On 3 April 2018 at 20:15, Jakub Hrozek <jhrozek@redhat.com> wrote:


> On 3 Apr 2018, at 02:24, Lachlan Musicman <datakid@gmail.com> wrote:
>
> On 3 April 2018 at 08:23, Lachlan Musicman <datakid@gmail.com> wrote:
> On 29 March 2018 at 20:23, Valentin Fischer <valentin@servergeek.at> wrote:
> Permission issue.
>
> Reinstall sssd-common
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org/message/IMP4NFXOW6RPKB2GIU4WXKLY54CTJG6A/
>
>
> fails with the same errors as reported initially. So running manually in interactive mode works, but starting via systemctl doesn’t

> One difference I can think of between running the daemon in the foreground versus running as a service is SELinux context. Did you check if maybe there are some AVC denials if you run sssd as a service?


I'll check the denials - I'm not fully up to speed on AVC denials and SELinux, but some googling suggested this command:

# ausearch -m avc -c sssd
<no matches>


Here's the sssd config

[domain/unixdev.mycompany.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = unixdev.mycompany.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = vmts-linuxclient1.unixdev.mycompany.com
chpass_provider = ipa
ipa_server = _srv_, vmdv-linuxidm1.unixdev.mycompany.com
ldap_tls_cacert = /etc/ipa/ca.crt
selinux_provider = none
krb5_auth_timeout = 15
debug_level = 7

[domain/unixdev.mycompany.com/mycompany.com]
use_fully_qualified_names = False

[sssd]
config_file_version = 2
services = nss, sudo, pam, ssh
domains = unixdev.mycompany.com
debug_level = 7
domain_resolution_order = unix.mycompany.com,mycompany.com
full_name_format = %1$s

[nss]
homedir_substring = /home
memcache_timeout = 800
debug_level = 7
enum_cache_timeout = 240
entry_cache_nowait_percentage = 75

[pam]
pam_id_timeout = 15
debug_level = 7

[ssh]
debug_level = 7
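
An added example, not part of the original message or of SSSD itself: a filter over audit records that reports AVC denials for any process whose comm begins with sssd, since the SSSD monitor starts workers named sssd_be, sssd_nss, sssd_pam and so on, which an exact match on the name sssd does not cover. The log lines, contexts and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: list SELinux AVC denials for every SSSD process,
# not only the one whose comm is exactly "sssd".

# Constructed sample audit records (not taken from the thread).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1522750001.101:210): avc:  denied  { read } for  pid=1401 comm="sssd_be" name="ca.crt" dev="dm-0" ino=1001 scontext=system_u:system_r:sssd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=SYSCALL msg=audit(1522750001.101:210): arch=c000003e syscall=2 success=no exit=-13 comm="sssd_be" exe="/usr/libexec/sssd/sssd_be"
type=AVC msg=audit(1522750002.202:211): avc:  denied  { write add_name } for  pid=1402 comm="sssd_nss" name="mc" dev="dm-0" ino=1002 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1522750003.303:212): avc:  denied  { getattr } for  pid=1500 comm="httpd" path="/srv/www" dev="dm-0" ino=1003 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1522750004.404:213): avc:  granted  { read } for  pid=1401 comm="sssd_be" name="krb5.conf" dev="dm-0" ino=1004 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file
EOF
}

# Reads audit records on stdin and prints "comm perms tclass tcontext"
# for each denial whose comm begins with "sssd".
sssd_avc_denials() {
  awk '
    $1 == "type=AVC" && / denied / {
      comm = ""; tcon = ""; tclass = ""; perm = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^comm=/)     { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
        if ($i ~ /^tcontext=/) { tcon = substr($i, 10) }
        if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
        if ($i == "{") {
          # Collect every permission between the braces, comma-separated.
          for (j = i + 1; j <= NF && $j != "}"; j++)
            perm = perm (perm == "" ? "" : ",") $j
        }
      }
      if (comm ~ /^sssd/) print comm, perm, tclass, tcon
    }'
}

sample_audit_log | sssd_avc_denials
```

On a live host the same function can read the raw audit log on stdin, for example `sssd_avc_denials < /var/log/audit/audit.log` run as root.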