[FIX] Domains are not found after joining Ubuntu 22.04 to Active Directory using SSSD

Question

Since Ubuntu 20.04 we are using SSSD and realmd to join these server to one of our Active Directory domains. This works (almost) out-of-the-box.

For Ubuntu 22.04, however, we run into issues. And I am out of possible solutions, hence my question.

Our organization has 1 AD Forest.
In this Forest, we have a domain called “example.local“.
This domain has a few child domains, “prod.example.local“, “users.example.local“, “acc.example.local“.
users.example.local” has a child domain called “dev.users.example.local“.
This domain has a shortcut trust to “prod.example.local” (important to remember).

When a server is joined to the domain “dev.users.example.local“, users (from any domain in the Forest) should be able to login to the server.

This works as expected on Ubuntu 20.04 (using SSSD version 2.2.3). On Ubuntu 22.04 only users from the joined domain (dev.users.example.local) and from domains with a shortcut trust are found and are able to login to the server.

Using sssctl we tried to debug this issue.

Running sssctl domain-list

Returned result:

  • dev.users.example.local
  • prod.example.local

Expected result:

  • dev.users.example.local
  • users.example.local
  • example.local
  • prod.example.local
  • acc.example.local

SSSD Version:

  • Ubuntu 22.04: 2.6.3
  • Ubuntu 20.04: 2.2.3

This is our configuration for SSSD (which works as expected for Ubuntu 20.04):

[sssd]
domains = dev.users.example.local
config_file_version = 2
services = nss, pam

debug_level = 9

[domain/dev.users.example.local]
# Offline logins
# cache_credentials = true

# Providers
id_provider = ad
auth_provider = ad
access_provider = simple

# Uncomment if you want to use POSIX UIDs and GIDs set on the AD side
# ldap_id_mapping = False

# Uncomment if the trusted domains are not reachable
# ad_enabled_domains = ad.example.com

# Set default shell and override AD Home directory
default_shell = /bin/bash
override_homedir = /home/%d/%u

# Comment out if you prefer to use shortnames.
use_fully_qualified_names = True

# AD Specific settings
# ad_use_ldaps = True

debug_level = 9

[nss]
debug_level = 9

[pam]
debug_level = 9

PAM configuration: /etc/pam.d/sshd

# PAM configuration for the Secure Shell service

# Standard Un*x authentication.
@include common-auth

# Disallow non-root logins when /etc/nologin exists.
account    required     pam_nologin.so

# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account  required     pam_access.so

# Standard Un*x authorization.
@include common-account

# SELinux needs to be the first session rule.  This ensures that any
# lingering context has been cleared.  Without this it is possible that a
# module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close

# Set the loginuid process attribute.
session    required     pam_loginuid.so

# Create a new session keyring.
session    optional     pam_keyinit.so force revoke

# Standard Un*x session setup and teardown.
@include common-session

# Print the message of the day upon successful login.
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session    optional     pam_motd.so  motd=/run/motd.dynamic
session    optional     pam_motd.so noupdate

# add to the end (create Home Dir automatically when initial login)
session optional        pam_mkhomedir.so skel=/etc/skel umask=077

# Print the status of the user's mailbox upon successful login.
session    optional     pam_mail.so standard noenv # [1]

# Set up user limits from /etc/security/limits.conf.
session    required     pam_limits.so

# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
session    required     pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale

# SELinux needs to intervene at login time to ensure that the process starts
# in the proper default security context.  Only sessions which are intended
# to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open

# Standard Un*x password updating.
@include common-password

Using realmd we permit certain AD Groups to log into the server.

I tried installing a new (and old 2.2.3) version of SSSD on Ubuntu 22.04, but I was unable to do this.

How can we make this work without changing our Active Directory?
What are we doing wrong with this configuration?

Click Here to see answer

0
payam 2 weeks 2022-09-20T09:47:40+00:00 0 Answers 9 views

Leave an answer

By answering, you agree to the Terms of Service and Privacy Policy.