Error Joining MS AD

Support
#1

NethServer Version: 7.9.2009
Module: Users and groups
Hello all
I am trying to join AD (MS server 2019) using cockpit I have these error in the gui:

Remote AD not joined.
The following command has failed:
system-accounts-provider/update

when I look in the /var/log/message I get theses

Jan 28 11:06:23 nethserver210 realmd: Enter @*.local’s password:
Jan 28 11:06:23 nethserver210 realmd: Failed to join domain: failed to lookup DC info for domain ‘********.local’ over rpc: The attempted logon is invalid. This is either due to a bad username or authentication information.
Jan 28 11:06:23 nethserver210 realmd: ! Joining the domain ********.local failed

of cours the user and passe are good

when I try to validate the user/pass in the gui it appear ok but I get these message in /var/log/message:

Jan 28 10:59:51 nethserver210 cockpit-bridge: No entry for terminal type “unknown”;
Jan 28 10:59:51 nethserver210 cockpit-bridge: using dumb terminal settings.
Jan 28 10:59:52 nethserver210 cockpit-bridge: Traceback (most recent call last):
Jan 28 10:59:52 nethserver210 cockpit-bridge: File “”, line 3, in
Jan 28 10:59:52 nethserver210 cockpit-bridge: KeyError: ‘SECRETS/MACHINE_PASSWORD/WORKGROUP’

if I pass the failing command in cli I get and error
“type”: “EventFailed”,
“id”: 1643129849,
“message”: " * Resolving: _ldap._tcp.michaudville.local\n"

I can ping/resolve everything
joining the domain work with the old interface but I can’t get the user to login after for vpn QRcode (look like user right)

I can join Domain in cli and query user it work
its a VM and promiscuous mode is enable
I have try with other version(7.6) and clean install with always the same result
I don’t know if anyone have any idea I start to run out of ressource

thanks a lot !!
have a great day!

#2

Is there a correct time on the systems?

Let’s check the account provider on cli:

account-provider-test dump

Are there errors in the log files?
Does it work without 2FA?

#3

yes the time is accurate

[root@Neth248 ~]# account-provider-test dump
{
“BindDN” : “msband@domain.local”,
“LdapURI” : “ldap://dc.domain.local”,
“DiscoverDcType” : “dns”,
“StartTls” : “1”,
“port” : 389,
“host” : “dc.domain.local”,
“isAD” : “1”,
“isLdap” : “”,
“UserDN” : “DC=domain,DC=local”,
“GroupDN” : “DC=domain,DC=local”,
“BindPassword” : “**********”,
“BaseDN” : “DC=domain,DC=local”,
“LdapUriDn” : “ldap:///dc%3Ddomain%2Cdc%3Dlocal”

it work when we don’t use 2FA since I don’t need to connect to the web page with the user

here the message in /var/log/messages when I try to log with the user account

Jan 31 11:47:01 Neth248 systemd: Starting Cockpit Web Service for Users…
Jan 31 11:47:01 Neth248 remotectl: /usr/bin/chcon: can’t apply partial context to unlabeled file ‘/etc/cockpit-user/cockpit/ws-certs.d/0-self-signed.cert’
Jan 31 11:47:01 Neth248 systemd: Started Cockpit Web Service for Users.
Jan 31 11:47:01 Neth248 remotectl: remotectl: couldn’t change SELinux type context ‘etc_t’ for certificate: /etc/cockpit-user/cockpit/ws-certs.d/0-self-signed.cert: Child process exited with code 1
Jan 31 11:47:01 Neth248 cockpit-ws: Using certificate: /etc/cockpit-user/cockpit/ws-certs.d/0-self-signed.cert
Jan 31 11:47:01 Neth248 cockpit-session: pam_ssh_add: Failed adding some keys
Jan 31 11:47:01 Neth248 systemd: Created slice User Slice of me@domain.local.
Jan 31 11:47:01 Neth248 systemd: Started Session 4 of user me@domain.local.
Jan 31 11:47:01 Neth248 systemd-logind: New session 4 of user me@domain.local.
Jan 31 11:47:01 Neth248 oddjobd: Error org.freedesktop.DBus.Error.SELinuxSecurityContextUnknown: Could not determine security context for ‘:1.273’.
Jan 31 11:47:01 Neth248 cockpit-ws: cockpit-session: pam: Creating home directory for me@domain.local.
Jan 31 11:47:02 Neth248 cockpit-ws: logged in user session
Jan 31 11:47:02 Neth248 cockpit-ws: New connection to session from 127.0.0.1
Jan 31 11:47:03 Neth248 cockpit-bridge: We trust you have received the usual lecture from the local System
Jan 31 11:47:03 Neth248 cockpit-bridge: Administrator. It usually boils down to these three things:
Jan 31 11:47:03 Neth248 cockpit-bridge: #1) Respect the privacy of others.
Jan 31 11:47:03 Neth248 cockpit-bridge: #2) Think before you type.
Jan 31 11:47:03 Neth248 cockpit-bridge: #3) With great power comes great responsibility.
Jan 31 11:47:03 Neth248 cockpit-bridge: sudo: no tty present and no askpass program specified

