Solve Logon Problems on Linux or Unix

To troubleshoot problems logging on a Linux computer with Active Directory credentials after you joined the computer to a domain, perform the following series of diagnostic tests sequentially with a root account.

The tests can also be used to troubleshoot logon problems on a Unix computer. However, the syntax of the commands on Unix might be slightly different.

Make Sure You Are Joined to the Domain

Execute the following command:

/opt/pbis/bin/domainjoin-cli query

Check Whether You Are Using a Valid Logon Form

When troubleshooting a logon problem, use your full domain credentials: DOMAIN\username.

Example: example.com\hoenstiv

When logging on from the command line, you must escape the slash character with a slash character, making the logon form DOMAIN\\username.

Example: example.com\\hoenstiv

Clear the Cache

You may need to clear the cache to ensure that the client computer recognizes the user's ID.

For more information, see the AD Bridge Installation Guide.

Destroy the Kerberos Cache

Clear the AD Bridge Kerberos cache to make sure there is not an issue with a user's Kerberos tickets. Execute the following command with the user account that you are troubleshooting:

/opt/pbis/bin/kdestroy

Check the Status of the AD Bridge Authentication Service

Check the status of the authentication service on a Unix or Linux computer running the AD Bridge Agent by executing the following command as the root user:

/opt/pbis/bin/lwsm status lsass
If the result looks like this... Do This
lsass is stopped Restart the service.
lsass (pid 1783) is running... Proceed to the next test.

Check Communication between the AD Bridge Service and AD

Verify that the AD Bridge service can exchange data with AD by executing this command:

/opt/pbis/bin/get-dc-name FullDomainName
/opt/pbis/bin/get-dc-name example.com

If the result does not show the name and IP address of your domain controller:

  1. Make sure the domain controller is online and operational.
  2. Check network connectivity between the client and the domain controller.
  3. Join the domain again.
  4. View log files.

If the result shows the correct domain controller name and IP address, proceed to the next test.

Verify that AD Bridge Can Find a User in Active Directory

Verify that the AD Bridge agent can find your user by executing the following command, substituting the name of a valid AD domain for domainName and a valid user for ADuserName:

/opt/pbis/bin/find-user-by-name domainName \\ ADuserName
/opt/pbis/bin/find-user-by-name example\\hab

If the command fails to find the user:

  1. Check whether the computer is joined to the domain by executing the following command as root: 
    domainjoin-cli query

    This displays the hostname, current domain, and distinguished name, which includes the OU to which the computer belongs. Make sure the OU is correct. If the computer is not joined to a domain, it displays only the hostname.

  2. Check Active Directory to make sure the user has an account. If you are using AD Bridge, also ensure that the user is associated with the correct cell.
  3. Check whether the same user is in the /etc/passwd file. If necessary, migrate the user to Active Directory.
  4. Make sure the AD authentication provider is running by proceeding to the next test.

If the user is found, proceed to the PAM test later in this topic.

Make Sure the AD Authentication Provider Is Running

AD Bridge includes two authentication providers:

  • the local provider
  • the Active Directory provider

If the AD provider is not online, users are unable to log on with their AD credentials. To check the status of the authentication providers, execute the following command as root:

/opt/pbis/bin/get-status

A healthy result should look like this:

LSA Server Status:

Compiled daemon version: 10.1.561.63589
Packaged product version: 10.1.725.63590
Uptime:        6 days 23 hours 36 minutes 29 seconds

[Authentication provider: lsa-activedirectory-provider]

    Status:        Online
    Mode:          Default Cell
    Domain:        EXAMPLE.COM
    Domain SID:
    Forest:        example.com
    Site:          Default-First-Site-Name

An unhealthy result will not include the AD authentication provider or will indicate that it is offline. If the AD authentication provider is not listed in the results, restart the authentication service.

For more information, see Restart the Authentication Service.

If the result looks like the line below, check the status of the AD Bridge services to make sure they are running.

Failed to query status from LSA service.
The LSASS server is not responding.

For more information, see AD Bridge Services and Status.

Run the id Command to Check the User

Run the following id command to check whether nsswitch is properly configured to handle AD user account information:

id DOMAIN\\username
id example\\kathy

If the command does not show information for the user, check whether the /etc/nsswitch.conf file is properly configured for passwd and group: Both entries should include the lsass parameter.

If /etc/nsswitch.conf is properly configured, the AD Bridge name service libraries might be missing or misplaced. It is also possible that the LD_PRELOAD or LD_LIBRARY_PATH variables are defined without including the AD Bridge libraries.

Switch User to Check PAM

Verify that a user's password can be validated through PAM by using the switch user service. Either switch from a non-root user to a domain user or from root to a domain user. If you switch from root to a domain user, run the command below twice so that you are prompted for the domain user's password:

su DOMAIN\\username
su example\\hoenstiv

If the switch user command fails to validate the user:

  • Generate a PAM debug log.

For more information, see Generate a PAM Debug Log for AD Bridge.

  • Also, check the following log files for error messages (the location of the log files varies by operating system):
    • /var/log/messages
    • /var/log/secure

Test SSH

Check whether you can log on with SSH by executing the following command:

ssh DOMAIN\\username@localhost
ssh example.com\\hoenstiv@localhost

If you believe the issue might be specific to SSH, see Troubleshoot SSH SSO Login Problems.

Run the Authentication Service in Debug Mode

To troubleshoot the lookup of a user or group ID, you can set the AD Bridge authentication service to run in debug mode and show the log in the console by executing this command:

/opt/pbis/bin/lwsm set-log-level lsass - debug

Check Nsswitch.Conf

Make sure /etc/nsswitch.conf is configured correctly to work with AD Bridge.

For more information, see Configuring Clients Before Agent Installation in the AD Bridge Installation Guide.

Additional Diagnostic Tools

There are additional command-line utilities that you can use to troubleshoot logon problems in the  /opt/pbis/bin directory:

For more information, see Resolve an AD Alias Conflict with a Local Account.

Red Hat Enterprise Linux 9 Fips Systems

If AD authentication fails, run the following command and then reboot the machine.

update-crypto-policies --set FIPS:AD-SUPPORT

This will allow AD authentication through the encryption types required by Active Directory.