I am encountering issues while setting up a VNC server on a Rocky Linux 8 system integrated with Active Directory (AD) using SSSD. Here’s the setup and problem details:
Setup:
- Operating System: Rocky Linux 8
- VNC Server: TigerVNC
- AD Integration: AD is on a separate machine (Windows domain controller)
- The system is joined to an AD domain (`example.com`) using `realm join`.
- SSSD is configured as the authentication provider.
- Users authenticate with their AD credentials.
- VNC Configuration:
  - A custom systemd service file (`/etc/systemd/system/vncserver@.service`) is used to start the VNC server for AD users.
  - The `User=%i` and `Group=vncusers` directives are used in the service file.
  - The `vncusers` group was created locally, and the AD user `aduser` was added to this group using `usermod -aG vncusers aduser`.
Problem:
- The VNC service fails to start, with errors like: `Invalid user/group name or numeric ID. Accepting user/group name ‘vncusers’, which does not match strict user/group name rules.`
- Commands like `id aduser` and `getent group vncusers` confirm that the AD user is part of the `vncusers` group.
- Despite correct SSSD and AD integration, the service does not recognize the group membership properly.
Steps Tried:
- Verified that `id aduser` shows correct group memberships, including `vncusers`.
- Ensured the `/home/aduser/.vnc` directory and its contents have the correct ownership (`aduser:vncusers`) and permissions.
- Updated the `sssd.conf` file with configurations like `access_provider=ad` and restarted the `sssd` service.
- Cleared the SSSD cache with `sss_cache -E`.
- Confirmed the service file configuration is valid and consistent.
Request:
What could be causing this issue with the VNC server and group recognition? Do I need to modify any additional SSSD settings, or is this related to the way the `vncusers` group is handled locally versus in AD? Any guidance or troubleshooting steps would be greatly appreciated.
Important Notes:
- The actual domain and user/group names have been replaced with placeholders for privacy.
- I can provide more logs or details if needed.
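An added diagnostic script, not part of the original post, that checks the two things the quoted systemd messages hinge on: whether a name satisfies systemd's strict user/group name rules, and whether a user resolves through NSS (the same lookup path systemd uses, backed here by SSSD) as a member of a group. The strict-name check is my reading of systemd's "User/Group Name Syntax" documentation (first character an ASCII letter or underscore, then letters, digits, underscore or hyphen, at most 31 characters) and exact rules differ between systemd versions; `aduser`, `vncusers` and `example.com` are placeholders.

```shell
#!/bin/sh
# Added diagnostic helper (not from the original post); names are placeholders.

# Does NAME satisfy systemd's strict user/group name rules?
# Assumption: first char ASCII letter or underscore, then ASCII letters,
# digits, underscore or hyphen, 1-31 chars total. Returns 0 if it does.
systemd_strict_name() {
  printf '%s\n' "$1" | grep -Eq '^[A-Za-z_][A-Za-z0-9_-]{0,30}$'
}

# Is USER a member of GROUP as seen through NSS (getent), i.e. the resolver
# path systemd itself uses? Checks the primary GID and the supplementary
# member list. Returns 0 if member, 1 if not, 2 if either name is unknown.
user_in_group() {
  user=$1; group=$2
  pw=$(getent passwd "$user") || return 2
  gr=$(getent group "$group") || return 2
  user_gid=$(printf '%s\n' "$pw" | cut -d: -f4)
  group_gid=$(printf '%s\n' "$gr" | cut -d: -f3)
  [ "$user_gid" = "$group_gid" ] && return 0
  printf '%s\n' "$gr" | cut -d: -f4 | tr ',' '\n' | grep -qx "$user"
}

# Report what a unit's User=/Group= pair would look like to systemd.
check_vnc_identity() {
  for name in "$1" "$2"; do
    if systemd_strict_name "$name"; then
      echo "ok:   '$name' satisfies strict systemd naming rules"
    else
      echo "warn: '$name' fails strict naming rules" \
           "(domain-qualified or backslash-separated names do not pass)"
    fi
  done
  user_in_group "$1" "$2" && rc=0 || rc=$?
  case $rc in
    0) echo "ok:   $1 resolves as a member of $2 via NSS" ;;
    1) echo "fail: $1 resolves but is not in $2 (re-check usermod -aG, sss_cache -E)" ;;
    2) echo "fail: $1 or $2 does not resolve via getent (NSS/SSSD lookup problem)" ;;
  esac
}

# Usage: sh check_vnc_identity.sh aduser vncusers
if [ $# -eq 2 ]; then
  check_vnc_identity "$1" "$2"
fi
```

Run it as the same NSS configuration systemd sees (locally on the host, not over a cached session), since a name that resolves for `id` but fails the strict rules explains the warning without any membership problem.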