SSSD with AD - No such user

cqc0988

SSSD with AD - No such user

Post by cqc0988 » 2015/11/30 21:44:29

Dear all,

I am new to SSSD and would like to use it to authenticate Windows AD users on our Linux (CentOS 7) machine. After joining the Linux machine to the Windows Active Directory successfully with "realm join mydomain -U domainadminuser", I am able to see the computer account created in AD.

Difficulties:
I am experiencing some difficulties with user identification. After joining the domain successfully, on the Linux machine I tried to use the "id" command to identify the domain users, but it failed. And of course, it won't let me "ssh" into the system with the AD accounts. Please help.

BTW, the Linux machine can ping / find the DC, and I have tried disabling firewalld on the Linux machine to ensure there is no blocking issue from the Linux end, but no luck.

# id domainuser@mydomain
id: domainuser@mydomain: no such user

Here is the output from "realm list":

[tigeruser@linux etc]# sudo realm list
mydomain
type: kerberos
realm-name: MYDOMAIN
domain-name: mydomain
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common
login-formats: %U@mydomain
login-policy: allow-realm-logins

t3kg33k

Re: SSSD with AD - No such user

Post by t3kg33k » 2016/05/19 12:39:29

I'm having the same issue.
Anyone know how to fix this?

ephos

Re: SSSD with AD - No such user

Post by ephos » 2016/05/23 14:47:26

I am also having this issue.

saerom

Re: SSSD with AD - No such user

Post by saerom » 2016/05/27 11:24:38

Also having this problem. When setting ldap_id_mapping = True, there is no problem looking up users with "id" or "getent". But we need to use the POSIX attributes in AD...

hema.arun

Re: SSSD with AD - No such user

Post by hema.arun » 2019/12/31 11:46:01

Remove all custom values in /etc/krb5.conf.
Restart the sssd service; this resolved the same issue for me.
Now I am getting the AD user list.

idiot

Re: SSSD with AD - No such user

Post by idiot » 2022/01/29 16:58:32

@hema.arun, I am also facing the same issue.

It would be great if you could share the details of the files.

Maryam_Trend

Re: SSSD with AD - No such user

Post by Maryam_Trend » 2022/04/11 23:04:33

1. First, create two users called adusera and aduserb in Windows 2019 AD.

2. Log in as root and edit the SSSD (System Security Services Daemon) configuration as follows so that you can log in to AD user accounts without the domain name (e.g. log in as adusera instead of adusera@adatum.com).
Use the gedit text editor in the GNOME desktop:
[root@fedora ~]# gedit /etc/sssd/sssd.conf
Go to line 16 and change the line to:
use_fully_qualified_names = False

3. Restart SSSD:
[root@fedora ~]# systemctl restart sssd

derokk

Re: SSSD with AD - No such user

Post by derokk » 2022/08/17 18:24:33

Hello, I will share my config files for SSSD here; it works very well:

/etc/sssd/sssd.conf
[sssd]
domains = MY_AD.DOMAIN.COM
config_file_version = 2
services = nss, pam

# The section name must match the entry in "domains =" above, otherwise sssd ignores the domain.
[domain/MY_AD.DOMAIN.COM]
ad_domain = MY_AD.DOMAIN.COM
krb5_realm = MY_AD.DOMAIN.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = ad
ldap_idmap_autorid_compat = True

/etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
# default_realm = EXAMPLE.COM
default_ccache_name = KEYRING:persistent:%{uid}
default_realm = MY_AD.DOMAIN.COM

[realms]
MY_AD.DOMAIN.COM = {
kdc = DomainController.my_ad.domain.com
kpasswd_server = DomainController.my_ad.domain.com
admin_server = DomainController.my_ad.domain.com
default_domain = MY_AD.DOMAIN.COM
}

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
my_ad.domain.com = MY_AD.DOMAIN.COM
.my_ad.domain.com = MY_AD.DOMAIN.COM

Remember, your sssd.conf file must be mode 600.

Restart your sssd service and take a cookie :)

Cheers!
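A sanity check for the sssd.conf pitfalls raised in this thread (the 600 file mode, the "domains =" entry matching its [domain/...] section, and ldap_id_mapping versus AD POSIX attributes). This is an added example, not derokk's or the SSSD project's code; the sample sssd.conf it writes is constructed and deliberately reproduces a section-name mismatch.

```shell
# Added example (not from the thread): lint an sssd.conf for the pitfalls raised above.
# Usage: check_sssd_conf /etc/sssd/sssd.conf ; exit status = number of findings.
check_sssd_conf() {
  local f="$1" findings=0 domains d sec
  # 1. sssd refuses to start unless the file is mode 0600 (derokk's reminder).
  if [ -z "$(find "$f" -maxdepth 0 -perm 600)" ]; then
    echo "FAIL: $f is not mode 600"
    findings=$((findings + 1))
  fi
  # 2. Each name in "domains =" under [sssd] needs a matching [domain/NAME] section.
  domains=$(sed -n 's/^[[:space:]]*domains[[:space:]]*=[[:space:]]*//p' "$f" | tr ',' ' ')
  for d in $domains; do
    if ! grep -q "^\[domain/$d\]" "$f"; then
      echo "FAIL: domains lists $d but there is no [domain/$d] section"
      findings=$((findings + 1))
    fi
  done
  # 3. A [domain/...] section not listed in "domains =" is silently ignored by sssd.
  for sec in $(sed -n 's/^\[domain\/\(.*\)\][[:space:]]*$/\1/p' "$f"); do
    case " $domains " in
      *" $sec "*) ;;
      *) echo "WARN: [domain/$sec] is not listed in domains = and is ignored"
         findings=$((findings + 1)) ;;
    esac
  done
  # 4. With ldap_id_mapping = False sssd uses AD POSIX attributes, so users without
  #    uidNumber/gidNumber resolve to "no such user" (saerom's observation).
  if grep -qi '^[[:space:]]*ldap_id_mapping[[:space:]]*=[[:space:]]*false' "$f"; then
    echo "INFO: ldap_id_mapping = False: every AD user needs uidNumber and gidNumber"
  fi
  return "$findings"
}

# Constructed sample reproducing the section-name mismatch seen in the posted sssd.conf.
write_sample_conf() {
  local f
  f=$(mktemp)
  cat >"$f" <<'EOF'
[sssd]
domains = MY_AD.DOMAIN.COM
services = nss, pam

[domain/intranet.hybride.com]
id_provider = ad
ldap_id_mapping = False
EOF
  chmod 644 "$f"
  echo "$f"
}
```

Run `check_sssd_conf "$(write_sample_conf)"` to see the three findings (mode, missing section, orphan section) plus the ldap_id_mapping note; on a real host point it at /etc/sssd/sssd.conf as root.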
