Note:
This documentation has moved to a new home! Please update your bookmarks to the new URL for the up-to-date version of this page.
1 Like
I have had to add this to my /etc/sssd/sssd.conf file to get supplementary groups to return from Active Directory:
ldap_use_tokengroups = falseI guess it depends on the version of the AD server. The sssd-ldap manpage says:
ldap_use_tokengroups
This options enables or disables use of Token-Groups attribute when performing
initgroup for users from Active Directory Server 2008 and later.Default: True for AD and IPA otherwise False.
Hi,
I am trying to join my local ubuntu 22.04 system to the Microsoft AD server. I followed the official docs along, but I am failing after trying to join the realm.
I am stuck at:
root@pilot:/etc/sssd# sudo realm join -v -U admin example.muc
* Resolving: _ldap._tcp.example.muc
* Performing LDAP DSE lookup on: 10.51.49.10
* Performing LDAP DSE lookup on: 10.51.49.20
* Successfully discovered: example.muc
Password for admin:
* Unconditionally checking packages
* Resolving required packages
* LANG=C /usr/sbin/adcli join --verbose --domain example.muc --domain-realm EXAMPLE.MUC --domain-controller 10.51.49.10 --login-type user --login-user admin --stdin-password
* Using domain name: example.muc
* Calculated computer account name from fqdn: PILOT
* Using domain realm: example.muc
* Sending NetLogon ping to domain controller: 10.51.49.10
* Received NetLogon info from: dc.example.muc
* Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-xiWRcH/krb5.d/adcli-krb5-conf-IhNzhN
* Authenticated as user: admin@example.muc
* Using GSS-SPNEGO for SASL bind
* Looked up short domain name: EXAMPLE
* Looked up domain SID: S-1-5-21-1909716060-53967329-2664983961
* Using fully qualified name: pilot.example.muc
* Using domain name: example.muc
* Using computer account name: PILOT
* Using domain realm: example.muc
* Calculated computer account name from fqdn: PILOT
* Generated 120 character computer password
* Using keytab: FILE:/etc/krb5.keytab
* A computer account for PILOT$ does not exist
* Found well known computer container at: CN=Computers,DC=example,DC=muc
* Calculated computer account: CN=PILOT,CN=Computers,DC=example,DC=muc
* Encryption type [3] not permitted.
* Encryption type [1] not permitted.
* Created computer account: CN=PILOT,CN=Computers,DC=example,DC=muc
* Sending NetLogon ping to domain controller: 10.51.49.10
* Received NetLogon info from: dc.exampple.muc
! Couldn't set password for computer account: PILOT$: Cannot contact any KDC for requested realm
adcli: joining domain example.muc failed: Couldn't set password for computer account: PILOT$: Cannot contact any KDC for requested realm
! Failed to join the domain
realm: Couldn't join realm: Failed to join the domain
When I try kinit admin@example.muc, I get a valid ticket (klist).
I checked firewall, traffic is passing. nc 10.51.49.10 88 works.
I did some research, but I was not able to find the core issue.