_sssd.sh: fix GSSAPI delegation by using full FQDN for SPN

- Use dnshostname=$(hostname -f) to register correct dNSHostName (e.g. host.office.etersoft.ru instead of host.etersoft.ru) - Replace deprecated -k with --use-kerberos=required - Add idempotency: check testjoin status before joining - If already joined, verify keytab has correct FQDN - If machine account is broken, leave and rejoin Note: requires msDS-AllowedDNSSuffixes on DC to include the DNS subdomain Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

tune_sssd.sh: fix GSSAPI delegation by using full FQDN for SPN
691c51d9 · Vitaly Lipatov · 6e61ea66 · 691c51d9
Commit 691c51d9 authored Jan 16, 2026 by Vitaly Lipatov
Hide whitespace changes
Inline Side-by-side

Showing with 24 additions and 4 deletions

tune_sssd.sh dc-client/tune_sssd.sh +24 -4

No files found.
--- a/dc-client/tune_sssd.sh
+++ b/dc-client/tune_sssd.sh
@@ -186,10 +186,30 @@ fi

 # Вход в домен
 kinit $ADMIN || fatal "Can't get kerberos ticket for '$ADMIN'"
-echo "Have got a kerberos ticker!"
-[ -f /etc/krb5.keytab ] && echo "Removing old keytab /etc/krb5.keytab ..." && rm -fv /etc/krb5.keytab
-echo "Join to domain... "
-net ads join -k --no-dns-updates || fatal "Failed to join to the domain '$REALM'"
+echo "Have got a kerberos ticket!"
+
+# Check current domain join status
+if net ads testjoin 2>/dev/null; then
+    echo "Machine is already joined to domain, checking keytab..."
+    # Verify keytab has correct FQDN
+    if klist -k /etc/krb5.keytab 2>/dev/null | grep -qi "host/$(hostname -f)@"; then
+        echo "Keytab is up to date with correct FQDN"
+    else
+        echo "Keytab missing correct FQDN, refreshing..."
+        net ads keytab create || echo "Warning: failed to refresh keytab"
+    fi
+else
+    echo "Machine account is broken or not joined, (re)joining..."
+    # Leave domain first if there's a stale join
+    net ads leave --use-kerberos=required 2>/dev/null || true
+    [ -f /etc/krb5.keytab ] && echo "Removing old keytab /etc/krb5.keytab ..." && rm -fv /etc/krb5.keytab
+
+    echo "Join to domain... "
+    # Use dnshostname= to register full FQDN (e.g. host.office.etersoft.ru instead of host.etersoft.ru)
+    # This requires msDS-AllowedDNSSuffixes to include the DNS subdomain on the DC
+    net ads join dnshostname=$(hostname -f) --use-kerberos=required --no-dns-updates || fatal "Failed to join to the domain '$REALM'"
+fi
+
 kdestroy

 case $(epm print info -d) in