SSSD Service Fails to Start After Joining Ubuntu to Active Directory: Missing /etc/krb5.keytab

Documentation of an SSSD service failure on Ubuntu nodes after a successful domain join, including errors like "krb5_kt_start_seq_get failed: Key table file '/etc/krb5.keytab' not found", and the fix, which involves installing PackageKit.

Overview

The System Security Services Daemon (SSSD) is a service that provides access to identity and authentication resources from remote directories, such as Active Directory. It enables Ubuntu systems to integrate with Windows domains for user authentication and authorization. SSSD handles tasks like caching credentials, offline support, and Kerberos ticket management.

This documentation addresses a common issue where the SSSD service fails to start on Ubuntu nodes, such as pxd-gitlab, despite the node successfully joining the domain. The root cause is often a missing package called PackageKit, which is a high-level package management tool that abstracts package installation across different backends (e.g., APT for Debian-based systems). PackageKit is required for certain SSSD dependencies and automatic package handling during domain joins.

Symptoms

Provisioning nodes like pxd-gitlab with Ansible fails on the Restart sssd handler:

RUNNING HANDLER [c2platform.core.linux : Restart sssd] *************************
fatal: [pxd-gitlab]: FAILED! =>
    changed: false
    msg: |-
        Unable to start service sssd: Job for sssd.service failed because the control process exited with error code.
        See "systemctl status sssd.service" and "journalctl -xeu sssd.service" for details.

The node successfully joined the domain, as verified with realm list and realm join C2.ORG:

vagrant@pxd-gitlab:~$ sudo su -
root@pxd-gitlab:~# realm list
c2.org
  type: kerberos
  realm-name: C2.ORG
  domain-name: c2.org
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin
  login-formats: %U
  login-policy: allow-realm-logins
root@pxd-gitlab:~# realm join C2.ORG
realm: Already joined to this domain

or

vagrant@pxd-gitlab:~$ echo "Supersecret!"  | realm join --user=tony C2.ORG
realm: Already joined to this domain

Inspecting the service with systemctl status sssd.service reveals that the keytab file /etc/krb5.keytab is missing:

vagrant@pxd-gitlab:~$ sudo  systemctl status sssd.service
× sssd.service - System Security Services Daemon
     Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; preset: enabled)
     Active: failed (Result: exit-code) since Tue 2026-02-10 10:56:45 UTC; 11s ago
    Process: 13970 ExecStart=/usr/sbin/sssd -i ${DEBUG_LOGGER} (code=exited, status=1/FAILURE)
   Main PID: 13970 (code=exited, status=1/FAILURE)

Feb 10 10:56:45 pxd-gitlab sssd_be[13986]: krb5_kt_start_seq_get failed: Key table file '/etc/krb5.keytab' not found
Feb 10 10:56:45 pxd-gitlab sssd_be[13986]: krb5_kt_start_seq_get failed: Key table file '/etc/krb5.keytab' not found
Feb 10 10:56:45 pxd-gitlab sssd_be[13986]: krb5_kt_start_seq_get failed: Key table file '/etc/krb5.keytab' not found
Feb 10 10:56:45 pxd-gitlab sssd_be[13986]: krb5_kt_start_seq_get failed: Key table file '/etc/krb5.keytab' not found
Feb 10 10:56:45 pxd-gitlab sssd_be[13986]: krb5_kt_start_seq_get failed: Key table file '/etc/krb5.keytab' not found
Feb 10 10:56:45 pxd-gitlab sssd_be[13986]: Failed to read keytab [FILE:/etc/krb5.keytab]: No suitable principal found in keyt>
Feb 10 10:56:45 pxd-gitlab sssd[13970]: Exiting the SSSD. Could not restart critical service [c2.org].
Feb 10 10:56:45 pxd-gitlab systemd[1]: sssd.service: Main process exited, code=exited, status=1/FAILURE
Feb 10 10:56:45 pxd-gitlab systemd[1]: sssd.service: Failed with result 'exit-code'.
Feb 10 10:56:45 pxd-gitlab systemd[1]: Failed to start sssd.service - System Security Services Daemon.

A further clue is that the same configuration works on nodes like pxd-ubuntu-devtop; the key difference is that those nodes have the ubuntu-desktop package installed, which includes PackageKit.

Additionally, logging into the pxd-ad node and checking Active Directory Users and Computers shows no Computer entry for pxd-gitlab. This occurs because the SSSD service is not functioning properly.

Review

The Ansible code responsible for executing the domain join command is:

group_vars/ubuntu/ad.yml

    type: shell
    cmd: |
      systemctl restart systemd-resolved sssd sshd
      echo "{{ px_ad_admin_password }}" \
      | realm join --user={{ px_ad_domain_name_admin }} {{ px_ad_domain_name | upper }}
      touch /etc/domain_joined
    label: >-
      realm join --user={{ px_ad_domain_name_admin }} {{ px_ad_domain_name | upper }}
    creates: /etc/domain_joined
  - name: /etc/sssd/sssd.conf  # TODO C2-839

Fix

The root cause is the missing packagekit package, which is necessary for SSSD to handle certain dependencies during the domain join process. After adding this package to the Ansible configuration for Ubuntu provisioning nodes like pxd-gitlab, the setup works without issues.

group_vars/ubuntu/ad.yml

bootstrap_packages:
  kerberos:
    - name:
        - realmd
        - sssd
        - sssd-ad
        - sssd-krb5
        - krb5-user
        - adcli
        - policykit-1  # GUI? move to ubuntu_devtop?
        - packagekit  # required for SSSD
        - sssd-tools
        - libnss-sss
        - libpam-sss
        - bind9-utils  # for nsupdate
        - samba-common-bin  # for troubleshooting
      type: os