Access Denied to AD Users from Kubuntu clients joined to domain

After access over sssd had been working quite well for months, today 3 of my 4 Kubuntu client machines stopped giving access, and I have no clue why. Rejoining them to AD doesn’t help this time.
/var/log/auth.log just says:

Jul 4 19:31:08 rechner1 sddm-helper: pam_unix(sddm:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jul 4 19:31:11 rechner1 sddm-helper: pam_sss(sddm:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost=
Jul 4 19:31:11 rechner1 sddm-helper: pam_kwallet5(sddm:auth): (null): pam_sm_authenticate
Jul 4 19:31:11 rechner1 sddm-helper: pam_sss(sddm:account): Access denied for user 4 (System error)

Any hints or ideas please? Thanks.

Do these commands work on the server?

id ""
getent passwd ""
kinit -V ""

On the client, a join test is correct?

sudo net ads testjoin
Some troubleshooting documentation


Hello, and thanks for your answer. Meanwhile another person had popped up with the same problem, and it seems to be related to Ubuntu updates causing the problem:

I’ve followed that solution and it works so far, but don’t know if this has any drawbacks…

1 Like

That workaround is telling sssd to always allow access.
sssd troubleshooting states this:

I’m receiving Access denied for user $user: 6 (Permission denied)

  • Authentication went fine, but the user was denied access to the client machine. You can temporarily disable access control with setting access_provider=permit temporarily. Don’t forget to reset the access provider to a stricter setting after finding out the root cause!

So we should set that back to “ad” after this gets fixed in ubuntu.
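An added example, not part of any post in this thread: a small audit that reads an sssd.conf and reports which domains are still running without access control, so the temporary `access_provider=permit` workaround is not forgotten. The domain names and the sample config are constructed; the script assumes a single config file (no conf.d snippets) and relies on sssd's documented default of `permit` when the option is absent.

```python
import configparser
import sys

# Constructed sample, not taken from the thread: one domain left on the
# temporary workaround, one restored to AD access control, and one with
# no access_provider line at all.
SAMPLE_SSSD_CONF = """
[sssd]
domains = corp.example, lab.example, old.example
services = nss, pam

[domain/corp.example]
id_provider = ad
access_provider = permit

[domain/lab.example]
id_provider = ad
access_provider = ad

[domain/old.example]
id_provider = ad
"""

def audit_access_providers(conf_text):
    """Return {domain: (access_provider, enforcing)} for each [domain/...] section."""
    # interpolation=None: sssd values such as LDAP filters may contain '%'.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    results = {}
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        domain = section.split("/", 1)[1]
        # sssd falls back to "permit" when access_provider is not set.
        provider = parser.get(section, "access_provider", fallback="permit").strip().lower()
        results[domain] = (provider, provider != "permit")
    return results

def domains_without_access_control(conf_text):
    """Sorted list of domains where any authenticated user is let in."""
    audit = audit_access_providers(conf_text)
    return sorted(d for d, (_, enforcing) in audit.items() if not enforcing)

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SSSD_CONF
    for domain, (provider, enforcing) in audit_access_providers(text).items():
        state = "enforced" if enforcing else "NOT enforced"
        print(f"{domain}: access_provider={provider} -> access control {state}")
```

Run it with the path to the real config (reading /etc/sssd/sssd.conf needs root) or with no argument to see the constructed sample.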

What does always allow access mean? I still need correct credentials to log into ubuntu.

What are you using in kubuntu to access your AD?


I just followed these steps, part two (without the ZFS-part):

1 Like

First time I ever see this, I am used to PBIS-Open! 🙂

wget -O - sudo apt-key add -

sudo wget -O /etc/apt/sources.list.d/pbiso.list

sudo apt-get update

sudo apt-get install pbis-open

  • Restart.

Check if your domain is reachable
nslookup yourdomain.local

something like this…

sudo domainjoin-cli join --disable ssh yourdomain domainadmin@yourdomain

  • At first your sudo pass
  • Then your domain admin pass
  • Restart

1 Like


Hi Walter

Looks interesting, but hard to find PBIS on their page / site (

It also looks like PBIS-Open is missing the most interesting part: GP (Group Policy) integration, which is only available in the (paid for) enterprise edition.

I’m always careful with such “open source” offers which have “Enterprise” options - simply with Open-Source, it would not be possible to make an enterprise version without resorting to a BLOB or something similar… And a lot of such offers are often only eye catchers, and are dropped after a year or two.

If I can get AD to work using pure open source / samba, I do prefer that, even if it’s a mite more work.

My 2 cents

1 Like

Agreed! I will try that other way and see what changes lol! 🙂

I never used GP in a Linux environment… A.D. for me, it’s only for user logon with Linux stations. I did not even know that some GP was possible with Linux.

More control like Rsat on Linux is phpldapadmin