I repeated it with focal, and right after the join, id user@<REALM> worked, and I have no /etc/krb5.conf. There must be something else going on over there.
Can you please make these changes:
- sudo apt install sssd-dbus (if not already installed)
- /etc/sssd/sssd.conf:
[sssd]
services = nss, pam, ifp <--- add "ifp"
debug_level = 6 <--- add
[nss] <--- add
debug_level = 6 <--- add
[pam] <--- add
debug_level = 6 <--- add
[domain/...]
debug_level = 6 <--- add
Then restart sssd: sudo systemctl restart sssd
Now the /var/log/sssd/sssd_nss.log file shall have debug info.
With the "ifp" service, you can now use sssctl commands like these:
root@focal-sssd-desktop-team:~# sssctl domain-list
ad1.example.com
ad2.example.com
root@focal-sssd-desktop-team:~# sssctl domain-status ad1.example.com
Online status: Online
Active servers:
AD Global Catalog: not connected
AD Domain Controller: server1.ad1.example.com
Discovered AD Global Catalog servers:
None so far.
Discovered AD Domain Controller servers:
- server1.ad1.example.com
root@focal-sssd-desktop-team:~# sssctl user-checks <email address hidden>
user: <email address hidden>
action: acct
service: system-auth
SSSD nss user lookup result:
- user name: <email address hidden>
- user id: 1725801106
- group id: 1725800513
- gecos: John Smith
- home directory: /<email address hidden>
- shell: /bin/bash
SSSD InfoPipe user lookup result:
- name: <email address hidden>
- uidNumber: 1725801106
- gidNumber: 1725800513
- gecos: John Smith
- homeDirectory: not set
- loginShell: not set
testing pam_acct_mgmt
pam_acct_mgmt: Permission denied
PAM Environment:
- no env -
root@focal-sssd-desktop-team:~# sssctl user-show <email address hidden>
Name: <email address hidden>
Cache entry creation date: 08/28/20 18:37:19
Cache entry last update time: 08/28/20 18:47:32
Cache entry expiration time: 08/28/20 20:17:32
Initgroups expiration time: 08/28/20 20:17:32
Cached in InfoPipe: No
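
An added example, not part of the original comment: a small Python parser for the `sssctl user-checks` output shown above that reports which NSS fields the InfoPipe lookup returns differently and what each PAM call returned. The sample text is constructed from that output; jsmith@ad1.example.com and the /home/ path are assumed stand-ins for the hidden address.

```python
import re

# Constructed sample modelled on the user-checks output above (assumed stand-in names).
SAMPLE = """\
user: jsmith@ad1.example.com
action: acct
service: system-auth
SSSD nss user lookup result:
- user name: jsmith@ad1.example.com
- user id: 1725801106
- group id: 1725800513
- gecos: John Smith
- home directory: /home/jsmith@ad1.example.com
- shell: /bin/bash
SSSD InfoPipe user lookup result:
- name: jsmith@ad1.example.com
- uidNumber: 1725801106
- gidNumber: 1725800513
- gecos: John Smith
- homeDirectory: not set
- loginShell: not set
testing pam_acct_mgmt
pam_acct_mgmt: Permission denied
PAM Environment:
- no env -
"""

# NSS field label -> InfoPipe attribute label, as both appear in the output.
FIELD_MAP = {"user name": "name", "user id": "uidNumber", "group id": "gidNumber",
             "gecos": "gecos", "home directory": "homeDirectory", "shell": "loginShell"}
HEADERS = {"SSSD nss user lookup result:": "nss", "SSSD InfoPipe user lookup result:": "ifp"}

def parse_user_checks(text):
    """Split user-checks output into NSS fields, InfoPipe fields and PAM results."""
    out, section = {"nss": {}, "ifp": {}, "pam": {}}, None
    for line in map(str.strip, text.splitlines()):
        if line in HEADERS or line.startswith("testing pam_"):
            section = HEADERS.get(line)  # None once the PAM test part starts
        elif m := re.match(r"^(pam_\w+): (.*)$", line):
            out["pam"][m[1]] = m[2]
        elif section and (m := re.match(r"^- ([^:]+): (.*)$", line)):
            out[section][m[1]] = m[2]
    return out

def mismatches(parsed):
    """NSS fields whose InfoPipe counterpart differs, e.g. is reported as 'not set'."""
    ifp = parsed["ifp"]
    return {k: (v, ifp.get(FIELD_MAP[k])) for k, v in parsed["nss"].items()
            if k in FIELD_MAP and ifp.get(FIELD_MAP[k]) != v}
```

On the sample, `mismatches(parse_user_checks(SAMPLE))` flags the home directory and shell, and the `pam` entry records the `pam_acct_mgmt` denial.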