Solve Logon Problems on Linux or Unix
To troubleshoot problems logging on to a Linux computer with Active Directory credentials after you have joined the computer to a domain, perform the following diagnostic tests in order, using a root account.
The same tests can be used to troubleshoot logon problems on a Unix or macOS computer, although the command syntax on Unix and Mac may differ slightly.
Make Sure You Are Joined to the Domain
Execute the following command:
Check Whether You Are Using a Valid Logon Form
When troubleshooting a logon problem, use your full domain credentials: DOMAIN\username.
When logging on from the command line, you must escape the backslash with a second backslash, making the logon form DOMAIN\\username.
Clear the Cache
You may need to clear the cache to ensure that the client computer recognizes the user's ID.
For more information, please see the AD Bridge Installation Guide.
Destroy the Kerberos Cache
Clear the AD Bridge Kerberos cache to make sure there is not an issue with a user's Kerberos tickets. Execute the following command with the user account that you are troubleshooting:
Check the Status of the AD Bridge Authentication Service
Check the status of the authentication service on a Unix or Linux computer running the AD Bridge Agent by executing the following command as the root user:
/opt/pbis/bin/lwsm status lsass
| If the result looks like this... | Do this |
|---|---|
| lsass is stopped | Restart the service. |
| lsass (pid 1783) is running... | Proceed to the next test. |
Check Communication between the AD Bridge Service and AD
Verify that the AD Bridge service can exchange data with AD by executing this command:
If the result does not show the name and IP address of your domain controller:
- Make sure the domain controller is online and operational.
- Check network connectivity between the client and the domain controller.
- Join the domain again.
- View log files.
If the result shows the correct domain controller name and IP address, proceed to the next test.
Verify that AD Bridge Can Find a User in Active Directory
Verify that the AD Bridge agent can find your user by executing the following command, substituting the name of a valid AD domain for domainName and a valid user for ADuserName:
/opt/pbis/bin/find-user-by-name domainName\\ADuserName
If the command fails to find the user:
- Check whether the computer is joined to the domain by executing the following command as root:
This displays the hostname, current domain, and distinguished name, which includes the OU to which the computer belongs. Make sure the OU is correct. If the computer is not joined to a domain, it displays only the hostname.
- Check Active Directory to make sure the user has an account. If you are using AD Bridge, also ensure that the user is associated with the correct cell.
- Check whether the same user is in the /etc/passwd file. If necessary, migrate the user to Active Directory.
- Make sure the AD authentication provider is running by proceeding to the next test.
If the user is found, proceed to the PAM test later in this topic.
Make Sure the AD Authentication Provider Is Running
AD Bridge includes two authentication providers:
- the local provider
- the Active Directory provider
If the AD provider is not online, users are unable to log on with their AD credentials. To check the status of the authentication providers, execute the following command as root:
A healthy result should look like this:
LSA Server Status:
Compiled daemon version: 10.0.561.63589
Packaged product version: 10.0.725.63590
Uptime: 6 days 23 hours 36 minutes 29 seconds
[Authentication provider: lsa-activedirectory-provider]
Status: Online
Mode: Default Cell
Domain: EXAMPLE.COM
Domain SID:
Forest: example.com
Site: Default-First-Site-Name
An unhealthy result will not include the AD authentication provider or will indicate that it is offline. If the AD authentication provider is not listed in the results, restart the authentication service.
For more information, please see Restart the Authentication Service.
If the result looks like the line below, check the status of the AD Bridge services to make sure they are running.
Failed to query status from LSA service. The LSASS server is not responding.
For more information, please see AD Bridge Enterprise Services and Status.
Run the id Command to Check the User
Run the following id command to check whether nsswitch is properly configured to handle AD user account information:
If the command does not show information for the user, check whether the /etc/nsswitch.conf file is properly configured for passwd and group: both entries must list lsass as a source.
If /etc/nsswitch.conf is properly configured, the AD Bridge name service libraries might be missing or misplaced. It is also possible that the LD_PRELOAD or LD_LIBRARY_PATH variables are defined without including the AD Bridge libraries.
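The decision rules from the lwsm status table, the get-status provider check and the nsswitch section above, applied to saved command output so they can be rehearsed offline. This is an added example, not part of BeyondTrust's AD Bridge tooling; the sample outputs are constructed, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of AD Bridge: applies this page's decision rules to
# captured command output (text pasted from the affected host).

# Rule from the lwsm table, plus the "LSASS server is not responding" message.
lsass_action() {
    case "$1" in
        *"is running"*)     echo proceed ;;
        *"is stopped"*)     echo restart ;;
        *"not responding"*) echo check-services ;;
        *)                  echo unknown ;;
    esac
}

# Rule from get-status output: the lsa-activedirectory-provider block must
# report Status: Online, otherwise AD logons fail. Prints the status found,
# or "missing" when the AD provider block is absent from the output.
ad_provider_state() {
    printf '%s\n' "$1" | awk '
        /\[Authentication provider: lsa-activedirectory-provider\]/ { inad = 1; next }
        /\[Authentication provider:/ { inad = 0 }
        inad && /^[ \t]*Status:/ { print $2; found = 1; exit }
        END { if (!found) print "missing" }'
}

# Rule from the nsswitch section: both the passwd and group lines must list
# lsass as a source. Returns 0 when both do, 1 otherwise.
nsswitch_ok() {
    for db in passwd group; do
        printf '%s\n' "$1" \
            | grep -qE "^${db}:.*[[:space:]]lsass([[:space:]]|$)" || return 1
    done
    return 0
}

# Constructed sample output (not captured from a real host).
SAMPLE_LWSM='lsass (pid 1783) is running...'
SAMPLE_STATUS='LSA Server Status:
[Authentication provider: lsa-local-provider]
        Status:        Online
[Authentication provider: lsa-activedirectory-provider]
        Status:        Online
        Mode:          Default Cell
        Domain:        EXAMPLE.COM'
SAMPLE_NSS='passwd: files
group:  files lsass'
echo "lsass service: $(lsass_action "$SAMPLE_LWSM")"
echo "AD provider:   $(ad_provider_state "$SAMPLE_STATUS")"
nsswitch_ok "$SAMPLE_NSS" && echo "nsswitch: ok" || echo "nsswitch: passwd or group lacks lsass"
```

Paste the real output of each command into the sample variables (or read it from a file) to reuse the checks on a host where the agent is installed.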
Switch User to Check PAM
Verify that a user's password can be validated through PAM by using the switch user service. Either switch from a non-root user to a domain user or from root to a domain user. If you switch from root to a domain user, run the command below twice so that you are prompted for the domain user's password:
If the switch user command fails to validate the user:
- Generate a PAM debug log.
For more information, please see Generate a PAM Debug Log for AD Bridge.
- Also, check the following log files for error messages (the location of the log files varies by operating system):
Check whether you can log on with SSH by executing the following command:
If you believe the issue might be specific to SSH, please see Troubleshoot SSH SSO Login Problems.
Run the Authentication Service in Debug Mode
To troubleshoot the lookup of a user or group ID, you can set the AD Bridge authentication service to run in debug mode and show the log in the console by executing this command:
/opt/pbis/bin/lwsm set-log-level lsass - debug
Make sure /etc/nsswitch.conf is configured correctly to work with AD Bridge.
For more information, please see Configuring Clients Before Agent Installation in the AD Bridge Installation Guide.
On HP-UX, Escape Special Characters at the Console
When you log on to the console on some versions of HP-UX, such as 11.23, you might need to escape special characters, such as @ and #, by preceding them with a backslash (\).
For more information, please see your HP-UX documentation.
Additional Diagnostic Tools
There are additional command-line utilities that you can use to troubleshoot logon problems in the /opt/pbis/bin directory:
For more information, please see Resolve an AD Alias Conflict with a Local Account.