I have my Fedora workstation joined to my Active Directory properly, using my domain administrator account. All seems well, but I can’t log in using my AD accounts. Using id gets me a failure on the username (not found).
The error on the sssd (systemctl status sssd) is: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
Any ideas? Like I mentioned above, I’m able to join the domain using my domain admin account, but that error seems to prevent users from being authenticated or even found in the Active Directory.
I am assuming that you used Gnome’s Settings app to join using the domain administrator account?
Either way, I think by default you have to explicitly add each domain user that should be able to use the computer. So you need to press “unlock” and add domain users that should be able to log in one-by-one.
Thanks for the quick reply. I used realm join from the command line to join the domain originally. When I try to add a user account through the Settings app, I get a “user not found” message.
I also see the pre-authentication failure, though it does not seem to have any ill effects. I don’t see the “Unable to create GSSAPI-encrypted LDAP connection.” part though…
You should also check the computer account before you exit the domain, perhaps that was not created properly? Use adcli show-computer <computer-name> to see if it’s there.
Other than that, I would suggest you leave the domain, use adcli to make sure the computer account was deleted (and delete it if needed), then restart, rejoin the domain using the Gnome control panel, and hopefully that works?
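As an added example (not from this thread, and not SSSD or adcli project code): a small Python triage script that reads `klist -k` output and sssd journal lines and states what the keytab Preauthentication failure usually implies, namely that the KDC rejected the host's keytab key, which is what a stale, recreated or otherwise mismatched computer account produces and why the leave/verify/rejoin sequence above fixes it. The hostname, realm, keytab listing and journal lines are constructed sample values, not taken from the original post.

```python
import re

# Constructed sample input: what `klist -k` might print on the joined host.
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 FEDORA-WS$@EXAMPLE.COM
   3 host/fedora-ws.example.com@EXAMPLE.COM
"""

# Constructed sample input: journal lines of the kind the thread quotes.
SAMPLE_JOURNAL = [
    "Mar 01 10:00:01 fedora-ws sssd_be[1234]: Failed to initialize credentials "
    "using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. "
    "Unable to create GSSAPI-encrypted LDAP connection.",
    "Mar 01 10:00:01 fedora-ws sssd_be[1234]: Backend is offline",
]

# One keytab entry per line: key version number, then the principal.
KEYTAB_ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)$")


def parse_keytab_listing(text):
    """Return [(kvno, principal), ...] parsed from `klist -k` output."""
    entries = []
    for line in text.splitlines():
        match = KEYTAB_ENTRY.match(line)
        if match:
            entries.append((int(match.group(1)), match.group(2)))
    return entries


def triage(journal_lines, klist_text, hostname, realm):
    """Collect the facts a defender checks before deciding to rejoin."""
    entries = parse_keytab_listing(klist_text)
    principals = {principal for _, principal in entries}
    expected_host = f"host/{hostname}@{realm}"
    return {
        "preauth_failed": any("Preauthentication failed" in line for line in journal_lines),
        "gssapi_ldap_failed": any(
            "Unable to create GSSAPI-encrypted LDAP connection" in line
            for line in journal_lines
        ),
        "keytab_entries": len(entries),
        # The host principal is what sssd uses for its GSSAPI LDAP bind.
        "has_host_principal": expected_host in principals,
        # The SAM-style MACHINE$ principal is the AD computer account itself.
        "has_computer_account_principal": any(
            principal.endswith(f"$@{realm}") for principal in principals
        ),
    }


def diagnose(findings):
    """Turn the findings into a single, actionable classification."""
    if findings["keytab_entries"] == 0:
        return "no keytab entries: the host was never joined or the keytab was removed"
    if not findings["has_host_principal"]:
        return "keytab lacks the host/<fqdn>@REALM principal: rejoin to regenerate it"
    if findings["preauth_failed"]:
        # The keytab exists and names the right principals, yet the KDC rejects
        # the key: the AD computer account no longer matches this keytab.
        return ("KDC rejected the keytab key: computer account password/kvno mismatch; "
                "verify the account with adcli show-computer, then leave and rejoin")
    return "keytab and KDC agree: look elsewhere (sssd.conf, DNS, id mapping)"


if __name__ == "__main__":
    result = triage(SAMPLE_JOURNAL, SAMPLE_KLIST, "fedora-ws.example.com", "EXAMPLE.COM")
    print(result)
    print(diagnose(result))
```

On a real host the two inputs come from `klist -k` (as root) and `journalctl -u sssd`; the script only reads them, it never touches the domain, so it is safe to run before deciding whether the leave/rejoin step is warranted.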
Nailed it! I used realm leave to disconnect, rebooted the machine, and then added the domain admin account as a user. Successfully joined and added the user, and then was able to add my domain user.