Amazon EC2 Linux instance domain join errors
The following can help you troubleshoot some error messages you might encounter when joining an Amazon EC2 Linux instance to your Amazon Managed Microsoft AD directory.
Linux instances unable to join domain or authenticate
Ubuntu 14.04, 16.04, and 18.04 instances must be reverse-resolvable in DNS (their IP address must have a PTR record) before a realm can work with Microsoft Active Directory. Otherwise, you might encounter one of the following two scenarios:
Scenario 1: Ubuntu instances that are not yet joined to a realm
For Ubuntu instances that are attempting to join a realm, the sudo realm join command might fail to obtain the permissions it needs to join the domain and might display the following error:
! Couldn't authenticate to active directory: SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied (Success)
adcli: couldn't connect to EXAMPLE.COM domain: Couldn't authenticate to active directory: SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied (Success)
! Insufficient permissions to join the domain
realm: Couldn't join realm: Insufficient permissions to join the domain
Scenario 2: Ubuntu instances that are joined to a realm
For Ubuntu instances that are already joined to a Microsoft Active Directory domain, attempts to SSH into the instance using domain credentials might fail with the following errors:
$ ssh admin@EXAMPLE.COM@198.51.100
no such identity: /Users/username/.ssh/id_ed25519: No such file or directory
admin@EXAMPLE.COM@198.51.100's password:
Permission denied, please try again.
admin@EXAMPLE.COM@198.51.100's password:
If you log in to the instance with a public key and check /var/log/auth.log, you might see the following errors about being unable to find the user:
May 12 01:02:12 ip-192-0-2-0 sshd[2251]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.0
May 12 01:02:12 ip-192-0-2-0 sshd[2251]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.0 user=admin@EXAMPLE.COM
May 12 01:02:12 ip-192-0-2-0 sshd[2251]: pam_sss(sshd:auth): received for user admin@EXAMPLE.COM: 10 (User not known to the underlying authentication module)
May 12 01:02:14 ip-192-0-2-0 sshd[2251]: Failed password for invalid user admin@EXAMPLE.COM from 203.0.113.0 port 13344 ssh2
May 12 01:02:15 ip-192-0-2-0 sshd[2251]: Connection closed by 203.0.113.0 [preauth]
However, kinit for the user still works, which shows that the credentials and the KDC itself are fine. See this example:
ubuntu@ip-192-0-2-0:~$ kinit admin@EXAMPLE.COM
Password for admin@EXAMPLE.COM:
ubuntu@ip-192-0-2-0:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: admin@EXAMPLE.COM
Workaround
The current recommended workaround for both of these scenarios is to disable reverse DNS lookups in the [libdefaults] section of /etc/krb5.conf, as shown below:
[libdefaults]
    default_realm = EXAMPLE.COM
    rdns = false
Setting rdns = false stops the Kerberos client from reverse-resolving a server's IP address to canonicalize the host name it places in service principal names; it does not change how DNS is used to locate the KDC. After editing the file, retry the realm join or the SSH login.
One-way trust authentication issue with seamless domain join
If you have a one-way outgoing trust established between your Amazon Managed Microsoft AD and your on-premises Active Directory, you might encounter an authentication issue when attempting to authenticate to the domain-joined Linux instance with your trusted Active Directory credentials through Winbind.
Errors
Jul 31 00:00:00 EC2AMAZ-LSMWqT sshd[23832]: Failed password for user@corp.example.com from xxx.xxx.xxx.xxx port 18309 ssh2
Jul 31 00:05:00 EC2AMAZ-LSMWqT sshd[23832]: pam_winbind(sshd:auth): getting password (0x00000390)
Jul 31 00:05:00 EC2AMAZ-LSMWqT sshd[23832]: pam_winbind(sshd:auth): pam_get_item returned a password
Jul 31 00:05:00 EC2AMAZ-LSMWqT sshd[23832]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR (4), NTSTATUS: NT_STATUS_OBJECT_NAME_NOT_FOUND, Error message was: The object name is not found.
Jul 31 00:05:00 EC2AMAZ-LSMWqT sshd[23832]: pam_winbind(sshd:auth): internal module error (retval = PAM_SYSTEM_ERR(4), user = 'CORP\user')
Workaround
To resolve this issue, comment out or remove the krb5_auth directive from the PAM module configuration file (/etc/security/pam_winbind.conf) using the following steps. With krb5_auth disabled, pam_winbind no longer tries to obtain a Kerberos ticket for the user itself and instead validates the credentials through the domain controller, which can follow the one-way trust.
-
Open the /etc/security/pam_winbind.conf file in a text editor:
sudo vim /etc/security/pam_winbind.conf
-
Comment out or remove the krb5_auth = yes directive:
[global]
cached_login = yes
krb5_ccache_type = FILE
#krb5_auth = yes
-
Stop the Winbind service, flush its cache, and then start it again:
service winbind stop (or systemctl stop winbind)
net cache flush
service winbind start (or systemctl start winbind)
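As an added example (not part of the AWS documentation), the following POSIX shell helper performs the three steps above unattended: it detects whether an active krb5_auth = yes line is still present, comments it out while keeping a .bak copy, and restarts Winbind in the required stop, net cache flush, start order, choosing systemctl or the SysV service command depending on what the instance has. The function names and the sed-based edit are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the AWS page: apply the pam_winbind krb5_auth
# workaround for a one-way trust and restart winbind.

# Return 0 if FILE still has an active (uncommented) "krb5_auth = yes" line.
# pam_winbind.conf only has a [global] section, so no section tracking is needed.
winbind_krb5_auth_enabled() {
    grep -Eq '^[[:space:]]*krb5_auth[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$1"
}

# Comment out every active "krb5_auth = yes" line in FILE, keeping a .bak copy.
# sed writes to a temporary file so this works with both GNU and BSD sed.
disable_winbind_krb5_auth() {
    file="$1"
    cp -p "$file" "$file.bak"
    sed 's/^[[:space:]]*krb5_auth[[:space:]]*=[[:space:]]*yes[[:space:]]*$/#&/' "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
}

# Restart winbind exactly as the workaround requires: stop, flush, start.
restart_winbind() {
    if command -v systemctl >/dev/null 2>&1; then
        systemctl stop winbind && net cache flush && systemctl start winbind
    else
        service winbind stop && net cache flush && service winbind start
    fi
}

# Run the whole workaround against FILE (default: the real config).
# The restart only happens when the file was actually changed.
apply_winbind_workaround() {
    file="${1:-/etc/security/pam_winbind.conf}"
    if winbind_krb5_auth_enabled "$file"; then
        disable_winbind_krb5_auth "$file"
        restart_winbind
    else
        echo "krb5_auth already disabled in $file; nothing to do" >&2
    fi
}
```

Run apply_winbind_workaround as root. To confirm the fix without opening an SSH session, wbinfo -a 'CORP\user%password' exercises the same Winbind logon path the PAM module uses and should now succeed for the trusted-domain user.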