I just joined a 26.04 system to a 26.04 samba AD/DC server. I have krb5.keytab 0600 root:root, and sssd running as sssd user, and all is working:
-rw------- 1 root root 866 Jun  2 19:31 /etc/krb5.keytab

sssd  3803  Ss  19:31  0:00 /usr/sbin/sssd -i --logger=files
sssd  3804  S   19:31  0:00  \_ /usr/libexec/sssd/sssd_be --domain example.fake --logger=files
sssd  3805  Z   19:31  0:00  |   \_ [ldap_child] <defunct>
sssd  3806  S   19:31  0:00  \_ /usr/libexec/sssd/sssd_nss --logger=files
sssd  3807  S   19:31  0:00  \_ /usr/libexec/sssd/sssd_pam --logger=files
sssd  3808  S   19:31  0:00  \_ /usr/libexec/sssd/sssd_pac --logger=files

One thing that is odd is the defunct ldap_child process.

User lookup is fine:

# Not present in /etc/passwd
root@r-member:/var/log/sssd# grep noble /etc/passwd

# Visible to the system via libnss-sss:
ubuntu@r-member:~$ id [email protected]
uid=1170201107([email protected]) gid=1170200513(domain [email protected]) groups=1170200513(domain [email protected])

# Can authenticate via kerberos as well:
ubuntu@r-member:~$ kinit noble
Password for [email protected]:
Warning: Your password will expire in 41 days on Tue Jul 14 19:32:44 2026
ubuntu@r-member:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: [email protected]

Valid starting     Expires            Service principal
06/02/26 19:39:10  06/03/26 05:39:10  krbtgt/[email protected]
	renew until 06/03/26 19:39:07

The config I have is:

[sssd]
domains = example.fake
config_file_version = 2
services = nss, pam

[domain/example.fake]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = EXAMPLE.FAKE
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = example.fake
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = ad

There are some differences regarding your config, but the key point is that both are using the ad (active directory) provider.

I also used realm to join the domain, but it called adcli under the hood, as can be seen in this verbose run:

root@r-member:~# realm -v join example.fake
 * Resolving: _ldap._tcp.example.fake
 * Performing LDAP DSE lookup on: 10.10.18.254
 * Successfully discovered: example.fake
Password for Administrator:
 * Unconditionally checking packages
 * Resolving required packages
 * LANG=C /usr/sbin/adcli join --verbose --domain example.fake --domain-realm EXAMPLE.FAKE --domain-controller 10.10.18.254 --login-type user --login-user Administrator --stdin-password
 * Using domain name: example.fake
 * Calculated computer account name from fqdn: R-MEMBER
 * Using domain realm: example.fake
 * Sending NetLogon ping to domain controller: 10.10.18.254
 * Received NetLogon info from: r-samba.example.fake
 * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-GEBwbT/krb5.d/adcli-krb5-conf-6H2H2O
 * Authenticated as user: [email protected]
 * Using GSS-SPNEGO for SASL bind
 * Looked up short domain name: EXAMPLE
 * Looked up domain SID: S-1-5-21-202469496-3155270738-2974959383
 * Received NetLogon info from: r-samba.example.fake
 * Using fully qualified name: r-member.example.fake
 * Using domain name: example.fake
 * Using computer account name: R-MEMBER
 * Using domain realm: example.fake
 * Calculated computer account name from fqdn: R-MEMBER
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Found computer account for R-MEMBER$ at: CN=R-MEMBER,CN=Computers,DC=example,DC=fake
 * Trying to set computer password with Kerberos
 * Set computer password
 * Retrieved kvno '3' for computer account in directory: CN=R-MEMBER,CN=Computers,DC=example,DC=fake
 * Checking host/R-MEMBER
 * Added host/R-MEMBER
 * Checking RestrictedKrbHost/R-MEMBER
 * Added RestrictedKrbHost/R-MEMBER
 * Discovered which keytab salt to use
 * Added the entries to the keytab: [email protected]: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/[email protected]: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/[email protected]: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/[email protected]: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/[email protected]: FILE:/etc/krb5.keytab
 * /usr/sbin/update-rc.d sssd enable
 * /usr/sbin/service sssd restart
 * Successfully enrolled machine in realm

In the end that doesn't matter much because /etc/krb5.keytab is still 0600 root:root in my case.

What's left to try is a join to an actual AD server perhaps, and copying your config exactly.

Oh, and I used sssd version 2.12.0-1ubuntu5.1.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2155002

Title:
  Update to SSSD 2.12.0-1ubuntu5 breaks AD join due to SSSD inability
  to read keytab

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/2155002/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
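A permission check that goes with the situation described in the message above (keytab 0600 root:root, sssd processes running as user "sssd"); this is an added example, not code from the bug report or from SSSD. It assumes GNU stat(1) and takes the service user's group list as an argument, so it can be run against any file without that user existing on the box.

```shell
# keytab_access PATH USER "GROUP LIST"
# Prints which permission class lets USER read PATH: owner, group, other,
# or none. Mirrors POSIX class selection: the owner is judged by the owner
# bits only, a group member by the group bits only, everyone else by other.
# Example: keytab_access /etc/krb5.keytab sssd "$(id -nG sssd)"

# readbit DIGIT: succeeds when the octal digit has the read bit (4) set.
readbit() { case $1 in 4|5|6|7) return 0;; *) return 1;; esac; }

keytab_access() {
  path=$1
  user=$2
  groups=$3            # space-separated group names of USER

  # GNU stat: octal mode, owner name, group name (assumption: GNU coreutils).
  set -- $(stat -c '%a %U %G' "$path")
  mode=$1 owner=$2 group=$3

  # Keep only the last three octal digits (drops setuid/setgid/sticky).
  mode=${mode#${mode%???}}
  u=${mode%??}                 # owner digit
  g=${mode#?}; g=${g%?}        # group digit
  o=${mode#??}                 # other digit

  if [ "$owner" = "$user" ]; then
    readbit "$u" && { echo owner; return 0; }
    echo none; return 0
  fi
  for grp in $groups; do
    if [ "$grp" = "$group" ]; then
      readbit "$g" && echo group || echo none
      return 0
    fi
  done
  readbit "$o" && echo other || echo none
}
```

For a 0600 root:root keytab and a non-root service user the answer is "none", which is exactly the case the message reports as working anyway; a different answer would point at a permission change rather than at the SSSD privilege drop.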
