Hi,

We are unable to connect one machine (CentOS 6.9) to Active Directory using SSSD. It is giving the following error whenever we attempt the join. The exact same settings are working for other servers.

# net ads join -k
Failed to join domain: failed to lookup DC info for domain X.Y.LOCAL' over rpc: NT_STATUS_CONNECTION_RESET

But testjoin shows OK.

# net ads testjoin
Join is OK

Even though join says OK, users are not able to authenticate.

# net ads info
LDAP server: x.x.x.x
LDAP server name: AD-Server.x.y.local
Realm: X.Y.LOCAL
Bind Path: dc=X,dc=Y,dc=LOCAL
LDAP port: 389
Server time: Thu, 08 Jun 2017 11:18:41 EDT
KDC server: x.x.x.x
Server time offset: 0

"id" and "getent passwd <username>" return nothing.

DNS entries are correct under /etc/resolv.conf.

Here is the sanitized sssd_domain.log file (log level 5):

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [be_res_get_opts] (0x0100): Lookup order: ipv4_first

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [recreate_ares_channel] (0x0100): Initializing new c-ares channel

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [sysdb_domain_init_internal] (0x0200): DB File for x.y.local: /var/lib/sss/db/cache_x.y.local.ldb

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [monitor_common_send_id] (0x0100): Sending ID: (%BE_x.y.local,1)

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [sss_names_init_from_args] (0x0100): Using re [(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))].

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [ad_get_common_options] (0x0100): Setting ad_hostname to [hostname].

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [ad_get_common_options] (0x0100): Setting domain option case_sensitive to [false]

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [_ad_servers_init] (0x0100): Added failover server AD-Server.x.y.local

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [ad_dyndns_init] (0x0100): Dynamic DNS updates are on. Checking for nsupdate..

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [be_nsupdate_timer_schedule] (0x0200): Scheduling timer in 86400 seconds

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [ad_set_sdap_options] (0x0100): Option krb5_realm set to X.Y.LOCAL

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_set_sasl_options] (0x0100): Will look for hostname@X.Y.LOCAL in default keytab

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [select_principal_from_keytab] (0x0200): Selected primary: HOSTNAME$

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [select_principal_from_keytab] (0x0200): Selected realm: X.Y.LOCAL

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_authid set to HOSTNAME$

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_realm set to X.Y.LOCAL

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [ad_set_search_bases] (0x0100): Search base not set. SSSD will attempt to discover it later, when connecting to the LDAP server.

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [common_parse_search_base] (0x0100): Search base added: [USER][dc=x,dc=y,dc=local][SUBTREE][]

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [common_parse_search_base] (0x0100): Search base added: [GROUP][ou=Groups,ou=aaaa,ou=bbbb,ou=Company,dc=x,dc=y,dc=local][SUBTREE][]

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_idmap_init] (0x0100): Initializing [5] domains for ID-mapping

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [ad_machine_account_password_renewal_init] (0x0100): The helper program [/usr/sbin/adcli] for renewal doesn't exist [2]: No such file or directory

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [ad_get_auth_options] (0x0100): Option krb5_server set to AD-Server.x.y.local

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [ad_get_auth_options] (0x0100): Option krb5_realm set to X.Y.LOCAL

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [ad_get_auth_options] (0x0100): Option krb5_use_kdcinfo set to true

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [check_and_export_lifetime] (0x0200): No lifetime configured.

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [check_and_export_lifetime] (0x0200): No lifetime configured.

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [check_and_export_options] (0x0100): No kpasswd server explicitly configured, using the KDC or defaults.

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [check_and_export_options] (0x0100): ccache is of type FILE

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [parse_krb5_map_user] (0x0200): Warning: krb5_map_user is empty!

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [load_backend_module] (0x0200): no module name found in confdb, using [ad].

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [common_parse_search_base] (0x0100): Search base added: [SUDO][ou=Global Groups,ou=Groups,ou=aaaa,ou=bbbb,ou=Company,dc=x,dc=y,dc=local][SUBTREE][]

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [load_backend_module] (0x0200): no module name found in confdb, using [ad].

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [load_backend_module] (0x0200): no module name found in confdb, using [ad].

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [be_process_init] (0x0020): No selinux module provided for [x.y.local] !!

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [load_backend_module] (0x0200): no module name found in confdb, using [ad].

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [be_process_init] (0x0020): No host info module provided for [x.y.local] !!

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [load_backend_module] (0x0200): no module name found in confdb, using [ad].

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [sss_write_krb5_localauth_snippet] (0x0200): File for localauth plugin configuration is [/var/lib/sss/pubconf/krb5.include.d/localauth_plugin]

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [sss_write_domain_mappings] (0x0200): Mapping file for domain [x.y.local] is [/var/lib/sss/pubconf/krb5.include.d/domain_realm_x_y_local]

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [ad_set_sdap_options] (0x0100): Option krb5_realm set to X.Y.LOCAL

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_set_sasl_options] (0x0100): Will look for hostname@X.Y.LOCAL in default keytab

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [select_principal_from_keytab] (0x0200): Selected primary: HOSTNAME$

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [select_principal_from_keytab] (0x0200): Selected realm: X.Y.LOCAL

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_authid set to HOSTNAME$

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_realm set to X.Y.LOCAL

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [ad_failover_init] (0x0100): No primary servers defined, using service discovery

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [_ad_servers_init] (0x0100): Added service discovery for AD

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [fo_set_srv_lookup_plugin] (0x0080): SRV lookup plugin is already set

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [be_fo_set_srv_lookup_plugin] (0x0080): Unable to set SRV lookup plugin, another plugin may be already in place

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [dp_option_inherit] (0x0100): Option ldap_purge_cache_timeout is not set up to be inherited

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [dp_option_inherit] (0x0100): Option ldap_use_tokengroups is not set up to be inherited

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [ad_set_sdap_options] (0x0100): Option krb5_realm set to X.Y.LOCAL

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_set_sasl_options] (0x0100): Will look for hostname@X.Y.LOCAL in default keytab

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [select_principal_from_keytab] (0x0200): Selected primary: HOSTNAME$

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [select_principal_from_keytab] (0x0200): Selected realm: X.Y.LOCAL

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_authid set to HOSTNAME$

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_realm set to X.Y.LOCAL

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [ad_failover_init] (0x0100): No primary servers defined, using service discovery

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [_ad_servers_init] (0x0100): Added service discovery for AD

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [fo_set_srv_lookup_plugin] (0x0080): SRV lookup plugin is already set

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [be_fo_set_srv_lookup_plugin] (0x0080): Unable to set SRV lookup plugin, another plugin may be already in place

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [dp_option_inherit] (0x0100): Option ldap_purge_cache_timeout is not set up to be inherited

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [dp_option_inherit] (0x0100): Option ldap_use_tokengroups is not set up to be inherited

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [ad_set_sdap_options] (0x0100): Option krb5_realm set to X.Y.LOCAL

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_set_sasl_options] (0x0100): Will look for hostname@X.Y.LOCAL in default keytab

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [select_principal_from_keytab] (0x0200): Selected primary: HOSTNAME$

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [select_principal_from_keytab] (0x0200): Selected realm: X.Y.LOCAL

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_authid set to HOSTNAME$

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_realm set to X.Y.LOCAL

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [ad_failover_init] (0x0100): No primary servers defined, using service discovery

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [_ad_servers_init] (0x0100): Added service discovery for AD

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [fo_set_srv_lookup_plugin] (0x0080): SRV lookup plugin is already set

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [be_fo_set_srv_lookup_plugin] (0x0080): Unable to set SRV lookup plugin, another plugin may be already in place

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [dp_option_inherit] (0x0100): Option ldap_purge_cache_timeout is not set up to be inherited

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [dp_option_inherit] (0x0100): Option ldap_use_tokengroups is not set up to be inherited

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [ad_set_sdap_options] (0x0100): Option krb5_realm set to X.Y.LOCAL

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_set_sasl_options] (0x0100): Will look for hostname@X.Y.LOCAL in default keytab

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [select_principal_from_keytab] (0x0200): Selected primary: HOSTNAME$

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [select_principal_from_keytab] (0x0200): Selected realm: X.Y.LOCAL

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_authid set to HOSTNAME$

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_realm set to X.Y.LOCAL

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [ad_failover_init] (0x0100): No primary servers defined, using service discovery

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [_ad_servers_init] (0x0100): Added service discovery for AD

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [fo_set_srv_lookup_plugin] (0x0080): SRV lookup plugin is already set

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [be_fo_set_srv_lookup_plugin] (0x0080): Unable to set SRV lookup plugin, another plugin may be already in place

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [dp_option_inherit] (0x0100): Option ldap_purge_cache_timeout is not set up to be inherited

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [dp_option_inherit] (0x0100): Option ldap_use_tokengroups is not set up to be inherited

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [become_user] (0x0200): Trying to become user [0][0].

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [become_user] (0x0200): Already user [0].

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [id_callback] (0x0100): Got id ack and version (1) from Monitor

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [sbus_server_init_new_connection] (0x0200): Entering.

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [sbus_server_init_new_connection] (0x0200): Adding connection 0xbe6280.

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [sbus_server_init_new_connection] (0x0200): Got a connection

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [be_client_init] (0x0100): Set-up Backend ID timeout [0xbe6b30]

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [sbus_server_init_new_connection] (0x0200): Entering.

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [sbus_server_init_new_connection] (0x0200): Adding connection 0xbe8800.

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [sbus_server_init_new_connection] (0x0200): Got a connection

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [be_client_init] (0x0100): Set-up Backend ID timeout [0xbe97f0]

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [client_registration] (0x0100): Cancel DP ID timeout [0xbe6b30]

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [client_registration] (0x0100): Added Frontend client [PAM]

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'AD-Server.x.y.local' in files

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [set_server_common_status] (0x0100): Marking server 'AD-Server.x.y.local' as 'resolving name'

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of 'AD-Server.x.y.local' in files

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [resolv_gethostbyname_next] (0x0200): No more address families to retry

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'AD-Server.x.y.local' in DNS

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [set_server_common_status] (0x0100): Marking server 'AD-Server.x.y.local' as 'name resolved'

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [be_resolve_server_process] (0x0200): Found address for server AD-Server.x.y.local: [x.x.x.x] TTL 3600

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://AD-Server.x.y.local'

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [ad_resolve_callback] (0x0100): Constructed GC uri 'ldap://AD-Server.x.y.local'

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [sbus_server_init_new_connection] (0x0200): Entering.

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [sbus_server_init_new_connection] (0x0200): Adding connection 0xbec7b0.

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [sbus_server_init_new_connection] (0x0200): Got a connection

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [be_client_init] (0x0100): Set-up Backend ID timeout [0xbee680]

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [get_naming_context] (0x0200): Using value from [defaultNamingContext] as naming context.

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_set_search_base] (0x0100): Setting option [ldap_search_base] to [DC=x,DC=y,DC=local].

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [common_parse_search_base] (0x0100): Search base added: [DEFAULT][DC=x,DC=y,DC=local][SUBTREE][]

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_set_search_base] (0x0100): Setting option [ldap_netgroup_search_base] to [DC=x,DC=y,DC=local].

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [common_parse_search_base] (0x0100): Search base added: [NETGROUP][DC=x,DC=y,DC=local][SUBTREE][]

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_set_search_base] (0x0100): Setting option [ldap_service_search_base] to [DC=x,DC=y,DC=local].

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [common_parse_search_base] (0x0100): Search base added: [SERVICE][DC=x,DC=y,DC=local][SUBTREE][]

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_set_search_base] (0x0100): Setting option [ldap_autofs_search_base] to [DC=x,DC=y,DC=local].

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [common_parse_search_base] (0x0100): Search base added: [AUTOFS][DC=x,DC=y,DC=local][SUBTREE][]

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [6]

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [be_resolve_server_process] (0x0200): Found address for server AD-Server.x.y.local: [x.x.x.x] TTL 3600

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [client_registration] (0x0100): Cancel DP ID timeout [0xbee680]

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [client_registration] (0x0100): Added Frontend client [SUDO]

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [child_sig_handler] (0x0100): child [14490] finished successfully.

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_kinit_done] (0x0100): Could not get TGT: 14 [Bad address]

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_cli_connect_recv] (0x0040): Unable to establish connection [13]: Permission denied

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'AD-Server.x.y.local' as 'not working'

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks.

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [ad_subdomains_get_conn_done] (0x0080): No AD server is available, cannot get the subdomain list while offline

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [be_ptask_enable] (0x0080): Task [Check if online (periodic)]: already enabled

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks.

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [ad_subdomains_get_conn_done] (0x0080): No AD server is available, cannot get the subdomain list while offline

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [client_registration] (0x0100): Cancel DP ID timeout [0xbe97f0]

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [client_registration] (0x0100): Added Frontend client [NSS]

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [remove_krb5_info_files] (0x0200): Could not remove [/var/lib/sss/pubconf/kpasswdinfo.X.Y.LOCAL], [2][No such file or directory]

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [remove_krb5_info_files] (0x0200): Could not remove [/var/lib/sss/pubconf/kdcinfo.X.Y.LOCAL], [2][No such file or directory]

(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [remove_krb5_info_files] (0x0200): Could not remove [/var/lib/sss/pubconf/kpasswdinfo.X.Y.LOCAL], [2][No such file or directory]

(Thu Jun  8 10:40:00 2017) [sssd[be[x.y.local]]] [sbus_dispatch] (0x0080): Connection is not open for dispatching.

(Thu Jun  8 10:40:01 2017) [sssd[be[x.y.local]]] [sbus_dispatch] (0x0080): Connection is not open for dispatching.

(Thu Jun  8 10:40:01 2017) [sssd[be[x.y.local]]] [sbus_dispatch] (0x0080): Connection is not open for dispatching.

(Thu Jun  8 10:40:01 2017) [sssd[be[x.y.local]]] [remove_krb5_info_files] (0x0200): Could not remove [/var/lib/sss/pubconf/kdcinfo.X.Y.LOCAL], [2][No such file or directory]

(Thu Jun  8 10:40:01 2017) [sssd[be[x.y.local]]] [remove_krb5_info_files] (0x0200): Could not remove [/var/lib/sss/pubconf/kpasswdinfo.X.Y.LOCAL], [2][No such file or directory]


Capture when net ads join fails. .66 is the AD server and .109 is the CentOS machine.

Sanitized contents of sssd.conf, krb5.conf and smb.conf:


sssd.conf

[sssd]
domains = X.Y.LOCAL
services = nss, pam, sudo
config_file_version = 2
debug_level = 5

[nss]

[pam]
debug_level=5

[sudo]
debug_level=0

[domain/x.y.local]
debug_level=5
ad_server = AD-Server.x.y.local
id_provider = ad
auth_provider = ad
access_provider = ad
sudo_provider = ad
ldap_use_tokengroups = False
krb5_realm = X.Y.LOCAL
ldap_uri = ldap://AD-Server.x.y.local
ldap_sudo_search_base
ldap_user_search_base
ldap_group_search_base
ldap_access_order = filter, expire
ad_access_filter =
cache_credentials = true
override_homedir = /home/%d/%u
default_shell = /bin/bash

krb5.conf

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = X.Y.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = yes

[realms]
X.Y.LOCAL = {
    kdc = AD-Server.x.y.local:88
    admin_server = AD-Server.x.y.local:749
}

[domain_realm]
.x.y.local = X.Y.LOCAL
x.y.local = X.Y.LOCAL

smb.conf

[global]
workgroup = X
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
realm = X.Y.LOCAL
security = ads
log file = /var/log/samba/log.%m
max log size = 50
min protocol = SMB2

Thanks,

~ abhi
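As an added illustration (my own code, not from the post or from the SSSD project), a small triage parser for the sssd_domain.log line format quoted above: it splits each entry into function, debug-level bits and errno, then walks from the first failure to the point where the backend goes offline. The point it makes is that the "Could not get TGT" line is logged at 0x0100, so a severity-only filter on the log would hide it and show only the later "Permission denied" and "going offline" consequences. The level-to-name mapping follows sssd.conf(5); the sample lines are constructed after the sanitized ones in the post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# debug_level bits from sssd.conf(5); a lower value means more severe.
SEVERITY = {0x0010: "fatal", 0x0020: "critical", 0x0040: "serious",
            0x0080: "minor", 0x0100: "config", 0x0200: "function"}

# Line shape: (timestamp) [sssd[be[domain]]] [function] (0xLEVEL): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
# errno appears either as "14 [Bad address]" or as "[13]: Permission denied"
ERRNO_RE = re.compile(r"\[(\d+)\]|\b(\d+) \[")

@dataclass
class Entry:
    ts: str
    domain: str
    func: str
    level: int
    msg: str

    @property
    def errno(self) -> Optional[int]:
        m = ERRNO_RE.search(self.msg)
        return int(m.group(1) or m.group(2)) if m else None

def parse_line(line: str) -> Optional[Entry]:
    m = LINE_RE.match(line.strip())
    return Entry(m["ts"], m["domain"], m["func"], int(m["level"], 16), m["msg"]) if m else None

def failure_chain(lines: List[str]) -> List[Entry]:
    """Entries from the first failure up to the backend going offline.
    The first 0x0040/0x0020 entry is a consequence: the Kerberos step before
    it (sdap_kinit_done) is logged at 0x0100, so a severity filter hides it."""
    entries = [e for e in map(parse_line, lines) if e]
    start = next((i for i, e in enumerate(entries)
                  if e.level <= 0x0040 or e.func == "sdap_kinit_done"), None)
    if start is None:
        return []
    chain = []
    for e in entries[start:]:
        chain.append(e)
        if e.func == "be_run_offline_cb":   # backend gave up on the server
            break
    return chain

def summarize(lines: List[str]) -> dict:
    chain = failure_chain(lines)
    text = "\n".join(e.msg for e in chain)
    return {"offline": any(e.func == "be_run_offline_cb" for e in chain),
            "worst": SEVERITY.get(min(e.level for e in chain)) if chain else None,
            "first_cause": (chain[0].func, chain[0].msg) if chain else None,
            "errnos": [e.errno for e in chain if e.errno is not None],
            "servers_down": re.findall(r"server '([^']+)' as 'not working'", text)}

# Constructed sample shaped like the sanitized lines quoted in the post above.
P = "(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] "
SAMPLE = [
    P + "[be_resolve_server_process] (0x0200): Found address for server AD-Server.x.y.local: [x.x.x.x] TTL 3600",
    P + "[sdap_kinit_done] (0x0100): Could not get TGT: 14 [Bad address]",
    P + "[sdap_cli_connect_recv] (0x0040): Unable to establish connection [13]: Permission denied",
    P + "[fo_set_port_status] (0x0100): Marking port 0 of server 'AD-Server.x.y.local' as 'not working'",
    P + "[fo_resolve_service_send] (0x0020): No available servers for service 'AD'",
    P + "[sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])",
    P + "[be_run_offline_cb] (0x0080): Going offline. Running callbacks.",
]
```

Running `summarize(open("/var/log/sssd/sssd_x.y.local.log").readlines())` on a real log gives the same dictionary; the chain starts at the kinit failure even though its level bit is the "config" one.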