LinuxQuestions.org
Old 07-03-2022, 03:15 AM   #1
mhm
Member
 
Registered: Oct 2006
Distribution: RHEL, FC
Posts: 58

Rep: Reputation: 15
SSSD is offline


Dears,

I have configured KRB5 and SSSD to authenticate with AD on Windows Server 2012R2. Joining the RHEL8 machine (test) to the AD is done; however, domain users are not getting retrieved, I always receive ": no such user" with the id command, and the Global Catalog seems down (it's working from the Windows server side). Below is my configuration:


[root@test ~]# realm join --user vmadmin WIN-JGT3N0TES8J-CA.hadoop.com
Completed successfully and I can see "test" server in the AD computers.

[root@test ~]# realm list

hadoop.com
type: kerberos
realm-name: HADOOP.COM
domain-name: hadoop.com
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common-tools
login-formats: %U
login-policy: allow-realm-logins


[root@test ~]# sssctl domain-status hadoop.com
Online status: Offline

Active servers:
AD Global Catalog: not connected
AD Domain Controller: win-jgt3n0tes8j-ca.hadoop.com

Discovered AD Global Catalog servers:
- win-jgt3n0tes8j-ca.hadoop.com

Discovered AD Domain Controller servers:
- win-jgt3n0tes8j-ca.hadoop.com

[root@test ~]# systemctl status sssd

● sssd.service - System Security Services Daemon
Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: enabled)
Drop-In: /etc/systemd/system/sssd.service.d
└─network.conf
Active: active (running) since Sun 2022-07-03 08:12:46 UTC; 1s ago
Main PID: 1502 (sssd)
Tasks: 5 (limit: 4700)
Memory: 39.1M
CGroup: /system.slice/sssd.service
├─1502 /usr/sbin/sssd -i --logger=files
├─1504 /usr/libexec/sssd/sssd_be --domain implicit_files --uid 0 --gid 0 --logger=files
├─1505 /usr/libexec/sssd/sssd_be --domain hadoop.com --uid 0 --gid 0 --logger=files
├─1507 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
└─1508 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files

Jul 03 08:12:46 test.hadoop.com systemd[1]: sssd.service: Succeeded.
Jul 03 08:12:46 test.hadoop.com systemd[1]: Stopped System Security Services Daemon.
Jul 03 08:12:46 test.hadoop.com systemd[1]: Starting System Security Services Daemon...
Jul 03 08:12:46 test.hadoop.com sssd[1502]: Starting up
Jul 03 08:12:46 test.hadoop.com sssd_be[1504]: Starting up
Jul 03 08:12:46 test.hadoop.com sssd_be[1505]: Starting up
Jul 03 08:12:46 test.hadoop.com sssd_pam[1508]: Starting up
Jul 03 08:12:46 test.hadoop.com sssd_nss[1507]: Starting up
Jul 03 08:12:46 test.hadoop.com sssd_be[1505]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
Jul 03 08:12:46 test.hadoop.com systemd[1]: Started System Security Services Daemon.


[root@test ~]# klist -l
Principal name Cache name
-------------- ----------
mhm@HADOOP.COM KCM:0
khm@HADOOP.COM KCM:0:63744 (Expired)
user1@HADOOP.COM KCM:0:61402 (Expired)
yoyo@HADOOP.COM KCM:0:51946 (Expired)
vmadmin@HADOOP.COM KCM:0:13576 (Expired)

[root@test ~]# cat /etc/sssd/sssd.conf

[sssd]
domains = hadoop.com
config_file_version = 2
services = nss, pam

[domain/hadoop.com]
ad_server = win-jgt3n0tes8j-ca.hadoop.com
ad_domain = hadoop.com
krb5_realm = HADOOP.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = ad

[root@test ~]# cat /etc/krb5.conf
# To opt out of the system crypto-policies configuration of krb5, remove the
# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
includedir /etc/krb5.conf.d/

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
spake_preauth_groups = edwards25519
default_ccache_name = KEYRING:persistent:%{uid}
udp_preference_limit = 0
default_realm = HADOOP.COM

[realms]
HADOOP.COM = {
kdc = WIN-JGT3N0TES8J-CA.hadoop.com
admin_server = WIN-JGT3N0TES8J-CA.hadoop.com
}

[domain_realm]
.example.com = HADOOP.COM
example.com = HADOOP.COM

Thanks in advance
 
Old 07-05-2022, 12:25 AM   #2
mhm
Member
 
Registered: Oct 2006
Distribution: RHEL, FC
Posts: 58

Original Poster
Rep: Reputation: 15
Hi all,

It's working now; make sure that /etc/resolv.conf is configured properly, and then I had to fix the keytab errors by:


realm leave --user administrator <domain_name>
kinit administrator
realm join --user administrator <domain_name>

Regards
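The thread's symptoms (offline domain, "Server not found in Kerberos database", keytab errors) were resolved by fixing the resolver and rejoining. The script below is an added example, not from the thread, that turns those three checks into functions that read a file path, so they can be pointed at real files or at the constructed samples it writes itself; hostnames, addresses and the keytab listing in the samples are made up. Run against the posted krb5.conf shape, the first check also surfaces that its [domain_realm] section maps example.com rather than hadoop.com.

```shell
#!/bin/sh
# Added example, not from the thread: offline checks for the three things the
# thread's symptoms point at (DNS resolver, Kerberos realm mapping, host keytab).
# Every function reads a file path so it can run against real files or the
# constructed samples below. Hostnames and IPs in the samples are made up.

# 0 if [domain_realm] in krb5.conf maps the host's DNS domain, else 1.
domain_realm_maps_host() {
  conf="$1"; host="$2"
  dom="${host#*.}"
  esc=$(printf '%s' "$dom" | sed 's/\./\\./g')
  awk '/^\[/{s=($0=="[domain_realm]")} s && !/^\[/ && !/^#/' "$conf" |
    grep -Eq "^[[:space:]]*\.?${esc}[[:space:]]*="
}

# 0 if resolv.conf names the given DNS server (for AD, a DC), else 1.
resolv_has_nameserver() {
  esc=$(printf '%s' "$2" | sed 's/\./\\./g')
  grep -Eq "^nameserver[[:space:]]+${esc}([[:space:]]|$)" "$1"
}

# 0 if saved 'klist -kt' output has host/<fqdn>@REALM for this machine, else 1.
# GSSAPI reports "Server not found in Kerberos database" when the KDC has no
# principal for the service name the client asked for; a resolver or realm
# mapping problem can make the client ask for the wrong name.
keytab_has_host_principal() {
  esc=$(printf '%s' "$2" | sed 's/\./\\./g')
  grep -Eqi "host/${esc}@" "$1"
}

# Write constructed sample files (krb5.conf modelled on the posted one, which
# maps example.com rather than hadoop.com) into a temp dir and print its path.
make_samples() {
  d=$(mktemp -d)
  printf '[domain_realm]\n.example.com = HADOOP.COM\nexample.com = HADOOP.COM\n' > "$d/krb5.conf"
  printf 'search hadoop.com\nnameserver 192.0.2.10\n' > "$d/resolv.conf"
  printf 'KVNO Timestamp Principal\n2 01/01/2022 host/TEST@HADOOP.COM\n' > "$d/keytab.txt"
  echo "$d"
}

# Run all three checks against a sample dir and print the failure count.
count_failures() {
  d="$1"; host="$2"; dc_ip="$3"; n=0
  domain_realm_maps_host "$d/krb5.conf" "$host" || n=$((n+1))
  resolv_has_nameserver "$d/resolv.conf" "$dc_ip" || n=$((n+1))
  keytab_has_host_principal "$d/keytab.txt" "$host" || n=$((n+1))
  echo "$n"
}
```

Against the constructed samples, `count_failures "$(make_samples)" test.hadoop.com 192.0.2.10` prints 2: the resolver check passes, while the realm mapping and the host principal (only the short host/TEST form is present) do not.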