How did you set up SSSD? Did you do realm discover and then realm join? If you didn't, that is the recommended method. I highly recommend simply doing that.
Have you tried authenticating as a user in the child domain? getent passwd [email protected]
From what I can tell in the badly-formatted information you supplied, you've got two domains in sssd.conf:
[sssd]
services = nss, pam
config_file_version = 2
domains = DOMAIN.SYS, CHILD.DOMAIN.SYS
[nss]
default_shell = /bin/bash
[domain/DOMAIN.SYS]
id_provider = ad
access_provider = ad
Do you have a section for [domain/CHILD.DOMAIN.SYS]? What happens if you do realm list? That should show you what's correctly configured in your sssd.conf.
I'm not sure if you need to have both domains listed in a parent-child domain situation, but perhaps try just configuring the child domain by itself first. Or at least put the child first in the domains list.
domains = CHILD.DOMAIN.SYS
...
[domain/CHILD.DOMAIN.SYS]
id_provider = ad
access_provider = ad
How are you trying to authenticate the parent domain user? Are you trying to SSH or are you trying a getent locally on the server? Are you using a fully-qualified name to authenticate the parent domain user? e.g. getent passwd [email protected]
This error indicates it's trying to use a keytab with the wrong computer name: Client '[email protected]'. It should be using [email protected] if it's joined to the child domain. Does the server keytab actually contain the correct server name for the child domain?
That's why I recommend simplifying the issue by ensuring you can log on with the child domain credential first. Although I really think you should start over with realm join if you didn't use this method.
Try following the troubleshooting steps here, especially the Basics, Backend and Common AD Provider sections: https://sssd.io/troubleshooting/basics.html
(by the way, I really hope your domain suffix isn't really .SYS)
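The check the answer above asks for ("do you have a [domain/CHILD.DOMAIN.SYS] section for every domain in the domains list?") can be scripted. The following is an added example, not code from the original post or from the SSSD project: it reads an sssd.conf, extracts the domains listed under [sssd], and reports any that lack a matching [domain/NAME] section. The config it reads is a constructed sample written to a temp file, modelled on the snippet in the answer; on a real host you would point it at /etc/sssd/sssd.conf.

```shell
#!/bin/sh
# Added example: verify that every domain named in the [sssd] "domains =" line
# of an sssd.conf has a corresponding [domain/NAME] section.
# The config below is a constructed sample, not a real host's file.

SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
[sssd]
services = nss, pam
config_file_version = 2
domains = DOMAIN.SYS, CHILD.DOMAIN.SYS

[nss]
default_shell = /bin/bash

[domain/DOMAIN.SYS]
id_provider = ad
access_provider = ad
EOF

# Print each domain listed under [sssd] that has no [domain/NAME] section,
# one per line. Returns 0 if every listed domain has a section, 1 otherwise.
missing_domain_sections() {
    conf="$1"
    # Take the "domains =" value from the [sssd] section only, split on commas,
    # and strip whitespace so each name stands alone.
    listed=$(awk -F= '
        /^\[/ { in_sssd = ($0 == "[sssd]") }
        in_sssd && $1 ~ /^[ \t]*domains[ \t]*$/ { print $2 }
    ' "$conf" | tr ',' '\n' | tr -d ' \t')
    rc=0
    for d in $listed; do
        # Exact match on the section header line, e.g. "[domain/CHILD.DOMAIN.SYS]".
        if ! awk -v sec="[domain/${d}]" '$0 == sec { found = 1 } END { exit !found }' "$conf"; then
            echo "$d"
            rc=1
        fi
    done
    return $rc
}

# Usage: lists the unconfigured domains (here: CHILD.DOMAIN.SYS) and hints at the fix.
missing_domain_sections "$SAMPLE_CONF" || echo "add a [domain/NAME] section for each domain listed above"
rm -f "$SAMPLE_CONF"
```

The sample deliberately reproduces the situation in the answer: two domains listed, one section present, so the script names CHILD.DOMAIN.SYS as the gap. Run against a correctly populated sssd.conf it prints nothing and exits 0, which makes it easy to drop into a configuration check after a realm join.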