On 09/27/2016 06:47 PM, Richard Collins wrote:
Hi thanks for responding....
> The monitor_quit_signal function should only be called when the SSSD
> monitor process receives SIGINT or SIGTERM. It looks like you already
> have debug_level = 9 in the monitor section of sssd.conf, I would hope
> to see some more useful messages in /var/log/sssd/sssd.log around the
> same timeframe as above.
There's not a lot in /var/log/sssd/sssd.log around the time of the termination, just
the termination notifications. However I'll post the relevant excerpts when I get back
into the office tomorrow.
> If that is not the case, you could try running a systemtap script like
> the one here to determine if there is an unexpected script or process
> sending these signals:
Thanks for that - I was wondering how I would trace the sigkill
> You have 'filter_users = root' in the sssd.conf so these messages about
> 'root' should be expected. When the monitor shutdown is called it will
> terminate child processes which is why the NSS Responder gets shut down
I added the filter_users in the hope that it would ignore the root user requests - not
sure why there are so many requests for root? Adding this setting didn't change the
occurrence of the entries in the log so maybe it doesn't do what I expected.
I believe this is inherent to the glibc initgroups library call which
will use all entries specified in the nsswitch.conf file meaning a root
login would be triggered into 'sss' and not just 'files'.
The 'filter_users = root' option will cut off processing this request
early in the NSS responder and keep it in the negative cache.
> For the most part this sssd.conf looks okay to me except for
> ldap_server = _srv_
> I could not find this option in the man page, it looks to be invalid or
This was in the config as I found it. It was originally configured by a third party and
I've picked up support for it. If this is unsupported then I'll remove it and see
if it has any impact.
A basic template for configuring sssd.conf with the LDAP provider is at
the following link (if the LDAP server is Active Directory then we
recommend using the AD provider).
> simple_allow_groups = sasi,sasadmin,sasmgt ldap_access_order = expire
> ldap_account_expire_policy = ad
> Are these three options each defined on the same line, or is it the
> email formatting that may have appended these to one line?
Email formatting - they are set correctly one per line in the config
I'll remove the ldap_server option and see how it goes
Yes, let us know how it goes.
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
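
The two configuration questions raised in this thread (an option not found in the man page, and several options possibly sharing one line) can be checked mechanically. The following is an added example, not part of the original messages and not SSSD's own validation: the allowlist is a constructed, partial subset of option names, and the sample file with its `[domain/example]` section is constructed. An INI-style parser treats everything after the first `=` as the value, so a fused line would leave access-control options such as `ldap_access_order` unset.

```python
import re

# Constructed, partial allowlist: the options named in this thread plus a few
# common LDAP-provider ones. Extend it from the sssd.conf/sssd-ldap man pages.
KNOWN_OPTIONS = {
    "debug_level", "filter_users", "id_provider", "auth_provider",
    "access_provider", "ldap_uri", "ldap_search_base", "simple_allow_groups",
    "ldap_access_order", "ldap_account_expire_policy",
}

# Heuristic: a second "some_name =" inside a value means two options were
# fused onto one line. Requiring an underscore avoids matching DNs ("ou=x").
FUSED = re.compile(r"(?:^|\s)([a-z]+(?:_[a-z0-9]+)+)\s*=")


def lint_sssd_conf(text):
    """Return (line_number, message) findings for an sssd.conf-style file."""
    findings = []
    for num, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;[":
            continue  # blank line, comment or section header
        if "=" not in line:
            findings.append((num, "not a key = value line"))
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key not in KNOWN_OPTIONS:
            findings.append((num, f"unknown option: {key}"))
        for match in FUSED.finditer(value):
            findings.append((num, f"{match.group(1)} fused into value of {key}"))
    return findings


# Constructed sample modelled on the options quoted in the thread.
SAMPLE = """\
[sssd]
debug_level = 9
[nss]
filter_users = root
[domain/example]
id_provider = ldap
ldap_server = _srv_
simple_allow_groups = sasi,sasadmin,sasmgt ldap_access_order = expire
ldap_account_expire_policy = ad
"""

if __name__ == "__main__":
    for num, message in lint_sssd_conf(SAMPLE):
        print(f"line {num}: {message}")
```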