thanks a bunch for the super fast answer

#4

Did you try to login just with username, without domainname?

Are shell policy override and user settings page enabled?

#5

just username give same error in logs

yes both are at on

#6

Did you create a dedicated account in AD as explained here?

Maybe there is more information in /var/log/secure ?

#7

yes the dedicated account are in place

we got interseting thing in the secure logs
Jan 31 15:34:43 Neth248 cockpit-session: pam_sss(cockpit:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost=127.0.0.1 user=user
Jan 31 15:34:43 Neth248 cockpit-session: pam_listfile(cockpit:auth): Refused user user for service cockpit
Jan 31 15:34:43 Neth248 cockpit-session: pam_unix(cockpit:session): session opened for user user by (uid=0)
Jan 31 15:34:43 Neth248 polkitd[791]: Registered Authentication Agent for unix-session:13 (system bus name :1.332 [cockpit-bridge], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Jan 31 15:34:45 Neth248 sudo: user@domain.local : user NOT in sudoers ; TTY=unknown ; PWD=/run/user/1796001315 ; USER=root ; COMMAND=/usr/libexec/nethserver/api/system-settings/read
Jan 31 15:34:46 Neth248 sudo: user@domain.local : command not allowed ; TTY=unknown ; PWD=/run/user/1796001315 ; USER=root ; COMMAND=list
Jan 31 15:34:46 Neth248 sudo: user@domain.local : command not allowed ; TTY=unknown ; PWD=/run/user/1796001315 ; USER=root ; COMMAND=list
Jan 31 15:34:47 Neth248 sudo: user@domain.local : user NOT in sudoers ; TTY=unknown ; PWD=/run/user/1796001315 ; USER=root ; COMMAND=/usr/libexec/nethserver/api/system-password-policy/read
Jan 31 15:34:49 Neth248 sudo: user@domain.local : user NOT in sudoers ; TTY=unknown ; PWD=/run/user/1796001315 ; USER=root ; COMMAND=/usr/libexec/nethserver/api/system-settings/hints
Jan 31 15:34:52 Neth248 sudo: user@domain.local : user NOT in sudoers ; TTY=unknown ; PWD=/run/user/1796001315 ; USER=root ; COMMAND=/usr/libexec/nethserver/api/system-task/read
Jan 31 15:34:54 Neth248 sudo: user@domain.local : user NOT in sudoers ; TTY=unknown ; PWD=/run/user/1796001315 ; USER=root ; COMMAND=/usr/libexec/nethserver/api/system-settings/read

#8

I tested with Win 2019 as remote AD and the login to the user settings page for setting up 2FA works here. The user settings page is available at https://server.domain.local/user-settings

I created an account “manager” in the Windows AD.

grafik

Here are my account provider settings:

grafik

3 Likes
#9

maybe its because I didn’t join the domain with cockpit but with the old interface

Why cockpit refused the acces to the service?
is there a way to put those user in sudoer so they can read?

#10

when I try to join domain with cockpit and I copy/paste the command it failed there

