Can't log into Rocky 8.7 with domain credentials

I can't log into my Rocky Linux 8.7 build with my Samba 4 domain user credentials.
If I ssh as root and then su as my user then it's fine. I can see my automounts from the domain fine.
The system joins the domain correctly with adcli join.

The sssd service is running, but I see update failed: NOTAUTH

The sssd.conf file is:
domains =
config_file_version = 2
services = nss, pam, autofs
default_domain_suffix =

ad_domain =
realmd_tags = manages-system joined-with-samba
#cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
full_name_format = %1$s

This sssd config works fine on CentOS 7.9. What could have changed?

You may want to try using realm join instead of adcli. It could easily fill in the pieces that you are missing. realm will make the changes you need, while adcli does not (for example, changes to PAM, nsswitch, and a starting sssd.conf).

If you find that it is still not working after, you need to put sssd into debug mode and investigate further. See here.

That just says
realm: Already joined to this domain

Please check
Basic Prechecks Steps: RHEL Join With Active Directory using 'adcli', 'realm' and 'net' commands - Red Hat Customer Portal
to get help for common issues.

I disjoined the domain and re-joined using realm, and this time my terminal cursor started displaying my login with the workstation's fully qualified name rather than the short name.

I'm rebooting to see, after the realm join, whether it will work after reboot.

I ran this command:
authselect select -f sssd
In /etc/pam.d/system-auth it adds one line:

session [success=1 default=ignore] service in crond quiet use_uid

I can now log in with my domain users.

I can log in fine with my domain user account, but in the service status for sssd I still see

update failed: NOTAUTH
update failed: NOTAUTH
update failed: NOTAUTH
update failed: NOTAUTH

I did notice that when a user is logged in for some time it shows GSSAPI client step 1 three times under update failed: NOTAUTH.

adcli[14056]: GSSAPI client step 1

Why don't you do realm join with a stock sssd config and then change it once you are able to log in?
Also, you may need to log in using or something similar.

That is too much work. I need it all automated so that when a user sits in front of a system they don't need to faff around with changing usernames from fully qualified to short form. I want to be able to just kickstart it and at the end the user sits in front of the system and logs in.
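The posted sssd.conf sets use_fully_qualified_names = True and leaves default_domain_suffix blank, which is the combination under which sssd expects user@domain at the login prompt; the following added example (not from the thread, sssd or realmd) is a small POSIX shell checker that reads those settings out of an sssd.conf and reports whether bare usernames will resolve. The sample config, its section headers and the example.internal domain are constructed assumptions, since the post had those values blank.

```shell
#!/bin/sh
# Constructed sample modelled on the sssd.conf posted in the thread. The section
# headers and the domain name are assumptions (the post had them blank or stripped).
SAMPLE_CONF='[sssd]
domains = example.internal
config_file_version = 2
services = nss, pam, autofs
default_domain_suffix =

[domain/example.internal]
ad_domain = example.internal
#cache_credentials = True
id_provider = ad
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
'

# sssd_get FILE SECTION KEY: print the value of KEY in [SECTION], empty if unset.
# Comment lines are skipped, so a commented-out key (cache_credentials) counts as unset.
sssd_get() {
    awk -v sect="$2" -v key="$3" '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*\[/ { insect = ($0 == "[" sect "]"); next }
        insect && $0 ~ ("^" key "[[:space:]]*=") {
            sub(/^[^=]*=[[:space:]]*/, ""); print; exit }
    ' "$1"
}

# login_form FILE: "qualified" when sssd expects user@domain at the login prompt
# (use_fully_qualified_names = True and no default_domain_suffix), else "short".
login_form() {
    dom=$(sssd_get "$1" sssd domains | sed 's/[[:space:]]*,.*//')   # first listed domain
    fq=$(sssd_get "$1" "domain/$dom" use_fully_qualified_names | tr '[:upper:]' '[:lower:]')
    suffix=$(sssd_get "$1" sssd default_domain_suffix)
    if [ "$fq" = "true" ] && [ -z "$suffix" ]; then echo qualified; else echo short; fi
}

# sample_conf_path: write the constructed sample to a temp file and print its path.
sample_conf_path() {
    f=$(mktemp); printf '%s' "$SAMPLE_CONF" > "$f"; echo "$f"
}

conf=$(sample_conf_path)
echo "login form this config expects: $(login_form "$conf")"   # qualified
rm -f "$conf"
```

On a real host run `login_form /etc/sssd/sssd.conf` as root (the file is mode 0600); setting default_domain_suffix in [sssd] is what lets the short form resolve while keeping use_fully_qualified_names.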