SSSD is used for the client side of IPA and other centralized Identity Management Services. Unfortunately it does not behave as it should. The default is to look up first IPv4 addresses and if that fails IPv6 should be used. Well, if IPv4 fails, the whole request fails and you got weird error messages when joining an IPA domain.
As the pool for IPv4 addresses is depleted, IPv6 is getting more and more important. Thus, IPv6-only hosts are on the rise.
Here is an example error message from the IPA client.
[root@ipv6host ~]# ipa-client-install [output ommited] SSSD enabled Configured /etc/openldap/ldap.conf Unable to find 'admin' user with 'getent passwd admin@example.com'! Unable to reliably detect configuration. Check NSS setup manually. [output ommited]
The host itself gets properly joined to the IPA domain and authentication works with Kerberos but you can not log in because SSSD fails.
Workaround
Configure SSSD to only use IPv6. This is done in /etc/sssd/sssd.conf
[domain/example.com] lookup_family_order = ipv6_only cache_credentials = True krb5_store_password_if_offline = True ipa_domain = example.com id_provider = ipa auth_provider = ipa access_provider = ipa ipa_hostname = ipv6host.example.com chpass_provider = ipa ipa_server = _srv_, ipa1.example.com ldap_tls_cacert = /etc/ipa/ca.crt [sssd] services = nss, sudo, pam, ssh domains = example.com [nss] homedir_substring = /home [pam] [sudo] [autofs] [ssh] [pac] [ifp]
Solution
At the moment there is no solution yet (just the workaround described), but its addressed at the SSSD project team, as you can see in https://pagure.io/SSSD/sssd/issue/2128 and https://bugzilla.redhat.com/show_bug.cgi?id=1021435
Happy IPv6-ing 🙂