Configure system

If your domain does not support AES encryption for Kerberos, you have to enable support for RC4 encryption.

cat /etc/crypto-policies/state/current
update-crypto-policies --set DEFAULT:AD-SUPPORT-LEGACY
reboot

The policy is defined in /usr/share/crypto-policies/policies/modules/AD-SUPPORT-LEGACY.pmod.

Join Domain

Configure users in domain

Users need the uidNumber and gidNumber attributes populated, and groups need gidNumber. Otherwise SSSD cannot build a passwd entry for the account and sshd logs this error:

ago 20 12:30:07 hostname sshd[1441]: Invalid user username from 10.0.0.1 port 12345

To list the uid and gid numbers already in use, run these commands on a domain controller (or any host with the ActiveDirectory PowerShell module):

Get-ADUser -Properties uidNumber,gidNumber -Filter "uidNumber -like '*' -or gidNumber -like '*'" | Select-Object name,uidNumber,gidNumber | Sort-Object -Property uidNumber
Get-ADGroup -Properties gidNumber -Filter "gidNumber -like '*'" | Select-Object name,gidNumber | Sort-Object -Property gidNumber
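The two queries above only list what is in use. The following PowerShell script is an added example (not from this page) that builds on them to find the inconsistencies behind the "Invalid user" symptom and to pick collision-free numbers; it assumes the ActiveDirectory module is available and that 10000 is the chosen starting value for new ids.

```powershell
# Added example: audit POSIX attributes (uidNumber/gidNumber) in AD.
# Assumption: RSAT ActiveDirectory module is installed; 10000 is an arbitrary start value.
Import-Module ActiveDirectory

# Users that carry at least one POSIX attribute, and all groups that carry gidNumber
$users  = Get-ADUser  -Filter "uidNumber -like '*' -or gidNumber -like '*'" -Properties uidNumber,gidNumber
$groups = Get-ADGroup -Filter "gidNumber -like '*'" -Properties gidNumber

$groupGids = @{}
foreach ($g in $groups) { $groupGids[[int]$g.gidNumber] = $g.Name }

# 1. Users with only one of the two attributes set: SSSD cannot build a passwd
#    entry for them, which is what produces the sshd "Invalid user" message.
"--- users missing uidNumber or gidNumber ---"
$users | Where-Object { -not $_.uidNumber -or -not $_.gidNumber } |
    Select-Object Name,uidNumber,gidNumber

# 2. Users whose primary gidNumber points at no group with that gidNumber
"--- users whose gidNumber matches no group ---"
$users | Where-Object { $_.gidNumber -and -not $groupGids.ContainsKey([int]$_.gidNumber) } |
    Select-Object Name,gidNumber

# 3. Duplicate uidNumbers: two AD accounts mapped to the same Linux uid share
#    file ownership and process identity on every joined host.
"--- duplicate uidNumbers ---"
$users | Where-Object { $_.uidNumber } | Group-Object uidNumber |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object { "uidNumber {0} is used by: {1}" -f $_.Name, ($_.Group.Name -join ', ') }

# 4. Next free uidNumber / gidNumber, so newly provisioned accounts do not collide
$usedUids = $users  | Where-Object { $_.uidNumber } | ForEach-Object { [int]$_.uidNumber }
$usedGids = $groups | ForEach-Object { [int]$_.gidNumber }
$nextUid = if ($usedUids) { ($usedUids | Measure-Object -Maximum).Maximum + 1 } else { 10000 }
$nextGid = if ($usedGids) { ($usedGids | Measure-Object -Maximum).Maximum + 1 } else { 10000 }
"Next free uidNumber: $nextUid ; next free gidNumber: $nextGid"
```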

Debug from Linux

Get user

getent passwd username
getent passwd name.surname@domain.name

Get group

getent group groupname
getent group Name\ of\ Group

Clear the local SSSD cache, for example after removing a user from a group, so the change is picked up without waiting for the cache to expire:

sudo sss_cache -u username
sudo sss_cache -g groupname
sudo sss_cache -E