“steps”: 3,
“pid”: 4751,
“args”: “”,
“event”: “nethserver-sssd-leave”
}
{
“step”: 1,
“pid”: 4751,
“action”: “S01nethserver-sssd-leave”,
“event”: “nethserver-sssd-leave”,
“state”: “running”
}
{
“progress”: “0.33”,
“time”: “0.045413”,
“exit”: 0,
“event”: “nethserver-sssd-leave”,
“state”: “done”,
“step”: 1,
“pid”: 4751,
“action”: “S01nethserver-sssd-leave”
}
{
“step”: 2,
“pid”: 4751,
“action”: “S02nethserver-sssd-cleanup”,
“event”: “nethserver-sssd-leave”,
“state”: “running”
}
{
“progress”: “0.67”,
“time”: “0.009512”,
“exit”: 0,
“event”: “nethserver-sssd-leave”,
“state”: “done”,
“step”: 2,
“pid”: 4751,
“action”: “S02nethserver-sssd-cleanup”
}
{
“step”: 3,
“pid”: 4751,
“action”: “S05generic_template_expand”,
“event”: “nethserver-sssd-leave”,
“state”: “running”
}
{
“progress”: “1.00”,
“time”: “0.082647”,
“exit”: 0,
“event”: “nethserver-sssd-leave”,
“state”: “done”,
“step”: 3,
“pid”: 4751,
“action”: “S05generic_template_expand”
}
{
“pid”: 4751,
“status”: “success”,
“event”: “nethserver-sssd-leave”
}
{
“type”: “EventFailed”,
“id”: 1643678805,
“message”: " * Resolving: _ldap._tcp.domain.local\n"

#11

Did you already try to leave and rejoin AD as explained here?

#12

with cockpit I can’t leave or join I just get error
with the old interface it work leave and join but I get the user problem

#13

I didn’t enable StartTLS, maybe that’s the issue?

The join to AD seems ok even if there’s an error message in cockpit. Let’s check if sssd is working by executing following command:

