
Joining an endpoint to Active Directory

With Active Directory, each user is set up as a unique object in a central database, and only one set of credentials is used for that user. A separate object is also made for each computer system. With the same set of credentials, every user can automatically get into every workstation. Any changes to an account are made only once at the central database. Using groups and organizational units, access to different resources can be set up and kept up to date.

This section provides guidance on how to join Linux and macOS systems to Active Directory.

Note

For Linux endpoints, make sure to first check the pre-requisites page before starting the Active Directory joining process.

If you encounter any issues refer to the Troubleshooting section for further details.

Linux

Pre-requisites for joining Linux systems to Active Directory

To join a Linux computer to an Active Directory (AD) domain, there are a few prerequisites that must be met.

The following section details the necessary prerequisites.

Example:

Realm: example.local
Domain User: administrator
Domain IP: 11.11.11.11
  1. The date and time must be the same as the one in Active Directory.

    Make sure the computer's clock is in sync with the Active Directory server. Many authentication errors are caused by time differences.

  2. The VM must use the Active Directory server as DNS.

    You can change the DNS settings from Applications > Network > Options > IPv4 Settings.

    Method: Automatic (DHCP) address only

    Automatic: OFF

    DNS servers: 11.11.11.11

    DNS: 11.11.11.11

    Note

    Alternatively you can add the following lines to /etc/resolv.conf:

    search example.local
    
    nameserver 11.11.11.11
  3. Make sure the ports used by Active Directory and Kerberos are open through the network and firewalls. The necessary ports are listed in the table below:

    Port                      Direction   Destination                          Description
    22, 445 (SSH & SMB)       OUTGOING    Any                                  Detects computers in the local network
    135 (RPC)                 INCOMING    Any                                  Deployment through Relay Agent
    137, 138, 139 (NetBIOS)   INCOMING    Any                                  Deployment through Relay Agent
    53 (DNS)                  OUTGOING    DNS Server                           Internal use for DNS queries
    88 (Kerberos)             OUTGOING    Active Directory Domain Controller   Active Directory integration for Linux computers
    389, 636 (LDAP & LDAPS)   OUTGOING    Active Directory Domain Controller   Active Directory integration

  4. Make sure that the OS hostname is unique and has maximum 15 characters.

    • Change the hostname by running the following command:

      # hostnamectl set-hostname <NAME>
    • Delete the old name from /etc/hostname and replace with the new one.

      Note

      On CentOS 6 you need to replace the old HOSTNAME value with the new one:

      # vi /etc/sysconfig/network
      NETWORKING=yes
      HOSTNAME=<NAME>
    • Reboot the computer

      Note

      The endpoint's hostname must not contain the FQDN part.

  5. Disable SELinux.

    Set the SELINUX variable in the configuration file /etc/selinux/config to disabled:

    SELINUX=disabled
  6. Modify /etc/nsswitch.conf file.

    Change the search order in hosts database by adding dns after files:

    hosts:          files dns mdns4_minimal [NOTFOUND=return]
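As an added example that is not part of the original guide, the following POSIX shell script checks prerequisites 1 to 6 above before a join is attempted. REALM and DC_IP default to the example values (example.local, 11.11.11.11) and can be overridden from the environment; the network and clock checks assume dig, nc and ntpdate are installed.

```shell
#!/bin/sh
# Pre-flight check for the Active Directory join prerequisites (added example; not part of
# the original guide). REALM and DC_IP default to the page's example values; override them
# from the environment. Network checks assume dig, nc and ntpdate are installed.
REALM="${REALM:-example.local}"
DC_IP="${DC_IP:-11.11.11.11}"

# Prerequisite 1: Kerberos rejects authentication when the clock skew against the KDC
# exceeds 300 seconds (MIT krb5 default clockskew). Arguments: two epoch-second values.
skew_ok() {
    d=$(( $1 - $2 ))
    [ "$d" -lt 0 ] && d=$(( -d ))
    [ "$d" -le 300 ]
}

# Prerequisite 4: the hostname must be a short NetBIOS-style name: 1-15 characters,
# no FQDN part (no dots), and not 'linux' or 'localhost', which domainjoin-cli rejects.
check_hostname() {
    name="$1"
    case "$name" in
        ''|*.*|linux|localhost) return 1 ;;
    esac
    [ "${#name}" -le 15 ]
}

# Prerequisite 5: the SELINUX= value in the given config file (normally /etc/selinux/config)
# must be 'disabled'.
check_selinux_config() {
    mode=$(sed -n 's/^SELINUX=//p' "$1" 2>/dev/null | tail -n 1)
    [ "$mode" = "disabled" ]
}

# Prerequisite 6: on the hosts: line of nsswitch.conf, 'files' must be listed before 'dns'.
check_hosts_order() {
    sources=$(printf '%s\n' "$1" | sed 's/^hosts:[[:space:]]*//')
    set -f                      # no pathname expansion of tokens like [NOTFOUND=return]
    set -- $sources
    set +f
    seen_files=0
    for src in "$@"; do
        case "$src" in
            files) seen_files=1 ;;
            dns)   [ "$seen_files" -eq 1 ] && return 0; return 1 ;;
        esac
    done
    return 1                    # dns is never consulted
}

# Prerequisites 2 and 3: the DC must answer the SRV lookups the join tools rely on, and the
# outgoing DNS/Kerberos/LDAP ports from the table above must be reachable.
check_dc_network() {
    rc=0
    for rec in "_ldap._tcp.$REALM" "_kerberos._tcp.$REALM" "_ldap._tcp.dc._msdcs.$REALM"; do
        dig +short -t SRV "@$DC_IP" "$rec" | grep -q . || { echo "FAIL: no SRV record $rec via $DC_IP"; rc=1; }
    done
    for port in 53 88 389 636; do
        nc -z -w 3 "$DC_IP" "$port" 2>/dev/null || { echo "FAIL: $DC_IP tcp/$port unreachable"; rc=1; }
    done
    return "$rc"
}

run_all() {
    rc=0
    check_hostname "$(hostname)" || { echo "FAIL: hostname '$(hostname)' is not a valid short name"; rc=1; }
    check_selinux_config /etc/selinux/config || { echo "FAIL: SELinux is not disabled in /etc/selinux/config"; rc=1; }
    check_hosts_order "$(grep '^hosts:' /etc/nsswitch.conf)" || { echo "FAIL: nsswitch.conf hosts order is not 'files dns'"; rc=1; }
    # ntpdate -q only queries the server; its output carries "offset <seconds>" relative to the DC
    offset=$(ntpdate -q "$DC_IP" 2>/dev/null | sed -n 's/.*offset \(-\{0,1\}[0-9]*\).*/\1/p' | head -n 1)
    if [ -z "$offset" ]; then
        echo "WARN: could not query time from $DC_IP (is ntpdate installed?)"
    else
        skew_ok 0 "$offset" || { echo "FAIL: clock skew of ${offset}s against $DC_IP exceeds 300s"; rc=1; }
    fi
    check_dc_network || rc=1
    [ "$rc" -eq 0 ] && echo "All prerequisites satisfied for realm $REALM"
    return "$rc"
}

# Run the full check only when invoked with --run, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then
    run_all
fi
```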

Joining a Linux endpoint to Active Directory using PBIS

To join a Linux endpoint to an Active Directory (AD) domain using PBIS you need to follow the steps described below and also comply with the General Prerequisites.

Example:

Realm: example.local
Domain User: administrator
Domain IP: 11.11.11.11

Important

Some OSs (Fedora31, CentOS8) require the libnsl package to be installed first.

How to Install PBIS-Open offline

  1. Download the latest .sh installer from the pbis-open GitHub releases page and execute the following commands:

    • For Ubuntu, Debian.

      • For x64

        # wget https://github.com/BeyondTrust/pbis-open/releases/download/9.1.0/pbis-open-9.1.0.551.linux.x86_64.deb.sh
        # chmod +x pbis-open-9.1.0.551.linux.x86_64.deb.sh
        # sudo ./pbis-open-9.1.0.551.linux.x86_64.deb.sh
        # apt-get install ssh
        # sudo apt-get remove avahi-daemon 
      • For x86

        # wget https://github.com/BeyondTrust/pbis-open/releases/download/9.1.0/pbis-open-9.1.0.551.linux.x86.deb.sh
        # chmod +x pbis-open-9.1.0.551.linux.x86.deb.sh
        # sudo ./pbis-open-9.1.0.551.linux.x86.deb.sh
        # apt-get install ssh
        # sudo apt-get remove avahi-daemon
    • For CentOS, Fedora, OracleLinux7, RHEL, SUSE.

      • For x64

        # wget https://github.com/BeyondTrust/pbis-open/releases/download/9.1.0/pbis-open-9.1.0.551.linux.x86_64.rpm.sh
        # chmod +x pbis-open-9.1.0.551.linux.x86_64.rpm.sh
        # sudo ./pbis-open-9.1.0.551.linux.x86_64.rpm.sh 
      • For x86

        # wget https://github.com/BeyondTrust/pbis-open/releases/download/9.1.0/pbis-open-9.1.0.551.linux.x86.rpm.sh
        # chmod +x pbis-open-9.1.0.551.linux.x86.rpm.sh
        # sudo ./pbis-open-9.1.0.551.linux.x86.rpm.sh
  2. Join the Active Directory domain.

    # cd /opt/pbis/bin/
    # sudo domainjoin-cli join example.local administrator

    Note

    Verify the output of ./pbis-open*.sh and check for possible errors.

  3. Check domain connectivity.

    # sudo domainjoin-cli query
    

Joining a Linux endpoint to Active Directory using SSSD

This section covers instructions for the following operating systems:

Joining a Linux endpoint to Active Directory using SSSD for CentOS6

To join a Linux endpoint to an Active Directory (AD) domain using SSSD you need to follow the steps described below and also comply with the General Prerequisites.

Example:

Realm: example.local
Domain User: administrator
Domain IP: 11.11.11.11
  1. To successfully join CentOS6 to an Active Directory you need to install the necessary packages:

    # yum install adcli krb5-workstation sssd pam_krb5 
  2. Change the authentication provider by running the following command:

    # authconfig \
     --enablekrb5 \
     --krb5kdc=example.local \
     --krb5adminserver=example.local \
     --krb5realm=EXAMPLE.LOCAL \
     --enablesssd \
     --enablesssdauth \
     --update
  3. Join the Active Directory by running the following command:

    adcli join example.local -v
  4. Configure sssd.conf by creating a backup of the old /etc/sssd/sssd.conf and overriding its contents with:

    [sssd]
    domains = example.local
    config_file_version = 2
    services = nss, pam

    [domain/example.local]
    ad_domain = example.local
    krb5_realm = EXAMPLE.LOCAL
    realmd_tags = manages-system joined-with-samba
    cache_credentials = True
    id_provider = ad
    krb5_store_password_if_offline = True
    default_shell = /bin/bash
    ldap_id_mapping = True
    use_fully_qualified_names = False
    fallback_homedir = /home/%d/%u
    access_provider = ad

    Set the file permissions to 600, then start the service and enable it at boot.

    # chmod 600 /etc/sssd/sssd.conf
    # service sssd start
    # chkconfig sssd on
  5. Configure the krb5.conf file by creating a backup of the old /etc/krb5.conf and overriding its content with:

    [libdefaults]
        default_realm = EXAMPLE.LOCAL
        dns_lookup_kdc = true
        forwardable = true
        default_ccache_name = FILE:/tmp/krb5cc_%{uid}
    [realms]
        EXAMPLE.LOCAL = {
            admin_server = EXAMPLE.LOCAL
            #kdc = dc1.EXAMPLE.LOCAL
            #kdc = dc2.EXAMPLE.LOCAL
        }
    [logging]
        kdc = FILE:/var/log/krb5/krb5kdc.log
        admin_server = FILE:/var/log/krb5/kadmind.log
        default = SYSLOG:NOTICE:DAEMON
    [domain_realm]
        .EXAMPLE.LOCAL = EXAMPLE.LOCAL
        EXAMPLE.LOCAL = EXAMPLE.LOCAL
  6. Check the domain connectivity and make sure that everything works by running the following commands:

    # dig -t SRV _ldap._tcp.example.local
    # dig -t SRV _ldap._tcp.dc._msdcs.example.local
    # adcli info example.local
    # id administrator

Joining a Linux endpoint to Active Directory using SSSD for CentOS7/8, Fedora31, RHEL7/8, OracleLinux7

To join a Linux endpoint to an Active Directory (AD) domain using SSSD you need to follow the steps described below and also comply with the General Prerequisites.

Example:

Realm: example.local
Domain User: administrator
Domain IP: 11.11.11.11
  1. Install the necessary packages:

    • CentOS7/8, Fedora31 and RHEL8 require the following packages:

      # yum install adcli krb5-workstation realmd sssd
    • Oracle Linux7 and RHEL7 require the following packages:

      # yum install samba-common-tools realmd oddjob oddjob-mkhomedir sssd adcli krb5-workstation
  2. Join the Active Directory domain by running the following command.

    # realm join example.local -U administrator 
  3. Check the domain connectivity by running the following commands.

    # dig -t SRV _ldap._tcp.example.local
    # dig -t SRV _ldap._tcp.dc._msdcs.example.local
    # realm discover example.local
    # realm list

Joining a Linux endpoint to Active Directory using SSSD for Ubuntu, Debian

To join a Linux endpoint to an Active Directory (AD) domain using SSSD you need to follow the steps described below and also comply with the General Prerequisites.

Example:

Realm: example.local
Domain User: administrator
Domain IP: 11.11.11.11
  1. Install the necessary packages.

    # sudo apt install sssd-ad sssd-tools realmd adcli

    Note

    For Ubuntu14 you'll need to install an additional package.

    # sudo apt-get install packagekit
  2. Join the Active Directory domain by running the following command.

    # sudo realm -v join example.local
  3. Check the domain connectivity by running the following commands.

    # dig -t SRV _ldap._tcp.example.local
    # dig -t SRV _ldap._tcp.dc._msdcs.example.local
    # sudo realm -v discover example.local
    # realm list

Joining a Linux endpoint to Active Directory using SSSD for SUSE Linux Enterprise 12, 15

To join a Linux endpoint to an Active Directory (AD) domain using SSSD for SUSE you need to follow the steps described below and also comply with the General Prerequisites.

Example:

Realm: example.local
Domain User: administrator
Domain IP: 11.11.11.11
  1. Install the necessary packages.

    • Install krb5-client.

      # zypper in krb5-client
    • Install the following packages.

      # zypper in adcli sssd sssd-ldap sssd-ad sssd-tools
  2. Make a backup of the old /etc/krb5.conf and override its content with:

    [libdefaults]
        default_realm = EXAMPLE.LOCAL
        dns_lookup_kdc = true
        forwardable = true
        default_ccache_name = FILE:/tmp/krb5cc_%{uid}
    [realms]
        EXAMPLE.LOCAL = {
            admin_server = EXAMPLE.LOCAL
            #kdc = dc1.EXAMPLE.LOCAL
            #kdc = dc2.EXAMPLE.LOCAL
        }
    [logging]
        kdc = FILE:/var/log/krb5/krb5kdc.log
        admin_server = FILE:/var/log/krb5/kadmind.log
        default = SYSLOG:NOTICE:DAEMON
    [domain_realm]
        .EXAMPLE.LOCAL = EXAMPLE.LOCAL
        EXAMPLE.LOCAL = EXAMPLE.LOCAL
  3. Configure the sssd.conf file by making a backup of the old /etc/sssd/sssd.conf and overriding its content with:

    [sssd]
    config_file_version = 2
    services = nss,pam
    domains = example.local
     
    [nss]
    filter_users = root
    filter_groups = root
     
    [pam]
     
    [domain/example.local]
    id_provider = ad
    auth_provider = ad
    ad_domain = example.local
    cache_credentials = true
    enumerate = false
    override_homedir = /home/%d/%u
    ldap_id_mapping = true
    ldap_referrals = false
    ldap_schema = ad

    Set the permissions of the file to 600.

    # chmod 600 /etc/sssd/sssd.conf
  4. Configure the nsswitch.conf file by setting the following parameters in /etc/nsswitch.conf:

    passwd:     compat sss
    group:      compat sss
  5. Join the Active Directory domain by running the following command:

    # adcli join -D example.local
    
  6. Enable and start the sssd daemon.

    # systemctl enable sssd
    # systemctl start sssd
  7. Configure LDAP client

    • Install the necessary packages.

      # zypper in openldap2-client cyrus-sasl-gssapi
    • Add the following lines to /etc/openldap/ldap.conf.

      URI ldap://example.local
      BASE dc=example,dc=local
      REFERRALS OFF
  8. Check the domain connectivity by running the following commands:

    # ldapsearch -Y GSSAPI cn=Administrator
    # adcli info example.local
    # id administrator
    # getent passwd administrator

Joining a Linux endpoint to Active Directory using Winbind

This section covers instructions for the following operating systems:

Joining a Linux endpoint to Active Directory using Winbind on CentOS6, RHEL7

To join a Linux endpoint to an Active Directory (AD) domain using Winbind you need to follow the steps described below and also comply with the General Prerequisites.

Example:

Realm: example.local
Domain User: administrator
Domain IP: 11.11.11.11
  1. Install the necessary packages.

    # yum -y install samba4-winbind samba4-winbind-clients pam_krb5 krb5-libs
  2. Change the authentication provider by running the following command:

    # authconfig \
     --enablekrb5 \
     --krb5kdc=example.local \
     --krb5adminserver=example.local \
     --krb5realm=EXAMPLE.LOCAL \
     --enablewinbind \
     --enablewinbindauth \
     --smbsecurity=ads \
     --smbrealm=EXAMPLE.LOCAL \
     --smbservers=example.local \
     --smbworkgroup=example \
     --winbindtemplatehomedir=/home/%U \
     --winbindtemplateshell=/bin/bash \
     --enablemkhomedir \
     --enablewinbindusedefaultdomain \
     --update
  3. Configure the nsswitch.conf file by enabling the following parameters in /etc/nsswitch.conf:

    passwd: compat winbind
    group: compat winbind
  4. Join the Active Directory domain.

    • Create a Kerberos keytab file:

      # sudo net ads keytab create -U administrator 
      
    • Start Winbind service

      # service winbind start
      # chkconfig winbind on
    • Run the following command

      # net ads join -U administrator -v
      Enter administrator's password:
      Using short domain name -- EXAMPLE
      Joined 'Ubuntu20-VM' to dns domain 'example.local'
      No DNS domain configured for Ubuntu20-VM. Unable to perform DNS Update.
      DNS update failed!

      Important

      Even if the above message mentions that the DNS update has failed, please note that DNS was correctly updated and you should ignore this error message.

  5. Check the domain connectivity by running the following command:

    # wbinfo -u

Joining a Linux endpoint to Active Directory using Winbind for CentOS7/8, Fedora31, RHEL8, OracleLinux7

To join a Linux endpoint to an Active Directory (AD) domain using Winbind you need to follow the steps described below and also comply with the General Prerequisites.

Example:

Realm: example.local
Domain User: administrator
Domain IP: 11.11.11.11
  1. Install the necessary packages.

    # yum install samba samba-client samba-winbind samba-winbind-clients
  2. Configure the smb.conf file.

    Make a backup of the old /etc/samba/smb.conf and override its content with:

    [global]
            workgroup = EXAMPLE
            realm = EXAMPLE.LOCAL
            security = ads
            idmap config * : backend = autorid
            idmap config * : range = 100000-19999999
            idmap config * : rangesize = 1000000
            template homedir = /home/%D/%U
            template shell = /bin/bash
            winbind use default domain = false
            winbind offline logon = true
            log file = /var/log/samba/log.%m
            max log size = 50
            log level = 0
            kerberos method = secrets and keytab
  3. Join the Active Directory domain.

    • Create a Kerberos krb5.keytab file:

      # sudo net ads keytab create -U administrator
    • Enable the Winbind service.

      # systemctl enable winbind --now
    • Run the following command.

      # net ads join -U Administrator --no-dns-updates example.local
  4. Check the domain connectivity by running the following commands.

    # host -t SRV _kerberos._udp.example.local
    # host -t SRV _kerberos._tcp.example.local
    # testparm
    # wbinfo -u
    # wbinfo -g

Joining a Linux endpoint to Active Directory using Winbind for SUSE Linux Enterprise 12, 15

To join a Linux endpoint to an Active Directory (AD) domain using Winbind for SUSE you need to follow the steps described below and also comply with the General Prerequisites.

Example:

Realm: example.local
Domain User: administrator
Domain IP: 11.11.11.11
  1. Install the necessary packages.

    • Install the krb5 client.

      # zypper in krb5-client
  2. Configure the Kerberos client.

    Make a backup of the old /etc/krb5.conf and override its content with:

    [libdefaults]
        default_realm = EXAMPLE.LOCAL
        dns_lookup_kdc = true
        forwardable = true
        default_ccache_name = FILE:/tmp/krb5cc_%{uid}
    [realms]
        EXAMPLE.LOCAL = {
            admin_server = EXAMPLE.LOCAL
            #kdc = dc1.EXAMPLE.LOCAL
            #kdc = dc2.EXAMPLE.LOCAL
        }
    [logging]
        kdc = FILE:/var/log/krb5/krb5kdc.log
        admin_server = FILE:/var/log/krb5/kadmind.log
        default = SYSLOG:NOTICE:DAEMON
    [domain_realm]
        .EXAMPLE.LOCAL = EXAMPLE.LOCAL
        EXAMPLE.LOCAL = EXAMPLE.LOCAL
  3. Install the following packages:

    # zypper in samba-client samba-libs samba-winbind
  4. Configure the smb.conf file.

    • Make a backup of the old /etc/samba/smb.conf and override its content with:

      [global]
          workgroup = EXAMPLE
          kerberos method = secrets and keytab
          realm = EXAMPLE.LOCAL
          security = ADS

          winbind refresh tickets = yes
          winbind use default domain = yes
          template shell = /bin/bash
          template homedir = /home/%D/%U

          idmap config * : backend = tdb
          idmap config * : range = 10000-19999
          idmap config EXAMPLE: backend = rid
          idmap config EXAMPLE: range = 20000-29999
    • Set the permissions of the file to 600.

      # chmod 600 /etc/samba/smb.conf
  5. Configure the nsswitch.conf file.

    Enable the following parameters in /etc/nsswitch.conf:

    passwd: compat winbind
    group: compat winbind
  6. Establish a connection with Kerberos by running the following command.

    # kinit Administrator
  7. Join the Active Directory domain by running the following command.

    # net ads join -U Administrator
  8. Enable and start the Winbind daemon by running the following commands.

    # systemctl enable winbind
    # systemctl start winbind
  9. Configure the LDAP client.

    • Install the necessary packages.

      # zypper in openldap2-client cyrus-sasl-gssapi
    • Add the following lines to /etc/openldap/ldap.conf.

      URI ldap://example.local
      BASE dc=example,dc=local
      REFERRALS OFF
  10. Check the domain connectivity by running the following commands.

    # ldapsearch -Y GSSAPI cn=Administrator
    # net ads info
    # id administrator
    # getent passwd administrator

Joining a Linux endpoint to Active Directory using Winbind for Ubuntu, Debian

To join a Linux endpoint to an Active Directory (AD) domain using Winbind you need to follow the steps described below and also comply with the General Prerequisites.

Example:

Realm: example.local
Domain User: administrator
Domain IP: 11.11.11.11
  1. Install the following packages.

    # sudo apt install samba krb5-config krb5-user winbind libpam-winbind libnss-winbind

    When prompted, enter the domain name using only capital letters.

    Leave the Kerberos server for your realm blank.

    Leave the administrative server for your Kerberos realm blank.
  2. Configure PAM by running the following command and enable “Create home directory on login”.

    # sudo pam-auth-update

    Important

    This command is not applicable for Debian and Ubuntu14.

  3. Configure the nsswitch.conf file by enabling the following parameters in /etc/nsswitch.conf.

    passwd:     compat winbind
    group:      compat winbind
  4. Configure the smb.conf file.

    • Make a backup of the old /etc/samba/smb.conf and override its content with:

      [global]
      workgroup = EXAMPLE
      security = ads
      realm = EXAMPLE.LOCAL
      encrypt passwords = yes
      winbind use default domain = yes
      winbind refresh tickets = true
      template homedir = /home/%D/%U
      template shell = /bin/bash
      kerberos method = secrets and keytab
    • Restart the samba service.

      # systemctl restart smbd.service
  5. Configure the krb5.conf file. Make a backup of the old /etc/krb5.conf and override its content with:

    [libdefaults]
           default_realm = EXAMPLE.LOCAL
           dns_lookup_realm = true
           dns_lookup_kdc = true
           dns_fallback = yes
    [realms]
           EXAMPLE.LOCAL = {
                 kdc = example.local
                 default_domain = example.local
           }
    [domain_realm]
           .EXAMPLE.LOCAL = EXAMPLE.LOCAL
           EXAMPLE.LOCAL = EXAMPLE.LOCAL
  6. Join the Active Directory domain.

    • Initiate a Kerberos ticket and verify it.

      # sudo kinit administrator
    • Create a Kerberos keytab file.

      # sudo net ads keytab create -U administrator
    • Join the computer to Active Directory:

      # sudo net ads join -U administrator
    • Restart the samba service.

      # systemctl restart smbd.service
  7. Check the domain connectivity by running the following commands:

    # wbinfo -u
    # wbinfo -g
    # getent passwd
    # getent group
    # wbinfo -i administrator

Note

DNS update failed: NT_STATUS_INVALID_PARAMETER is not an error.

The computer joined the Active Directory successfully.

      Troubleshooting

      This section covers instructions for the following:

      Troubleshooting the PBIS Active Directory Domain Join Procedure

      This section contains a list of errors that might be encountered during the PBIS Active Directory domain join procedure.

      Example:

      Realm: example.local
      Domain User: administrator
      Domain IP: 11.11.11.11
      Error: ERROR_GEN_FAILURE [code 0x0000001f]

      The domainjoin-cli command may fail due to the presence of avahi-daemon package.

      # domainjoin-cli join example.local administrator
      Joining to AD Domain:   example.local
      With Computer DNS Name: user.example.local
      
      [email protected]'s password:
      
      Error: ERROR_GEN_FAILURE [code 0x0000001f]
      Resolution
      • Remove the avahi-daemon package

        # sudo apt-get remove avahi-daemon
      Error: Invalid hostname [code 0x000004ba]

      The domainjoin-cli command may fail due to incorrect configuration of the hostname.

      # cd /opt/pbis/bin/
      # sudo domainjoin-cli join example.local administrator
      Error: Invalid hostname [code 0x000004ba]
      The hostname may not be 'linux' or 'localhost'.
      Resolution
      • Change the hostname by running the following command:

        # hostnamectl set-hostname <NAME>
      • Delete the old name from /etc/hostname and replace with the new one.

      • Replace any occurrence of the endpoint name from /etc/hosts.

      • Reboot the endpoint.

      Error: Module not configured [code 0x000003eb]

      The domainjoin-cli command may fail due to incorrect configuration of the hostname.

      # cd /opt/pbis/bin/
      # sudo domainjoin-cli join example.local administrator
      Joining to AD Domain:   example.local
      With Computer DNS Name: bdvm-c6x64.example.local
       
      [email protected]'s password:
       
      Error: Module not configured [code 0x000003eb]
       
      Even though the configuration of 'hostname' was executed, the configuration is not complete. Please
      contact support.
      Resolution
      • Change the hostname by running the following command:

        # hostnamectl set-hostname <NAME>
      • Delete the old name from etc/hostname and replace with the new one.

      • Replace any occurrence of the endpoint name from /etc/hosts.

      • Reboot the endpoint.

      Error: BeyondTrust AD Bridge Open requires library libnsl.so.1; please install libnsl.so.1 before installing AD Bridge.

      Executing the .sh file may fail due to missing libnsl.so.1  library.

      # ./pbis-open-9.1.0.551.linux.x86_64.rpm.sh
      Creating directory pbis-open-9.1.0.551.linux.x86_64.rpm
      Verifying archive integrity... All good.
      Uncompressing pbis-open-9.1.0.551.linux.x86_64.rpm..........
      Installing packages and old packages will be removed
      warning: /home/pbis-open-9.1.0.551.linux.x86_64.rpm/./packages/pbis-open-upgrade-9.1.0-551.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID c9ceecef: NOKEY
      Verifying...                          ################################# [100%]
      Preparing...                          ################################# [100%]
      Updating / installing...
         1:pbis-open-upgrade-9.1.0-551      ################################# [100%]
      warning: /home/pbis-open-9.1.0.551.linux.x86_64.rpm/./packages/pbis-open-9.1.0-551.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID c9ceecef: NOKEY
      Verifying...                          ################################# [100%]
      Preparing...                          ################################# [100%]
      BeyondTrust AD Bridge Open requires library libnsl.so.1; please install libnsl.so.1 before installing AD Bridge.
       
      error: %prein(pbis-open-9.1.0-551.x86_64) scriptlet failed, exit status 1
      error: pbis-open-9.1.0-551.x86_64: install failed
      Error installing /home/pbis-open-9.1.0.551.linux.x86_64.rpm/./packages/pbis-open-9.1.0-551.x86_64.rpm
      The install has not completed. Correct any errors and reinstall by running /home/pbis-open-9.1.0.551.linux.x86_64.rpm/install.sh install
      Resolution
      • Install libnsl package

        #  yum install libnsl
      Error: Failed to download metadata for repo 'appstream': Cannot prepare internal mirrorlist: No URLs in mirrorlist

      Cannot install package due to internal mirrorlist.

      # yum install libnsl
      CentOS Linux 8 - AppStream                                             118  B/s |  38  B     00:00
      Error: Failed to download metadata for repo 'appstream': Cannot prepare internal mirrorlist: No URLs in mirrorlist
      [root@bdvm-c8x64 home]# yum install libnsl
      CentOS Linux 8 - AppStream                                             512  B/s |  38  B     00:00
      Error: Failed to download metadata for repo 'appstream': Cannot prepare internal mirrorlist: No URLs in mirrorlist
      [root@bdvm-c8x64 home]# yum update
      CentOS Linux 8 - AppStream                                             437  B/s |  38  B     00:00
      Error: Failed to download metadata for repo 'appstream': Cannot prepare internal mirrorlist: No URLs in mirrorlist
      Resolution
      • Run the following commands:

        # cd /etc/yum.repos.d/
        # sed -i 's/mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-*
        # sed -i 's|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g' /etc/yum.repos.d/CentOS-*
        # yum update -y
      • Re-install the package

      Error: Received error while querying lwsmd. [code 0x00000002]

      Cannot join to domain due to error code 0x00000002.

      # sudo domainjoin-cli join example.local administrator
       
      Error: Received error while querying lwsmd. [code 0x00000002]
      Received error while querying lwsmd.
      Resolution
      • Check the output of pbis-open*.sh file for mentions related to SELinux.

        # ./pbis-open-9.1.0.551.linux.x86_64.rpm.sh
        Creating directory pbis-open-9.1.0.551.linux.x86_64.rpm
        Verifying archive integrity... All good.
        Uncompressing pbis-open-9.1.0.551.linux.x86_64.rpm..........
        Installing packages and old packages will be removed
        ...
        SELinux Mode: Enforcing
         
        An appropriate SELinux policy [/opt/pbis/share/rhel/unknown/pbis.pp] was not included in this package. You may provide a policy at /opt/pbis/share/pbis.pp
         
        SELinux found to be present, enabled, and enforcing. You may either provide a policy at /opt/pbis/share/pbis.pp --OR-- SELinux must be disabled or set to permissive mode by editing the file /etc/selinux/config and rebooting. For instructions on how to edit the file to disable SELinux, see the SELinux man page.
         
        BeyondTrust AD Bridge will not install without an appropriate policy for SELinux.
         
        warning: %post(pbis-open-9.1.0-551.x86_64) scriptlet failed, exit status 1
         
        ...
      • Check the SELinux status by running the following command:

        # sestatus
        SELinux status:                 enabled
        SELinuxfs mount:                /sys/fs/selinux
        SELinux root directory:         /etc/selinux
        Loaded policy name:             targeted
        Current mode:                   enforcing
        Mode from config file:          enforcing
        Policy MLS status:              enabled
        Policy deny_unknown status:     allowed
        Memory protection checking:     actual (secure)
        Max kernel policy version:      31
      • Change the value of SELINUX variable in configuration file /etc/selinux/config to disable it.

        SELINUX=disabled
      • Re-run the pbis-open*.sh command.

        Error: ERROR_BAD_COMMAND [code 0x00000016]

        This is not an error, the endpoint was joined successfully.

        # /opt/pbis/bin/domainjoin-cli join example.local administrator
        Joining to AD Domain:   example.local
        With Computer DNS Name: bdvm-c8x64.example.local
         
        [email protected]'s password:
        Warning: A resumable error occurred while processing the 'hostname' module
        ERROR_BAD_COMMAND [code 0x00000016]
         
         
         
        Warning: System restart required
        Your system has been configured to authenticate to Active Directory for the first time.  It is
        recommended that you restart your system to ensure that all applications recognize the new settings.
         
        SUCCESS
        Error: DNS_ERROR_BAD_PACKET [code 0x0000251e]
        # /opt/pbis/bin/domainjoin-cli join example.local administrator
        Joining to AD Domain:   example.local
        With Computer DNS Name: o7x64tl.example.local
         
        [email protected]'s password:
        Error: DNS_ERROR_BAD_PACKET [code 0x0000251e]
        A bad packet was received from a DNS server. Potentially the requested address does not exist.
        
        Resolution
        • Check if DC responds to ping.

          # ping example.local
        • Check that the DNS server of the computer is set to the IP of the Domain Controller.

        • Check that the search order for the hosts database in /etc/nsswitch.conf is files, then dns.

        • Add to /etc/resolv.conf.

          search example.local
          nameserver 11.11.11.11

        Troubleshooting the Domain Join Procedure for SSSD

        This section contains a list of errors that might be encountered during the SSSD Active Directory domain join procedure.

        Example:

        Realm: example.local
        Domain User: administrator
        Domain IP: 11.11.11.11
        Error: Failed to join domain: failed to lookup DC info for domain 'example.local' over rpc: The attempted logon is invalid. This is either due to a bad username or authentication information.

        The error appears when an incorrect username or password is entered.

        # realm join example.local -U administrator -v
         * Resolving: _ldap._tcp.example.local
         * Performing LDAP DSE lookup on: 11.11.11.11
         * Successfully discovered: example.local
        Password for administrator:
         * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
         * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.0HT7S1 -U administrator ads join example.local
        Enter administrator's password:
        Failed to join domain: failed to lookup DC info for domain 'example.local' over rpc: The attempted logon is invalid. This is either due to a bad username or authentication information.
         ! Joining the domain example.local failed
        realm: Couldn't join realm: Joining the domain example.local failed
        Resolution
        • Re-run the command and enter the correct credentials.

        Error: ! Failed to enroll machine in realm: GDBus.Error:org.freedesktop.systemd1.UnitMasked: Unit is masked.

        The error appears because required packages are missing.

        # realm join example.local -U administrator -v
         * Resolving: _ldap._tcp.example.local
         * Performing LDAP DSE lookup on: 11.11.11.11
         * Successfully discovered: example.local
        Password for administrator:
         * Couldn't find file: /usr/bin/net
         * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
         * Resolving required packages
         ! Failed to enroll machine in realm: GDBus.Error:org.freedesktop.systemd1.UnitMasked: Unit is masked.
        realm: Couldn't join realm: Failed to enroll machine in realm. See diagnostics.
        Resolution
        • Run the following command:

          # yum install samba-common-tools realmd oddjob oddjob-mkhomedir sssd adcli krb5-workstation
        Error: No results: example.local

        When running realm discover against an Active Directory (AD) domain, the command resolves the realm but returns no results.

        # sudo realm -v discover example.local
        sudo: unable to resolve host user-market-2: Connection timed out
         * Resolving: _ldap._tcp.example.local
         * Resolving: example.local
         * No results: example.local
        example.local
          type: kerberos
          realm-name: EXAMPLE.LOCAL
          domain-name: example.local
          configured: no
        Resolution

        To solve the problem:

        • Check that the VM has the date & time synchronized with the Active Directory.

        • Set the same time zone, date & time as the Active Directory.

        • Check if DC responds to ping.

          # ping example.local
        • Check that the DNS server of the computer is set to the IP of the Domain Controller.

        • Check that the search order for the hosts database in /etc/nsswitch.conf is files, then dns.

          hosts: files dns mdns4_minimal [NOTFOUND=return]
        Error: realm: No such realm found: example.local

        When running realm discover against an Active Directory (AD) domain, the command cannot resolve the realm.

        # sudo realm -v discover example.local
        sudo: unable to resolve host user-market-2: No such file or directory
         * Resolving: _ldap._tcp.example.local
         * Resolving: example.local
         * No results: example.local
        realm: No such realm found: example.local
        Resolution
        • Add to /etc/resolv.conf.

          search example.local
          nameserver 11.11.11.11
        • Verify in /etc/nsswitch.conf that the hosts: database lists dns after files.

          hosts:      files dns myhostname
        • Run ping command.

          # ping example.local
        Error: Couldn't authenticate as: [email protected]: Preauthentication failed
        #  sudo realm -v join example.local
        sudo: unable to resolve host user-market-2: Connection timed out
         * Resolving: _ldap._tcp.example.local
         * Performing LDAP DSE lookup on: 11.11.11.11
         * Successfully discovered: example.local
        Password for Administrator:
         * Unconditionally checking packages
         * Resolving required packages
         * LANG=C /usr/sbin/adcli join --verbose --domain example.local --domain-realm EXAMPLE.LOCAL --domain-controller 11.11.11.11 --login-type user --login-user Administrator --stdin-password
         * Using domain name: example.local
         * Calculated computer account name from fqdn: USER-MARKET-2
         * Using domain realm: example.local
         * Sending netlogon pings to domain controller: cldap://11.11.11.11
         * Received NetLogon info from: DC.example.local
         * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-2lGxqJ/krb5.d/adcli-krb5-conf-ophiP9
         ! Couldn't authenticate as: [email protected]: Preauthentication failed
        adcli: couldn't connect to example.local domain: Couldn't authenticate as: [email protected]: Preauthentication failed
         ! Failed to join the domain
        realm: Couldn't join realm: Failed to join the domain
        Resolution
        • Check that you entered the correct password for the administrator account and run the command again.

        Error: Failed to enroll machine in realm: The following packages have unmet dependencies:
        # sudo realm -v join example.local
         * Resolving: _ldap._tcp.example.local
         * Performing LDAP DSE lookup on: 11.11.11.11
         * Successfully discovered: example.local
         * Unconditionally checking packages
         * Resolving required packages
         * Installing necessary packages: sssd-tools, sssd, libnss-sss, libpam-sss
         ! Failed to enroll machine in realm: The following packages have unmet dependencies:
         
        sssd-tools: Depends: libc6 (>= 2.12) but 2.19-0ubuntu6.15 is to be installed
                    Depends: libpopt0 (>= 1.14) but 1.16-8ubuntu1 is to be installed
                    Depends: libselinux1 (>= 1.32) but 2.2.2-1ubuntu0.1 is to be installed
                    Depends: libsemanage1 (>= 2.0.3) but 2.2-1 is to be installed
                    Depends: libtalloc2 (>= 2.0.4~git20101213) but 2.1.5-0ubuntu0.14.04.1 is to be installed
                    Depends: sssd-common (= 1.11.5-1ubuntu3) but 1.11.8-0ubuntu0.7 is to be installed
         
        realm: Couldn't join realm: Failed to enroll machine in realm. See diagnostics.
        Resolution
        • Update the packages by running the following commands:

          # apt update
          # sudo apt install sssd-ad sssd-tools realmd adcli
        Error: KDC or realm is unreachable or can't resolve address

        This problem appears when trying to join CentOS 6 to Active Directory using SSSD.

        "errors": [
                {
                   "description": "failed to generate credentials cache file for keytab file: default",
                   "message": "KDC or realm is unreachable or can't resolve address"
                }
             ],
        Resolution
        • Run the following command:

          # authconfig \
           --enablekrb5 \
           --krb5kdc=example.local \
           --krb5adminserver=example.local \
           --krb5realm=EXAMPLE.LOCAL \
           --enablesssd \
           --enablesssdauth \
           --update
        • Check the krb5.conf file. It should have the following format:

          [libdefaults]
              default_realm = EXAMPLE.LOCAL
              dns_lookup_kdc = true
              forwardable = true
              default_ccache_name = FILE:/tmp/krb5cc_%{uid}
          [realms]
              EXAMPLE.LOCAL = {
                  admin_server = EXAMPLE.LOCAL
                  #kdc = dc1.EXAMPLE.LOCAL
                  #kdc = dc2.EXAMPLE.LOCAL
              }
          [logging]
              kdc = FILE:/var/log/krb5/krb5kdc.log
              admin_server = FILE:/var/log/krb5/kadmind.log
              default = SYSLOG:NOTICE:DAEMON
          [domain_realm]
              .EXAMPLE.LOCAL = EXAMPLE.LOCAL
              EXAMPLE.LOCAL = EXAMPLE.LOCAL
        Error: Cannot find a valid baseurl for repo: base

        The problem appears on CentOS 6 because the OS is approaching end of life.

        # yum install adcli krb5-workstation sssd
        Loaded plugins: fastestmirror, refresh-packagekit, security
        Setting up Install Process
        Loading mirror speeds from cached hostfile
        YumRepo Error: All mirror URLs are not using ftp, http[s] or file.
         Eg. Invalid release/repo/arch combination/
        removing mirrorlist with no valid mirrors: /var/cache/yum/x86_64/6/base/mirrorlist.txt
        Error: Cannot find a valid baseurl for repo: base
        Resolution
        • Create a new repo file in /etc/yum.repos.d/ and add the following:

          [C6.10-base]
          name=CentOS-6.10 - Base
          baseurl=http://vault.epel.cloud/6.10/os/$basearch/
          gpgcheck=1
          gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
          enabled=1
          metadata_expire=never
           
          [C6.10-updates]
          name=CentOS-6.10 - Updates
          baseurl=http://vault.epel.cloud/6.10/updates/$basearch/
          gpgcheck=1
          gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
          enabled=1
          metadata_expire=never
           
          [C6.10-extras]
          name=CentOS-6.10 - Extras
          baseurl=http://vault.epel.cloud/6.10/extras/$basearch/
          gpgcheck=1
          gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
          enabled=1
          metadata_expire=never
           
          [C6.10-contrib]
          name=CentOS-6.10 - Contrib
          baseurl=http://vault.epel.cloud/6.10/contrib/$basearch/
          gpgcheck=1
          gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
          enabled=0
          metadata_expire=never
           
          [C6.10-centosplus]
          name=CentOS-6.10 - CentOSPlus
          baseurl=http://vault.epel.cloud/6.10/centosplus/$basearch/
          gpgcheck=1
          gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
          enabled=0
          metadata_expire=never
        • Update the packages and re-run the command:

          # yum update
          
          # yum install adcli krb5-workstation sssd
        Error: adcli: couldn't connect to domain: Couldn't get kerberos ticket ... Clock skew too great

        The problem appears when the endpoint has a different date & time than Active Directory.

        # adcli join example.local
        Password for [email protected]:
        adcli: couldn't connect to example.local domain: Couldn't get kerberos ticket for: [email protected]: Clock skew too great
        Resolution
        • Set the same time zone, date & time on the endpoint as Active Directory.

        Error: gss_init_sec_context failed with [ Miscellaneous failure (see text): Clock skew too great]

        The problem appears when the endpoint has a different date & time than Active Directory.

        # sudo realm -v join example.local
         * Resolving: _ldap._tcp.example.local
         * Performing LDAP DSE lookup on: 11.11.11.11
         * Successfully discovered: example.local
         * Unconditionally checking packages
         * Resolving required packages
         * LANG=C /usr/sbin/adcli join --verbose --domain example.local --domain-realm EXAMPLE.LOCAL --domain-controller 11.11.11.11 --login-type computer --no-password
         * Using domain name: example.local
         * Calculated computer account name from fqdn: BDVMU14X86
         * Using domain realm: example.local
         * Sending netlogon pings to domain controller: cldap://11.11.11.11
         * Received NetLogon info from: DC.example.local
         * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-ffDXAr/krb5.d/adcli-krb5-conf-YCJvaP
         ! Couldn't authenticate as machine account: BDVMU14X86: Client '[email protected]' not found in Kerberos database
        adcli: couldn't connect to example.local domain: Couldn't authenticate as machine account: BDVMU14X86: Client '[email protected]' not found in Kerberos database
         ! Unable to automatically join the domain
        Password for Administrator:
         * Unconditionally checking packages
         * Resolving required packages
         * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.PF1JS1 -U Administrator ads join example.local
        Enter Administrator's password:gss_init_sec_context failed with [ Miscellaneous failure (see text): Clock skew too great]
        kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred.
         
        Failed to join domain: failed to connect to AD: An internal error occurred.
         ! Joining the domain example.local failed
        realm: Couldn't join realm: Joining the domain example.local failed
        Resolution
        • Set the same time zone, date & time on the endpoint as the Active Directory.

        Error: Failed to start System Security Services Daemon status=4 /NOPERMISSION

        The sssd service cannot start because of incorrect permissions on the /etc/sssd/sssd.conf file.

        # systemctl start sssd
        Job for sssd.service failed because the control process exited with error code.
        See "systemctl  status sssd.service" and "journalctl  -xe" for details.
        # systemctl  status sssd.service
        ● sssd.service - System Security Services Daemon
           Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)
           Active: failed (Result: exit-code) since Wed 2022-09-21 22:08:34 EEST; 5s ago
          Process: 9457 ExecStart=/usr/sbin/sssd -i ${DEBUG_LOGGER} (code=exited, status=4)
         Main PID: 9457 (code=exited, status=4)
         
        Sep 21 22:08:34 slesl15gia systemd[1]: Starting System Security Services Daemon...
        Sep 21 22:08:34 slesl15gia sssd[9457]: Cannot read config file /etc/sssd/sssd.conf. Please chec
        k that the file is accessible only by the owner and owned by root.root.
        Sep 21 22:08:34 slesl15gia systemd[1]: sssd.service: Main process exited, code=exited, status=4
        /NOPERMISSION
        Sep 21 22:08:34 slesl15gia systemd[1]: Failed to start System Security Services Daemon.
        Sep 21 22:08:34 slesl15gia systemd[1]: sssd.service: Unit entered failed state.
        Sep 21 22:08:34 slesl15gia systemd[1]: sssd.service: Failed with result 'exit-code'.
        Resolution
        • Set 600 permissions on the /etc/sssd/sssd.conf file and re-run the start command.

          # chmod 600 /etc/sssd/sssd.conf
          # systemctl start sssd
        Error: adcli: joining domain example.local failed: Couldn't lookup computer account. Can't contact LDAP server

        The endpoint cannot contact the LDAP server.

        # adcli join -D example.local -U administrator
        Password for [email protected]:
        adcli: joining domain example.local failed: Couldn't lookup computer account: SGIA12$: Can't contact LDAP server
        Resolution
        • Install the LDAP client packages:

          # zypper in openldap2-client cyrus-sasl-gssapi 
        • Add the following lines to /etc/openldap/ldap.conf.

          URI ldap://example.local
          BASE dc=example,dc=local
          REFERRALS OFF
        Error: authconfig: Authentication module /usr/lib64/security/pam_krb5.so is missing. Authentication process might not work correctly.

        The authconfig command fails because the pam_krb5.so module is missing.

        #  authconfig \
          --enablekrb5 \
          --krb5kdc=example.local \
          --krb5adminserver=example.local \
          --krb5realm=EXAMPLE.LOCAL \
          --enablesssd \
          --enablesssdauth \
          --update
        authconfig: Authentication module /usr/lib64/security/pam_krb5.so is missing. Authentication process might not work correctly.
        Resolution
        • Install the missing package:

          # yum install pam_krb5
        Error: Warning: user would have been denied GPO-based logon access if the ad_gpo_access_control option were set to enforcing mode.

        The error appears due to the incomplete configuration of the krb5.conf file.

        ● sssd.service - System Security Services Daemon
           Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)
           Active: active (running) since Mon 2022-09-26 12:15:44 EDT; 2 weeks 0 days ago
         Main PID: 25700 (sssd)
            Tasks: 4
           CGroup: /system.slice/sssd.service
                   ├─25700 /usr/sbin/sssd -i --logger=files
                   ├─25701 /usr/libexec/sssd/sssd_be --domain yyz.local --uid 0 --gid 0 --logger=files
                   ├─25702 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
                   └─25703 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files
         
        Oct 11 10:32:59 10-10-192-49.yyz.local sssd[be[yyz.local]][25701]: Group Policy Container with DN [cn={8F655C32-3704-42C7-9BAD-5CC2C1A3AE55},cn=policies,cn=system,DC=yyz,DC=local] is unreadable or has unreadable or missing attributes. In order to fix this make sure that this AD object has following attributes readable: nTSecurityDescriptor, cn, gPCFileSysPath, gPCMachineExtensionNames, gPCFunctionalityVersion, flags. Alternatively if you do not have access to the server or can not change permissions on this object, you can use option ad_gpo_ignore_unreadable = True which will skip this GPO.See 'man ad_gpo_ignore_unreadable for details.'
        Oct 11 10:32:59 10-10-192-49.yyz.local sssd[be[yyz.local]][25701]: Warning: user would have been denied GPO-based logon access if the ad_gpo_access_control option were set to enforcing mode.
        Oct 11 10:36:35 10-10-192-49.yyz.local sssd_be[25701]: GSSAPI client step 1
        Oct 11 10:36:35 10-10-192-49.yyz.local sssd_be[25701]: GSSAPI client step 1
        Oct 11 10:36:35 10-10-192-49.yyz.local sssd_be[25701]: GSSAPI client step 1
        Oct 11 10:36:35 10-10-192-49.yyz.local sssd_be[25701]: GSSAPI client step 2
        Oct 11 10:40:31 10-10-192-49.yyz.local sssd[be[yyz.local]][25701]: Group Policy Container with DN [cn={8F655C32-3704-42C7-9BAD-5CC2C1A3AE55},cn=policies,cn=system,DC=yyz,DC=local] is unreadable or has unreadable or missing attributes. In order to fix this make sure that this AD object has following attributes readable: nTSecurityDescriptor, cn, gPCFileSysPath, gPCMachineExtensionNames, gPCFunctionalityVersion, flags. Alternatively if you do not have access to the server or can not change permissions on this object, you can use option ad_gpo_ignore_unreadable = True which will skip this GPO.See 'man ad_gpo_ignore_unreadable for details.'
        Oct 11 10:40:31 10-10-192-49.yyz.local sssd[be[yyz.local]][25701]: Warning: user would have been denied GPO-based logon access if the ad_gpo_access_control option were set to enforcing mode.
        Oct 11 10:40:54 10-10-192-49.yyz.local sssd[be[yyz.local]][25701]: Group Policy Container with DN [cn={8F655C32-3704-42C7-9BAD-5CC2C1A3AE55},cn=policies,cn=system,DC=yyz,DC=local] is unreadable or has unreadable or missing attributes. In order to fix this make sure that this AD object has following attributes readable: nTSecurityDescriptor, cn, gPCFileSysPath, gPCMachineExtensionNames, gPCFunctionalityVersion, flags. Alternatively if you do not have access to the server or can not change permissions on this object, you can use option ad_gpo_ignore_unreadable = True which will skip this GPO.See 'man ad_gpo_ignore_unreadable for details.'
        Oct 11 10:40:54 10-10-192-49.yyz.local sssd[be[yyz.local]][25701]: Warning: user would have been denied GPO-based logon access if the ad_gpo_access_control option were set to enforcing mode.
        
        Resolution
        • Check that krb5.conf has the [realms] configured as follows:

          [libdefaults]
                 default_realm = EXAMPLE.LOCAL
                 dns_lookup_realm = true
                 dns_lookup_kdc = true
                 dns_fallback = yes
          [realms]
                 EXAMPLE.LOCAL = {
                       kdc = example.local
                       default_domain = example.local
                 }
          [domain_realm]
                 .EXAMPLE.LOCAL = EXAMPLE.LOCAL
                 EXAMPLE.LOCAL = EXAMPLE.LOCAL
        Error: kadmin: Missing parameters in krb5.conf required for kadmin client while initializing kadmin interface

        The error appears due to the incomplete configuration of the krb5.conf file.

        # kadmin list_principals
        kadmin: Missing parameters in krb5.conf required for kadmin client while initializing kadmin interface
        Resolution
        • Check that krb5.conf has the [realms] configured as follows:

          [libdefaults]
                 default_realm = EXAMPLE.LOCAL
                 dns_lookup_realm = true
                 dns_lookup_kdc = true
                 dns_fallback = yes
          [realms]
                 EXAMPLE.LOCAL = {
                       kdc = example.local
                       default_domain = example.local
                 }
          [domain_realm]
                 .EXAMPLE.LOCAL = EXAMPLE.LOCAL
                 EXAMPLE.LOCAL = EXAMPLE.LOCAL
        • Check if hostname is already in use.

        • Check if the endpoint is disabled in Active Directory.

        Error: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)

        The error appears because the rdns parameter is missing from krb5.conf.

        ------------------------ldapsearch -Y GSSAPI cn=Administrator---------------------------------
        ● sssd.service - System Security Services Daemon
           Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)
           Active: active (running) since Tue 2022-10-11 16:43:20 EDT; 1min 30s ago
         Main PID: 1923 (sssd)
            Tasks: 4
           CGroup: /system.slice/sssd.service
                   ├─1923 /usr/sbin/sssd -i --logger=files
                   ├─1963 /usr/libexec/sssd/sssd_be --domain yyz.local --uid 0 --gid 0 --logger=files
                   ├─1967 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
                   └─1968 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files
         
        Oct 11 16:43:32 10-10-192-49.yyz.local sssd_be[1963]: GSSAPI client step 1
        Oct 11 16:43:32 10-10-192-49.yyz.local sssd_be[1963]: GSSAPI client step 1
        Oct 11 16:43:32 10-10-192-49.yyz.local sssd[be[yyz.local]][1963]: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)
        Oct 11 16:43:32 10-10-192-49.yyz.local sssd[nss][1967]: Enumeration requested but not enabled
        Oct 11 16:43:36 10-10-192-49.yyz.local sssd_be[1963]: GSSAPI client step 1
        Oct 11 16:43:36 10-10-192-49.yyz.local sssd_be[1963]: GSSAPI client step 1
        Oct 11 16:43:36 10-10-192-49.yyz.local sssd[be[yyz.local]][1963]: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)
        Oct 11 16:43:36 10-10-192-49.yyz.local sssd_be[1963]: GSSAPI client step 1
        Oct 11 16:43:36 10-10-192-49.yyz.local sssd_be[1963]: GSSAPI client step 1
        Oct 11 16:43:36 10-10-192-49.yyz.local sssd[be[yyz.local]][1963]: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)
        
        Resolution
        • Add rdns = false to the krb5.conf file:

          [libdefaults]
                 default_realm = EXAMPLE.LOCAL
                 dns_lookup_realm = true
                 dns_lookup_kdc = true
                 dns_fallback = yes
                 rdns = false
          [realms]
                 EXAMPLE.LOCAL = {
                       kdc = example.local
                       default_domain = example.local
                 }
          [domain_realm]
                 .EXAMPLE.LOCAL = EXAMPLE.LOCAL
                 EXAMPLE.LOCAL = EXAMPLE.LOCAL

        Troubleshooting the Domain Join Procedure for Winbind

        This section contains a list of errors that might be encountered during the Winbind Active Directory domain join procedure.

        Example:

        Realm: example.local
        Domain User: administrator
        Domain IP: 11.11.11.11
        Error: failed to generate credentials cache file for keytab file: default

        The hostname of the endpoint can be at most 15 characters.

        # net ads join -U administrator
        Our netbios name can be at most 15 chars long, "MAC-00-50-56-A9-06-E1" is 21 chars long
        Invalid configuration.  Exiting....
        Failed to join domain: The format of the specified computer name is invalid.
        Resolution
        • Change the hostname.

        Error: No DNS domain configured for suse15-user. Unable to perform DNS Update.

        When joining an Active Directory domain, the net command sometimes fails to update DNS.

        # net ads join -U administrator
        Enter administrator's password:
        Using short domain name -- EXAMPLE
        Joined 'SUSE15-USER' to dns domain 'example.local'
        No DNS domain configured for suse15-user. Unable to perform DNS Update.
        DNS update failed: NT_STATUS_INVALID_PARAMETER
        Resolution
        • Add the IP & FQDN of the machine to the /etc/hosts file.

          12.12.12.12     suse15-name.example.local     suse15-name
        • Run the command again.

        • Alternatively, you can run the command with the --no-dns-update parameter.

        Error: The format of the specified computer name is invalid.

        The problem appears when the hostname is longer than 15 characters.

        # net ads join -U administrator
        Our netbios name can be at most 15 chars long, "MAC-XX-XX-XX-XX-XX-XX" is 21 chars long
        Invalid configuration.  Exiting....
        Failed to join domain: The format of the specified computer name is invalid.
        Resolution
        • Change the hostname by running:

          # hostnamectl set-hostname <NAME>
        • Delete the old name from /etc/hostname and replace with the new one.

        • Replace any occurrence of the endpoint name from /etc/hosts.

        • Reboot the endpoint.
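
The checks the resolutions on this page rely on (the 15-character NetBIOS hostname limit above, files before dns in /etc/nsswitch.conf, a 0600 root-owned /etc/sssd/sssd.conf, and a krb5.conf with the realm block and rdns = false from the SSSD section), collected into one pre-join script. This is an added example, not code from the page or the vendor's tooling; it assumes GNU coreutils stat and a POSIX awk, and every check takes a file path so it can be run on a copy of the file or, with --system, on the live endpoint.

```shell
#!/bin/sh
# Pre-join checks for failure modes listed on this page. Added example, not the
# vendor's tooling. Assumes GNU coreutils stat and a POSIX awk.

# NetBIOS limit: Samba rejects a computer name longer than 15 characters, so the
# short hostname (the part before the first dot) must be at most 15 characters.
netbios_name_check() {
    short=${1%%.*}
    if [ "${#short}" -gt 15 ]; then
        echo "hostname '$short' is ${#short} chars; NetBIOS allows at most 15"
        return 1
    fi
    return 0
}

# /etc/nsswitch.conf: the hosts database must list "files" before "dns", and
# "dns" must be present, otherwise realm discovery cannot find the DC.
nsswitch_hosts_check() {
    awk '
        /^[ \t]*#/ { next }
        $1 == "hosts:" {
            found = 1
            for (i = 2; i <= NF; i++) {
                if ($i == "files" && !files) files = i
                if ($i == "dns"   && !dns)   dns = i
            }
        }
        END {
            if (!found) { print "no hosts: line found"; exit 1 }
            if (!files || !dns || dns < files) {
                print "hosts: must list files before dns"; exit 1
            }
        }' "$1"
}

# /etc/sssd/sssd.conf: sssd refuses to start unless the file is mode 0600 and
# owned by root:root; owner and group are parameters so the check can run as
# an unprivileged user against a copy of the file.
sssd_conf_check() {
    path=$1; want_user=${2:-root}; want_group=${3:-root}; rc=0
    [ -f "$path" ] || { echo "$path: missing"; return 1; }
    mode=$(stat -c '%a' "$path")
    owner=$(stat -c '%U' "$path")
    group=$(stat -c '%G' "$path")
    [ "$mode" = "600" ] || { echo "$path: mode $mode, expected 600 (chmod 600 $path)"; rc=1; }
    [ "$owner" = "$want_user" ] && [ "$group" = "$want_group" ] ||
        { echo "$path: owned by $owner:$group, expected $want_user:$want_group"; rc=1; }
    return $rc
}

# krb5.conf: default_realm, the realm block, the domain_realm mapping and
# rdns = false from the resolutions above. $1 = path, $2 = realm (upper case).
krb5_conf_check() {
    awk -v realm="$2" '
        /^[ \t]*#/ { next }
        /^[ \t]*\[/ { section = $0; gsub(/[ \t]/, "", section); gsub(/\[|\]/, "", section); next }
        section == "libdefaults"  && $1 == "default_realm" && $3 == realm   { have_default = 1 }
        section == "libdefaults"  && $1 == "rdns"          && $3 == "false" { have_rdns = 1 }
        section == "realms"       && $1 == realm           && $3 == "{"     { have_realm = 1 }
        section == "domain_realm" && $1 == ("." realm)     && $3 == realm   { have_map = 1 }
        END {
            rc = 0
            if (!have_default) { print "libdefaults: default_realm is not " realm; rc = 1 }
            if (!have_rdns)    { print "libdefaults: rdns = false is missing";     rc = 1 }
            if (!have_realm)   { print "realms: no " realm " = { ... } block";     rc = 1 }
            if (!have_map)     { print "domain_realm: ." realm " is not mapped";   rc = 1 }
            exit rc
        }' "$1"
}

# Run every check against the live system: sh prejoin.sh --system EXAMPLE.LOCAL
if [ "${1:-}" = "--system" ]; then
    rc=0
    netbios_name_check "$(hostname)"                        || rc=1
    nsswitch_hosts_check /etc/nsswitch.conf                 || rc=1
    sssd_conf_check /etc/sssd/sssd.conf                     || rc=1
    krb5_conf_check /etc/krb5.conf "${2:-EXAMPLE.LOCAL}"    || rc=1
    [ "$rc" -eq 0 ] && echo "all pre-join checks passed"
    exit "$rc"
fi
```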

        Error: No DNS domain configured. Unable to perform DNS Update

        When joining an Active Directory domain, the net command sometimes fails to update DNS.

        # net ads join -U administrator
        Enter administrator's password:
        Using short domain name -- SAMDOM
        Joined 'AD-Member' to dns domain 'samdom.example.com'
        No DNS domain configured for AD-Member. Unable to perform DNS Update.
        DNS update failed: NT_STATUS_INVALID_PARAMETER
        Resolution
        • Add the IP & FQDN of the machine to the /etc/hosts file.

           12.12.12.12    AD-Member.samdom.example.com     AD-Member
        • Run the command again.

        • Alternatively, you can run the command with the --no-dns-update parameter.

        Error: E: Package 'krb5-config' has no installation candidate

        The krb5-config package cannot be installed.

        # sudo apt install samba krb5-config krb5-user winbind libpam-winbind libnss-winbind
        Reading package lists... Done
        Building dependency tree
        Reading state information... Done
        Package krb5-config is not available, but is referred to by another package.
        This may mean that the package is missing, has been obsoleted, or
        is only available from another source
        E: Package 'krb5-config' has no installation candidate
         
        # sudo apt install samba krb5-user winbind libpam-winbind libnss-winbind
        Reading package lists... Done
        Building dependency tree
        Reading state information... Done
        Some packages could not be installed. This may mean that you have
        requested an impossible situation or if you are using the unstable
        distribution that some required packages have not yet been created
        or been moved out of Incoming.
        The following information may help to resolve the situation:
         
        The following packages have unmet dependencies:
         krb5-user : Depends: krb5-config but it is not installable
         samba : Depends: python-dnspython but it is not installable
                 Depends: python-samba but it is not going to be installed
                 Depends: samba-common-bin (= 2:4.5.16+dfsg-1+deb9u4) but it is not going to be installed
                 Depends: tdb-tools but it is not installable
                 Recommends: attr but it is not installable
                 Recommends: samba-dsdb-modules but it is not going to be installed
                 Recommends: samba-vfs-modules but it is not going to be installed
         winbind : Depends: samba-common-bin (= 2:4.5.16+dfsg-1+deb9u4) but it is not going to be installed
        E: Unable to correct problems, you have held broken packages.
        Resolution
        • Uncomment the lines starting with #deb in the /etc/apt/sources.list file.

        • Update the repo and re-run the command.

          # apt update
          # sudo apt install samba krb5-config krb5-user winbind libpam-winbind libnss-winbind
        Error: ads_keytab_open: Invalid kerberos method set (0)

        The problem appears because the kerberos method setting is missing from the smb.conf file.

        # sudo net ads keytab create -U administrator
         
        Warning: "kerberos method" must be set to a keytab method to use keytab functions.
        Enter administrator's password:
        ads_keytab_open: Invalid kerberos method set (0)
        Resolution
        • Add the following line to the [global] section of the /etc/samba/smb.conf file:

          kerberos method = secrets and keytab
        • Re-run the command. The keytab written by this command (by default /etc/krb5.keytab) holds the computer account's long-term keys and must stay owned by root with mode 0600.

        Error: could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE

        Testing commands fails.

        # wbinfo -t
        could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
        could not obtain winbind domain name!
        checking the trust secret for domain (null) via RPC calls failed
        failed to call wbcCheckTrustCredentials: WBC_ERR_WINBIND_NOT_AVAILABLE
        Could not check secret
        [root@fedgia samba]#  wbinfo -u
        could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
        could not obtain winbind domain name!
        Error looking up domain users
        [root@fedgia samba]#  wbinfo -g
        could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
        could not obtain winbind domain name!
        failed to call wbcListGroups: WBC_ERR_WINBIND_NOT_AVAILABLE
        Error looking up domain groups
        Resolution
        • Run the following command.

          # systemctl enable winbind --now
        • Re-run the commands again.

        Error: Failed to join domain: failed to lookup DC info for domain 'EXAMPLE.LOCAL' over rpc: NT_STATUS_CONNECTION_RESET

        Join command fails with error NT_STATUS_CONNECTION_RESET.

        # net ads join -U Administrator
        Enter Administrator's password:
        Failed to join domain: failed to lookup DC info for domain 'EXAMPLE.LOCAL' over rpc: NT_STATUS_CONNECTION_RESET
        
        Resolution
        • This error appears when the client performs the DC lookup over SMB1 and the domain controller has SMB1 disabled. The preferred fix is to update the Samba packages on the endpoint: current Samba versions perform the join over SMB2/SMB3 and do not need SMB1 on the DC.

        • If an old client leaves no alternative, temporarily install SMB1 on the Active Directory server: go to Server Manager → Dashboard, start Add Roles and Features → Features and select SMB 1.0/CIFS File Sharing Support. SMB1 is deprecated and is the protocol abused by wormable exploits such as EternalBlue, so remove the feature again as soon as the join is done.

        • Re-run the command.

        Error: DNS update failed!

        The join itself succeeded; only the dynamic DNS update for the endpoint's A record failed, here because the host has no DNS domain configured (its hostname is not fully qualified). Without the record, other hosts cannot resolve the endpoint by name. Set the FQDN (for example hostnamectl set-hostname user-user3.example.local, or a matching entry in /etc/hosts), then register the record with net ads dns register or create the A record on the DNS server.

        # net ads join -U Administrator
        Enter Administrator's password:
        Using short domain name -- EXAMPLE
        Joined 'USER-USER3' to dns domain 'example.local'
        No DNS domain configured for user-user3. Unable to perform DNS Update.
        DNS update failed!
        Error: The net Command Fails to Connect to the 127.0.0.1 IP Address

        Using the default settings, the net command connects to the 127.0.0.1 IP address. If Samba is not listening on the loopback interface, the connection fails. For example:

        # net rpc rights list -U administrator
        Enter administrator's password:
        Could not connect to server 127.0.0.1
        Connection failed: NT_STATUS_CONNECTION_REFUSED
        Resolution
        • Add the following parameters to the [global] section in /etc/samba/smb.conf file (eth0 is the example NIC name; use the name shown by ip link on the endpoint):

          bind interfaces only = yes
          interfaces = lo eth0
        • Restart the Samba service(s).

        • Alternatively, pass the -I IP_address or the -S host_name parameter to the net command.

        Error: getent not Finding Domain Users and Groups

        Sometimes getent passwd or getent group don't display any domain users or groups.

        # getent passwd
        # getent group
        Resolution
        • Add the following parameters to the [global] section in /etc/samba/smb.conf file:

          winbind enum users = yes
          winbind enum groups = yes

        Note

        Enumeration makes winbind list every domain user and group on each call and slows things down, so add these lines only for testing. Lookups of a specific account work without enumeration, for example getent passwd 'EXAMPLE\user' or id 'EXAMPLE\user'.

        Error: DNS Update failed: ERROR_DNS_GSS_ERROR

        When joining an Active Directory domain, the net command sometimes reports ERROR_DNS_GSS_ERROR: the Kerberos-secured (GSS-TSIG) DNS update was rejected by the DNS server. The resolution below applies to a Samba AD DC that uses the BIND9_DLZ backend. With a Windows DC, check instead that the endpoint's clock is in sync, that a forward lookup zone for the domain exists and that it allows secure dynamic updates.

        # net ads join -U administrator
        Enter administrator's password:
        Using short domain name -- SAMDOM
        Joined 'AD-Member' to dns domain 'samdom.example.com'
        DNS Update for AD-Member.samdom.example.com failed: ERROR_DNS_GSS_ERROR
        DNS update failed: NT_STATUS_UNSUCCESSFUL
        Resolution
        • On a Samba AD DC with the BIND9_DLZ backend, run the auto-reconfiguration:

          # samba_upgradedns --dns-backend=BIND9_DLZ
          Reading domain information
          DNS accounts already exist
          No zone file /usr/local/samba/private/dns/SAMDOM.EXAMPLE.COM.zone
          DNS records will be automatically created
          DNS partitions already exist
          dns-DC1 account already exists
          See /usr/local/samba/private/named.conf for an example configuration include file for BIND
          and /usr/local/samba/private/named.txt for further documentation required for secure DNS updates
          Finished upgrading DNS
        • Restart the BIND service.

        Error: Failed to join domain: Invalid configuration ("workgroup" set to 'EXAMPLE.LOCAL', should be 'EXAMPLE') and configuration modification was not requested

        The join fails because authconfig was run with the realm as --smbworkgroup. The workgroup must be the short NetBIOS domain name (EXAMPLE), while the realm is the DNS/Kerberos name (EXAMPLE.LOCAL).

        # net ads join -U Administrator
        Enter Administrator's password:
        Failed to join domain: Invalid configuration ("workgroup" set to 'EXAMPLE.LOCAL', should be 'EXAMPLE') and configuration modification was not requested
        Resolution
        • Run the command with --smbworkgroup set to the short NetBIOS name (authconfig is the RHEL/CentOS 7 tool; RHEL 8 and later replace it with authselect):

        # authconfig \
         --enablekrb5 \
         --krb5kdc=example.local \
         --krb5adminserver=example.local \
         --krb5realm=EXAMPLE.LOCAL \
         --enablewinbind \
         --enablewinbindauth \
         --smbsecurity=ads \
         --smbrealm=EXAMPLE.LOCAL \
         --smbservers=example.local \
         --smbworkgroup=EXAMPLE \
         --winbindtemplatehomedir=/home/%U \
         --winbindtemplateshell=/bin/bash \
         --enablemkhomedir \
         --enablewinbindusedefaultdomain \
         --update
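        Several of the errors above (the "Invalid kerberos method" keytab failure and the workgroup-set-to-the-realm join failure) come from /etc/samba/smb.conf and can be caught before running net ads join. The following script is an added example and not part of the original page or of Samba: it reads the [global] section the way Samba does (parameter names are case- and whitespace-insensitive) and reports the settings this section fixes. The file names and the two sample configurations embedded in it are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original page: static checks on an
# smb.conf for the misconfigurations covered in this troubleshooting
# section (workgroup set to the realm, missing "kerberos method",
# enumeration left on). File names and the sample configs are constructed.
set -u

# smb_get FILE KEY: print the value of KEY in the [global] section.
# Samba ignores case and whitespace in parameter names, so "Kerberos Method"
# and "kerberos method" are the same key; the last occurrence wins.
smb_get() {
    awk -v key="$2" '
        BEGIN { want = tolower(key); gsub(/[ \t]/, "", want); insec = 0; val = "" }
        /^[ \t]*[#;]/ { next }                       # comment line
        /^[ \t]*\[/ {                                # section header
            sec = tolower($0)
            sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); gsub(/[ \t]/, "", sec)
            insec = (sec == "global"); next
        }
        insec && index($0, "=") {
            i = index($0, "=")
            k = substr($0, 1, i - 1); gsub(/[ \t]/, "", k)
            v = substr($0, i + 1); sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            if (tolower(k) == want) val = v
        }
        END { if (val != "") print val }
    ' "$1"
}

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }
upper() { printf '%s' "$1" | tr 'a-z' 'A-Z'; }

# smb_check FILE: print one line per finding; the exit status is the number
# of findings, so 0 means the file passed.
smb_check() {
    f=$1; n=0
    sec=$(smb_get "$f" security)
    wg=$(smb_get "$f" workgroup)
    realm=$(smb_get "$f" realm)
    km=$(smb_get "$f" "kerberos method")
    enum=$(smb_get "$f" "winbind enum users")

    [ "$(lower "$sec")" = ads ] ||
        { echo "security = '${sec:-unset}'; an AD member needs security = ads"; n=$((n+1)); }
    [ -n "$realm" ] ||
        { echo "realm is not set"; n=$((n+1)); }
    [ "$realm" = "$(upper "$realm")" ] ||
        { echo "realm '$realm' should be upper case"; n=$((n+1)); }
    case "$wg" in
        "")  echo "workgroup is not set"; n=$((n+1)) ;;
        *.*) echo "workgroup '$wg' is a DNS name; use the NetBIOS name, e.g. '${wg%%.*}'"; n=$((n+1)) ;;
    esac
    # net ads keytab create needs a keytab-backed kerberos method
    case "$(lower "$km")" in
        "secrets and keytab"|"system keytab"|"dedicated keytab") ;;
        *) echo "kerberos method = '${km:-unset}'; set 'secrets and keytab'"; n=$((n+1)) ;;
    esac
    [ "$(lower "$enum")" != yes ] ||
        echo "note: winbind enum users = yes slows lookups down; keep it only for testing"
    return $n
}

# Constructed sample configs: the first reproduces the "workgroup set to
# 'EXAMPLE.LOCAL'" and "Invalid kerberos method" errors, the second is clean.
SMB_BAD=$(mktemp); SMB_GOOD=$(mktemp)
cat >"$SMB_BAD" <<'EOF'
[global]
   workgroup = EXAMPLE.LOCAL
   realm = EXAMPLE.LOCAL
   security = ads
   winbind enum users = yes
EOF
cat >"$SMB_GOOD" <<'EOF'
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.LOCAL
   security = ads
   kerberos method = secrets and keytab
   winbind use default domain = yes
   template shell = /bin/bash
   template homedir = /home/%U
EOF

# Usage on a real endpoint: smb_check /etc/samba/smb.conf
smb_check "$SMB_BAD" || echo "sample findings: $?"
smb_check "$SMB_GOOD" && echo "corrected sample passed"
```

        Run smb_check /etc/samba/smb.conf before net ads join; a non-zero exit status is the number of findings. The check is deliberately static, so it cannot replace net ads testjoin, but it removes the round-trip to the domain controller for the configuration mistakes listed in this section.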
        Error: winbind.service: main process exited, code=exited, status=1/FAILURE

        Failed to start Winbind service.

        # service winbind status
        Redirecting to /bin/systemctl status winbind.service
        ● winbind.service - Samba Winbind Daemon
           Loaded: loaded (/usr/lib/systemd/system/winbind.service; enabled; vendor preset: disabled)
           Active: failed (Result: exit-code) since Mon 2022-09-26 10:15:35 EDT; 56s ago
             Docs: man:winbindd(8)
                   man:samba(7)
                   man:smb.conf(5)
          Process: 12649 ExecStart=/usr/sbin/winbindd --foreground --no-process-group $WINBINDOPTIONS (code=exited, status=1/FAILURE)
         Main PID: 12649 (code=exited, status=1/FAILURE)
           Status: "Starting process..."
         
        Sep 26 10:15:35 rhel7x64tl winbindd[12649]: [2022/09/26 10:15:35.316642,  0] ../../source3/winbindd/winbindd_cache.c:3166(initialize_winbindd_cache)
        Sep 26 10:15:35 rhel7x64tl winbindd[12649]:   initialize_winbindd_cache: clearing cache and re-creating with version number 2
        Sep 26 10:15:35 rhel7x64tl winbindd[12649]: [2022/09/26 10:15:35.319950,  0] ../../source3/winbindd/winbindd_util.c:1279(init_domain_list)
        Sep 26 10:15:35 rhel7x64tl winbindd[12649]:   Could not fetch our SID - did we join?
        Sep 26 10:15:35 rhel7x64tl winbindd[12649]: [2022/09/26 10:15:35.319999,  0] ../../source3/winbindd/winbindd.c:1462(winbindd_register_handlers)
        Sep 26 10:15:35 rhel7x64tl winbindd[12649]:   unable to initialize domain list
        Sep 26 10:15:35 rhel7x64tl systemd[1]: winbind.service: main process exited, code=exited, status=1/FAILURE
        Sep 26 10:15:35 rhel7x64tl systemd[1]: Failed to start Samba Winbind Daemon.
        Sep 26 10:15:35 rhel7x64tl systemd[1]: Unit winbind.service entered failed state.
        Sep 26 10:15:35 rhel7x64tl systemd[1]: winbind.service failed.
        Resolution
        • The log line "Could not fetch our SID - did we join?" means winbind was started on an endpoint that has not joined the domain yet. Join first and verify the join, then start the service:

          # net ads join -U Administrator
          # net ads testjoin
          # systemctl restart winbind

        macOS

        Joining a macOS endpoint to Active Directory

        To join a macOS Ventura endpoint to an Active Directory (AD) domain follow these steps.

        Example:

        Realm: example.local
        Domain User: administrator
        Domain IP: 11.11.11.11

        Configuring the DNS server address
        1. Go to System Preferences > Network.

        2. Under the Ethernet section, click Advanced.

        3. Under DNS, enter the IP address of the Active Directory server.

          join__mac__ad__step1__part1__en.png
        4. Click OK to save changes.

        Back in the Network page you can see the fields completed with the data.

        mac_ethernet_new.png
        Configuring the Date & Time
        • Set the Date & Time as well as the Time Zone to be the same as in Active Directory.

          join__mac__ad__step2__part1__en.png
        Joining the Active Directory
        1. Go to System Preferences > Users & Groups > Network account server.

          join__mac__ad__step3__part2__en.png
        2. Click Edit > Open Directory Utility.

          join__mac__ad__step3__part3__en.png
        3. In the Directory Utility enter your local Username and Password.

          mac_diectory_utility.png
        4. Enter the Active Directory domain name and click Bind.

          mac_directory_utility_login.png
        5. In the Directory Utility re-enter your local Username and Password.

          mac_directory_utility_login_credentials.png
        6. Enter your domain Username and Password.

          mac_directory_utility_network_administratory.png
        7. Back in Users & Groups you'll be able to check if your endpoint has successfully joined the Active Directory.

          active_directory_join_procedure_joined_macos_en.png

        Important

        If your endpoint name contains a hyphen, you might not be able to bind to a directory domain such as LDAP or Active Directory.

        To establish the binding, use an endpoint name that does not contain a hyphen.
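        The Directory Utility steps above can also be done from a terminal with dsconfigad(8), which is what you would use to bind many Macs or to script the check for the hyphen problem described in the note. The following script is an added example and is not part of the original page or of Apple's tooling; the realm, account, computer name and organizational unit it uses are assumptions for illustration, and it only invokes dsconfigad when the command exists on the machine.

```shell
#!/bin/sh
# Added example, not part of the original page: the command-line equivalent
# of the Directory Utility steps above, using dsconfigad(8). The realm,
# account, computer name and OU below are assumptions for illustration.
set -u

# valid_ad_hostname NAME: 0 if NAME is usable as the computer name for the
# bind. Rejects hyphens (the note above), dots (must be the short name) and
# names over 15 characters (the NetBIOS limit for the computer account).
valid_ad_hostname() {
    case "$1" in
        ""|*-*|*.*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# bind_args DOMAIN USER COMPUTER [OU]: print the dsconfigad arguments, one per
# line, so they can be reviewed before anything is changed. -packetsign and
# -packetencrypt require signed and encrypted LDAP traffic to the DC.
bind_args() {
    domain=$1; user=$2; computer=$3; ou=${4:-}
    valid_ad_hostname "$computer" ||
        { echo "computer name '$computer' cannot be used for binding" >&2; return 1; }
    printf '%s\n' -add "$domain" -username "$user" -computer "$computer" \
        -packetsign require -packetencrypt require -force
    [ -z "$ou" ] || printf '%s\n' -ou "$ou"
}

# bind_mac_to_ad DOMAIN USER COMPUTER [OU]: run the bind on the Mac. The
# domain password is deliberately not passed with -password: dsconfigad
# prompts for it, which keeps it out of ps output and shell history.
bind_mac_to_ad() {
    command -v dsconfigad >/dev/null 2>&1 ||
        { echo "dsconfigad not found; run this on the macOS endpoint" >&2; return 2; }
    args=$(bind_args "$@") || return 1
    old_ifs=$IFS; IFS='
'; set -f; set -- $args; set +f; IFS=$old_ifs
    sudo dsconfigad "$@" && dsconfigad -show
}

# Preview for the page's example domain (constructed values); on the Mac itself:
#   bind_mac_to_ad example.local administrator "$(hostname -s)"
bind_args example.local administrator mac01 'OU=Macs,DC=example,DC=local' | tr '\n' ' '; echo
# A hyphenated name, as in the "Important" note above, is rejected before any bind:
bind_args example.local administrator user-user3 || echo "(bind not attempted)"
```

        dsconfigad -show afterwards prints the bound domain and computer account, which is the command-line counterpart of the green status shown in Users & Groups in step 7. The -packetsign require and -packetencrypt require options are stricter than the Directory Utility defaults (which only allow signing and encryption); keep them unless the domain controllers cannot offer LDAP signing and sealing.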