Hi all,
I’ve been struggling with an issue for a while now: running realm discover without explicitly specifying a REALM returns nothing, but this should work, right?
I need to call realm discover within a script for domain join, and it should automatically find the UCS environment on its own.
The discover should find the domain using the following DNS entries:
root ✗ lt001:/home/s.gehr dig _ldap._tcp.lan.example.com SRV
_ldap._tcp.lan.example.com. 900 IN SRV 0 100 389 srv01.lan.example.com.
srv01.lan.example.com. 900 IN A 192.168.83.5
root ✗ lt001:/home/s.gehr dig _kerberos._udp.lan.example.com SRV
_kerberos._udp.lan.example.com. 900 IN SRV 0 100 88 srv01.lan.example.com.
srv01.lan.example.com. 900 IN A 192.168.83.5
root ✗ lt001:/home/s.gehr dig _kerberos._tcp.lan.example.com SRV
_kerberos._tcp.lan.example.com. 900 IN SRV 0 100 88 srv01.lan.example.com.
srv01.lan.example.com. 900 IN A 192.168.83.5
So all information to find it is available. All necessary packages are installed:
root ✗ lt001:/home/s.gehr dpkg -l | egrep 'realmd|sssd|krb5-user'
ii krb5-user 1.22.1-2
ii realmd 0.17.1-3+b2
ii sssd 2.11.1-2
ii sssd-ad 2.11.1-2
ii sssd-ad-common 2.11.1-2
ii sssd-common 2.11.1-2
ii sssd-dbus 2.11.1-2
ii sssd-ipa 2.11.1-2
ii sssd-krb5 2.11.1-2
ii sssd-krb5-common 2.11.1-2
ii sssd-ldap 2.11.1-2
ii sssd-proxy 2.11.1-2
ii sssd-tools 2.11.1-2
The resolver also returns correct data:
root ✗ lt001:/home/s.gehr resolvectl status
Global
Protocols: +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub
Link 3 (wlan0)
Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.83.5
DNS Servers: 192.168.83.5
DNS Domain: lan.example.com
Default Route: yes
If I explicitly specify the AD/Kerberos domain, everything is shown correctly:
root ✗ lt001:/home/s.gehr realm discover LAN.EXAMPLE.COM
lan.example.com
type: kerberos
realm-name: LAN.EXAMPLE.COM
domain-name: lan.example.com
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
login-formats: %U
login-policy: allow-realm-logins
What am I missing here?
with best
sven
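A pre-flight check that a domain-join script could run before passing an explicit realm to `realm discover`, written as an added example that is not part of the original post. The function names are hypothetical, and the sample answers are constructed from the dig output quoted above.

```shell
#!/bin/sh
# Added example (not from the post): verify that the SRV records a Kerberos/AD
# client needs are present, then derive the realm name to pass explicitly.

# Constructed sample: answer lines in dig's format, copied from the post's output.
SAMPLE_ANSWERS='_ldap._tcp.lan.example.com. 900 IN SRV 0 100 389 srv01.lan.example.com.
_kerberos._udp.lan.example.com. 900 IN SRV 0 100 88 srv01.lan.example.com.
_kerberos._tcp.lan.example.com. 900 IN SRV 0 100 88 srv01.lan.example.com.
srv01.lan.example.com. 900 IN A 192.168.83.5'

# srv_target ANSWERS OWNER PORT: print the target host of the first SRV record
# for OWNER on PORT; return 1 if no such record exists.
srv_target() {
    printf '%s\n' "$1" | awk -v owner="$2." -v port="$3" '
        tolower($1) == tolower(owner) && $4 == "SRV" && $7 == port {
            sub(/\.$/, "", $8); print tolower($8); found = 1; exit
        }
        END { exit !found }'
}

# has_address ANSWERS HOST: succeed if HOST has an A or AAAA record in ANSWERS.
has_address() {
    printf '%s\n' "$1" | awk -v host="$2." '
        tolower($1) == tolower(host) && ($4 == "A" || $4 == "AAAA") { found = 1 }
        END { exit !found }'
}

# realm_for_domain ANSWERS DOMAIN: print the upper-case realm only when all
# three SRV records exist and each target resolves to an address.
realm_for_domain() {
    answers=$1
    domain=$2
    for spec in _ldap._tcp:389 _kerberos._udp:88 _kerberos._tcp:88; do
        owner="${spec%%:*}.$domain"
        host=$(srv_target "$answers" "$owner" "${spec##*:}") || {
            echo "missing SRV record: $owner" >&2; return 1; }
        has_address "$answers" "$host" || {
            echo "no address record for $host" >&2; return 1; }
    done
    printf '%s\n' "$domain" | tr '[:lower:]' '[:upper:]'
}

# Live use (assumption: dig is installed and the domain is known to the script):
#   domain=lan.example.com
#   answers=$(for n in _ldap._tcp _kerberos._udp _kerberos._tcp; do
#       dig +noall +answer +additional "$n.$domain" SRV; done)
#   realm discover "$(realm_for_domain "$answers" "$domain")"
```

If a record is missing, the function names it on stderr and returns non-zero, so the script can stop before attempting the join.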