getent passwd administrator

Here is the messages log part of a working join to a Win Server 2019 DC. You may compare it with your log. 
Feb  1 23:20:11 testserver2 esmith::event[30370]: Event: nethserver-sssd-leave
Feb  1 23:20:11 testserver2 systemd: Stopping Realm and Domain Configuration...
Feb  1 23:20:11 testserver2 systemd: Stopped Realm and Domain Configuration.
Feb  1 23:20:11 testserver2 esmith::event[30370]: Action: /etc/e-smith/events/nethserver-sssd-leave/S01nethserver-sssd-leave SUCCESS [0.257295]
Feb  1 23:20:11 testserver2 esmith::event[30370]: [NOTICE] wipe out sssd databases and configuration
Feb  1 23:20:12 testserver2 esmith::event[30370]: Action: /etc/e-smith/events/nethserver-sssd-leave/S02nethserver-sssd-cleanup SUCCESS [0.065549]
Feb  1 23:20:12 testserver2 esmith::event[30370]: expanding /etc/krb5.conf
Feb  1 23:20:12 testserver2 esmith::event[30370]: expanding /etc/samba/smb.conf
Feb  1 23:20:12 testserver2 esmith::event[30370]: Action: /etc/e-smith/events/actions/generic_template_expand SUCCESS [0.832051]
Feb  1 23:20:12 testserver2 esmith::event[30370]: Event: nethserver-sssd-leave SUCCESS
Feb  1 23:20:14 testserver2 /usr/libexec/nethserver/api/system-accounts-provider/update[30369]: /var/lib/nethserver/db/configuration: OLD sssd=service|AdDns||DiscoverDcType|dns|LdapURI||Provider|none|Realm||ShellOverrideStatus|enabled|Workgroup||status|disabled
Feb  1 23:20:14 testserver2 /usr/libexec/nethserver/api/system-accounts-provider/update[30369]: /var/lib/nethserver/db/configuration: NEW sssd=service|AdDns||DiscoverDcType|dns|LdapURI||Provider|none|Realm|DOMAIN.LOCAL|ShellOverrideStatus|enabled|Workgroup||status|disabled
Feb  1 23:20:14 testserver2 /usr/libexec/nethserver/api/system-accounts-provider/update[30369]: /var/lib/nethserver/db/configuration: OLD sssd=service|AdDns||DiscoverDcType|dns|LdapURI||Provider|none|Realm|DOMAIN.LOCAL|ShellOverrideStatus|enabled|Workgroup||status|disabled
Feb  1 23:20:14 testserver2 /usr/libexec/nethserver/api/system-accounts-provider/update[30369]: /var/lib/nethserver/db/configuration: NEW sssd=service|AdDns||DiscoverDcType|dns|LdapURI||Provider|ad|Realm|DOMAIN.LOCAL|ShellOverrideStatus|enabled|Workgroup||status|disabled
Feb  1 23:20:14 testserver2 /usr/libexec/nethserver/api/system-accounts-provider/update[30369]: /var/lib/nethserver/db/configuration: OLD sssd=service|AdDns||DiscoverDcType|dns|LdapURI||Provider|ad|Realm|DOMAIN.LOCAL|ShellOverrideStatus|enabled|Workgroup||status|disabled
Feb  1 23:20:14 testserver2 /usr/libexec/nethserver/api/system-accounts-provider/update[30369]: /var/lib/nethserver/db/configuration: NEW sssd=service|AdDns||BindDN||DiscoverDcType|dns|LdapURI||Provider|ad|Realm|DOMAIN.LOCAL|ShellOverrideStatus|enabled|Workgroup||status|disabled
Feb  1 23:20:14 testserver2 /usr/libexec/nethserver/api/system-accounts-provider/update[30369]: /var/lib/nethserver/db/configuration: OLD sssd=service|AdDns||BindDN||DiscoverDcType|dns|LdapURI||Provider|ad|Realm|DOMAIN.LOCAL|ShellOverrideStatus|enabled|Workgroup||status|disabled
Feb  1 23:20:14 testserver2 /usr/libexec/nethserver/api/system-accounts-provider/update[30369]: /var/lib/nethserver/db/configuration: NEW sssd=service|AdDns||BindDN||BindPassword||DiscoverDcType|dns|LdapURI||Provider|ad|Realm|DOMAIN.LOCAL|ShellOverrideStatus|enabled|Workgroup||status|disabled
Feb  1 23:20:14 testserver2 /usr/libexec/nethserver/api/system-accounts-provider/update[30369]: /var/lib/nethserver/db/configuration: OLD sssd=service|AdDns||BindDN||BindPassword||DiscoverDcType|dns|LdapURI||Provider|ad|Realm|DOMAIN.LOCAL|ShellOverrideStatus|enabled|Workgroup||status|disabled
Feb  1 23:20:14 testserver2 /usr/libexec/nethserver/api/system-accounts-provider/update[30369]: /var/lib/nethserver/db/configuration: NEW sssd=service|AdDns||BindDN||BindPassword||DiscoverDcType|dns|LdapURI|ldap://winserver19.domain.local|Provider|ad|Realm|DOMAIN.LOCAL|ShellOverrideStatus|enabled|Workgroup||status|disabled
