Active Directory users are not showing after joining domain

I have my Fedora workstation joined to my Active Directory properly, using my domain administrator account. All seems well, but I can't log in using my AD accounts. Using id gets me a failure on the username (not found).

The error on the sssd (systemctl status sssd) is: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.

Any ideas? Like I mentioned above, I’m able to join the domain using my domain admin account, but that error seems to prevent users from being authenticated or even found in the Active Directory.

I am assuming that you used Gnome’s Settings app to join using the domain administrator account?

Either way, I think by default you have to explicitly add each domain user that should be able to use the computer. So you need to press “unlock” and add domain users that should be able to log in one-by-one.

If you want, you can use realmd from command line to allow all users:

realm permit --realm domain.example.com --all

Hope this helps resolve your issue.

Thanks for the quick reply. I used realm join from the command line to join the domain originally. When I try to add a user account through the Settings app, I get a "user not found" message.

Can you check the output of the commands below? My system works fine, so the output should look something like this:

myuser@my.ad.lan@myhost ~> realm list
my.ad.lan
  type: kerberos
  realm-name: MY.AD.LAN
  domain-name: my.ad.lan
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U@my.ad.lan
  login-policy: allow-permitted-logins
  permitted-logins: administrator@my.ad.lan, myuser@my.ad.lan
  permitted-groups:

myuser@my.ad.lan@myhost ~> authselect current
Profile ID: sssd
Enabled features:
- with-mkhomedir
> getent passwd myuser@my.ad.lan
myuser@my.ad.lan:*:1400601103:1400600513:Full name:/home/myuser@my.ad.lan:/usr/bin/fish

> systemctl status sssd
● sssd.service - System Security Services Daemon
     Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; preset: enabled)
    Drop-In: /usr/lib/systemd/system/service.d
             └─10-timeout-abort.conf
     Active: active (running) since Sun 2024-04-07 01:06:43 BST; 10h ago
   Main PID: 1669 (sssd)
      Tasks: 5 (limit: 19063)
     Memory: 85.9M
        CPU: 1.772s
     CGroup: /system.slice/sssd.service
             ├─1669 /usr/sbin/sssd -i --logger=files
             ├─1742 /usr/libexec/sssd/sssd_be --domain ad.home.lan --uid 0 --gid 0 --logger=files
             ├─1749 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
             ├─1750 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files
             └─1751 /usr/libexec/sssd/sssd_pac --uid 0 --gid 0 --logger=files

Apr 07 01:07:13 myhost.my.ad.lan sssd[6293]: ; TSIG error with server: tsig verify failure
Apr 07 01:07:13 myhost.my.ad.lan sssd[6293]: ; TSIG error with server: tsig verify failure
Apr 07 01:07:13 myhost.my.ad.lan sssd[6318]: ; TSIG error with server: tsig verify failure
Apr 07 01:07:48 myhost.my.ad.lan adcli[7110]: GSSAPI client step 1
Apr 07 01:07:48 myhost.my.ad.lan adcli[7110]: GSSAPI client step 1
Apr 07 01:07:48 myhost.my.ad.lan adcli[7110]: GSSAPI client step 1
Apr 07 01:36:17 myhost.my.ad.lan krb5_child[11895]: Pre-authentication failed: Invalid argument
Apr 07 01:36:17 myhost.my.ad.lan krb5_child[11896]: Pre-authentication failed: Invalid argument
Apr 07 11:18:14 myhost.my.ad.lan krb5_child[18571]: Pre-authentication failed: Invalid argument
Apr 07 11:18:14 myhost.my.ad.lan krb5_child[18572]: Pre-authentication failed: Invalid argument

I also see the pre-authentication failure, though it does not seem to have any ill effects. I don’t see the “Unable to create GSSAPI-encrypted LDAP connection.” part though…

You should also check the computer account before you exit the domain; perhaps it was not created properly? Use adcli show-computer <computer-name> to see if it's there.

Other than that, I would suggest you leave the domain, use adcli to make sure the computer account was deleted (and delete it if needed), then restart, rejoin the domain using the Gnome control panel, and hopefully that works?

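An added diagnostic for the suggestion above, not from the thread and not part of realmd, adcli or SSSD. The "Failed to initialize credentials using keytab ... Preauthentication failed" message means the KDC rejected the key that sssd read from /etc/krb5.keytab for the host principal. One common reason (an assumption about this poster's case, not something the thread confirms) is a key version mismatch: the keytab still carries an older KVNO than the msDS-KeyVersionNumber AD holds for the computer account, for example after the account was deleted and re-created or its password was reset. The script below compares the two numbers. It is written to run offline on constructed sample outputs; on a real host the inputs would come from `klist -k /etc/krb5.keytab` (as root) and `adcli show-computer <computer-name>` (authenticated as an account allowed to read the computer object). The host name, realm and sample values are made up, and the parsers assume the usual `klist -k` table and adcli's "attribute:" followed by indented value lines.

```shell
#!/bin/sh
# Added example: compare the KVNO of the host principal in the local keytab
# with the msDS-KeyVersionNumber Active Directory holds for the computer
# account. Sample outputs below are constructed; host/realm are fictional.

# keytab_kvno PRINCIPAL
#   Reads `klist -k` output on stdin and prints the highest KVNO stored for
#   PRINCIPAL (a keytab can hold several enctypes and several key versions).
#   Exits 1 if the principal is absent.
keytab_kvno() {
    awk -v p="$1" '
        $2 == p && ($1 + 0) > max { max = $1 + 0; found = 1 }
        END { if (!found) exit 1; print max }'
}

# ad_kvno
#   Reads `adcli show-computer` output on stdin and prints the
#   msDS-KeyVersionNumber attribute. Handles both "attr: value" on one line
#   and adcli's "attr:" followed by an indented value line. Exits 1 if absent.
ad_kvno() {
    awk '
        /^msDS-KeyVersionNumber:/ {
            if (NF > 1) { print $2; found = 1; exit }
            want = 1; next
        }
        want && /^[ \t]/ { sub(/^[ \t]+/, ""); print; found = 1; exit }
        /^[^ \t]/ { want = 0 }
        END { if (!found) exit 1 }'
}

# check_kvno KLIST_TEXT ADCLI_TEXT PRINCIPAL
#   Returns 0 when both key versions agree, 1 on mismatch or missing data.
check_kvno() {
    kt=$(printf '%s\n' "$1" | keytab_kvno "$3") || {
        echo "principal $3 not found in keytab" >&2; return 1; }
    ad=$(printf '%s\n' "$2" | ad_kvno) || {
        echo "no msDS-KeyVersionNumber in adcli output" >&2; return 1; }
    if [ "$kt" = "$ad" ]; then
        echo "kvno match: keytab=$kt ad=$ad"
        return 0
    fi
    echo "kvno MISMATCH: keytab=$kt ad=$ad (stale keytab; realm leave / realm join refreshes it)" >&2
    return 1
}

# --- constructed sample inputs -------------------------------------------
HOST_PRINC='MYHOST$@MY.AD.LAN'

SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/myhost.my.ad.lan@MY.AD.LAN
   2 MYHOST$@MY.AD.LAN'

# Healthy: AD and keytab agree on version 2.
SAMPLE_ADCLI_OK='[myhost]
sAMAccountName:
 MYHOST$
msDS-KeyVersionNumber:
 2
dNSHostName:
 myhost.my.ad.lan'

# Stale: the computer account was re-created or reset; AD is now at version 5.
SAMPLE_ADCLI_STALE='[myhost]
sAMAccountName:
 MYHOST$
msDS-KeyVersionNumber:
 5
dNSHostName:
 myhost.my.ad.lan'

check_kvno "$SAMPLE_KLIST" "$SAMPLE_ADCLI_OK" "$HOST_PRINC" && echo "sample 1: healthy"
check_kvno "$SAMPLE_KLIST" "$SAMPLE_ADCLI_STALE" "$HOST_PRINC" || echo "sample 2: mismatch detected"
```

On a live machine, feed the real command output in place of the samples, e.g. `check_kvno "$(klist -k /etc/krb5.keytab)" "$(adcli show-computer myhost)" 'MYHOST$@MY.AD.LAN'`. A mismatch explains the preauthentication failure on its own; an absent principal points at a keytab that was never written, which also matches the poster's remedy of leaving and rejoining.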

Nailed it! I used realm leave to disconnect, rebooted the machine, and then logged in and added the domain admin account as a user. Successfully joined and added the user, and then was able to add my domain user.

Thanks for the help!!