Error Joining MS AD

NethServer Version: 7.9.2009
Module: Users and groups
Hello all
I am trying to join AD (MS Server 2019) using Cockpit. I have this error in the GUI:

Remote AD not joined.
The following command has failed:
system-accounts-provider/update

When I look in /var/log/messages I get these:

Jan 28 11:06:23 nethserver210 realmd: Enter @*.local's password:
Jan 28 11:06:23 nethserver210 realmd: Failed to join domain: failed to lookup DC info for domain '********.local' over rpc: The attempted logon is invalid. This is either due to a bad username or authentication information.
Jan 28 11:06:23 nethserver210 realmd: ! Joining the domain ********.local failed

Of course the user and password are good.

When I try to validate the user/pass in the GUI it appears OK, but I get these messages in /var/log/messages:

Jan 28 10:59:51 nethserver210 cockpit-bridge: No entry for terminal type "unknown";
Jan 28 10:59:51 nethserver210 cockpit-bridge: using dumb terminal settings.
Jan 28 10:59:52 nethserver210 cockpit-bridge: Traceback (most recent call last):
Jan 28 10:59:52 nethserver210 cockpit-bridge: File "", line 3, in
Jan 28 10:59:52 nethserver210 cockpit-bridge: KeyError: 'SECRETS/MACHINE_PASSWORD/WORKGROUP'

If I run the failing command on the CLI I get an error:
"type": "EventFailed",
"id": 1643129849,
"message": " * Resolving: _ldap._tcp.michaudville.local\n"

I can ping/resolve everything.
Joining the domain works with the old interface, but I can't get the user to log in afterwards for the VPN QR code (looks like user rights).

I can join the domain on the CLI and query users, it works.
It's a VM and promiscuous mode is enabled.
I have tried with another version (7.6) and a clean install, always with the same result.
I don't know if anyone has any idea; I'm starting to run out of resources.

Thanks a lot!!
Have a great day!

Is there a correct time on the systems?

Let's check the account provider on the CLI:

account-provider-test dump

Are there errors in the log files?
Does it work without 2FA?

Yes, the time is accurate.

[root@Neth248 ~]# account-provider-test dump
{
"BindDN" : "msband@domain.local",
"LdapURI" : "ldap://dc.domain.local",
"DiscoverDcType" : "dns",
"StartTls" : "1",
"port" : 389,
"host" : "dc.domain.local",
"isAD" : "1",
"isLdap" : "",
"UserDN" : "DC=domain,DC=local",
"GroupDN" : "DC=domain,DC=local",
"BindPassword" : "**********",
"BaseDN" : "DC=domain,DC=local",
"LdapUriDn" : "ldap:///dc%3Ddomain%2Cdc%3Dlocal"

It works when we don't use 2FA, since I don't need to connect to the web page with the user.

Here are the messages in /var/log/messages when I try to log in with the user account:

Jan 31 11:47:01 Neth248 systemd: Starting Cockpit Web Service for Users…
Jan 31 11:47:01 Neth248 remotectl: /usr/bin/chcon: can't apply partial context to unlabeled file '/etc/cockpit-user/cockpit/ws-certs.d/0-self-signed.cert'
Jan 31 11:47:01 Neth248 systemd: Started Cockpit Web Service for Users.
Jan 31 11:47:01 Neth248 remotectl: remotectl: couldn't change SELinux type context 'etc_t' for certificate: /etc/cockpit-user/cockpit/ws-certs.d/0-self-signed.cert: Child process exited with code 1
Jan 31 11:47:01 Neth248 cockpit-ws: Using certificate: /etc/cockpit-user/cockpit/ws-certs.d/0-self-signed.cert
Jan 31 11:47:01 Neth248 cockpit-session: pam_ssh_add: Failed adding some keys
Jan 31 11:47:01 Neth248 systemd: Created slice User Slice of me@domain.local.
Jan 31 11:47:01 Neth248 systemd: Started Session 4 of user me@domain.local.
Jan 31 11:47:01 Neth248 systemd-logind: New session 4 of user me@domain.local.
Jan 31 11:47:01 Neth248 oddjobd: Error org.freedesktop.DBus.Error.SELinuxSecurityContextUnknown: Could not determine security context for ':1.273'.
Jan 31 11:47:01 Neth248 cockpit-ws: cockpit-session: pam: Creating home directory for me@domain.local.
Jan 31 11:47:02 Neth248 cockpit-ws: logged in user session
Jan 31 11:47:02 Neth248 cockpit-ws: New connection to session from 127.0.0.1
Jan 31 11:47:03 Neth248 cockpit-bridge: We trust you have received the usual lecture from the local System
Jan 31 11:47:03 Neth248 cockpit-bridge: Administrator. It usually boils down to these three things:
Jan 31 11:47:03 Neth248 cockpit-bridge: #1) Respect the privacy of others.
Jan 31 11:47:03 Neth248 cockpit-bridge: #2) Think before you type.
Jan 31 11:47:03 Neth248 cockpit-bridge: #3) With great power comes great responsibility.
Jan 31 11:47:03 Neth248 cockpit-bridge: sudo: no tty present and no askpass program specified

Thanks a bunch for the super fast answer.

Did you try to login just with username, without domainname?

Are shell policy override and user settings page enabled?

Just the username gives the same error in the logs.

Yes, both are on.

Did you create a dedicated account in AD as explained here?

Maybe there is more information in /var/log/secure ?

Yes, the dedicated account is in place.

We got an interesting thing in the secure logs:
Jan 31 15:34:43 Neth248 cockpit-session: pam_sss(cockpit:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost=127.0.0.1 user=user
Jan 31 15:34:43 Neth248 cockpit-session: pam_listfile(cockpit:auth): Refused user user for service cockpit
Jan 31 15:34:43 Neth248 cockpit-session: pam_unix(cockpit:session): session opened for user user by (uid=0)
Jan 31 15:34:43 Neth248 polkitd[791]: Registered Authentication Agent for unix-session:13 (system bus name :1.332 [cockpit-bridge], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Jan 31 15:34:45 Neth248 sudo: user@domain.local : user NOT in sudoers ; TTY=unknown ; PWD=/run/user/1796001315 ; USER=root ; COMMAND=/usr/libexec/nethserver/api/system-settings/read
Jan 31 15:34:46 Neth248 sudo: user@domain.local : command not allowed ; TTY=unknown ; PWD=/run/user/1796001315 ; USER=root ; COMMAND=list
Jan 31 15:34:46 Neth248 sudo: user@domain.local : command not allowed ; TTY=unknown ; PWD=/run/user/1796001315 ; USER=root ; COMMAND=list
Jan 31 15:34:47 Neth248 sudo: user@domain.local : user NOT in sudoers ; TTY=unknown ; PWD=/run/user/1796001315 ; USER=root ; COMMAND=/usr/libexec/nethserver/api/system-password-policy/read
Jan 31 15:34:49 Neth248 sudo: user@domain.local : user NOT in sudoers ; TTY=unknown ; PWD=/run/user/1796001315 ; USER=root ; COMMAND=/usr/libexec/nethserver/api/system-settings/hints
Jan 31 15:34:52 Neth248 sudo: user@domain.local : user NOT in sudoers ; TTY=unknown ; PWD=/run/user/1796001315 ; USER=root ; COMMAND=/usr/libexec/nethserver/api/system-task/read
Jan 31 15:34:54 Neth248 sudo: user@domain.local : user NOT in sudoers ; TTY=unknown ; PWD=/run/user/1796001315 ; USER=root ; COMMAND=/usr/libexec/nethserver/api/system-settings/read

I tested with Win 2019 as remote AD and the login to the user settings page for setting up 2FA works here. The user settings page is available at https://server.domain.local/user-settings

I created an account “manager” in the Windows AD.


Here are my account provider settings:



Maybe it's because I didn't join the domain with Cockpit but with the old interface.

Why does Cockpit refuse access to the service?
Is there a way to put those users in sudoers so they can read?

When I try to join the domain with Cockpit and copy/paste the command, it fails there:

"steps": 3,
"pid": 4751,
"args": "",
"event": "nethserver-sssd-leave"
}
{
"step": 1,
"pid": 4751,
"action": "S01nethserver-sssd-leave",
"event": "nethserver-sssd-leave",
"state": "running"
}
{
"progress": "0.33",
"time": "0.045413",
"exit": 0,
"event": "nethserver-sssd-leave",
"state": "done",
"step": 1,
"pid": 4751,
"action": "S01nethserver-sssd-leave"
}
{
"step": 2,
"pid": 4751,
"action": "S02nethserver-sssd-cleanup",
"event": "nethserver-sssd-leave",
"state": "running"
}
{
"progress": "0.67",
"time": "0.009512",
"exit": 0,
"event": "nethserver-sssd-leave",
"state": "done",
"step": 2,
"pid": 4751,
"action": "S02nethserver-sssd-cleanup"
}
{
"step": 3,
"pid": 4751,
"action": "S05generic_template_expand",
"event": "nethserver-sssd-leave",
"state": "running"
}
{
"progress": "1.00",
"time": "0.082647",
"exit": 0,
"event": "nethserver-sssd-leave",
"state": "done",
"step": 3,
"pid": 4751,
"action": "S05generic_template_expand"
}
{
"pid": 4751,
"status": "success",
"event": "nethserver-sssd-leave"
}
{
"type": "EventFailed",
"id": 1643678805,
"message": " * Resolving: _ldap._tcp.domain.local\n"

Did you already try to leave and rejoin AD as explained here?

With Cockpit I can't leave or join, I just get an error.
With the old interface, leave and join work, but I get the user problem.

I didn’t enable StartTLS, maybe that’s the issue?

The join to AD seems OK even if there's an error message in Cockpit. Let's check if sssd is working by executing the following command:

getent passwd administrator

Here is the messages log part of a working join to a Win Server 2019 DC. You may compare it with your log.
Feb  1 23:20:11 testserver2 esmith::event[30370]: Event: nethserver-sssd-leave
Feb  1 23:20:11 testserver2 systemd: Stopping Realm and Domain Configuration...
Feb  1 23:20:11 testserver2 systemd: Stopped Realm and Domain Configuration.
Feb  1 23:20:11 testserver2 esmith::event[30370]: Action: /etc/e-smith/events/nethserver-sssd-leave/S01nethserver-sssd-leave SUCCESS [0.257295]
Feb  1 23:20:11 testserver2 esmith::event[30370]: [NOTICE] wipe out sssd databases and configuration
Feb  1 23:20:12 testserver2 esmith::event[30370]: Action: /etc/e-smith/events/nethserver-sssd-leave/S02nethserver-sssd-cleanup SUCCESS [0.065549]
Feb  1 23:20:12 testserver2 esmith::event[30370]: expanding /etc/krb5.conf
Feb  1 23:20:12 testserver2 esmith::event[30370]: expanding /etc/samba/smb.conf
Feb  1 23:20:12 testserver2 esmith::event[30370]: Action: /etc/e-smith/events/actions/generic_template_expand SUCCESS [0.832051]
Feb  1 23:20:12 testserver2 esmith::event[30370]: Event: nethserver-sssd-leave SUCCESS
Feb  1 23:20:14 testserver2 /usr/libexec/nethserver/api/system-accounts-provider/update[30369]: /var/lib/nethserver/db/configuration: OLD sssd=service|AdDns||DiscoverDcType|dns|LdapURI||Provider|none|Realm||ShellOverrideStatus|enabled|Workgroup||status|disabled
Feb  1 23:20:14 testserver2 /usr/libexec/nethserver/api/system-accounts-provider/update[30369]: /var/lib/nethserver/db/configuration: NEW sssd=service|AdDns||DiscoverDcType|dns|LdapURI||Provider|none|Realm|DOMAIN.LOCAL|ShellOverrideStatus|enabled|Workgroup||status|disabled
Feb  1 23:20:14 testserver2 /usr/libexec/nethserver/api/system-accounts-provider/update[30369]: /var/lib/nethserver/db/configuration: OLD sssd=service|AdDns||DiscoverDcType|dns|LdapURI||Provider|none|Realm|DOMAIN.LOCAL|ShellOverrideStatus|enabled|Workgroup||status|disabled
Feb  1 23:20:14 testserver2 /usr/libexec/nethserver/api/system-accounts-provider/update[30369]: /var/lib/nethserver/db/configuration: NEW sssd=service|AdDns||DiscoverDcType|dns|LdapURI||Provider|ad|Realm|DOMAIN.LOCAL|ShellOverrideStatus|enabled|Workgroup||status|disabled
Feb  1 23:20:14 testserver2 /usr/libexec/nethserver/api/system-accounts-provider/update[30369]: /var/lib/nethserver/db/configuration: OLD sssd=service|AdDns||DiscoverDcType|dns|LdapURI||Provider|ad|Realm|DOMAIN.LOCAL|ShellOverrideStatus|enabled|Workgroup||status|disabled
Feb  1 23:20:14 testserver2 /usr/libexec/nethserver/api/system-accounts-provider/update[30369]: /var/lib/nethserver/db/configuration: NEW sssd=service|AdDns||BindDN||DiscoverDcType|dns|LdapURI||Provider|ad|Realm|DOMAIN.LOCAL|ShellOverrideStatus|enabled|Workgroup||status|disabled
Feb  1 23:20:14 testserver2 /usr/libexec/nethserver/api/system-accounts-provider/update[30369]: /var/lib/nethserver/db/configuration: OLD sssd=service|AdDns||BindDN||DiscoverDcType|dns|LdapURI||Provider|ad|Realm|DOMAIN.LOCAL|ShellOverrideStatus|enabled|Workgroup||status|disabled
Feb  1 23:20:14 testserver2 /usr/libexec/nethserver/api/system-accounts-provider/update[30369]: /var/lib/nethserver/db/configuration: NEW sssd=service|AdDns||BindDN||BindPassword||DiscoverDcType|dns|LdapURI||Provider|ad|Realm|DOMAIN.LOCAL|ShellOverrideStatus|enabled|Workgroup||status|disabled
Feb  1 23:20:14 testserver2 /usr/libexec/nethserver/api/system-accounts-provider/update[30369]: /var/lib/nethserver/db/configuration: OLD sssd=service|AdDns||BindDN||BindPassword||DiscoverDcType|dns|LdapURI||Provider|ad|Realm|DOMAIN.LOCAL|ShellOverrideStatus|enabled|Workgroup||status|disabled
Feb  1 23:20:14 testserver2 /usr/libexec/nethserver/api/system-accounts-provider/update[30369]: /var/lib/nethserver/db/configuration: NEW sssd=service|AdDns||BindDN||BindPassword||DiscoverDcType|dns|LdapURI|ldap://winserver19.domain.local|Provider|ad|Realm|DOMAIN.LOCAL|ShellOverrideStatus|enabled|Workgroup||status|disabled
Feb  1 23:20:14 testserver2 /usr/libexec/nethserver/api/system-accounts-provider/update[30369]: /var/lib/nethserver/db/configuration: OLD sssd=service|AdDns||BindDN||BindPassword||DiscoverDcType|dns|LdapURI|ldap://winserver19.domain.local|Provider|ad|Realm|DOMAIN.LOCAL|ShellOverrideStatus|enabled|Workgroup||status|disabled
Feb  1 23:20:14 testserver2 /usr/libexec/nethserver/api/system-accounts-provider/update[30369]: /var/lib/nethserver/db/configuration: NEW sssd=service|AdDns||BindDN||BindPassword||DiscoverDcType|dns|LdapURI|ldap://winserver19.domain.local|Provider|ad|Realm|DOMAIN.LOCAL|ShellOverrideStatus|enabled|StartTls|disabled|Workgroup||status|disabled
Feb  1 23:20:14 testserver2 /usr/libexec/nethserver/api/system-accounts-provider/update[30369]: /var/lib/nethserver/db/configuration: OLD sssd=service|AdDns||BindDN||BindPassword||DiscoverDcType|dns|LdapURI|ldap://winserver19.domain.local|Provider|ad|Realm|DOMAIN.LOCAL|ShellOverrideStatus|enabled|StartTls|disabled|Workgroup||status|disabled
Feb  1 23:20:14 testserver2 /usr/libexec/nethserver/api/system-accounts-provider/update[30369]: /var/lib/nethserver/db/configuration: NEW sssd=service|AdDns||BindDN||BindPassword||DiscoverDcType|dns|LdapURI|ldap://winserver19.domain.local|Provider|ad|Realm|DOMAIN.LOCAL|ShellOverrideStatus|enabled|StartTls|disabled|UserDN|DC=domain,DC=local|Workgroup||status|disabled
Feb  1 23:20:14 testserver2 /usr/libexec/nethserver/api/system-accounts-provider/update[30369]: /var/lib/nethserver/db/configuration: OLD sssd=service|AdDns||BindDN||BindPassword||DiscoverDcType|dns|LdapURI|ldap://winserver19.domain.local|Provider|ad|Realm|DOMAIN.LOCAL|ShellOverrideStatus|enabled|StartTls|disabled|UserDN|DC=domain,DC=local|Workgroup||status|disabled
Feb  1 23:20:14 testserver2 /usr/libexec/nethserver/api/system-accounts-provider/update[30369]: /var/lib/nethserver/db/configuration: NEW sssd=service|AdDns||BindDN||BindPassword||DiscoverDcType|dns|GroupDN|DC=domain,DC=local|LdapURI|ldap://winserver19.domain.local|Provider|ad|Realm|DOMAIN.LOCAL|ShellOverrideStatus|enabled|StartTls|disabled|UserDN|DC=domain,DC=local|Workgroup||status|disabled
Feb  1 23:20:14 testserver2 /usr/libexec/nethserver/api/system-accounts-provider/update[30369]: /var/lib/nethserver/db/configuration: OLD sssd=service|AdDns||BindDN||BindPassword||DiscoverDcType|dns|GroupDN|DC=domain,DC=local|LdapURI|ldap://winserver19.domain.local|Provider|ad|Realm|DOMAIN.LOCAL|ShellOverrideStatus|enabled|StartTls|disabled|UserDN|DC=domain,DC=local|Workgroup||status|disabled
Feb  1 23:20:14 testserver2 /usr/libexec/nethserver/api/system-accounts-provider/update[30369]: /var/lib/nethserver/db/configuration: NEW sssd=service|AdDns||BaseDN|DC=domain,DC=local|BindDN||BindPassword||DiscoverDcType|dns|GroupDN|DC=domain,DC=local|LdapURI|ldap://winserver19.domain.local|Provider|ad|Realm|DOMAIN.LOCAL|ShellOverrideStatus|enabled|StartTls|disabled|UserDN|DC=domain,DC=local|Workgroup||status|disabled
Feb  1 23:20:16 testserver2 /usr/libexec/nethserver/api/system-accounts-provider/update[30369]: /var/lib/nethserver/db/configuration: OLD sssd=service|AdDns||BaseDN|DC=domain,DC=local|BindDN||BindPassword||DiscoverDcType|dns|GroupDN|DC=domain,DC=local|LdapURI|ldap://winserver19.domain.local|Provider|ad|Realm|DOMAIN.LOCAL|ShellOverrideStatus|enabled|StartTls|disabled|UserDN|DC=domain,DC=local|Workgroup||status|disabled
Feb  1 23:20:16 testserver2 /usr/libexec/nethserver/api/system-accounts-provider/update[30369]: /var/lib/nethserver/db/configuration: NEW sssd=service|AdDns||BaseDN|DC=domain,DC=local|BindDN||BindPassword||DiscoverDcType|dns|GroupDN|DC=domain,DC=local|LdapURI|ldap://winserver19.domain.local|Provider|ad|Realm|DOMAIN.LOCAL|ShellOverrideStatus|enabled|StartTls|disabled|UserDN|DC=domain,DC=local|Workgroup|DOMAIN|status|disabled
Feb  1 23:20:16 testserver2 dbus[676]: [system] Activating via systemd: service name='org.freedesktop.realmd' unit='realmd.service'
Feb  1 23:20:16 testserver2 systemd: Starting Realm and Domain Configuration...
Feb  1 23:20:17 testserver2 dbus[676]: [system] Successfully activated service 'org.freedesktop.realmd'
Feb  1 23:20:17 testserver2 systemd: Started Realm and Domain Configuration.
Feb  1 23:20:17 testserver2 realmd: * Resolving: _ldap._tcp.domain.local
Feb  1 23:20:17 testserver2 realmd: * Performing LDAP DSE lookup on: 192.168.1.177
Feb  1 23:20:17 testserver2 realmd: * Successfully discovered: domain.local
Feb  1 23:20:17 testserver2 dbus[676]: [system] Activating via systemd: service name='org.freedesktop.hostname1' unit='dbus-org.freedesktop.hostname1.service'
Feb  1 23:20:17 testserver2 systemd: Starting Hostname Service...
Feb  1 23:20:17 testserver2 realmd: * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
Feb  1 23:20:17 testserver2 realmd: * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.6ID1G1 -U administrator@domain.local ads join domain.local
Feb  1 23:20:17 testserver2 dbus[676]: [system] Successfully activated service 'org.freedesktop.hostname1'
Feb  1 23:20:17 testserver2 systemd: Started Hostname Service.
Feb  1 23:20:21 testserver2 realmd: Enter administrator@domain.local's password:
Feb  1 23:20:21 testserver2 realmd: Using short domain name -- DOMAIN
Feb  1 23:20:21 testserver2 realmd: Joined 'TESTSERVER2' to dns domain 'domain.local'
Feb  1 23:20:21 testserver2 realmd: * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.6ID1G1 -U administrator@domain.local ads keytab create
Feb  1 23:20:23 testserver2 realmd: Enter administrator@domain.local's password:
Feb  1 23:20:23 testserver2 realmd: * /usr/bin/systemctl enable sssd.service
Feb  1 23:20:23 testserver2 realmd: Created symlink from /etc/systemd/system/multi-user.target.wants/sssd.service to /usr/lib/systemd/system/sssd.service.
Feb  1 23:20:23 testserver2 systemd: Reloading.
Feb  1 23:20:24 testserver2 systemd: [/usr/lib/systemd/system/netdata.service:71] Unknown lvalue 'ProtectControlGroups' in section 'Service'
Feb  1 23:20:24 testserver2 realmd: * /usr/bin/systemctl restart sssd.service
Feb  1 23:20:24 testserver2 systemd: Starting System Security Services Daemon...
Feb  1 23:20:25 testserver2 sssd[sssd]: Starting up
Feb  1 23:20:25 testserver2 sssd[be[domain.local]]: Starting up
Feb  1 23:20:25 testserver2 sssd[nss]: Starting up
Feb  1 23:20:25 testserver2 sssd[pam]: Starting up
Feb  1 23:20:25 testserver2 systemd: Started System Security Services Daemon.
Feb  1 23:20:25 testserver2 systemd: Reached target User and Group Name Lookups.
Feb  1 23:20:25 testserver2 realmd: * /usr/bin/sh -c /usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service
Feb  1 23:20:26 testserver2 sssd: tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Server not found in Kerberos database.
Feb  1 23:20:26 testserver2 sssd: tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Server not found in Kerberos database.
Feb  1 23:20:27 testserver2 systemd: Reloading.
Feb  1 23:20:27 testserver2 systemd: [/usr/lib/systemd/system/netdata.service:71] Unknown lvalue 'ProtectControlGroups' in section 'Service'
Feb  1 23:20:28 testserver2 systemd: Reloading.
Feb  1 23:20:28 testserver2 systemd: [/usr/lib/systemd/system/netdata.service:71] Unknown lvalue 'ProtectControlGroups' in section 'Service'
Feb  1 23:20:29 testserver2 systemd: Reloading.
Feb  1 23:20:29 testserver2 systemd: [/usr/lib/systemd/system/netdata.service:71] Unknown lvalue 'ProtectControlGroups' in section 'Service'
Feb  1 23:20:29 testserver2 systemd: Started privileged operations for unprivileged applications.
Feb  1 23:20:30 testserver2 realmd: * Successfully enrolled machine in realm
Feb  1 23:20:30 testserver2 /usr/libexec/nethserver/api/system-accounts-provider/update[30369]: /var/lib/nethserver/db/configuration: OLD sssd=service|AdDns||BaseDN|DC=domain,DC=local|BindDN||BindPassword||DiscoverDcType|dns|GroupDN|DC=domain,DC=local|LdapURI|ldap://winserver19.domain.local|Provider|ad|Realm|DOMAIN.LOCAL|ShellOverrideStatus|enabled|StartTls|disabled|UserDN|DC=domain,DC=local|Workgroup|DOMAIN|status|disabled
Feb  1 23:20:30 testserver2 /usr/libexec/nethserver/api/system-accounts-provider/update[30369]: /var/lib/nethserver/db/configuration: NEW sssd=service|AdDns||BaseDN|DC=domain,DC=local|BindDN||BindPassword||DiscoverDcType|dns|GroupDN|DC=domain,DC=local|LdapURI|ldap://winserver19.domain.local|Provider|ad|Realm|DOMAIN.LOCAL|ShellOverrideStatus|enabled|StartTls|disabled|UserDN|DC=domain,DC=local|Workgroup|DOMAIN|status|enabled
Feb  1 23:20:31 testserver2 esmith::event[30867]: Event: nethserver-sssd-save
Feb  1 23:20:31 testserver2 systemd: Stopping System Security Services Daemon...
Feb  1 23:20:31 testserver2 sssd[be[domain.local]]: Shutting down
Feb  1 23:20:31 testserver2 sssd[nss]: Shutting down
Feb  1 23:20:31 testserver2 sssd[pam]: Shutting down
Feb  1 23:20:31 testserver2 systemd: Stopped System Security Services Daemon.
Feb  1 23:20:31 testserver2 esmith::event[30867]: [NOTICE] wipe out sssd databases and configuration
Feb  1 23:20:31 testserver2 esmith::event[30867]: Action: /etc/e-smith/events/nethserver-sssd-save/S01nethserver-sssd-cleanup SUCCESS [0.15743]
Feb  1 23:20:31 testserver2 esmith::event[30867]: expanding /etc/krb5.conf
Feb  1 23:20:32 testserver2 esmith::event[30867]: expanding /etc/backup-config.d/nethserver-sssd.include
Feb  1 23:20:32 testserver2 esmith::event[30867]: expanding /etc/openldap/ldap.conf
Feb  1 23:20:32 testserver2 esmith::event[30867]: expanding /etc/samba/smb.conf
Feb  1 23:20:32 testserver2 esmith::event[30867]: expanding /etc/sssd/sssd.conf
Feb  1 23:20:32 testserver2 esmith::event[30867]: expanding /etc/nethserver/cockpit.allow
Feb  1 23:20:32 testserver2 esmith::event[30867]: expanding /etc/nethserver/ldappasswd.conf
Feb  1 23:20:32 testserver2 esmith::event[30867]: expanding /etc/pam.d/cockpit
Feb  1 23:20:32 testserver2 esmith::event[30867]: expanding /etc/ssh/sshd_config
Feb  1 23:20:33 testserver2 esmith::event[30867]: Action: /etc/e-smith/events/actions/generic_template_expand SUCCESS [1.630746]
Feb  1 23:20:34 testserver2 esmith::event[30867]: Action: /etc/e-smith/events/nethserver-sssd-save/S20nethserver-sssd-conf SUCCESS [1.242847]
Feb  1 23:20:37 testserver2 esmith::event[30867]: Action: /etc/e-smith/events/nethserver-sssd-save/S30nethserver-sssd-initkeytabs SUCCESS [3.465462]
Feb  1 23:20:38 testserver2 esmith::event[30867]: Action: /etc/e-smith/events/nethserver-sssd-save/S80nethserver-sssd-notifyclients SUCCESS [0.568598]
Feb  1 23:20:38 testserver2 systemd: Reloading.
Feb  1 23:20:39 testserver2 systemd: [/usr/lib/systemd/system/netdata.service:71] Unknown lvalue 'ProtectControlGroups' in section 'Service'
Feb  1 23:20:39 testserver2 systemd: Starting System Security Services Daemon...
Feb  1 23:20:40 testserver2 sssd[sssd]: Starting up
Feb  1 23:20:40 testserver2 sssd[be[domain.local]]: Starting up
Feb  1 23:20:41 testserver2 sssd[nss]: Starting up
Feb  1 23:20:41 testserver2 sssd[pam]: Starting up
Feb  1 23:20:41 testserver2 systemd: Started System Security Services Daemon.
Feb  1 23:20:41 testserver2 esmith::event[30867]: [INFO] sssd has been started
Feb  1 23:20:41 testserver2 systemd: Reloading.
Feb  1 23:20:41 testserver2 systemd: [/usr/lib/systemd/system/netdata.service:71] Unknown lvalue 'ProtectControlGroups' in section 'Service'
Feb  1 23:20:42 testserver2 esmith::event[30867]: [INFO] service sshd restart
Feb  1 23:20:42 testserver2 systemd: Stopping OpenSSH server daemon...
Feb  1 23:20:42 testserver2 sshd[908]: Received signal 15; terminating.
Feb  1 23:20:42 testserver2 systemd: Stopped OpenSSH server daemon.
Feb  1 23:20:42 testserver2 sshd[31998]: Server listening on 0.0.0.0 port 2222.
Feb  1 23:20:42 testserver2 systemd: Starting OpenSSH server daemon...
Feb  1 23:20:42 testserver2 sshd[31998]: Server listening on :: port 2222.
Feb  1 23:20:42 testserver2 systemd: Started OpenSSH server daemon.
Feb  1 23:20:42 testserver2 esmith::event[30867]: Action: /etc/e-smith/events/actions/adjust-services SUCCESS [4.370187]
Feb  1 23:20:42 testserver2 esmith::event[30867]: Event: nethserver-sssd-save SUCCESS


The main difference is here:
Feb 2 11:51:16 Neth248 realmd: Enter administrator@domain.local's password:
Feb 2 11:51:16 Neth248 realmd: Failed to join domain: failed to lookup DC info for domain 'domain.local' over rpc: The attempted logon is invalid. This is either due to a bad username or authentication information.
Feb 2 11:51:16 Neth248 realmd: ! Joining the domain domain.local failed

After that error NethServer reverts everything and the sssd service doesn't want to start.

Oh, and about StartTLS: I saw that you don't have it either, so I tried with and without, but same result.

Sorry, I’m out of ideas, from the log it seems like bad credentials but you already excluded that.
Did you try to create a new admin account with a simple password on the DC for joining, maybe it’s an issue with a special char in the password?

Please also check (if not already done):

  • NethServer should just use the DC as primary DNS server
  • dc.domain.local and domain.local should be pingable from the NethServer and return the IP of the DC

Oh yes, you nailed it!
The admin password was too complex.
Cockpit joins the domain and I manage to leave and join again.
Sadly the user web page still does not work, with the same error:
system-task/read

Great that the AD join worked now.

I think I could reproduce the login issue. It was not possible to log in to the user settings page and I got the following error in the messages log:

cockpit-session: pam_listfile(cockpit:auth): Refused user markus for service cockpit

I didn’t get this one.

I did the following steps and it worked again but I’m not sure what exactly helped:

  • Unlock the user that can’t login
  • Add the user to domain admins group, login in, remove the user again from the group
  • Reboot the servers

I have tried your steps but it didn't do the trick.
I don't know if it's the same for you, but for me no user can open the user webpage (even the admin).

Then, for testing purposes, I tried to add my user to sudoers with this:

EDITOR=nano visudo
and add at the bottom of the file
username ALL=(ALL) NOPASSWD:ALL

And it works, I can see the page.
So the problem (IMHO) is that the domain user doesn't have the right to read and execute those files:

Jan 31 15:34:45 Neth248 sudo: user@domain.local : user NOT in sudoers ; TTY=unknown ; PWD=/run/user/1796001315 ; USER=root ; COMMAND=/usr/libexec/nethserver/api/system-settings/read
Jan 31 15:34:46 Neth248 sudo: user@domain.local : command not allowed ; TTY=unknown ; PWD=/run/user/1796001315 ; USER=root ; COMMAND=list
Jan 31 15:34:46 Neth248 sudo: user@domain.local : command not allowed ; TTY=unknown ; PWD=/run/user/1796001315 ; USER=root ; COMMAND=list
Jan 31 15:34:47 Neth248 sudo: user@domain.local : user NOT in sudoers ; TTY=unknown ; PWD=/run/user/1796001315 ; USER=root ; COMMAND=/usr/libexec/nethserver/api/system-password-policy/read
Jan 31 15:34:49 Neth248 sudo: user@domain.local : user NOT in sudoers ; TTY=unknown ; PWD=/run/user/1796001315 ; USER=root ; COMMAND=/usr/libexec/nethserver/api/system-settings/hints
Jan 31 15:34:52 Neth248 sudo: user@domain.local : user NOT in sudoers ; TTY=unknown ; PWD=/run/user/1796001315 ; USER=root ; COMMAND=/usr/libexec/nethserver/api/system-task/read
Jan 31 15:34:54 Neth248 sudo: user@domain.local : user NOT in sudoers ; TTY=unknown ; PWD=/run/user/1796001315 ; USER=root ; COMMAND=/usr/libexec/nethserver/api/system-settings/read

How can I give domain users the right to only those files/executables, so it stays safe and secure?

Nethserver configuration is in /etc/sudoers.d/. In 55_nsapi_perms you find the domain users/admins group.

Please also check the file /etc/sudoers, the last line should be

#includedir /etc/sudoers.d

See also Invalid credentials when logging in to admin webinterface - #32 by mrmarkuz

This is what I have in 55_nsapi_perms:

10base

%locals ALL=NOPASSWD: NSAPI_PUBLIC
%domain\ users ALL=NOPASSWD: NSAPI_PUBLIC

20groups

90admins

%domain\ admins ALL=NOPASSWD: NSAPI_ADMINS, NSAPI_NETHSERVER_ANTIVIRUS, NSAPI_NETHSERVER_BLACKLIST, NSAPI_NETHSERVER_FAIL2BAN, NSAPI_NETHSERVER_FIREWA$
admin ALL=NOPASSWD: NSAPI_ADMINS, NSAPI_NETHSERVER_ANTIVIRUS, NSAPI_NETHSERVER_BLACKLIST, NSAPI_NETHSERVER_FAIL2BAN, NSAPI_NETHSERVER_FIREWALL_BASE, N$

It seems OK, and yes, the last line is #includedir /etc/sudoers.d.
But the only way I manage to get into the user webpage is if I put: username ALL=(ALL) NOPASSWD:ALL
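The `username ALL=(ALL) NOPASSWD:ALL` workaround hands a domain account unrestricted root, which is far more than the user settings page needs. The denials in /var/log/secure already list the exact helpers under /usr/libexec/nethserver/api/ that the page invoked, so a least-privilege rule can be derived from them in the same Cmnd_Alias style that 55_nsapi_perms uses. The following is an added example (not NethServer's code and not the thread author's): it parses sudo denial lines, drops the `COMMAND=list` entries (those are `sudo -l` checks, not executables), refuses to whitelist anything outside the API directory, and renders a sudoers fragment for the domain users group. The alias name NSAPI_USER_SETTINGS and the file name in the usage note are assumptions; the sample log lines are the ones quoted in this thread.

```python
import re

# Sample input: the sudo denial lines quoted earlier in this thread
# (domain name anonymised there), embedded here so the script runs offline.
SECURE_LOG = """\
Jan 31 15:34:45 Neth248 sudo: user@domain.local : user NOT in sudoers ; TTY=unknown ; PWD=/run/user/1796001315 ; USER=root ; COMMAND=/usr/libexec/nethserver/api/system-settings/read
Jan 31 15:34:46 Neth248 sudo: user@domain.local : command not allowed ; TTY=unknown ; PWD=/run/user/1796001315 ; USER=root ; COMMAND=list
Jan 31 15:34:47 Neth248 sudo: user@domain.local : user NOT in sudoers ; TTY=unknown ; PWD=/run/user/1796001315 ; USER=root ; COMMAND=/usr/libexec/nethserver/api/system-password-policy/read
Jan 31 15:34:49 Neth248 sudo: user@domain.local : user NOT in sudoers ; TTY=unknown ; PWD=/run/user/1796001315 ; USER=root ; COMMAND=/usr/libexec/nethserver/api/system-settings/hints
Jan 31 15:34:52 Neth248 sudo: user@domain.local : user NOT in sudoers ; TTY=unknown ; PWD=/run/user/1796001315 ; USER=root ; COMMAND=/usr/libexec/nethserver/api/system-task/read
Jan 31 15:34:54 Neth248 sudo: user@domain.local : user NOT in sudoers ; TTY=unknown ; PWD=/run/user/1796001315 ; USER=root ; COMMAND=/usr/libexec/nethserver/api/system-settings/read
"""

# Matches the two denial forms seen in the thread and captures who asked for what.
SUDO_DENIAL = re.compile(
    r"sudo: (?P<user>\S+) : (?P<reason>user NOT in sudoers|command not allowed) ;"
    r".*? USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.+)$"
)

# Only helpers below this directory may end up in the generated rule.
API_PREFIX = "/usr/libexec/nethserver/api/"


def denied_commands(log_text):
    """Map each denied user to the sorted list of absolute commands sudo refused.

    'COMMAND=list' (a sudo -l check) and anything else that is not an
    absolute path is ignored: it is not an executable to whitelist.
    """
    denied = {}
    for line in log_text.splitlines():
        match = SUDO_DENIAL.search(line)
        if not match:
            continue
        cmd = match.group("cmd").strip()
        if not cmd.startswith("/"):
            continue
        denied.setdefault(match.group("user"), set()).add(cmd)
    return {user: sorted(cmds) for user, cmds in denied.items()}


def sudoers_fragment(alias, group, commands, prefix=API_PREFIX):
    """Render a Cmnd_Alias plus one NOPASSWD rule for a group, sudoers syntax.

    Raises ValueError if any command lies outside `prefix`, so a stray
    denial for a shell or editor can never be whitelisted by accident.
    Spaces in the group name are escaped as in '%domain\\ users'.
    """
    outside = [c for c in commands if not c.startswith(prefix)]
    if outside:
        raise ValueError(f"refusing to whitelist non-API commands: {outside}")
    if not commands:
        raise ValueError("no commands to grant")
    escaped_group = group.replace(" ", "\\ ")
    return (
        f"Cmnd_Alias {alias} = {', '.join(commands)}\n"
        f"%{escaped_group} ALL=NOPASSWD: {alias}\n"
    )


if __name__ == "__main__":
    for user, cmds in denied_commands(SECURE_LOG).items():
        print(f"# denied for {user}")
        # NSAPI_USER_SETTINGS is a hypothetical alias name chosen for this example
        print(sudoers_fragment("NSAPI_USER_SETTINGS", "domain users", cmds))
```

Write the printed fragment to its own file under /etc/sudoers.d (for example a hypothetical `56_user_settings`, mode 0440) and check it with `visudo -c -f /etc/sudoers.d/56_user_settings` before relying on it; then `sudo -l -U 'user@domain.local'` shows whether the new alias is picked up. If the API helpers are already covered by NSAPI_PUBLIC, the rule is redundant and the denial has another cause, but either way the grant stays limited to the four read-only helpers instead of `ALL`.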