Feb  1 23:20:14 testserver2 /usr/libexec/nethserver/api/system-accounts-provider/update[30369]: /var/lib/nethserver/db/configuration: OLD sssd=service|AdDns||BindDN||BindPassword||DiscoverDcType|dns|LdapURI|ldap://winserver19.domain.local|Provider|ad|Realm|DOMAIN.LOCAL|ShellOverrideStatus|enabled|Workgroup||status|disabled
Feb  1 23:20:14 testserver2 /usr/libexec/nethserver/api/system-accounts-provider/update[30369]: /var/lib/nethserver/db/configuration: NEW sssd=service|AdDns||BindDN||BindPassword||DiscoverDcType|dns|LdapURI|ldap://winserver19.domain.local|Provider|ad|Realm|DOMAIN.LOCAL|ShellOverrideStatus|enabled|StartTls|disabled|Workgroup||status|disabled
Feb  1 23:20:14 testserver2 /usr/libexec/nethserver/api/system-accounts-provider/update[30369]: /var/lib/nethserver/db/configuration: OLD sssd=service|AdDns||BindDN||BindPassword||DiscoverDcType|dns|LdapURI|ldap://winserver19.domain.local|Provider|ad|Realm|DOMAIN.LOCAL|ShellOverrideStatus|enabled|StartTls|disabled|Workgroup||status|disabled
Feb  1 23:20:14 testserver2 /usr/libexec/nethserver/api/system-accounts-provider/update[30369]: /var/lib/nethserver/db/configuration: NEW sssd=service|AdDns||BindDN||BindPassword||DiscoverDcType|dns|LdapURI|ldap://winserver19.domain.local|Provider|ad|Realm|DOMAIN.LOCAL|ShellOverrideStatus|enabled|StartTls|disabled|UserDN|DC=domain,DC=local|Workgroup||status|disabled
Feb  1 23:20:14 testserver2 /usr/libexec/nethserver/api/system-accounts-provider/update[30369]: /var/lib/nethserver/db/configuration: OLD sssd=service|AdDns||BindDN||BindPassword||DiscoverDcType|dns|LdapURI|ldap://winserver19.domain.local|Provider|ad|Realm|DOMAIN.LOCAL|ShellOverrideStatus|enabled|StartTls|disabled|UserDN|DC=domain,DC=local|Workgroup||status|disabled
Feb  1 23:20:14 testserver2 /usr/libexec/nethserver/api/system-accounts-provider/update[30369]: /var/lib/nethserver/db/configuration: NEW sssd=service|AdDns||BindDN||BindPassword||DiscoverDcType|dns|GroupDN|DC=domain,DC=local|LdapURI|ldap://winserver19.domain.local|Provider|ad|Realm|DOMAIN.LOCAL|ShellOverrideStatus|enabled|StartTls|disabled|UserDN|DC=domain,DC=local|Workgroup||status|disabled
Feb  1 23:20:14 testserver2 /usr/libexec/nethserver/api/system-accounts-provider/update[30369]: /var/lib/nethserver/db/configuration: OLD sssd=service|AdDns||BindDN||BindPassword||DiscoverDcType|dns|GroupDN|DC=domain,DC=local|LdapURI|ldap://winserver19.domain.local|Provider|ad|Realm|DOMAIN.LOCAL|ShellOverrideStatus|enabled|StartTls|disabled|UserDN|DC=domain,DC=local|Workgroup||status|disabled
Feb  1 23:20:14 testserver2 /usr/libexec/nethserver/api/system-accounts-provider/update[30369]: /var/lib/nethserver/db/configuration: NEW sssd=service|AdDns||BaseDN|DC=domain,DC=local|BindDN||BindPassword||DiscoverDcType|dns|GroupDN|DC=domain,DC=local|LdapURI|ldap://winserver19.domain.local|Provider|ad|Realm|DOMAIN.LOCAL|ShellOverrideStatus|enabled|StartTls|disabled|UserDN|DC=domain,DC=local|Workgroup||status|disabled
Feb  1 23:20:16 testserver2 /usr/libexec/nethserver/api/system-accounts-provider/update[30369]: /var/lib/nethserver/db/configuration: OLD sssd=service|AdDns||BaseDN|DC=domain,DC=local|BindDN||BindPassword||DiscoverDcType|dns|GroupDN|DC=domain,DC=local|LdapURI|ldap://winserver19.domain.local|Provider|ad|Realm|DOMAIN.LOCAL|ShellOverrideStatus|enabled|StartTls|disabled|UserDN|DC=domain,DC=local|Workgroup||status|disabled
Feb  1 23:20:16 testserver2 /usr/libexec/nethserver/api/system-accounts-provider/update[30369]: /var/lib/nethserver/db/configuration: NEW sssd=service|AdDns||BaseDN|DC=domain,DC=local|BindDN||BindPassword||DiscoverDcType|dns|GroupDN|DC=domain,DC=local|LdapURI|ldap://winserver19.domain.local|Provider|ad|Realm|DOMAIN.LOCAL|ShellOverrideStatus|enabled|StartTls|disabled|UserDN|DC=domain,DC=local|Workgroup|DOMAIN|status|disabled
Feb  1 23:20:16 testserver2 dbus[676]: [system] Activating via systemd: service name='org.freedesktop.realmd' unit='realmd.service'
Feb  1 23:20:16 testserver2 systemd: Starting Realm and Domain Configuration...
