Bug #31700

open

GSSAPI Proxy Daemon unable to handle renewed /etc/krb5.keytab

Added by Ondřej Ezr over 3 years ago. Updated over 3 years ago.

Status: New
Priority: Normal
Assignee: -
Category: Authentication
Target version: -
Difficulty:
Triaged: Yes
Fixed in Releases:
Found in Releases:

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1891932

Description of problem:

Direct Auth configuration with AD stops working after 30 days.

When the system renews /etc/krb5.keytab, or a new KVNO appears on the system, GSS-Proxy is unable to detect the change.
Due to this issue, AD user authentication does not work after 30 days.

Version-Release number of selected component (if applicable):
Customer Env:
$ less installed-rpms |egrep "satellite-6|gssproxy"
gssproxy-0.7.0-28.el7.x86_64 Wed Jun 3 17:42:58 2020
satellite-6.7.0-7.el7sat.noarch Wed Jun 3 17:38:40 2020

Test Env:
rpm -qa |egrep "satellite-6|gssproxy"
satellite-6.7.3-1.el7sat.noarch
gssproxy-0.7.0-29.el7.x86_64

How reproducible:
Always (positive results with above mentioned PKGs/version)

Steps to Reproduce:
1. Configure AD direct auth - https://access.redhat.com/documentation/en-us/red_hat_satellite/6.7/html/administering_red_hat_satellite/chap-red_hat_satellite-administering_red_hat_satellite-configuring_external_authentication#gss-proxy_admin

2. To get new KVNO:
a. #realm leave REALM-NAME
b. #realm join

3. Verify the KVNO numbers:

a. klist -kt /etc/httpd/conf/http.keytab
b. klist -kt /etc/krb5.keytab

Example:
#klist kt /etc/httpd/conf/http.keytab
Keytab name: FILE:/etc/httpd/conf/http.keytab
KVNO Timestamp Principal
---
------------------- ------------------------------------------------------
3 10/16/2020 01:47:13
3 10/16/2020 01:47:13
3 10/16/2020 01:47:13
3 10/16/2020 01:47:13
3 10/16/2020 01:47:13
3 10/16/2020 01:47:13
3 10/16/2020 01:47:13
3 10/16/2020 01:47:13
3 10/16/2020 01:47:13
3 10/16/2020 01:47:13

#klist kt /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---
------------------- ------------------------------------------------------
5 10/27/2020 22:19:39
5 10/27/2020 22:19:39
5 10/27/2020 22:19:39
5 10/27/2020 22:19:39
5 10/27/2020 22:19:39
5 10/27/2020 22:19:39
5 10/27/2020 22:19:39
5 10/27/2020 22:19:39
5 10/27/2020 22:19:39

4. #systemctl restart gssproxy.service

5. Try to login with AD user on Satellite UI. Results- Fails to login.

Actual results:
AD user authentication on the Satellite WebUI fails after 30 days.

Why after 30 days?
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/sssd-auto-keytab-renewal
~~~
SSSD automatically renews the Kerberos host keytab file in an AD environment if the adcli package is installed. The daemon checks daily if the machine account password is older than the configured value and renews it if necessary.
The default renewal interval is 30 days. To change the default:

Add the following parameter to the AD provider in your /etc/sssd/sssd.conf file:
ad_maximum_machine_account_password_age = value_in_days
~~~
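The KVNO comparison in step 3 above is the diagnostic for this bug: once SSSD has rotated the machine account password, /etc/krb5.keytab carries a higher KVNO than the HTTP keytab GSS-Proxy serves, and logins fail. The following check is an added example, not code from the bug report or from the gssproxy/Satellite projects: it parses `klist -kt` style output for both keytabs, reports a KVNO mismatch, and flags a service keytab whose newest key is older than the 30-day SSSD renewal interval quoted above. The listings are constructed samples modelled on the paste (the Principal column, hostnames and realm are placeholders), and the check assumes both keytabs hold keys for the same AD computer account, so their KVNOs are expected to agree.

```python
import re
from datetime import datetime

# Constructed sample `klist -kt` listings modelled on the bug report's paste.
# Principal column, hostname and realm are placeholders, not values from the page.
HTTP_KEYTAB_LISTING = """\
Keytab name: FILE:/etc/httpd/conf/http.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 10/16/2020 01:47:13 HTTP/satellite.example.test@EXAMPLE.TEST
   3 10/16/2020 01:47:13 HTTP/satellite.example.test@EXAMPLE.TEST
   3 10/16/2020 01:47:13 HTTP/satellite.example.test@EXAMPLE.TEST
"""

HOST_KEYTAB_LISTING = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   5 10/27/2020 22:19:39 host/satellite.example.test@EXAMPLE.TEST
   5 10/27/2020 22:19:39 SATELLITE$@EXAMPLE.TEST
"""

# One keytab entry line: KVNO, timestamp (klist's default mm/dd/yyyy form), principal.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+(\S+)\s*$")
TIMESTAMP_FMT = "%m/%d/%Y %H:%M:%S"
# SSSD default for ad_maximum_machine_account_password_age (from the quoted docs).
RENEWAL_DAYS = 30


def parse_timestamp(text):
    """Parse a klist timestamp such as '10/27/2020 22:19:39'."""
    return datetime.strptime(text, TIMESTAMP_FMT)


def parse_klist(listing):
    """Return (keytab name, list of entry dicts) from `klist -kt` output."""
    name = None
    entries = []
    for line in listing.splitlines():
        if line.startswith("Keytab name:"):
            name = line.split(":", 1)[1].strip()
            continue
        match = ENTRY_RE.match(line)
        if match:
            entries.append({
                "kvno": int(match.group(1)),
                "timestamp": parse_timestamp(match.group(2)),
                "principal": match.group(3),
            })
    return name, entries


def newest_kvno(entries):
    """Highest key version present in the keytab (None for an empty keytab)."""
    return max(e["kvno"] for e in entries) if entries else None


def check_keytabs(host_listing, service_listing, now):
    """Compare the host keytab against a service keytab at time `now`.

    Assumes both keytabs are keyed from the same AD computer account, so the
    highest KVNO in each should match after a password rotation.
    """
    host_name, host_entries = parse_klist(host_listing)
    svc_name, svc_entries = parse_klist(service_listing)
    host_kvno = newest_kvno(host_entries)
    svc_kvno = newest_kvno(svc_entries)
    svc_age_days = (now - max(e["timestamp"] for e in svc_entries)).days

    problems = []
    if host_kvno != svc_kvno:
        problems.append(
            f"KVNO mismatch: {host_name} is at KVNO {host_kvno}, "
            f"{svc_name} is at KVNO {svc_kvno}; the service keytab is stale"
        )
    if svc_age_days >= RENEWAL_DAYS:
        problems.append(
            f"{svc_name} newest key is {svc_age_days} days old, past the "
            f"{RENEWAL_DAYS}-day machine account password renewal interval"
        )
    return {
        "host_kvno": host_kvno,
        "service_kvno": svc_kvno,
        "service_key_age_days": svc_age_days,
        "problems": problems,
    }


if __name__ == "__main__":
    # Replace the constructed listings with subprocess output of `klist -kt <path>`
    # and `now` with datetime.now() to run this against a live host.
    report = check_keytabs(HOST_KEYTAB_LISTING, HTTP_KEYTAB_LISTING,
                           parse_timestamp("10/28/2020 00:00:00"))
    for problem in report["problems"]:
        print("WARNING:", problem)
    if not report["problems"]:
        print("keytabs consistent")
```

Run periodically (for instance from a timer shortly after SSSD's daily renewal check), the KVNO mismatch fires on the day the machine account password rotates, before users notice failed logins; the age check is a secondary signal that catches a service keytab that was never regenerated even when the host keytab listing is unavailable for comparison.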

Expected results:
gssproxy should take the necessary actions to handle the renewed /etc/krb5.keytab.

Additional info:

Logs:
Oct 27 22:19:40 achadha-rhsat sssd: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.
Oct 27 22:19:40 achadha-rhsat sssd: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.

#1

Updated by Ondřej Ezr over 3 years ago

  • Subject changed from GSSAPI Proxy Daemon unable to handle renewed /etc/krb5.keytab (Logs: sssd: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.) to GSSAPI Proxy Daemon unable to handle renewed /etc/krb5.keytab
  • Triaged changed from No to Yes