Unable to ssh using AD credentials

My AD (Debian) is functioning and I am able to ssh with another Debian domain member but I can’t seem to get the settings right for Fedora. The Fedora server is able to join the domain but it doesn’t allow an AD user to log on or ssh. Here are the settings that work on Debian and are currently on my Fedora domain member.

cat /etc/samba/smb.conf

[global]
   workgroup = HOME
   security = ADS
   realm = HOME.TEST-SERVER.LAN

   winbind refresh tickets = Yes
   vfs objects = acl_xattr
   map acl inherit = Yes
   store dos attributes = Yes

   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab

   winbind use default domain = yes

   idmap config * : backend = autorid
   idmap config * : range = 10000-24999999

   template shell = /bin/bash
   template homedir = /home/HOME/%U

   username map = /etc/samba/user.map

cat /etc/krb5.conf

[libdefaults]
	default_realm = HOME.TEST-SERVER.LAN
	dns_lookup_realm = false
	dns_lookup_kdc = false
	renew_lifetime = 7d

[realms]
    HOME.TEST-SERVER.LAN = {
        auth_to_local = RULE:[1:HOME\$1]
	admin_server = DC01.HOME.TEST-SERVER.LAN
	kdc = DC01.HOME.TEST-SERVER.LAN
    }
[domain_realm]
	.home.test-server.lan = HOME.TEST-SERVER.LAN

cat /etc/ssh/sshd_config | egrep -v ‘^#|^$’

Include /etc/ssh/sshd_config.d/*.conf
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem	sftp	/usr/lib/openssh/sftp-server
       # It's best to limit this option to only trusted hosts:
	
   # It's best to limit this option to only trusted hosts:

cat /etc/ssh/ssh_config | egrep -v ‘^#|^$’

Include /etc/ssh/ssh_config.d/*.conf
Host *
   PasswordAuthentication yes
   GSSAPIAuthentication yes
   GSSAPIKeyExchange yes
   GSSAPITrustDNS yes
   SendEnv LANG LC_*
   HashKnownHosts yes
   GSSAPIRenewalForcesRekey yes
   GSSAPITrustDns yes
Host *.home.test-server.lan
   # It's best to limit this option to only trusted hosts:
   GSSAPIDelegateCredentials yes

cat /etc/nsswitch.conf | egrep -v ‘^#|^$’

passwd:     sss files winbind systemd
group:      sss files winbind systemd
netgroup:   sss files
automount:  sss files
services:   sss files
shadow:     files
hosts:      files myhostname mdns4_minimal [NOTFOUND=return] resolve [!UNAVAIL=return] dns
aliases:    files
ethers:     files
gshadow:    files
networks:   files dns
protocols:  files
publickey:  files
rpc:        files

audit.log from Debian domain member

Oct 30 12:30:01 dm01 CRON[2665]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Oct 30 12:30:01 dm01 CRON[2665]: pam_unix(cron:session): session closed for user root
Oct 30 13:09:54 dm01 sshd[2729]: pam_krb5(sshd:auth): (user redhat) krb5_kuserok for user redhat failed
Oct 30 13:09:54 dm01 sshd[2729]: pam_krb5(sshd:auth): failed authorization check; logname=redhat uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.19
Oct 30 13:09:54 dm01 sshd[2729]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.19 user=redhat
Oct 30 13:09:54 dm01 sshd[2729]: pam_winbind(sshd:auth): getting password (0x00000388)
Oct 30 13:09:54 dm01 sshd[2729]: pam_winbind(sshd:auth): pam_get_item returned a password
Oct 30 13:09:59 dm01 sshd[2729]: pam_winbind(sshd:auth): user ‘redhat’ granted access
Oct 30 13:10:02 dm01 sshd[2729]: Accepted password for redhat from 10.0.0.19 port 35748 ssh2
Oct 30 13:10:02 dm01 sshd[2729]: pam_unix(sshd:session): session opened for user redhat(uid=111104) by (uid=0)
Oct 30 13:10:02 dm01 systemd-logind[725]: New session 9 of user redhat.
Oct 30 13:10:02 dm01 systemd: pam_unix(systemd-user:session): session opened for user redhat(uid=111104) by (uid=0)
Oct 30 13:10:02 dm01 gnome-keyring-daemon[2829]: couldn’t access control socket: /run/user/111104/keyring/control: No such file or directory

audit.log from Fedora domain member

type=CRYPTO_KEY_USER msg=audit(1635613921.401:2379): pid=37135 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA… direction=? spid=37135 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success’UID=“root” AUID=“unset” SUID=“root”
type=CRYPTO_SESSION msg=audit(1635613921.404:2380): pid=37134 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-server cipher=chacha20-poly1305@openssh.com ksize=512 mac= pfs=curve25519-sha256 spid=37135 suid=74 rport=35032 laddr=10.0.0.17 lport=22 exe="/usr/sbin/sshd" hostname=? addr=10.0.0.19 terminal=? res=success’UID=“root” AUID=“unset” SUID=“sshd”
type=CRYPTO_SESSION msg=audit(1635613921.406:2381): pid=37134 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-client cipher=chacha20-poly1305@openssh.com ksize=512 mac= pfs=curve25519-sha256 spid=37135 suid=74 rport=35032 laddr=10.0.0.17 lport=22 exe="/usr/sbin/sshd" hostname=? addr=10.0.0.19 terminal=? res=success’UID=“root” AUID=“unset” SUID=“sshd”
type=USER_AUTH msg=audit(1635613930.491:2382): pid=37134 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=? acct=“redhat” exe="/usr/sbin/sshd" hostname=10.0.0.19 addr=10.0.0.19 terminal=ssh res=failed’UID=“root” AUID=“unset”

