do not join linux to active directory 2022 with sssd

I tried to join active directory 2022 but I always get the following error:

 * LANG=C /usr/sbin/adcli join --verbose --domain proxmox.chimica.unipd.it --domain-realm PROXMOX.CHIMICA.UNIPD.IT --domain-controller 192.168.20.2 --login-type user --login-user Administrator --stdin-password
 * Using domain name: proxmox.chimica.unipd.it
 * Calculated computer account name from fqdn: SSSD1
 * Using domain realm: proxmox.chimica.unipd.it
 * Sending NetLogon ping to domain controller: 192.168.20.2
 * Received NetLogon info from: WIN-IEBMIPOEJGG.proxmox.chimica.unipd.it
 * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-rYdbxl/krb5.d/adcli-krb5-conf-jHlffv
 * Authenticated as user: Administrator@PROXMOX.CHIMICA.UNIPD.IT
 * Using GSS-SPNEGO for SASL bind
 ! Couldn't authenticate to active directory: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Cannot contact any KDC for realm 'PROXMOX.CHIMICA.UNIPD.IT')
adcli: couldn't connect to proxmox.chimica.unipd.it domain: Couldn't authenticate to active directory: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Cannot contact any KDC for realm 'PROXMOX.CHIMICA.UNIPD.IT')
 ! Insufficient permissions to join the domain
realm: do not join to realm: Insufficient permissions to join the domain

Hi, just curious, did you resolve this problem? If so, how? Thanks

I would make sure the following tests return the KDC server's IP address:

dig +short SRV _ldap._tcp.addomain.test
dig +short SRV _kerberos._tcp.addomain.test
dig +short SRV _kerberos._udp.addomain.test

Additionally, make sure your client has access to the following ports on the KDC:

Source port -    Destination -    Protocol      - Service
1024:65535  -    53          -    TCP and UDP   - DNS
1024:65535  -    389         -    TCP and UDP   - LDAP
1024:65535  -    636         -    TCP           - LDAPS
1024:65535  -    88          -    TCP and UDP   - Kerberos
1024:65535  -    464         -    TCP and UDP   - Kerberos change/set password (kadmin)
1024:65535  -    3268        -    TCP           - LDAP Global Catalog (If "id_provider = ad" is being used)
1024:65535  -    3269        -    TCP           - LDAP Global Catalog SSL
1024:65535  -    123         -    UDP           - NTP (Optional)

The following two commands test network connectivity to port 53 using TCP and UDP.

# * DNS Ports
nc -zv adserver1.addomain.test 53
nc -zuv adserver1.addomain.test 53
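The checks in the reply above (SRV lookups, then port probes against each DC), as one added shell script. This is an example written for this thread, not code from the poster, from realmd/adcli or from Proxmox; the domain name and DC host names are placeholders, and the script assumes `dig` and an `nc` that accepts `-z`/`-u`/`-w` are installed.

```shell
#!/bin/sh
# Added example (not from the thread): run the DNS SRV and port checks
# suggested above against every domain controller the DNS records name.
# Usage: sh check-ad-dc.sh addomain.test   (domain name is a placeholder)

# Parse `dig +short SRV` output (priority weight port target) read from stdin;
# print "target port" pairs, lowest priority first, with the trailing dot removed.
srv_targets() {
    sort -n -k1,1 | awk 'NF == 4 { sub(/\.$/, "", $4); print $4, $3 }'
}

# Look up one SRV name under $DOMAIN; print its targets, exit 1 if there are none.
srv_lookup() {  # srv_lookup _kerberos._tcp
    out=$(dig +short SRV "$1.$DOMAIN" | srv_targets)
    [ -n "$out" ] && printf '%s\n' "$out"
}

# Probe one port on a DC with nc (-z: connect only, -u: UDP), 3 s timeout.
# Note: a UDP "success" from nc only means no ICMP unreachable came back.
probe_port() {  # probe_port host port tcp|udp
    if [ "$3" = udp ]; then
        nc -zuv -w 3 "$1" "$2"
    else
        nc -zv -w 3 "$1" "$2"
    fi
}

# Port/protocol list taken from the table in the reply above.
REQUIRED_PORTS='53 tcp
53 udp
389 tcp
389 udp
636 tcp
88 tcp
88 udp
464 tcp
464 udp
3268 tcp
3269 tcp
123 udp'

# Probe every required port on one DC and print ok/FAIL per line.
check_dc() {  # check_dc host
    printf '%s\n' "$REQUIRED_PORTS" | while read -r port proto; do
        if probe_port "$1" "$port" "$proto" >/dev/null 2>&1; then
            echo "ok   $1 $port/$proto"
        else
            echo "FAIL $1 $port/$proto"
        fi
    done
}

main() {  # main domain
    DOMAIN=$1
    for rec in _ldap._tcp _kerberos._tcp _kerberos._udp; do
        echo "== SRV $rec.$DOMAIN"
        srv_lookup "$rec" || echo "FAIL no SRV record for $rec.$DOMAIN"
    done
    # Port-check each DC the Kerberos SRV record points at.
    dig +short SRV "_kerberos._tcp.$DOMAIN" | srv_targets | while read -r host port; do
        echo "== ports on $host (KDC port $port)"
        check_dc "$host"
    done
}

if [ $# -gt 0 ]; then main "$@"; fi
```

A DC that shows up in the SRV answers but fails on 88 or 389 narrows the problem to the network path rather than DNS; a clean run of this script with the join still failing points at something in between, such as the MTU issue the original poster eventually found.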

The problem was in the Proxmox virtualization system, and that’s strange. In SDN → Zones, I changed the MTU from 1500 to 1550, and it works now.

why it broke at 1500

If Proxmox SDN was adding VXLAN (≈50 bytes overhead), your effective payload MTU became ~1450. Large Kerberos messages, especially with pre-authentication and SPNEGO negotiation, often exceed that, so they got fragmented — and many networks drop UDP fragments.

When you set MTU to 1550, you gave enough headroom to carry a full 1500-byte packet after SDN overhead, avoiding fragmentation.
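As an added example (not part of the thread, nor Proxmox or Kerberos project code), a small shell script that confirms this kind of MTU problem from the Linux client side: it sends don't-fragment pings of increasing size toward a DC and binary-searches the largest size that gets through. `ping -M do` is the Linux iputils syntax and is assumed to be the ping in use; the DC host name is a placeholder, and the 50-byte figure is the VXLAN overhead quoted in the reply above.

```shell
#!/bin/sh
# Added example, not from the thread: measure the path MTU towards a domain
# controller with DF-bit pings. Usage: sh pmtu-check.sh dc1.example.test
# (host name is a placeholder; `ping -M do` assumes Linux iputils).

# Largest packet that fits inside an outer MTU once an encapsulation header
# (e.g. the ~50 bytes VXLAN adds) is subtracted.
inner_mtu() {  # inner_mtu outer_mtu overhead
    echo $(( $1 - $2 ))
}

# ICMP payload size that makes ping emit a packet of exactly the given total
# size: 20 bytes IPv4 header + 8 bytes ICMP header.
ping_payload() {  # ping_payload mtu
    echo $(( $1 - 28 ))
}

# Exit 0 if a don't-fragment ping of the given total size reaches the host.
pmtu_fits() {  # pmtu_fits host mtu
    ping -c 1 -W 2 -M do -s "$(ping_payload "$2")" "$1" >/dev/null 2>&1
}

# Binary search for the largest size in [lo, hi] that passes pmtu_fits.
find_pmtu() {  # find_pmtu host lo hi
    fp_host=$1; fp_lo=$2; fp_hi=$3; fp_best=0
    while [ "$fp_lo" -le "$fp_hi" ]; do
        fp_mid=$(( (fp_lo + fp_hi) / 2 ))
        if pmtu_fits "$fp_host" "$fp_mid"; then
            fp_best=$fp_mid; fp_lo=$(( fp_mid + 1 ))
        else
            fp_hi=$(( fp_mid - 1 ))
        fi
    done
    echo "$fp_best"
}

main() {  # main dc-host
    pm=$(find_pmtu "$1" 576 1500)
    echo "largest DF ping that reaches $1: $pm bytes"
    if [ "$pm" -lt 1500 ]; then
        echo "path MTU below 1500: $(( 1500 - pm )) bytes of overhead on the path"
        echo "(VXLAN alone would leave $(inner_mtu 1500 50) bytes)"
    fi
}

if [ $# -gt 0 ]; then main "$@"; fi
```

If the result lands near 1450 on a VXLAN zone, raising the outer MTU as the poster did is the fix. Where the underlay MTU cannot be changed, MIT Kerberos can be told to use TCP for all KDC traffic with `udp_preference_limit = 1` in the `[libdefaults]` section of krb5.conf, which sidesteps dropped UDP fragments entirely.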