
I've got an AD domain joined Ubuntu 22.04 server. I need to be able to log on to it using credentials from a trusted domain that is attached to the AD domain that the server is a member of. Logon is not working using the trusted domain credentials. The following packages are installed:

winbind, krb5-user, sssd-ad, samba

The domains are domain1.org and domain2.local. domain1.org is the domain that my server is joined to, and domain2.local is the trusted domain.

I can log on using domain1.org creds, and all the following commands work:

ping domain1.org
ping domain2.local

id [email protected]
id [email protected]
wbinfo -i [email protected]
wbinfo -i [email protected]

wbinfo -n [email protected]
net cache flush
wbinfo --sid-to-uid <SID returned in the wbinfo -n command>

I am not able to log on to this Ubuntu server using domain2.local creds. I do have a Rocky Linux server that is set up pretty much the same way as this one, and I am able to log on using domain2.local creds.

Here are the samba, sssd, nsswitch, and krb5 configs:

/etc/samba/smb.conf

[global]
workgroup = DOMAIN1
realm = DOMAIN1.ORG
netbios name = MYTEST
security = ads
server signing = mandatory
client signing = mandatory
client lanman auth = no
min protocol = SMB2
client min protocol = SMB2
client max protocol = SMB3

restrict anonymous = 2
os level = 0
preferred master = no
local master = no
domain master = no

kerberos method = secrets and keytab

load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
template homedir = /home/%D/%U
template shell = /bin/bash

map acl inherit = yes
nt acl support = yes
inherit acls = Yes
acl group control = yes

log level = 10
max log size = 10
log file = /var/log/samba/samba.log

winbind use default domain = yes
idmap config * : range = 1100-65534
idmap config * : backend = tdb
idmap config * : backend = autorid
idmap config * : range = 1000000-999999999

/etc/sssd/conf.d/sssd.conf

[sssd]
config_file_version = 2
domains = DOMAIN1.ORG
reconnection_retries = 3
services = nss, pam, ssh, autofs

[domain/DOMAIN1.ORG]
#debug_level = 9
ad_hostname = mytest.domain1.org
id_provider = ad
auth_provider = ad
access_provider = ad
override_homedir = /home/%d/%u
default_shell = /bin/bash
cache_credentials = True
krb5_store_password_if_offline = True
krb5_realm = DOMAIN1.ORG
fallback_homedir = /home/%u/%d
ad_domain = domain1.org
use_fully_qualified_names = False
case_sensitive = False
ad_gpo_ignore_unreadable = True
dyndns_update = true
dyndns_refresh_interval = 43200
ad_update_samba_machine_account_password = True

[nss]
filter_users = root

[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5

/etc/nsswitch.conf

passwd:         files winbind systemd sss
group:          files winbind systemd sss
shadow:         files sss
gshadow:        files

hosts:          files resolve dns
networks:       files

protocols:      db files
services:       db files sss
ethers:         db files
rpc:            db files

netgroup:       nis sss
automount:      sss

/etc/krb5.conf

[logging]
   default = FILE:/var/log/krb5.log

[libdefaults]
   default_realm = DOMAIN1.ORG
   dns_lookup_realm = true
   dns_lookup_kdc = true
   ticket_lifetime = 24h
   renew_lifetime = 7d
   forwardable = true
   udp_preference_limit = 1

I appreciate any and all comments and/or assistance. Thanks!

Redeye


First of all,

apt-get purge sssd

There is no point in running both sssd and winbind, and you need winbind for the trusts.

Second, fix your smb.conf. This is wrong:

winbind use default domain = yes
idmap config * : range = 1100-65534
idmap config * : backend = tdb
idmap config * : backend = autorid
idmap config * : range = 1000000-999999999

The last two lines override the two above them, and you cannot use winbind use default domain = yes with the autorid idmap backend. Remove the top three lines above and, provided the required trusts are in place, it should work.

roaima
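As an added illustration of the two problems the answer points out (not code from the answer or from Samba), here is a small smb.conf checker that flags duplicated [global] keys, where Samba's last-definition-wins rule silently discards the earlier value, and the winbind use default domain = yes / autorid combination. The two excerpts are constructed from the idmap lines quoted on this page; parse_smb_conf and check_idmap are hypothetical helper names.

```python
import re
from typing import Dict, List, Tuple

# Constructed [global] excerpt mirroring the idmap lines the answer calls wrong.
ORIGINAL_GLOBAL = """
[global]
workgroup = DOMAIN1
winbind use default domain = yes
idmap config * : range = 1100-65534
idmap config * : backend = tdb
idmap config * : backend = autorid
idmap config * : range = 1000000-999999999
"""

# The same excerpt with the three lines the answer says to remove taken out.
FIXED_GLOBAL = """
[global]
workgroup = DOMAIN1
idmap config * : backend = autorid
idmap config * : range = 1000000-999999999
"""

def parse_smb_conf(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Parse smb.conf text into {section: [(key, value), ...]}, keeping duplicate
    keys in file order. Keys are lowercased with whitespace collapsed so that
    'idmap config * : backend' matches however it was spaced."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        m = re.match(r"^\[(.+)\]$", line)
        if m:                             # [section] header
            current = m.group(1).strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current].append((re.sub(r"\s+", " ", key.strip().lower()), value.strip()))
    return sections

def check_idmap(text: str) -> List[str]:
    """Return findings: every [global] key defined twice (the later value wins in Samba)
    plus the 'winbind use default domain = yes' with autorid combination from the answer."""
    findings: List[str] = []
    effective: Dict[str, str] = {}
    for key, value in parse_smb_conf(text).get("global", []):
        if key in effective:
            findings.append(f"duplicate '{key}': '{effective[key]}' is overridden by '{value}'")
        effective[key] = value
    if (effective.get("winbind use default domain", "no").lower() in ("yes", "true", "1")
            and effective.get("idmap config * : backend", "").lower() == "autorid"):
        findings.append("'winbind use default domain = yes' cannot be used with the autorid backend")
    return findings
```

Running check_idmap on ORIGINAL_GLOBAL reports the overridden backend and range lines and the autorid conflict, while FIXED_GLOBAL comes back clean.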
  • Hi and welcome to the site. I saw the comments in your original post about not being able to ask and that's odd: there is no reputation requirement for asking or answering questions. There is a minimum rep for commenting as a spam prevention measure, but not for asking/answering. As for not being able to register, that is particularly weird. Unfortunately, I can't help there (I'm a mod, but mods don't have access to login logs), could you maybe use https://unix.stackexchange.com/contact to let the admins know? Could it be getting lost as spam? – terdon Apr 07 '23 at 11:23
  • Thank you for the smb.conf info. It turns out that I had to install libpam-winbind and libnss-winbind, and then it started working. I also had to remove sssd, as you suggested. – Redeye Apr 08 '23 at 21:32
  • They are the links between Samba and nsswitch and you will not get any user or groups without them. – Rowland Penny Apr 10 '23 at 09:09