Feb  1 23:20:17 testserver2 dbus[676]: [system] Successfully activated service 'org.freedesktop.realmd'
Feb  1 23:20:17 testserver2 systemd: Started Realm and Domain Configuration.
Feb  1 23:20:17 testserver2 realmd: * Resolving: _ldap._tcp.domain.local
Feb  1 23:20:17 testserver2 realmd: * Performing LDAP DSE lookup on: 192.168.1.177
Feb  1 23:20:17 testserver2 realmd: * Successfully discovered: domain.local
Feb  1 23:20:17 testserver2 dbus[676]: [system] Activating via systemd: service name='org.freedesktop.hostname1' unit='dbus-org.freedesktop.hostname1.service'
Feb  1 23:20:17 testserver2 systemd: Starting Hostname Service...
Feb  1 23:20:17 testserver2 realmd: * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
Feb  1 23:20:17 testserver2 realmd: * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.6ID1G1 -U administrator@domain.local ads join domain.local
Feb  1 23:20:17 testserver2 dbus[676]: [system] Successfully activated service 'org.freedesktop.hostname1'
Feb  1 23:20:17 testserver2 systemd: Started Hostname Service.
Feb  1 23:20:21 testserver2 realmd: Enter administrator@domain.local's password:
Feb  1 23:20:21 testserver2 realmd: Using short domain name -- DOMAIN
Feb  1 23:20:21 testserver2 realmd: Joined 'TESTSERVER2' to dns domain 'domain.local'
Feb  1 23:20:21 testserver2 realmd: * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.6ID1G1 -U administrator@domain.local ads keytab create
Feb  1 23:20:23 testserver2 realmd: Enter administrator@domain.local's password:
Feb  1 23:20:23 testserver2 realmd: * /usr/bin/systemctl enable sssd.service
Feb  1 23:20:23 testserver2 realmd: Created symlink from /etc/systemd/system/multi-user.target.wants/sssd.service to /usr/lib/systemd/system/sssd.service.
Feb  1 23:20:23 testserver2 systemd: Reloading.
Feb  1 23:20:24 testserver2 systemd: [/usr/lib/systemd/system/netdata.service:71] Unknown lvalue 'ProtectControlGroups' in section 'Service'
Feb  1 23:20:24 testserver2 realmd: * /usr/bin/systemctl restart sssd.service
Feb  1 23:20:24 testserver2 systemd: Starting System Security Services Daemon...
Feb  1 23:20:25 testserver2 sssd[sssd]: Starting up
Feb  1 23:20:25 testserver2 sssd[be[domain.local]]: Starting up
Feb  1 23:20:25 testserver2 sssd[nss]: Starting up
Feb  1 23:20:25 testserver2 sssd[pam]: Starting up
Feb  1 23:20:25 testserver2 systemd: Started System Security Services Daemon.
Feb  1 23:20:25 testserver2 systemd: Reached target User and Group Name Lookups.
Feb  1 23:20:25 testserver2 realmd: * /usr/bin/sh -c /usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service
Feb  1 23:20:26 testserver2 sssd: tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Server not found in Kerberos database.
Feb  1 23:20:26 testserver2 sssd: tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Server not found in Kerberos database.
Feb  1 23:20:27 testserver2 systemd: Reloading.
Feb  1 23:20:27 testserver2 systemd: [/usr/lib/systemd/system/netdata.service:71] Unknown lvalue 'ProtectControlGroups' in section 'Service'
Feb  1 23:20:28 testserver2 systemd: Reloading.
Feb  1 23:20:28 testserver2 systemd: [/usr/lib/systemd/system/netdata.service:71] Unknown lvalue 'ProtectControlGroups' in section 'Service'
Feb  1 23:20:29 testserver2 systemd: Reloading.
Feb  1 23:20:29 testserver2 systemd: [/usr/lib/systemd/system/netdata.service:71] Unknown lvalue 'ProtectControlGroups' in section 'Service'
Feb  1 23:20:29 testserver2 systemd: Started privileged operations for unprivileged applications.
Feb  1 23:20:30 testserver2 realmd: * Successfully enrolled machine in realm
Feb  1 23:20:30 testserver2 /usr/libexec/nethserver/api/system-accounts-provider/update[30369]: /var/lib/nethserver/db/configuration: OLD sssd=service|AdDns||BaseDN|DC=domain,DC=local|BindDN||BindPassword||DiscoverDcType|dns|GroupDN|DC=domain,DC=local|LdapURI|ldap://winserver19.domain.local|Provider|ad|Realm|DOMAIN.LOCAL|ShellOverrideStatus|enabled|StartTls|disabled|UserDN|DC=domain,DC=local|Workgroup|DOMAIN|status|disabled
