
Unable to login as a user of the joined Active Directory #300

Closed
bdh1993 opened this issue Mar 15, 2022 · 3 comments
Labels
jira Import to Jira

Comments

@bdh1993

bdh1993 commented Mar 15, 2022

Please do not report security vulnerabilities here
Use Launchpad ADSys private bugs, which are monitored by our security team. On an Ubuntu machine, it’s best to use ubuntu-bug adsys to collect relevant information.

Thank you in advance for helping us to improve ADSys!
Please read through the template below and answer all relevant questions. Your additional work here is greatly appreciated and will help us respond as quickly as possible. For general support or usage questions, use Ubuntu Discourse. Finally, to avoid duplicates, please search existing Issues before submitting one here.

By submitting an Issue to this repository, you agree to the terms within the Ubuntu Code of Conduct.

Description

Unable to login as a user of the joined Active Directory

Here is my error message.
sudo login > user > passwd > error
image

Reproduction

It is presumed that this problem occurred when ADCS (Active Directory Certificate Service) was added, but it is not clear.
The Linux OS had the same settings.
I tried setting it up after reading the wiki, but I couldn't solve it.

  • Login Success : image
  • Login Error : image

- same settings

Linux
1. Install package (realmd, sssd, sssd-tools, libnss-sss, libpam-sss, adcli, samba-common-bin, oddjob, oddjob-mkhomedir)
2. Join AD (sudo realm join -U $AD $Domain > Check realm list > join is OK)
3. Change /usr/share/pam-configs/mkhomedir > sudo pam-auth-update
4. sudo realm permit user@domain
5. Test login (sudo login > user@domain > passwd > login is OK)
  - Before installing the adsys.
6. Install adsys package and make /etc/adsys.yaml

Windows
1. Install Windows Server OS
2. Make AD domain

- different settings

Windows
1. AD CS, IIS

I can't login after installing the adsys package.
I think it's a problem related to the certificate.
I referred to the following link.
https://ubuntu.com/server/docs/service-sssd
My sssd setting is as follows.
image

My /etc/adsys.yaml is as follows.
image

Is there a setting that I made a mistake in?
Should id_provider be set to ldap to set the certificate?
I need help.

Environment

  • ADSys version: 0.8~22.04
@rsbrux

rsbrux commented Sep 4, 2022

I have a similar problem, but the error message reads:
"Error from server: error while updating policy: can't get policies for : requested a type computer of which isn't current host ."
This despite the fact that "hostname", "hostname -f" and "hostnamectl status" all deliver the FQDN. Where else can adsys be looking for?
Please see this post on askUbuntu for further details.

@didrocks didrocks added the jira Import to Jira label Sep 5, 2022
@GabrielNagy
Contributor

@bdh1993 thank you for opening this issue. I tried to reproduce it by installing AD CS as well but I was still able to log in after this.

Can you share the output of sssctl user-checks aduser01@dx.ad and sssctl domain-status?

Additionally as this seems to be an issue with getting the GPOs via samba you can try the following:

  1. Add a line with log level = 10 in /etc/samba/smb.conf
  2. Run adsysctl policy debug gpolist-script to generate an adsys-gpolist file in the current directory for debugging
  3. Run ./adsys-gpolist --objectclass user ldap://dx-ad-01.dx.ad aduser01@dx.ad and paste the output here

@rsbrux I've taken a look over your issue and concluded it's a different one than the one exhibited in this report. Judging by your askubuntu post, the problem stems from the fact that hostname returns a FQDN instead of a regular hostname. As stated in the documentation you linked to:

hostname and hostname -f must return the name of the machine (“ad-desktop-1”) and the full name of the machine with the domain (“ad-desktop-1.warthogs.biz”) respectively

So the hostname must not be the same as the fqdn. Feel free to open a separate bug to track this, as it's a different issue.
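The hostname relationship quoted from the docs above, and the realm-domain match the thread relies on (dx.ad), turned into a checkable script. This is an added example, not code from ADSys or from any commenter; the function names and the ADSYS_CHECK_LIVE variable are my own.

```shell
#!/bin/sh
# Added example, not from ADSys or this thread: verifies the hostname
# relationship quoted from the docs above ("ad-desktop-1" vs
# "ad-desktop-1.warthogs.biz") before running adsys.
# $1 = output of `hostname`, $2 = output of `hostname -f`.
# Returns 0 when consistent, 1 otherwise (reason on stderr).
check_hostname_pair() {
    short="$1"
    fqdn="$2"
    if [ -z "$short" ] || [ -z "$fqdn" ]; then
        echo "hostname or FQDN is empty" >&2
        return 1
    fi
    case "$short" in
        *.*)
            # rsbrux's situation: hostname already returns the FQDN
            echo "hostname '$short' contains a dot; must be the short name" >&2
            return 1 ;;
    esac
    if [ "$short" = "$fqdn" ]; then
        echo "hostname -f '$fqdn' carries no domain part" >&2
        return 1
    fi
    case "$fqdn" in
        "$short".*) return 0 ;;
        *)
            echo "FQDN '$fqdn' does not start with '$short.'" >&2
            return 1 ;;
    esac
}

# Companion check: the FQDN's domain must equal the joined realm
# (dx.ad in this thread). $1 = FQDN, $2 = realm; compared case-insensitively.
check_realm_domain() {
    domain=$(printf '%s' "${1#*.}" | tr 'A-Z' 'a-z')
    realm=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ "$domain" = "$realm" ]
}

# Set ADSYS_CHECK_LIVE=1 (assumed variable name) to inspect this machine.
if [ "${ADSYS_CHECK_LIVE:-0}" = 1 ]; then
    check_hostname_pair "$(hostname)" "$(hostname -f)" && echo "hostname pair OK"
fi
```

Run it with ADSYS_CHECK_LIVE=1 on the joined client before installing adsys; a non-zero exit points at the hostname misconfiguration rather than at the certificate setup.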

@jibel
Collaborator

jibel commented Nov 30, 2023

I'm closing this report due to the lack of feedback from the OP. Feel free to reopen if it is still an issue for you.

@jibel jibel closed this as completed Nov 30, 2023