Summary. dig information is also correct. By removing the ldap_user_principal = userPrincipalName line, SSSD used the default realm set by the krb5_realm parameter, which was LABS.EXAMPLE.COM, and the problem went away. Common Kerberos Error Messages (A-M) - Oracle Help Center In normal operation, SSSD uses the machine's own account to access the directory, using credentials from /etc/krb5.keytab to acquire tickets for LDAP access . Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! SSSD "KDC has no support for encryption ... - Stack Overflow Unfortunately, CentOS8 does not join the domain, even when i manually give it most of the information required. kpasswd fails when using sssd and kadmin server != kdc server #2065 Lines beginning with a # is what you would see if you did not use debug. How to Integrate RHEL 7 or CentOS 7 with Windows Active Directory 0) Make sure that /etc/hosts and /etc/hostname files contain addresses and names according with your credentials provided by your domain admin. You basically need two components to connect a RHEL system to Active Directory (AD). KerberosAuthentication yes GSSAPIAuthentication yes GSSAPICleanupCredentials yes UsePAM no Step:2 Now Join Windows Domain or Integrate with AD using realm command. Enter passwords Actual results: "kpasswd: Cannot contact any KDC for requested realm changing password" Expected results: kpasswd sends a change password request to the kadmin server. User authorized to enroll computers: admin Password for admin@IPA.TEST: Successfully retrieved CA cert Subject: CN=Certificate Authority,O=IPA.TEST Issuer: CN=Certificate Authority,O=IPA.TEST Valid From: 2017-04-27 11:02:28 Valid Until: 2037-04-27 11:02:28 Enrolled in IPA realm IPA.TEST Created /etc/ipa/default.conf New SSSD config will be . Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] If you look at the attached logs, you can see it is going to the correct dns server. Title Authentication Services "error = Cannot contact any KDC for requested realm" Description The example given is with the debug switch (-d5) enabled, which provides more detailed error information. If you head to OS section of the website you'll notice that openSUSE is absent, while all the others mainstream options Debian, Ubuntu, Fedora and Arch are present, and I know that openSUSE is also noteworthy to be included as privacy . Automatic installation of the packages required to join the system to the domain. SSSD stands for System Security Services Daemon and it's actually a collection of daemons that handle authentication, authorization, and user and group information from a variety of network sources. Additional info: kpasswd is looking . Cannot contact any KDC for realm (sssd) · Issue #5382 - GitHub subdomain_inherit = ldap_user_principal ldap_user_principal = nosuchattr Thanks, -Raj AT Newbie 5 points 10 June 2020 12:40 AM When krb5.conf is configured to authenticate through an HTTPS proxy while no internet connection is available, sssd promptly fails even though cache_credentials is enabled: Aug 11 23:04:43 [redacted] [sssd[krb5_child[1669]]][1669]: Cannot contact any KDC for requested realm Aug 11 23:04:43 [redacted] [sssd[krb5_child[1668]]][1668]: Unknown code .