Feb  1 23:20:30 testserver2 /usr/libexec/nethserver/api/system-accounts-provider/update[30369]: /var/lib/nethserver/db/configuration: NEW sssd=service|AdDns||BaseDN|DC=domain,DC=local|BindDN||BindPassword||DiscoverDcType|dns|GroupDN|DC=domain,DC=local|LdapURI|ldap://winserver19.domain.local|Provider|ad|Realm|DOMAIN.LOCAL|ShellOverrideStatus|enabled|StartTls|disabled|UserDN|DC=domain,DC=local|Workgroup|DOMAIN|status|enabled
Feb  1 23:20:31 testserver2 esmith::event[30867]: Event: nethserver-sssd-save
Feb  1 23:20:31 testserver2 systemd: Stopping System Security Services Daemon...
Feb  1 23:20:31 testserver2 sssd[be[domain.local]]: Shutting down
Feb  1 23:20:31 testserver2 sssd[nss]: Shutting down
Feb  1 23:20:31 testserver2 sssd[pam]: Shutting down
Feb  1 23:20:31 testserver2 systemd: Stopped System Security Services Daemon.
Feb  1 23:20:31 testserver2 esmith::event[30867]: [NOTICE] wipe out sssd databases and configuration
Feb  1 23:20:31 testserver2 esmith::event[30867]: Action: /etc/e-smith/events/nethserver-sssd-save/S01nethserver-sssd-cleanup SUCCESS [0.15743]
Feb  1 23:20:31 testserver2 esmith::event[30867]: expanding /etc/krb5.conf
Feb  1 23:20:32 testserver2 esmith::event[30867]: expanding /etc/backup-config.d/nethserver-sssd.include
Feb  1 23:20:32 testserver2 esmith::event[30867]: expanding /etc/openldap/ldap.conf
Feb  1 23:20:32 testserver2 esmith::event[30867]: expanding /etc/samba/smb.conf
Feb  1 23:20:32 testserver2 esmith::event[30867]: expanding /etc/sssd/sssd.conf
Feb  1 23:20:32 testserver2 esmith::event[30867]: expanding /etc/nethserver/cockpit.allow
Feb  1 23:20:32 testserver2 esmith::event[30867]: expanding /etc/nethserver/ldappasswd.conf
Feb  1 23:20:32 testserver2 esmith::event[30867]: expanding /etc/pam.d/cockpit
Feb  1 23:20:32 testserver2 esmith::event[30867]: expanding /etc/ssh/sshd_config
Feb  1 23:20:33 testserver2 esmith::event[30867]: Action: /etc/e-smith/events/actions/generic_template_expand SUCCESS [1.630746]
Feb  1 23:20:34 testserver2 esmith::event[30867]: Action: /etc/e-smith/events/nethserver-sssd-save/S20nethserver-sssd-conf SUCCESS [1.242847]
Feb  1 23:20:37 testserver2 esmith::event[30867]: Action: /etc/e-smith/events/nethserver-sssd-save/S30nethserver-sssd-initkeytabs SUCCESS [3.465462]
Feb  1 23:20:38 testserver2 esmith::event[30867]: Action: /etc/e-smith/events/nethserver-sssd-save/S80nethserver-sssd-notifyclients SUCCESS [0.568598]
Feb  1 23:20:38 testserver2 systemd: Reloading.
Feb  1 23:20:39 testserver2 systemd: [/usr/lib/systemd/system/netdata.service:71] Unknown lvalue 'ProtectControlGroups' in section 'Service'
Feb  1 23:20:39 testserver2 systemd: Starting System Security Services Daemon...
Feb  1 23:20:40 testserver2 sssd[sssd]: Starting up
Feb  1 23:20:40 testserver2 sssd[be[domain.local]]: Starting up
Feb  1 23:20:41 testserver2 sssd[nss]: Starting up
Feb  1 23:20:41 testserver2 sssd[pam]: Starting up
Feb  1 23:20:41 testserver2 systemd: Started System Security Services Daemon.
Feb  1 23:20:41 testserver2 esmith::event[30867]: [INFO] sssd has been started
Feb  1 23:20:41 testserver2 systemd: Reloading.
Feb  1 23:20:41 testserver2 systemd: [/usr/lib/systemd/system/netdata.service:71] Unknown lvalue 'ProtectControlGroups' in section 'Service'
Feb  1 23:20:42 testserver2 esmith::event[30867]: [INFO] service sshd restart
Feb  1 23:20:42 testserver2 systemd: Stopping OpenSSH server daemon...
Feb  1 23:20:42 testserver2 sshd[908]: Received signal 15; terminating.
Feb  1 23:20:42 testserver2 systemd: Stopped OpenSSH server daemon.
Feb  1 23:20:42 testserver2 sshd[31998]: Server listening on 0.0.0.0 port 2222.
Feb  1 23:20:42 testserver2 systemd: Starting OpenSSH server daemon...
Feb  1 23:20:42 testserver2 sshd[31998]: Server listening on :: port 2222.
Feb  1 23:20:42 testserver2 systemd: Started OpenSSH server daemon.
Feb  1 23:20:42 testserver2 esmith::event[30867]: Action: /etc/e-smith/events/actions/adjust-services SUCCESS [4.370187]
Feb  1 23:20:42 testserver2 esmith::event[30867]: Event: nethserver-sssd-save SUCCESS

