Trouble Setting Up TigerVNC with Active Directory Users via SSSD on Rocky Linux

I am encountering issues while setting up a VNC server on a Rocky Linux 8 system integrated with Active Directory (AD) using SSSD. Here are the setup and problem details:

Setup:

  1. Operating System: Rocky Linux 8
  2. VNC Server: TigerVNC
  3. AD Integration: AD is on a separate machine (Windows domain controller)
  • The system is joined to an AD domain (example.com) using realm join.
  • SSSD is configured as the authentication provider.
  • Users authenticate with their AD credentials.
  4. VNC Configuration:
  • A custom systemd service file (/etc/systemd/system/vncserver@.service) is used to start the VNC server for AD users.
  • The User=%i and Group=vncusers directives are used in the service file.
  • The vncusers group was created locally, and the AD user aduser was added to this group using usermod -aG vncusers aduser.

Problem:

  1. The VNC service fails to start, with errors like: or "Invalid user/group name or numeric ID. Accepting user/group name 'vncusers', which does not match strict user/group name rules."
  2. Commands like id aduser and getent group vncusers confirm that the AD user is part of the vncusers group.
  3. Despite correct SSSD and AD integration, the service does not recognize the group membership properly.

Steps Tried:

  1. Verified that id aduser shows correct group memberships, including vncusers .
  2. Ensured the /home/aduser/.vnc directory and its contents have the correct ownership (aduser:vncusers) and permissions.
  3. Updated the sssd.conf file with configurations like access_provider=ad and restarted the sssd service.
  4. Cleared the SSSD cache with sss_cache -E .
  5. Confirmed the service file configuration is valid and consistent.

Request:

What could be causing this issue with the VNC server and group recognition? Do I need to modify any additional SSSD settings, or is this related to the way the vncusers group is handled locally versus in AD? Any guidance or troubleshooting steps would be greatly appreciated.

Important Notes:

  • The actual domain and user/group names have been replaced with placeholders for privacy.
  • I can provide more logs or details if needed.
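Added example, not part of the post and not code from TigerVNC or systemd: a POSIX shell lint that applies systemd's documented strict user/group name rules (docs/USER_NAMES.md: first character an ASCII letter or underscore, then ASCII letters, digits, underscore or dash, at most 31 characters; a purely numeric value is taken as a UID/GID) to the names a vncserver@.service template resolves to once %i is filled in. The sample unit, the instance name aduser and the fully qualified form aduser@example.com are constructed assumptions, since the post uses placeholders. It shows that a plain name such as vncusers passes, that a name carrying a space, an @ or a domain backslash (common for AD-sourced names) fails the strict rules, and that a numeric GID is always accepted for Group=.

```shell
#!/bin/sh
# Added example, not from the original post: lint the User=/Group=/
# SupplementaryGroups= values of a vncserver@.service template against
# systemd's strict user/group name rules, the rules named by the warning
# "does not match strict user/group name rules".
# Strict rules (systemd docs/USER_NAMES.md): first character an ASCII
# letter or '_', the rest ASCII letters, digits, '_' or '-', at most
# 31 characters. A purely numeric value is taken as a UID/GID instead.

strict_name_ok() {
  n=$1
  [ "${#n}" -ge 1 ] && [ "${#n}" -le 31 ] || return 1
  printf '%s\n' "$n" | grep -Eq '^[A-Za-z_][A-Za-z0-9_-]*$'
}

is_numeric_id() {
  printf '%s\n' "$1" | grep -Eq '^[0-9]+$'
}

# GID of a group as seen through NSS (sss included), usable as Group=<gid>
# when the real group name cannot satisfy the strict rules.
group_gid() {
  getent group "$1" | cut -d: -f3
}

# Reads a unit file on stdin; $1 is the instance name substituted for
# %i/%I (for vncserver@aduser.service that is "aduser"). Prints one
# verdict per name and returns 1 if any name fails the strict rules.
lint_unit_names() {
  inst=${1:-}
  rc=0
  while IFS='=' read -r key val; do
    key=$(printf '%s' "$key" | tr -d '[:space:]')
    case $key in User|Group|SupplementaryGroups) ;; *) continue ;; esac
    for v in $val; do            # SupplementaryGroups= is space-separated
      v=$(printf '%s' "$v" | sed "s|%[iI]|$inst|g")
      if is_numeric_id "$v"; then
        echo "NUMERIC $key=$v"
      elif strict_name_ok "$v"; then
        echo "OK $key=$v"
      else
        echo "STRICT-FAIL $key=$v"; rc=1
      fi
    done
  done
  return $rc
}

# Constructed sample unit mirroring the post's description (User=%i, Group=vncusers).
sample_unit() {
cat <<'EOF'
[Unit]
Description=Remote desktop service (VNC) for %i
After=syslog.target network.target

[Service]
Type=forking
User=%i
Group=vncusers
ExecStart=/usr/bin/vncserver
EOF
}

# Usage:
#   sample_unit | lint_unit_names aduser
#   sample_unit | lint_unit_names 'aduser@example.com'
```

Run the lint with the exact instance name your unit is started with (the part between vncserver@ and .service), and with the real, unplaceholdered group name in Group=. Any STRICT-FAIL line identifies a value systemd will only accept in relaxed mode with that warning; for such a group, Group= can be given the numeric GID that group_gid prints instead of the name.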