Hi,

I have an error message that I do not understand, because I have 2 Ubuntu servers set up the same way (but 1 Ubuntu 14.04 and 1 Ubuntu 16.04). Ubuntu 14 is working fine: I can authenticate and sudo just fine. Ubuntu 16 can list users and groups, but I cannot authenticate or sudo. And I see in the sssd_domain.log:

(Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [get_server_status] (0x1000): Status of server '<servername>' is 'name resolved'
(Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [get_port_status] (0x1000): Port status of port 389 for server '<servername>' is 'not working'
(Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [get_server_status] (0x1000): Status of server '<servername2>' is 'name resolved'
(Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [get_port_status] (0x1000): Port status of port 389 for server '<servername2>' is 'not working'
(Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
(Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [be_resolve_server_done] (0x1000): Server resolution failed: 5
(Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])


Of course, port 389 is indeed reachable, and I have joined and re-joined the domain several times, deleted the computer object in AD, checked several times that the keytab was created, and that I could kinit with it...

One thing is that I join a child AD domain and try to log in with an account from the main domain; that is probably an issue, but as that works on the other Ubuntu with the same setup, I am stuck...

Thanks,

Jeremy
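
Added example (not part of the original post, and not SSSD's own code): a small parser for the sssd_domain.log line format quoted above that collects the last state logged per server and port, the failure-level lines, and the error the backend went offline with. The sample lines and the host name dc1.example.test are constructed.

```python
import re

# Constructed sample in the sssd_domain.log format quoted above; host name is hypothetical.
SAMPLE = """\
(Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [get_server_status] (0x1000): Status of server 'dc1.example.test' is 'name resolved'
(Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [get_port_status] (0x1000): Port status of port 389 for server 'dc1.example.test' is 'not working'
(Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
(Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
"""

LINE = re.compile(r"^\((?P<ts>[^)]+)\) \[(?P<proc>sssd\S*)\] \[(?P<func>\w+)\] "
                  r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
SERVER = re.compile(r"^Status of server '(.+?)' is '(.+?)'")
PORT = re.compile(r"^Port status of port (\d+) for server '(.+?)' is '(.+?)'")
OFFLINE = re.compile(r"going offline \((\d+) \[(.+?)\]\)")


def parse(text):
    """Split each debug line into timestamp, process, function, level, message."""
    return [m.groupdict() for m in map(LINE.match, text.splitlines()) if m]


def summarize(events):
    """Last logged state per server/port, failure lines, and the offline cause."""
    out = {"servers": {}, "ports": {}, "failures": [], "offline": None}
    for e in events:
        msg = e["msg"]
        if m := SERVER.match(msg):
            out["servers"][m.group(1)] = m.group(2)
        elif m := PORT.match(msg):
            out["ports"][(m.group(2), int(m.group(1)))] = m.group(3)
        if m := OFFLINE.search(msg):
            out["offline"] = (int(m.group(1)), m.group(2))
        # Levels 0x0010-0x0080 are the failure bits of SSSD's debug_level mask.
        if int(e["level"], 16) <= 0x0080:
            out["failures"].append((e["func"], msg))
    # Servers logged as 'name resolved' whose port is logged as 'not working'.
    out["resolved_but_unusable"] = sorted(
        s for (s, _p), st in out["ports"].items()
        if st == "not working" and out["servers"].get(s) == "name resolved")
    return out


if __name__ == "__main__":
    print(summarize(parse(SAMPLE)))
```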