`

#14

the main difference is there
Feb 2 11:51:16 Neth248 realmd: Enter administrator@domain.local’s password:
Feb 2 11:51:16 Neth248 realmd: Failed to join domain: failed to lookup DC info for domain ‘domain.local’ over rpc: The attempted logon is invalid. This is either due to a bad username or authentication information.
Feb 2 11:51:16 Neth248 realmd: ! Joining the domain domain.local failed

after that error nethserver revert everything and the sssd service don’t want to start

oh and with the StartTLS I have see it to that you don’t have it so I tried with and without but same result

#15

Sorry, I’m out of ideas, from the log it seems like bad credentials but you already excluded that.
Did you try to create a new admin account with a simple password on the DC for joining, maybe it’s an issue with a special char in the password?

Please also check (if not already done):

  • NethServer should just use the DC as primary DNS server
  • dc.domain.local and domain.local should be pingable from the NethServer and return the IP of the DC
#16

ho yes, you nail it !
the admin password was to complex
cockpit join the domain and I manage to leave and join again
sadly the user web page still does not work with the same error
system-task/read

#17

Great that the AD join worked now.

I think I could reproduce the login issue. It was not possible to login to the user settings page and I got following error in messages log:

cockpit-session: pam_listfile(cockpit:auth): Refused user markus for service cockpit

I didn’t get this one.

I did the following steps and it worked again but I’m not sure what exactly helped:

  • Unlock the user that can’t login
  • Add the user to domain admins group, login in, remove the user again from the group
  • Reboot the servers
#18

I have try your step but it didn’t do the trick
I don’t know if its the same for you but for me no user can open the user webpage (even the admin)

then I tried for testing purpose to add my user to the sudoer with this

EDITOR=nano visudo
and add at the bottom of the file
username ALL=(ALL) NOPASSWD:ALL

and it work, I can see the page
so the problem (imho) its that the domain user dont have right to read and execute thoses files

Jan 31 15:34:45 Neth248 sudo: user@domain.local : user NOT in sudoers ; TTY=unknown ; PWD=/run/user/1796001315 ; USER=root ; COMMAND=/usr/libexec/nethserver/api/system-settings/read
Jan 31 15:34:46 Neth248 sudo: user@domain.local : command not allowed ; TTY=unknown ; PWD=/run/user/1796001315 ; USER=root ; COMMAND=list
Jan 31 15:34:46 Neth248 sudo: user@domain.local : command not allowed ; TTY=unknown ; PWD=/run/user/1796001315 ; USER=root ; COMMAND=list
Jan 31 15:34:47 Neth248 sudo: user@domain.local : user NOT in sudoers ; TTY=unknown ; PWD=/run/user/1796001315 ; USER=root ; COMMAND=/usr/libexec/nethserver/api/system-password-policy/read
Jan 31 15:34:49 Neth248 sudo: user@domain.local : user NOT in sudoers ; TTY=unknown ; PWD=/run/user/1796001315 ; USER=root ; COMMAND=/usr/libexec/nethserver/api/system-settings/hints
Jan 31 15:34:52 Neth248 sudo: user@domain.local : user NOT in sudoers ; TTY=unknown ; PWD=/run/user/1796001315 ; USER=root ; COMMAND=/usr/libexec/nethserver/api/system-task/read
Jan 31 15:34:54 Neth248 sudo: user@domain.local : user NOT in sudoers ; TTY=unknown ; PWD=/run/user/1796001315 ; USER=root ; COMMAND=/usr/libexec/nethserver/api/system-settings/read

how I can give the the right to domain user to only those file/exe so its stay safe and secure

#19

Nethserver configuration is in /etc/sudoers.d/. In 55_nsapi_perms you find the domain users/admins group.

Please also check the file /etc/sudoers, the last line should be

#includedir /etc/sudoers.d

See also Invalid credentials when logging in to admin webinterface - #32 by mrmarkuz

#20

this is what I have in 55_nsapi_perms

10base

%locals ALL=NOPASSWD: NSAPI_PUBLIC
%domain\ users ALL=NOPASSWD: NSAPI_PUBLIC

20groups

90admins

%domain\ admins ALL=NOPASSWD: NSAPI_ADMINS, NSAPI_NETHSERVER_ANTIVIRUS, NSAPI_NETHSERVER_BLACKLIST, NSAPI_NETHSERVER_FAIL2BAN, NSAPI_NETHSERVER_FIREWA$
admin ALL=NOPASSWD: NSAPI_ADMINS, NSAPI_NETHSERVER_ANTIVIRUS, NSAPI_NETHSERVER_BLACKLIST, NSAPI_NETHSERVER_FAIL2BAN, NSAPI_NETHSERVER_FIREWALL_BASE, N$

it seems ok and yes the last line is #includedir /etc/sudoers.d
but the only way I manage to go in user webpage is if I put : username ALL=(ALL) NOPASSWD:ALL