Verify that domain users/groups are listed, and you can log in as a domain user:

wbinfo --domain-users
wbinfo --domain-groups
getent passwd user_name
getent group group_name
id user_name
su - user_name

Be sure that domain/local user/group namespaces don’t overlap.
Also check with SELinux switched to permissive mode.

[Sat Oct 30 15:16:18] [root@fsdm01/etc/pam.d$] wbinfo --domain-users

redhat
administrator
guest
testuser
krbtgt
tester

[Sat Oct 30 15:16:30] [root@fsdm01/etc/pam.d$] wbinfo --domain-users

redhat
administrator
guest
testuser
krbtgt
tester

[Sat Oct 30 15:16:36] [root@fsdm01/etc/pam.d$] wbinfo --domain-groups

enterprise admins
domain users
group policy creator owners
ras and ias servers
domain controllers
enterprise read-only domain controllers
allowed rodc password replication group
denied rodc password replication group
schema admins
domain guests
dnsupdateproxy
read-only domain controllers
domain computers
dnsadmins
cert publishers
domain admins

[Sat Oct 30 15:16:44] [root@fsdm01/etc/pam.d$] getent passwd tester

tester:*:111106:110513::/home/HOME/tester:/bin/bash
[Sat Oct 30 15:16:54] [root@fsdm01/etc/pam.d$] getent group "domain users"
domain users:x:110513:

[Sat Oct 30 15:17:06] [root@fsdm01/etc/pam.d$] id testuser

uid=111105(testuser) gid=110513(domain users) groups=110513(domain users),111105(testuser),10001(BUILTIN\users)
[Sat Oct 30 15:17:12] [root@fsdm01/etc/pam.d$] su - testuser
su: warning: cannot change directory to /home/HOME/testuser: No such file or directory

[testuser@fsdm01 pam.d]$ exit

logout

[Sat Oct 30 15:17:40] [root@fsdm01/etc/pam.d$] authconfig --enablemkhomedir --update

Running authconfig compatibility tool.
The purpose of this tool is to enable authentication against chosen services with authselect and minimum configuration. It does not provide all capabilities of authconfig.

IMPORTANT: authconfig is replaced by authselect, please update your scripts.
See Fedora 28 Change Page: https://fedoraproject.org/wiki/Changes/AuthselectAsDefault
See man authselect-migration(7) to help you with migration to authselect

Executing: /usr/bin/authselect check
Executing: /usr/bin/authselect select sssd with-mkhomedir --force
Executing: /usr/bin/systemctl enable oddjobd.service
Executing: /usr/bin/systemctl stop oddjobd.service
Executing: /usr/bin/systemctl start oddjobd.service

[Sat Oct 30 15:18:23] [root@fsdm01/etc/pam.d$] su - testuser

su: user testuser does not exist or the user entry does not contain all the required fields

I updaed nsswitch.conf

[Sat Oct 30 20:04:07] [root@fsdm01/etc/pam.d$] cat /etc/nsswitch.conf | egrep -v ‘^$|^#’

passwd:     sss files winbind systemd
group:      sss files winbind systemd
netgroup:   sss files
automount:  sss files
services:   sss files
shadow:     files
hosts:      files myhostname mdns4_minimal [NOTFOUND=return] resolve [!UNAVAIL=return] dns
aliases:    files
ethers:     files
gshadow:    files
networks:   files dns
protocols:  files
publickey:  files
rpc:        files

[Sat Oct 30 20:04:34] [root@fsdm01/etc/pam.d$] su - redhat

Last login: Sat Oct 30 20:01:59 EDT 2021 on pts/1
Last failed login: Sat Oct 30 20:03:12 EDT 2021 from 10.0.0.19 on ssh:notty
There were 2 failed login attempts since the last successful login.

[redhat@fsdm01 ~]$ exit

logout

[Sat Oct 30 20:05:00] [root@fsdm01/etc/pam.d$] ssh redhat@localhost

redhat@localhost's password: 
Permission denied, please try again.
redhat@localhost's password: 

[Sat Oct 30 20:05:14] [root@fsdm01/etc/pam.d$] ssh redhat@fsdm01

The authenticity of host 'fsdm01 (10.0.0.17)' can't be established.
ED25519 key fingerprint is SHA256:P6OdlFJX1UOx7WcHd2LbBYAQG7BXq3dWiLgq8u8+03M.
This host key is known by the following other names/addresses:
    ~/.ssh/known_hosts:1: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'fsdm01' (ED25519) to the list of known hosts.
redhat@fsdm01's password: 
Permission denied, please try again.
redhat@fsdm01's password: 

[Sat Oct 30 20:08:20] [root@fsdm01/etc/pam.d$] getenforce
Permissive