Hi,
I have a problem I have been unable to solve and I'm at a loss. We use sssd on Debian 11 clients with an Active Directory backend. We have 4 domain controllers running Windows Server 2022 in our environment. If any one of those domain controllers goes offline, we experience intermittent authentication failures on the Linux clients running sssd. It happens on some (but not all) clients, and even on an affected client it can be intermittent (meaning sometimes authentication will work, sometimes it will not).
I have tried using the ad_server directive in sssd.conf to restrict the domain controllers the client will try to contact but it seems to have no effect. I have upped the verbosity level in the logs but I am bombarded with messages that I struggle to interpret. Is there someone here who can take a look and help me troubleshoot? I can provide any additional logs / config info upon request.
Here is some preliminary info:

Client OS: Debian 11
SSSD version: 2.4.1

sssd.conf

    [sssd]
    services = nss, pam
    config_file_version = 2
    domains = AD.FINRCVGRP.COM

    [domain/AD.FINRCVGRP.COM]
    debug_level=6
    ad_server = frgdc2.ad.finrcvgrp.com,frgdc3.ad.finrcvgrp.com
    id_provider = ad
    cache_credentials = true
    access_provider = ad
    #access_provider = simple
    #simple_allow_groups = sasdev, dbdev

    # Use this if users are being logged in at /.
    # This example specifies /home/DOMAIN-FQDN/user as $HOME. Use with pam_mkhomedir.so
    override_homedir = /home/%u
    override_shell = /bin/bash

    # Uncomment if the client machine hostname doesn't match the computer object on the DC.
    # ad_hostname = mymachine.myubuntu.example.com

    # Uncomment if DNS SRV resolution is not working
    # ad_server = dc.mydomain.example.com

    # Uncomment if the AD domain is named differently than the Samba domain
    # ad_domain = MYUBUNTU.EXAMPLE.COM

    # Enumeration is discouraged for performance reasons.
    # enumerate = true