Score:0

Ubuntu SSSD Auth Error with child/sub AD Domain


Need help authenticating a Linux (Ubuntu) server that is joined to a child domain. I can see the server name on the Domain Controller and am able to run an authentication test successfully; however, I am not able to log in with my domain account. It seems like a config setting somewhere for SSSD or the KRB5 config needs to specify the child domain. Also, it is not a domain trust issue, since Windows servers joined to the child domain accept credentials from parent-domain accounts.

```
kinit -V [email protected]
Authenticated to Kerberos v5
```

```
root@SERVER:/var/log/sssd# systemctl status sssd

Oct 22 17:55:09 SERVER [sssd[ldap_child[27928]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client '[email protected]' not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP connection.
```

ERROR in SSSD log file

```
(Fri Oct 22 17:32:51 2021) [sssd[be[DOMAIN.SYS]]] [confdb_get_domain_internal] (0x0010): Unknown domain [CHILD.DOMAIN.SYS]
(Fri Oct 22 17:32:51 2021) [sssd[be[DOMAIN.SYS]]] [confdb_get_domains] (0x0010): Error (2 [No such file or directory]) retrieving domain [CHILD.DOMAIN.SYS], skipping!
```

SSSD CONFIG

```
root@SERVER:cat /etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = DOMAIN.SYS, CHILD.DOMAIN.SYS

[nss]
default_shell = /bin/bash

[domain/DOMAIN.SYS]
id_provider = ad
access_provider = ad
override_homedir = /home/%d/%u

ad_hostname = server.child.domain.sys
#ad_server = dc.child.domain.sys
#ad_domain = DOMAIN.SYS
```

KRB5 CONFIG

```
root@SERVER: cat /etc/krb5.conf
[libdefaults]
        default_realm = DOMAIN.SYS
        ticket_lifetime = 24h
        renew_lifetime = 7d
        rdns = false

# The following krb5.conf variables are only for MIT Kerberos.
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
```
LeeM avatar
Please use formatting so the config information is less difficult to read.
Score:0

How did you set up SSSD? Did you do realm discover and then realm join? If you didn't, that is the recommended method. I highly recommend simply doing that.

Have you tried authenticating as a user in the child domain? `getent passwd [email protected]`

From what I can tell in the badly-formatted information you supplied, you've got two domains in sssd.conf:

```
[sssd]
services = nss, pam
config_file_version = 2

domains = DOMAIN.SYS, CHILD.DOMAIN.SYS

[nss]
default_shell = /bin/bash

[domain/DOMAIN.SYS]
id_provider = ad
access_provider = ad
```

Do you have a section for `[domain/CHILD.DOMAIN.SYS]`? What happens if you do `realm list`? That should show you what's correctly configured in your sssd.conf.

I'm not sure if you need to have both domains listed in a parent-child domain situation, but perhaps try just configuring the child domain by itself first. Or at least put the child first in the domains list.

```
domains = CHILD.DOMAIN.SYS
...
[domain/CHILD.DOMAIN.SYS]
id_provider = ad
access_provider = ad
```

How are you trying to authenticate the parent domain user? Are you trying to SSH, or are you trying a `getent` locally on the server? Are you using a fully-qualified name to authenticate the parent domain user? e.g. `getent passwd [email protected]`

This error indicates it's trying to use a keytab with the wrong computer name: `Client '[email protected]'`. It should be using `[email protected]` if it's joined to the child domain. Does the server keytab actually contain the correct server name for the child domain?

That's why I recommend simplifying the issue by ensuring you can log on with the child domain credential first. Although I really think you should start over with realm join if you didn't use this method.

Try following the troubleshooting steps here, especially the Basics, Backend and Common AD Provider sections: https://sssd.io/troubleshooting/basics.html

(by the way, I really hope your domain suffix isn't really .SYS)
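The answer above boils down to three consistency checks: every domain named in `domains =` needs its own `[domain/...]` section, the keytab principals must carry the child domain's realm, and krb5.conf must know about both realms. The following script is an added example (not the asker's or answerer's code, and not part of SSSD) that runs those checks offline against constructed samples modelled on the question; the `klist -k` principals and the krb5.conf `[domain_realm]` entries are assumptions, not values taken from the page.

```python
# Added example: lint sssd.conf, a `klist -k` listing and krb5.conf for the
# parent/child domain mismatch discussed in the question and answer.
import configparser
import re

# Constructed sample modelled on the sssd.conf in the question: CHILD.DOMAIN.SYS
# is listed in `domains` but has no [domain/CHILD.DOMAIN.SYS] section.
SSSD_CONF = """\
[sssd]
services = nss, pam
config_file_version = 2
domains = DOMAIN.SYS, CHILD.DOMAIN.SYS

[nss]
default_shell = /bin/bash

[domain/DOMAIN.SYS]
id_provider = ad
access_provider = ad
override_homedir = /home/%d/%u
ad_hostname = server.child.domain.sys
"""

# Constructed `klist -k` output (assumed principals, not from the question):
# the host's principals were issued by the parent realm, not the child realm.
KLIST_K = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 SERVER$@DOMAIN.SYS
   2 host/server.child.domain.sys@DOMAIN.SYS
"""

# Constructed krb5.conf with only the parent realm mapped, as the asker describes.
KRB5_CONF = """\
[libdefaults]
        default_realm = DOMAIN.SYS
        rdns = false

[domain_realm]
        .domain.sys = DOMAIN.SYS
        domain.sys = DOMAIN.SYS
"""


def sssd_domains_without_section(text):
    """Domains named in [sssd] domains= that have no matching [domain/NAME] section.

    This is the condition behind SSSD's "Unknown domain [...]" log message.
    """
    cfg = configparser.ConfigParser(interpolation=None)  # keep %d/%u literal
    cfg.read_string(text)
    raw = cfg.get("sssd", "domains", fallback="")
    listed = [d.strip() for d in raw.split(",") if d.strip()]
    return [d for d in listed if not cfg.has_section(f"domain/{d}")]


def keytab_principals(klist_text):
    """Extract principal names from `klist -k` output (lines of 'KVNO principal')."""
    pattern = re.compile(r"^[ \t]*\d+[ \t]+(\S+)[ \t]*$", re.M)
    return [m.group(1) for m in pattern.finditer(klist_text)]


def keytab_realm_mismatches(klist_text, host_fqdn):
    """Principals whose realm differs from the realm implied by the host's DNS domain."""
    expected_realm = host_fqdn.split(".", 1)[1].upper()
    return [p for p in keytab_principals(klist_text)
            if p.rsplit("@", 1)[-1] != expected_realm]


def unmapped_realms(krb5_text, realms):
    """Realms from `realms` that no [domain_realm] entry in krb5.conf maps to."""
    section, mapped = None, set()
    for line in krb5_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "domain_realm" and "=" in line:
            mapped.add(line.split("=", 1)[1].strip())
    return [r for r in realms if r not in mapped]


if __name__ == "__main__":
    host = "server.child.domain.sys"  # ad_hostname from the question
    print("domains without a section:", sssd_domains_without_section(SSSD_CONF))
    print("keytab principals not in the host's realm:",
          keytab_realm_mismatches(KLIST_K, host))
    print("realms missing from [domain_realm]:",
          unmapped_realms(KRB5_CONF, ["DOMAIN.SYS", "CHILD.DOMAIN.SYS"]))
```

Run against real files with `open("/etc/sssd/sssd.conf").read()` and the output of `klist -k` (as root) in place of the constructed samples. An empty result from all three functions means the configuration is at least internally consistent; a non-empty keytab result points at the join itself, which is why the answer suggests verifying the keytab before touching sssd.conf further.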

AAABL avatar
Thank you so much for your reply!
AAABL avatar
Yes, I was able to log in with a user account from the child domain, and I modified sssd.conf by removing DOMAIN.SYS and leaving CHILD.DOMAIN.SYS only, so there are no errors. I'm able to log in with [email protected] but not with [email protected] (Access denied). Originally we used 'net ads join k'; when I run realm discover I get: No default realm discovered. Do I need to unjoin the server from the domain and join it using realm join?
AAABL avatar
When I run `realm discover -v domain.sys`:

```
 * Resolving: _ldap._tcp.domain.sys
 * Successfully discovered: DOMAIN.SYS
  type: kerberos
  realm-name: DOMAIN.SYS
  domain-name: domain.sys
  configured: kerberos-member
  server-software: active-directory
  client-software: win-bind
  required-package: winbind
  required-package: libpam-winbind
  required-package: samba-common-bin
  login-formats: TEST\%U
  login-policy: allow-any-login
domain.sys
  type: kerberos
  realm-name: DOMAIN.SYS
  domain-name: domain.sys
  configured: no
```
LeeM avatar
At least you're joined to the domain, so I wouldn't try that again - but `realm join` is much better, for future reference. And the `realm discover` shows it should reach the parent domain. So now maybe try modifying `domains = CHILD.DOMAIN.SYS, DOMAIN.SYS` and add a new section for `[domain/DOMAIN.SYS]` with `id_provider` and `access_provider`. Then run `realm list` which should check the `sssd.conf` and resolve the domains. Use the `getent` commands to test that the users can be resolved on the DCs before attempting logons.
LeeM avatar
If the users can't be resolved in the parent domain with `getent`, you might need to check DNS resolution and define `ad_server` if the host can't reach all DCs. Go back to basics with all those troubleshooting steps on sssd.io. Or unjoin it and see if rejoining with `realm join` makes a difference. Also, if you have any other SSSD-joined *nix machines in the child domain, check their configs. But I think if you ensure both domains have config sections in `sssd.conf`, that might fix it.
LeeM avatar
oh, just saw you tried to leave and rejoin. Sorry, I don't know how to get out of that pickle, other than blow away (or back up) the keytab, revert all the conf files back to defaults, and get the AD admin to ensure the computer account in the domain is actually gone.
AAABL avatar
```
realm join -v [email protected] child.domain.sys
 ! Couldn't authenticate to active directory: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
adcli: couldn't connect to child.DOMAIN.SYS domain: Couldn't authenticate to active directory: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
 ! Insufficient permissions to join the domain
```
AAABL avatar
I think I need to have the child and parent domains configured in the krb5.conf file. Not sure what the proper format is; currently I have the parent domain only.