On Wed, Feb 19, 2020 at 11:19:07PM -0500, Mark London wrote:
> Hi all - Recently, about once a week, SSSD will stop working on our mail
> server (version 1.16.4, Red Hat 7) and will stop properly authenticating.
> I set the debug logging to 6, and here are the lines in our domain log
> (domain=PSFC), after which nothing else in that log appears, until SSSD is
> restarted:
>
> (Wed Feb 19 14:03:57 2020) [sssd[be[PSFC]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
> (Wed Feb 19 14:03:57 2020) [sssd[be[PSFC]]] [be_resolve_server_process] (0x0200): Found address for server psfcdc2.psfc.mit.edu: [198.125.180.133] TTL 708
> (Wed Feb 19 14:03:57 2020) [sssd[be[PSFC]]] [sdap_uri_callback] (0x0400): Constructed uri 'ldaps://psfcdc2.psfc.mit.edu'
> (Wed Feb 19 14:03:57 2020) [sssd[be[PSFC]]] [sssd_async_socket_init_send] (0x0400): Setting 6 seconds timeout for connecting
>
> Normally, the following lines should follow:
>
> (Wed Feb 19 14:02:54 2020) [sssd[be[PSFC]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][].
> (Wed Feb 19 14:02:54 2020) [sssd[be[PSFC]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Wed Feb 19 14:02:54 2020) [sssd[be[PSFC]]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [6]
> (Wed Feb 19 14:02:54 2020) [sssd[be[PSFC]]] [sdap_get_server_opts_from_rootdse] (0x0100): Will look for schema at [CN=Schema,CN=Configuration,DC=psfc,DC=mit,DC=edu]
>
> Any idea why it stopped at that point? Would it help to increase the debug
> level? (As an aside, sssd_nss.log and sssd_pam.log do continue to output

Hi,

this sounds like https://pagure.io/SSSD/sssd/issue/2878. The fix is
currently not included in RHEL-7, feel free to open a ticket at
bugzilla.redhat.com to get it added.

HTH

bye,
Sumit

> lines, so SSSD hasn't crashed). Here is my SSSD.CONF file.
> Thanks! - Mark
>
> [sssd]
> config_file_version = 2
> reconnection_retries = 3
> sbus_timeout = 30
> services = nss, pam
> domains = PSFC
>
> [nss]
> filter_groups = root
> filter_users = root
> reconnection_retries = 3
> debug_level = 6
>
> [pam]
> reconnection_retries = 3
> debug_level = 6
>
> [domain/PSFC]
> description = LDAP domain with AD server
> enumerate = false
> min_id = 501
> cache_credentials = true
> debug_level = 6
> ldap_purge_cache_timeout = 0
> ldap_enumeration_refresh_timeout = 300
> ldap_referrals = false
> id_provider = ldap
> chpass_provider = none
> auth_provider = ldap
> ldap_tls_reqcert = allow
> ldap_uri = ldaps://psfcdc1.psfc.mit.edu,ldaps://psfcdc2.psfc.mit.edu,ldaps://psfcdc3...
> ldap_schema = rfc2307bis
> ldap_search_base = dc=psfc,dc=mit,dc=edu
> ldap_user_search_base = dc=psfc,dc=mit,dc=edu
> ldap_group_search_base = dc=psfc,dc=mit,dc=edu
> ldap_default_bind_dn = CN=ADldapreadonly,OU=Computer Group,OU=PSFC Users,DC=psfc,DC=mit,DC=edu
> ldap_default_authtok_type = password
> ldap_default_authtok = ldapread
> ldap_user_object_class = person
> ldap_user_name = sAMAccountName
> ldap_user_uid_number = msSFU30UidNumber
> ldap_user_gid_number = msSFU30GidNumber
> ldap_user_home_directory = msSFU30HomeDirectory
> ldap_user_shell = msSFU30LoginShell
> ldap_user_principal = userPrincipalName
> ldap_group_object_class = group
> ldap_group_member = msSFU30PosixMember
> ldap_user_member_of = msSFU30PosixMemberOf
> ldap_group_name = name
> ldap_group_gid_number = msSFU30GidNumber
> ldap_force_upper_case_realm = True
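
A monitoring check for the symptom reported in this thread, added here as an example; it is not part of either message and not SSSD code. It flags a domain log whose last backend entry is the "Setting N seconds timeout for connecting" line with nothing after it. The function names, the `grace` parameter and the healthy sample's connect entry are assumptions, and the timestamp layout is the one shown in the quoted excerpts.

```python
import re
from datetime import datetime, timedelta

# Entry layout as in the post: (timestamp) [sssd[be[DOMAIN]]] [function] (level): message
ENTRY = re.compile(r"^\((?P<ts>[^)]+)\) \[sssd\[be\[[^\]]+\]\]\] "
                   r"\[(?P<func>\w+)\] \(0x[0-9a-fA-F]+\): (?P<msg>.*)$")
CONNECT = re.compile(r"Setting (\d+) seconds timeout for connecting")

def parse(line):
    """Return (timestamp, function, message) for a backend log line, else None."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"), m["func"], m["msg"]

def stalled_connect(lines, now, grace=30):
    """Return (timestamp, timeout) if the log ends on a connect attempt that
    was not followed by another entry within timeout + grace seconds."""
    last = None
    for line in lines:
        last = parse(line) or last  # unparseable lines are skipped
    if last is None:
        return None
    ts, func, msg = last
    m = CONNECT.search(msg)
    if func != "sssd_async_socket_init_send" or not m:
        return None
    timeout = int(m.group(1))
    if now - ts <= timedelta(seconds=timeout + grace):
        return None  # the connect may still be in progress
    return ts, timeout

P = "[sssd[be[PSFC]]]"
# The four entries quoted in the post, unwrapped to one entry per line.
STALLED = [
    f"(Wed Feb 19 14:03:57 2020) {P} [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'",
    f"(Wed Feb 19 14:03:57 2020) {P} [be_resolve_server_process] (0x0200): Found address for server psfcdc2.psfc.mit.edu: [198.125.180.133] TTL 708",
    f"(Wed Feb 19 14:03:57 2020) {P} [sdap_uri_callback] (0x0400): Constructed uri 'ldaps://psfcdc2.psfc.mit.edu'",
    f"(Wed Feb 19 14:03:57 2020) {P} [sssd_async_socket_init_send] (0x0400): Setting 6 seconds timeout for connecting",
]
# Constructed healthy case: a connect entry followed by the search the post says normally comes next.
HEALTHY = [
    f"(Wed Feb 19 14:02:54 2020) {P} [sssd_async_socket_init_send] (0x0400): Setting 6 seconds timeout for connecting",
    f"(Wed Feb 19 14:02:54 2020) {P} [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][].",
]

if __name__ == "__main__":
    print(stalled_connect(STALLED, now=datetime(2020, 2, 19, 14, 10, 0)))
    print(stalled_connect(HEALTHY, now=datetime(2020, 2, 19, 14, 10, 0)))
```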