Error Joining MS AD

Did you try to login just with username, without domainname?

Are shell policy override and user settings page enabled?

Just the username gives the same error in the logs.

Yes, both are on.

Did you create a dedicated account in AD as explained here?

Maybe there is more information in /var/log/secure ?

Yes, the dedicated account is in place.

We got an interesting thing in the secure logs:
Jan 31 15:34:43 Neth248 cockpit-session: pam_sss(cockpit:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost=127.0.0.1 user=user
Jan 31 15:34:43 Neth248 cockpit-session: pam_listfile(cockpit:auth): Refused user user for service cockpit
Jan 31 15:34:43 Neth248 cockpit-session: pam_unix(cockpit:session): session opened for user user by (uid=0)
Jan 31 15:34:43 Neth248 polkitd[791]: Registered Authentication Agent for unix-session:13 (system bus name :1.332 [cockpit-bridge], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Jan 31 15:34:45 Neth248 sudo: user@domain.local : user NOT in sudoers ; TTY=unknown ; PWD=/run/user/1796001315 ; USER=root ; COMMAND=/usr/libexec/nethserver/api/system-settings/read
Jan 31 15:34:46 Neth248 sudo: user@domain.local : command not allowed ; TTY=unknown ; PWD=/run/user/1796001315 ; USER=root ; COMMAND=list
Jan 31 15:34:46 Neth248 sudo: user@domain.local : command not allowed ; TTY=unknown ; PWD=/run/user/1796001315 ; USER=root ; COMMAND=list
Jan 31 15:34:47 Neth248 sudo: user@domain.local : user NOT in sudoers ; TTY=unknown ; PWD=/run/user/1796001315 ; USER=root ; COMMAND=/usr/libexec/nethserver/api/system-password-policy/read
Jan 31 15:34:49 Neth248 sudo: user@domain.local : user NOT in sudoers ; TTY=unknown ; PWD=/run/user/1796001315 ; USER=root ; COMMAND=/usr/libexec/nethserver/api/system-settings/hints
Jan 31 15:34:52 Neth248 sudo: user@domain.local : user NOT in sudoers ; TTY=unknown ; PWD=/run/user/1796001315 ; USER=root ; COMMAND=/usr/libexec/nethserver/api/system-task/read
Jan 31 15:34:54 Neth248 sudo: user@domain.local : user NOT in sudoers ; TTY=unknown ; PWD=/run/user/1796001315 ; USER=root ; COMMAND=/usr/libexec/nethserver/api/system-settings/read

I tested with Win 2019 as remote AD and the login to the user settings page for setting up 2FA works here. The user settings page is available at https://server.domain.local/user-settings

I created an account “manager” in the Windows AD.


Here are my account provider settings:



Maybe it's because I didn't join the domain with Cockpit but with the old interface.

Why did Cockpit refuse access to the service?
Is there a way to put those users in sudoers so they can read?

When I try to join the domain with Cockpit and copy/paste the command, it fails there:

"steps": 3,
"pid": 4751,
"args": "",
"event": "nethserver-sssd-leave"
}
{
"step": 1,
"pid": 4751,
"action": "S01nethserver-sssd-leave",
"event": "nethserver-sssd-leave",
"state": "running"
}
{
"progress": "0.33",
"time": "0.045413",
"exit": 0,
"event": "nethserver-sssd-leave",
"state": "done",
"step": 1,
"pid": 4751,
"action": "S01nethserver-sssd-leave"
}
{
"step": 2,
"pid": 4751,
"action": "S02nethserver-sssd-cleanup",
"event": "nethserver-sssd-leave",
"state": "running"
}
{
"progress": "0.67",
"time": "0.009512",
"exit": 0,
"event": "nethserver-sssd-leave",
"state": "done",
"step": 2,
"pid": 4751,
"action": "S02nethserver-sssd-cleanup"
}
{
"step": 3,
"pid": 4751,
"action": "S05generic_template_expand",
"event": "nethserver-sssd-leave",
"state": "running"
}
{
"progress": "1.00",
"time": "0.082647",
"exit": 0,
"event": "nethserver-sssd-leave",
"state": "done",
"step": 3,
"pid": 4751,
"action": "S05generic_template_expand"
}
{
"pid": 4751,
"status": "success",
"event": "nethserver-sssd-leave"
}
{
"type": "EventFailed",
"id": 1643678805,
"message": " * Resolving: _ldap._tcp.domain.local\n"

Did you already try to leave and rejoin AD as explained here?

With Cockpit I can't leave or join, I just get an error.
With the old interface leave and join work, but I get the user problem.

I didn’t enable StartTLS, maybe that’s the issue?

The join to AD seems OK even if there's an error message in Cockpit. Let's check if sssd is working by executing the following command:

getent passwd administrator

Here is the messages log part of a working join to a Win Server 2019 DC. You may compare it with your log.
Feb  1 23:20:11 testserver2 esmith::event[30370]: Event: nethserver-sssd-leave
Feb  1 23:20:11 testserver2 systemd: Stopping Realm and Domain Configuration...
Feb  1 23:20:11 testserver2 systemd: Stopped Realm and Domain Configuration.
Feb  1 23:20:11 testserver2 esmith::event[30370]: Action: /etc/e-smith/events/nethserver-sssd-leave/S01nethserver-sssd-leave SUCCESS [0.257295]
Feb  1 23:20:11 testserver2 esmith::event[30370]: [NOTICE] wipe out sssd databases and configuration
Feb  1 23:20:12 testserver2 esmith::event[30370]: Action: /etc/e-smith/events/nethserver-sssd-leave/S02nethserver-sssd-cleanup SUCCESS [0.065549]
Feb  1 23:20:12 testserver2 esmith::event[30370]: expanding /etc/krb5.conf
Feb  1 23:20:12 testserver2 esmith::event[30370]: expanding /etc/samba/smb.conf
Feb  1 23:20:12 testserver2 esmith::event[30370]: Action: /etc/e-smith/events/actions/generic_template_expand SUCCESS [0.832051]
Feb  1 23:20:12 testserver2 esmith::event[30370]: Event: nethserver-sssd-leave SUCCESS
Feb  1 23:20:14 testserver2 /usr/libexec/nethserver/api/system-accounts-provider/update[30369]: /var/lib/nethserver/db/configuration: OLD sssd=service|AdDns||DiscoverDcType|dns|LdapURI||Provider|none|Realm||ShellOverrideStatus|enabled|Workgroup||status|disabled
Feb  1 23:20:14 testserver2 /usr/libexec/nethserver/api/system-accounts-provider/update[30369]: /var/lib/nethserver/db/configuration: NEW sssd=service|AdDns||DiscoverDcType|dns|LdapURI||Provider|none|Realm|DOMAIN.LOCAL|ShellOverrideStatus|enabled|Workgroup||status|disabled
Feb  1 23:20:14 testserver2 /usr/libexec/nethserver/api/system-accounts-provider/update[30369]: /var/lib/nethserver/db/configuration: OLD sssd=service|AdDns||DiscoverDcType|dns|LdapURI||Provider|none|Realm|DOMAIN.LOCAL|ShellOverrideStatus|enabled|Workgroup||status|disabled
Feb  1 23:20:14 testserver2 /usr/libexec/nethserver/api/system-accounts-provider/update[30369]: /var/lib/nethserver/db/configuration: NEW sssd=service|AdDns||DiscoverDcType|dns|LdapURI||Provider|ad|Realm|DOMAIN.LOCAL|ShellOverrideStatus|enabled|Workgroup||status|disabled
Feb  1 23:20:14 testserver2 /usr/libexec/nethserver/api/system-accounts-provider/update[30369]: /var/lib/nethserver/db/configuration: OLD sssd=service|AdDns||DiscoverDcType|dns|LdapURI||Provider|ad|Realm|DOMAIN.LOCAL|ShellOverrideStatus|enabled|Workgroup||status|disabled
Feb  1 23:20:14 testserver2 /usr/libexec/nethserver/api/system-accounts-provider/update[30369]: /var/lib/nethserver/db/configuration: NEW sssd=service|AdDns||BindDN||DiscoverDcType|dns|LdapURI||Provider|ad|Realm|DOMAIN.LOCAL|ShellOverrideStatus|enabled|Workgroup||status|disabled
Feb  1 23:20:14 testserver2 /usr/libexec/nethserver/api/system-accounts-provider/update[30369]: /var/lib/nethserver/db/configuration: OLD sssd=service|AdDns||BindDN||DiscoverDcType|dns|LdapURI||Provider|ad|Realm|DOMAIN.LOCAL|ShellOverrideStatus|enabled|Workgroup||status|disabled
Feb  1 23:20:14 testserver2 /usr/libexec/nethserver/api/system-accounts-provider/update[30369]: /var/lib/nethserver/db/configuration: NEW sssd=service|AdDns||BindDN||BindPassword||DiscoverDcType|dns|LdapURI||Provider|ad|Realm|DOMAIN.LOCAL|ShellOverrideStatus|enabled|Workgroup||status|disabled
Feb  1 23:20:14 testserver2 /usr/libexec/nethserver/api/system-accounts-provider/update[30369]: /var/lib/nethserver/db/configuration: OLD sssd=service|AdDns||BindDN||BindPassword||DiscoverDcType|dns|LdapURI||Provider|ad|Realm|DOMAIN.LOCAL|ShellOverrideStatus|enabled|Workgroup||status|disabled
Feb  1 23:20:14 testserver2 /usr/libexec/nethserver/api/system-accounts-provider/update[30369]: /var/lib/nethserver/db/configuration: NEW sssd=service|AdDns||BindDN||BindPassword||DiscoverDcType|dns|LdapURI|ldap://winserver19.domain.local|Provider|ad|Realm|DOMAIN.LOCAL|ShellOverrideStatus|enabled|Workgroup||status|disabled
Feb  1 23:20:14 testserver2 /usr/libexec/nethserver/api/system-accounts-provider/update[30369]: /var/lib/nethserver/db/configuration: OLD sssd=service|AdDns||BindDN||BindPassword||DiscoverDcType|dns|LdapURI|ldap://winserver19.domain.local|Provider|ad|Realm|DOMAIN.LOCAL|ShellOverrideStatus|enabled|Workgroup||status|disabled
Feb  1 23:20:14 testserver2 /usr/libexec/nethserver/api/system-accounts-provider/update[30369]: /var/lib/nethserver/db/configuration: NEW sssd=service|AdDns||BindDN||BindPassword||DiscoverDcType|dns|LdapURI|ldap://winserver19.domain.local|Provider|ad|Realm|DOMAIN.LOCAL|ShellOverrideStatus|enabled|StartTls|disabled|Workgroup||status|disabled
Feb  1 23:20:14 testserver2 /usr/libexec/nethserver/api/system-accounts-provider/update[30369]: /var/lib/nethserver/db/configuration: OLD sssd=service|AdDns||BindDN||BindPassword||DiscoverDcType|dns|LdapURI|ldap://winserver19.domain.local|Provider|ad|Realm|DOMAIN.LOCAL|ShellOverrideStatus|enabled|StartTls|disabled|Workgroup||status|disabled
Feb  1 23:20:14 testserver2 /usr/libexec/nethserver/api/system-accounts-provider/update[30369]: /var/lib/nethserver/db/configuration: NEW sssd=service|AdDns||BindDN||BindPassword||DiscoverDcType|dns|LdapURI|ldap://winserver19.domain.local|Provider|ad|Realm|DOMAIN.LOCAL|ShellOverrideStatus|enabled|StartTls|disabled|UserDN|DC=domain,DC=local|Workgroup||status|disabled
Feb  1 23:20:14 testserver2 /usr/libexec/nethserver/api/system-accounts-provider/update[30369]: /var/lib/nethserver/db/configuration: OLD sssd=service|AdDns||BindDN||BindPassword||DiscoverDcType|dns|LdapURI|ldap://winserver19.domain.local|Provider|ad|Realm|DOMAIN.LOCAL|ShellOverrideStatus|enabled|StartTls|disabled|UserDN|DC=domain,DC=local|Workgroup||status|disabled
Feb  1 23:20:14 testserver2 /usr/libexec/nethserver/api/system-accounts-provider/update[30369]: /var/lib/nethserver/db/configuration: NEW sssd=service|AdDns||BindDN||BindPassword||DiscoverDcType|dns|GroupDN|DC=domain,DC=local|LdapURI|ldap://winserver19.domain.local|Provider|ad|Realm|DOMAIN.LOCAL|ShellOverrideStatus|enabled|StartTls|disabled|UserDN|DC=domain,DC=local|Workgroup||status|disabled
Feb  1 23:20:14 testserver2 /usr/libexec/nethserver/api/system-accounts-provider/update[30369]: /var/lib/nethserver/db/configuration: OLD sssd=service|AdDns||BindDN||BindPassword||DiscoverDcType|dns|GroupDN|DC=domain,DC=local|LdapURI|ldap://winserver19.domain.local|Provider|ad|Realm|DOMAIN.LOCAL|ShellOverrideStatus|enabled|StartTls|disabled|UserDN|DC=domain,DC=local|Workgroup||status|disabled
Feb  1 23:20:14 testserver2 /usr/libexec/nethserver/api/system-accounts-provider/update[30369]: /var/lib/nethserver/db/configuration: NEW sssd=service|AdDns||BaseDN|DC=domain,DC=local|BindDN||BindPassword||DiscoverDcType|dns|GroupDN|DC=domain,DC=local|LdapURI|ldap://winserver19.domain.local|Provider|ad|Realm|DOMAIN.LOCAL|ShellOverrideStatus|enabled|StartTls|disabled|UserDN|DC=domain,DC=local|Workgroup||status|disabled
Feb  1 23:20:16 testserver2 /usr/libexec/nethserver/api/system-accounts-provider/update[30369]: /var/lib/nethserver/db/configuration: OLD sssd=service|AdDns||BaseDN|DC=domain,DC=local|BindDN||BindPassword||DiscoverDcType|dns|GroupDN|DC=domain,DC=local|LdapURI|ldap://winserver19.domain.local|Provider|ad|Realm|DOMAIN.LOCAL|ShellOverrideStatus|enabled|StartTls|disabled|UserDN|DC=domain,DC=local|Workgroup||status|disabled
Feb  1 23:20:16 testserver2 /usr/libexec/nethserver/api/system-accounts-provider/update[30369]: /var/lib/nethserver/db/configuration: NEW sssd=service|AdDns||BaseDN|DC=domain,DC=local|BindDN||BindPassword||DiscoverDcType|dns|GroupDN|DC=domain,DC=local|LdapURI|ldap://winserver19.domain.local|Provider|ad|Realm|DOMAIN.LOCAL|ShellOverrideStatus|enabled|StartTls|disabled|UserDN|DC=domain,DC=local|Workgroup|DOMAIN|status|disabled
Feb  1 23:20:16 testserver2 dbus[676]: [system] Activating via systemd: service name='org.freedesktop.realmd' unit='realmd.service'
Feb  1 23:20:16 testserver2 systemd: Starting Realm and Domain Configuration...
Feb  1 23:20:17 testserver2 dbus[676]: [system] Successfully activated service 'org.freedesktop.realmd'
Feb  1 23:20:17 testserver2 systemd: Started Realm and Domain Configuration.
Feb  1 23:20:17 testserver2 realmd: * Resolving: _ldap._tcp.domain.local
Feb  1 23:20:17 testserver2 realmd: * Performing LDAP DSE lookup on: 192.168.1.177
Feb  1 23:20:17 testserver2 realmd: * Successfully discovered: domain.local
Feb  1 23:20:17 testserver2 dbus[676]: [system] Activating via systemd: service name='org.freedesktop.hostname1' unit='dbus-org.freedesktop.hostname1.service'
Feb  1 23:20:17 testserver2 systemd: Starting Hostname Service...
Feb  1 23:20:17 testserver2 realmd: * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
Feb  1 23:20:17 testserver2 realmd: * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.6ID1G1 -U administrator@domain.local ads join domain.local
Feb  1 23:20:17 testserver2 dbus[676]: [system] Successfully activated service 'org.freedesktop.hostname1'
Feb  1 23:20:17 testserver2 systemd: Started Hostname Service.
Feb  1 23:20:21 testserver2 realmd: Enter administrator@domain.local's password:
Feb  1 23:20:21 testserver2 realmd: Using short domain name -- DOMAIN
Feb  1 23:20:21 testserver2 realmd: Joined 'TESTSERVER2' to dns domain 'domain.local'
Feb  1 23:20:21 testserver2 realmd: * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.6ID1G1 -U administrator@domain.local ads keytab create
Feb  1 23:20:23 testserver2 realmd: Enter administrator@domain.local's password:
Feb  1 23:20:23 testserver2 realmd: * /usr/bin/systemctl enable sssd.service
Feb  1 23:20:23 testserver2 realmd: Created symlink from /etc/systemd/system/multi-user.target.wants/sssd.service to /usr/lib/systemd/system/sssd.service.
Feb  1 23:20:23 testserver2 systemd: Reloading.
Feb  1 23:20:24 testserver2 systemd: [/usr/lib/systemd/system/netdata.service:71] Unknown lvalue 'ProtectControlGroups' in section 'Service'
Feb  1 23:20:24 testserver2 realmd: * /usr/bin/systemctl restart sssd.service
Feb  1 23:20:24 testserver2 systemd: Starting System Security Services Daemon...
Feb  1 23:20:25 testserver2 sssd[sssd]: Starting up
Feb  1 23:20:25 testserver2 sssd[be[domain.local]]: Starting up
Feb  1 23:20:25 testserver2 sssd[nss]: Starting up
Feb  1 23:20:25 testserver2 sssd[pam]: Starting up
Feb  1 23:20:25 testserver2 systemd: Started System Security Services Daemon.
Feb  1 23:20:25 testserver2 systemd: Reached target User and Group Name Lookups.
Feb  1 23:20:25 testserver2 realmd: * /usr/bin/sh -c /usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service
Feb  1 23:20:26 testserver2 sssd: tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Server not found in Kerberos database.
Feb  1 23:20:26 testserver2 sssd: tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Server not found in Kerberos database.
Feb  1 23:20:27 testserver2 systemd: Reloading.
Feb  1 23:20:27 testserver2 systemd: [/usr/lib/systemd/system/netdata.service:71] Unknown lvalue 'ProtectControlGroups' in section 'Service'
Feb  1 23:20:28 testserver2 systemd: Reloading.
Feb  1 23:20:28 testserver2 systemd: [/usr/lib/systemd/system/netdata.service:71] Unknown lvalue 'ProtectControlGroups' in section 'Service'
Feb  1 23:20:29 testserver2 systemd: Reloading.
Feb  1 23:20:29 testserver2 systemd: [/usr/lib/systemd/system/netdata.service:71] Unknown lvalue 'ProtectControlGroups' in section 'Service'
Feb  1 23:20:29 testserver2 systemd: Started privileged operations for unprivileged applications.
Feb  1 23:20:30 testserver2 realmd: * Successfully enrolled machine in realm
Feb  1 23:20:30 testserver2 /usr/libexec/nethserver/api/system-accounts-provider/update[30369]: /var/lib/nethserver/db/configuration: OLD sssd=service|AdDns||BaseDN|DC=domain,DC=local|BindDN||BindPassword||DiscoverDcType|dns|GroupDN|DC=domain,DC=local|LdapURI|ldap://winserver19.domain.local|Provider|ad|Realm|DOMAIN.LOCAL|ShellOverrideStatus|enabled|StartTls|disabled|UserDN|DC=domain,DC=local|Workgroup|DOMAIN|status|disabled
Feb  1 23:20:30 testserver2 /usr/libexec/nethserver/api/system-accounts-provider/update[30369]: /var/lib/nethserver/db/configuration: NEW sssd=service|AdDns||BaseDN|DC=domain,DC=local|BindDN||BindPassword||DiscoverDcType|dns|GroupDN|DC=domain,DC=local|LdapURI|ldap://winserver19.domain.local|Provider|ad|Realm|DOMAIN.LOCAL|ShellOverrideStatus|enabled|StartTls|disabled|UserDN|DC=domain,DC=local|Workgroup|DOMAIN|status|enabled
Feb  1 23:20:31 testserver2 esmith::event[30867]: Event: nethserver-sssd-save
Feb  1 23:20:31 testserver2 systemd: Stopping System Security Services Daemon...
Feb  1 23:20:31 testserver2 sssd[be[domain.local]]: Shutting down
Feb  1 23:20:31 testserver2 sssd[nss]: Shutting down
Feb  1 23:20:31 testserver2 sssd[pam]: Shutting down
Feb  1 23:20:31 testserver2 systemd: Stopped System Security Services Daemon.
Feb  1 23:20:31 testserver2 esmith::event[30867]: [NOTICE] wipe out sssd databases and configuration
Feb  1 23:20:31 testserver2 esmith::event[30867]: Action: /etc/e-smith/events/nethserver-sssd-save/S01nethserver-sssd-cleanup SUCCESS [0.15743]
Feb  1 23:20:31 testserver2 esmith::event[30867]: expanding /etc/krb5.conf
Feb  1 23:20:32 testserver2 esmith::event[30867]: expanding /etc/backup-config.d/nethserver-sssd.include
Feb  1 23:20:32 testserver2 esmith::event[30867]: expanding /etc/openldap/ldap.conf
Feb  1 23:20:32 testserver2 esmith::event[30867]: expanding /etc/samba/smb.conf
Feb  1 23:20:32 testserver2 esmith::event[30867]: expanding /etc/sssd/sssd.conf
Feb  1 23:20:32 testserver2 esmith::event[30867]: expanding /etc/nethserver/cockpit.allow
Feb  1 23:20:32 testserver2 esmith::event[30867]: expanding /etc/nethserver/ldappasswd.conf
Feb  1 23:20:32 testserver2 esmith::event[30867]: expanding /etc/pam.d/cockpit
Feb  1 23:20:32 testserver2 esmith::event[30867]: expanding /etc/ssh/sshd_config
Feb  1 23:20:33 testserver2 esmith::event[30867]: Action: /etc/e-smith/events/actions/generic_template_expand SUCCESS [1.630746]
Feb  1 23:20:34 testserver2 esmith::event[30867]: Action: /etc/e-smith/events/nethserver-sssd-save/S20nethserver-sssd-conf SUCCESS [1.242847]
Feb  1 23:20:37 testserver2 esmith::event[30867]: Action: /etc/e-smith/events/nethserver-sssd-save/S30nethserver-sssd-initkeytabs SUCCESS [3.465462]
Feb  1 23:20:38 testserver2 esmith::event[30867]: Action: /etc/e-smith/events/nethserver-sssd-save/S80nethserver-sssd-notifyclients SUCCESS [0.568598]
Feb  1 23:20:38 testserver2 systemd: Reloading.
Feb  1 23:20:39 testserver2 systemd: [/usr/lib/systemd/system/netdata.service:71] Unknown lvalue 'ProtectControlGroups' in section 'Service'
Feb  1 23:20:39 testserver2 systemd: Starting System Security Services Daemon...
Feb  1 23:20:40 testserver2 sssd[sssd]: Starting up
Feb  1 23:20:40 testserver2 sssd[be[domain.local]]: Starting up
Feb  1 23:20:41 testserver2 sssd[nss]: Starting up
Feb  1 23:20:41 testserver2 sssd[pam]: Starting up
Feb  1 23:20:41 testserver2 systemd: Started System Security Services Daemon.
Feb  1 23:20:41 testserver2 esmith::event[30867]: [INFO] sssd has been started
Feb  1 23:20:41 testserver2 systemd: Reloading.
Feb  1 23:20:41 testserver2 systemd: [/usr/lib/systemd/system/netdata.service:71] Unknown lvalue 'ProtectControlGroups' in section 'Service'
Feb  1 23:20:42 testserver2 esmith::event[30867]: [INFO] service sshd restart
Feb  1 23:20:42 testserver2 systemd: Stopping OpenSSH server daemon...
Feb  1 23:20:42 testserver2 sshd[908]: Received signal 15; terminating.
Feb  1 23:20:42 testserver2 systemd: Stopped OpenSSH server daemon.
Feb  1 23:20:42 testserver2 sshd[31998]: Server listening on 0.0.0.0 port 2222.
Feb  1 23:20:42 testserver2 systemd: Starting OpenSSH server daemon...
Feb  1 23:20:42 testserver2 sshd[31998]: Server listening on :: port 2222.
Feb  1 23:20:42 testserver2 systemd: Started OpenSSH server daemon.
Feb  1 23:20:42 testserver2 esmith::event[30867]: Action: /etc/e-smith/events/actions/adjust-services SUCCESS [4.370187]
Feb  1 23:20:42 testserver2 esmith::event[30867]: Event: nethserver-sssd-save SUCCESS


The main difference is here:
Feb 2 11:51:16 Neth248 realmd: Enter administrator@domain.local's password:
Feb 2 11:51:16 Neth248 realmd: Failed to join domain: failed to lookup DC info for domain 'domain.local' over rpc: The attempted logon is invalid. This is either due to a bad username or authentication information.
Feb 2 11:51:16 Neth248 realmd: ! Joining the domain domain.local failed

After that error NethServer reverts everything and the sssd service doesn't want to start.

Oh, and about StartTLS: I saw too that you don't have it, so I tried with and without, but same result.

Sorry, I'm out of ideas. From the log it seems like bad credentials, but you already excluded that.
Did you try to create a new admin account with a simple password on the DC for joining, maybe it’s an issue with a special char in the password?

Please also check (if not already done):

  • NethServer should just use the DC as primary DNS server
  • dc.domain.local and domain.local should be pingable from the NethServer and return the IP of the DC

Oh yes, you nailed it!
The admin password was too complex.
Cockpit joins the domain and I managed to leave and join again.
Sadly the user web page still does not work, with the same error:
system-task/read

Great that the AD join worked now.

I think I could reproduce the login issue. It was not possible to login to the user settings page and I got the following error in the messages log:

cockpit-session: pam_listfile(cockpit:auth): Refused user markus for service cockpit

I didn’t get this one.

I did the following steps and it worked again but I’m not sure what exactly helped:

  • Unlock the user that can’t login
  • Add the user to domain admins group, login in, remove the user again from the group
  • Reboot the servers

I have tried your steps but it didn't do the trick.
I don't know if it's the same for you, but for me no user can open the user webpage (even the admin).

Then I tried, for testing purposes, to add my user to sudoers with this:

EDITOR=nano visudo
and add at the bottom of the file
username ALL=(ALL) NOPASSWD:ALL

And it works, I can see the page.
So the problem (IMHO) is that the domain user doesn't have the right to read and execute those files:

Jan 31 15:34:45 Neth248 sudo: user@domain.local : user NOT in sudoers ; TTY=unknown ; PWD=/run/user/1796001315 ; USER=root ; COMMAND=/usr/libexec/nethserver/api/system-settings/read
Jan 31 15:34:46 Neth248 sudo: user@domain.local : command not allowed ; TTY=unknown ; PWD=/run/user/1796001315 ; USER=root ; COMMAND=list
Jan 31 15:34:46 Neth248 sudo: user@domain.local : command not allowed ; TTY=unknown ; PWD=/run/user/1796001315 ; USER=root ; COMMAND=list
Jan 31 15:34:47 Neth248 sudo: user@domain.local : user NOT in sudoers ; TTY=unknown ; PWD=/run/user/1796001315 ; USER=root ; COMMAND=/usr/libexec/nethserver/api/system-password-policy/read
Jan 31 15:34:49 Neth248 sudo: user@domain.local : user NOT in sudoers ; TTY=unknown ; PWD=/run/user/1796001315 ; USER=root ; COMMAND=/usr/libexec/nethserver/api/system-settings/hints
Jan 31 15:34:52 Neth248 sudo: user@domain.local : user NOT in sudoers ; TTY=unknown ; PWD=/run/user/1796001315 ; USER=root ; COMMAND=/usr/libexec/nethserver/api/system-task/read
Jan 31 15:34:54 Neth248 sudo: user@domain.local : user NOT in sudoers ; TTY=unknown ; PWD=/run/user/1796001315 ; USER=root ; COMMAND=/usr/libexec/nethserver/api/system-settings/read

How can I give domain users the right to only those files/executables, so it stays safe and secure?

Nethserver configuration is in /etc/sudoers.d/. In 55_nsapi_perms you find the domain users/admins group.

Please also check the file /etc/sudoers, the last line should be

#includedir /etc/sudoers.d

See also Invalid credentials when logging in to admin webinterface - #32 by mrmarkuz

This is what I have in 55_nsapi_perms:

10base

%locals ALL=NOPASSWD: NSAPI_PUBLIC
%domain\ users ALL=NOPASSWD: NSAPI_PUBLIC

20groups

90admins

%domain\ admins ALL=NOPASSWD: NSAPI_ADMINS, NSAPI_NETHSERVER_ANTIVIRUS, NSAPI_NETHSERVER_BLACKLIST, NSAPI_NETHSERVER_FAIL2BAN, NSAPI_NETHSERVER_FIREWA$
admin ALL=NOPASSWD: NSAPI_ADMINS, NSAPI_NETHSERVER_ANTIVIRUS, NSAPI_NETHSERVER_BLACKLIST, NSAPI_NETHSERVER_FAIL2BAN, NSAPI_NETHSERVER_FIREWALL_BASE, N$

It seems OK, and yes, the last line is #includedir /etc/sudoers.d.
But the only way I manage to get into the user webpage is if I put: username ALL=(ALL) NOPASSWD:ALL

Is this all OK?

[root@nethserver211 sudoers.d]# visudo -c
/etc/sudoers: parsed OK
/etc/sudoers.d/10_nethserver: parsed OK
/etc/sudoers.d/20_nethserver_backup_config: parsed OK
/etc/sudoers.d/20_nethserver_base: parsed OK
/etc/sudoers.d/20_nethserver_httpd_admin: parsed OK
/etc/sudoers.d/20_nethserver_openvpn: parsed OK
/etc/sudoers.d/20_nethserver_sssd: parsed OK
/etc/sudoers.d/20_nethserver_subscription: parsed OK
/etc/sudoers.d/20_nethserver_suricata: parsed OK
/etc/sudoers.d/30_httpd_app_launcher: parsed OK
/etc/sudoers.d/40_nethserver_restore_data: bad permissions, should be mode 0440
/etc/sudoers.d/50_nsapi: parsed OK
/etc/sudoers.d/50_nsapi_nethserver_antivirus: parsed OK
/etc/sudoers.d/50_nsapi_nethserver_blacklist: parsed OK
/etc/sudoers.d/50_nsapi_nethserver_cgp: bad permissions, should be mode 0440
/etc/sudoers.d/50_nsapi_nethserver_fail2ban: parsed OK
/etc/sudoers.d/50_nsapi_nethserver_firewall_base: parsed OK
/etc/sudoers.d/50_nsapi_nethserver_httpd: parsed OK
/etc/sudoers.d/50_nsapi_nethserver_ntopng: parsed OK
/etc/sudoers.d/50_nsapi_nethserver_restore_data: bad permissions, should be mode 0440
/etc/sudoers.d/50_nsapi_nethserver_squid: parsed OK
/etc/sudoers.d/50_nsapi_nethserver_suricata: parsed OK
/etc/sudoers.d/50_nsapi_nethserver_vpn_ui: parsed OK
/etc/sudoers.d/55_nsapi_perms: parsed OK
/etc/sudoers.d/ntopng: bad permissions, should be mode 0440

I don’t think it’s an issue.
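A cross-check of the two things this thread ended up comparing: the sudo denials in /var/log/secure and the grants in /etc/sudoers.d. This is an added example, not NethServer's code and not something anyone in the thread ran. It parses sudoers.d fragments (Cmnd_Alias expansion, the `%domain\ users` escaped-space syntax, NOPASSWD tags), flags what `visudo -c` does not, namely blanket `ALL` grants like the `username ALL=(ALL) NOPASSWD:ALL` workaround above (that line gives one domain account passwordless root for every command, which is exactly what the NSAPI_PUBLIC alias is there to avoid) and alias names that nothing defines, and for each denied command in the log lists which principals hold a grant for it. If a denied command is granted to `%domain users`, the rule itself is fine and the thing to verify is that `id user@domain.local` actually shows that group. The Cmnd_Alias bodies, the `99_workaround` file and the `load_dir` helper are assumptions made for the example; the two log lines are the ones posted above.

```python
"""Cross-check sudo denials from /var/log/secure against /etc/sudoers.d grants. Added example for
this thread, not NethServer code; the sample data below is constructed and partly assumed."""
import os
import re
import stat
from typing import Dict, Iterator, List, Tuple

Fragment = Tuple[str, int, str]  # (file name, mode bits, contents), one per sudoers.d file
# Optional '(Runas_List)' followed by any number of 'TAG:' prefixes, as in 'ALL=(ALL) NOPASSWD:ALL'
SPEC_RE = re.compile(r"^(?:\(([^)]*)\)\s*)?((?:(?:NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|"
                     r"LOG_INPUT|NOLOG_INPUT|LOG_OUTPUT|NOLOG_OUTPUT|MAIL|NOMAIL|FOLLOW|NOFOLLOW)\s*:\s*)*)")
DENIED_RE = re.compile(r"sudo: (?P<user>\S+) : (?:user NOT in sudoers|command not allowed) ;"
                       r".*COMMAND=(?P<cmd>\S+)")

def _items(text: str) -> List[str]:
    return [t.strip() for t in text.split(",") if t.strip()]

def _lines(text: str) -> Iterator[str]:
    """Logical lines: backslash continuations joined; comments, Defaults and other aliases dropped."""
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", "Defaults", "User_Alias", "Host_Alias", "Runas_Alias")):
            yield line

def parse_rules(fragments: List[Fragment]) -> Iterator[Tuple[str, str, str, List[str], List[str]]]:
    """Yield (file, principal, runas, tags, commands) with Cmnd_Aliases expanded. Aliases are
    collected from all files first, since 55_nsapi_perms uses ones that 50_nsapi* define. A
    principal keeps sudoers syntax, so a group is '%domain users' (the file escapes the space)."""
    aliases: Dict[str, List[str]] = {}
    for _, _, text in fragments:
        for line in _lines(text):
            if line.startswith("Cmnd_Alias"):
                name, cmds = line.split(None, 1)[1].split("=", 1)
                aliases[name.strip()] = _items(cmds)
    for name, _, text in fragments:
        for line in _lines(text):
            if line.startswith("Cmnd_Alias"):
                continue
            left, right = (part.strip() for part in line.split("=", 1))
            tokens = left.replace("\\ ", "\x00").split()  # the last token is the Host_List
            principals = [p.replace("\x00", " ") for p in _items(" ".join(tokens[:-1]))]
            m = SPEC_RE.match(right)
            runas, tags = m.group(1) or "root", re.findall(r"[A-Z_]+", m.group(2))
            commands = [c for item in _items(right[m.end():]) for c in aliases.get(item, [item])]
            for principal in principals:
                yield name, principal, runas, tags, commands

def audit(fragments: List[Fragment]) -> List[str]:
    """What visudo -c does not report: blanket ALL grants and alias names that nothing defines."""
    findings = []
    for name, mode, _ in fragments:
        if stat.S_IMODE(mode) != 0o440:
            findings.append(f"{name}: mode {stat.S_IMODE(mode):04o}, visudo -c wants 0440")
    for name, principal, runas, tags, commands in parse_rules(fragments):
        if "ALL" in commands:
            findings.append(f"{name}: {principal} may run ANY command as {runas}"
                            + (" without a password" if "NOPASSWD" in tags else ""))
        for c in commands:
            if c != "ALL" and re.fullmatch(r"[A-Z][A-Z0-9_]*", c):
                findings.append(f"{name}: {principal} uses undefined Cmnd_Alias {c}")
    return findings

def explain_denials(fragments: List[Fragment], secure_log: str) -> Dict[str, List[str]]:
    """Map each denied 'user -> COMMAND' to the principals that ARE granted it. Non-empty means the
    rule exists and `id user@domain.local` should list that group; empty means no rule covers it."""
    granted: Dict[str, List[str]] = {}
    for name, principal, _, _, commands in parse_rules(fragments):
        for c in commands:
            granted.setdefault(c, []).append(f"{principal} ({name})")
    out: Dict[str, List[str]] = {}
    for m in filter(None, map(DENIED_RE.search, secure_log.splitlines())):
        out[f"{m['user']} -> {m['cmd']}"] = granted.get(m["cmd"], []) + granted.get("ALL", [])
    return out

def load_dir(path: str = "/etc/sudoers.d") -> List[Fragment]:
    """Read a real includedir as sudo does: lexical order, skipping names with '.' or ending in '~'."""
    out = []
    for n in sorted(os.listdir(path)):
        if "." not in n and not n.endswith("~"):
            with open(os.path.join(path, n)) as fh:
                out.append((n, stat.S_IMODE(os.fstat(fh.fileno()).st_mode), fh.read()))
    return out

# Constructed sample modelled on the thread; the Cmnd_Alias bodies are an assumption (the real
# 50_nsapi* files list many more paths), the command paths are the ones in the thread's sudo log.
SUDOERS_D: List[Fragment] = [
    ("50_nsapi", 0o440, "Cmnd_Alias NSAPI_PUBLIC = /usr/libexec/nethserver/api/system-settings/read, \\\n"
     "    /usr/libexec/nethserver/api/system-task/read\n"
     "Cmnd_Alias NSAPI_ADMINS = /usr/libexec/nethserver/api/system-settings/update\n"),
    ("55_nsapi_perms", 0o440, "%locals ALL=NOPASSWD: NSAPI_PUBLIC\n"
     "%domain\\ users ALL=NOPASSWD: NSAPI_PUBLIC\n"
     "%domain\\ admins ALL=NOPASSWD: NSAPI_ADMINS, NSAPI_NETHSERVER_FIREWALL_BASE\n"),
    ("99_workaround", 0o644, "username ALL=(ALL) NOPASSWD:ALL\n"),  # the test hack from the thread
]
SECURE_LOG = ("Jan 31 15:34:45 Neth248 sudo: user@domain.local : user NOT in sudoers ; TTY=unknown ; PWD=/run/user/1796001315 ; USER=root ; COMMAND=/usr/libexec/nethserver/api/system-settings/read\n"
              "Jan 31 15:34:46 Neth248 sudo: user@domain.local : command not allowed ; TTY=unknown ; PWD=/run/user/1796001315 ; USER=root ; COMMAND=list\n")

if __name__ == "__main__":
    print(*audit(SUDOERS_D), sep="\n")
    for denial, holders in explain_denials(SUDOERS_D, SECURE_LOG).items():
        print(denial, "is granted to:", holders or "nobody")
```

Run as-is it reports three findings on the constructed sample (the 0644 mode, the undefined alias, and the blanket grant to `username`) and shows that `system-settings/read` is granted to `%locals` and `%domain users`, so a denial for a domain user points at group resolution rather than at the rule. On a NethServer box, `audit(load_dir())` and `explain_denials(load_dir(), open('/var/log/secure').read())` run as root apply the same checks to the real files.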

Perfect, I will.
I have another problem with the OTP now, but I will open a new topic.

Infinite thanks for all the help and the time. I hope it can help other folks.
