On (12/06/15 00:03), Jonathan Hunter wrote:
Hi,
I have what I believe is a minimal sssd.conf (running on CentOS 6.6) that has previously worked fine without the line "ldap_id_mapping = False".

I recently had to add rfc2307 attributes to AD (long story), and therefore added the line "ldap_id_mapping = False" to my sssd.conf... at which point sssd will now no longer start (it's fine if I remove this line, but of course returns the wrong information).
Relevant log messages (obtained using 'sssd -i -d 0x03f0') might be these ones:
(Thu Jun 11 23:55:11 2015) [sssd[be[mydomain.my.tld]]] [sdap_idmap_init] (0x0100): Initializing [1] domains for ID-mapping
(Thu Jun 11 23:55:11 2015) [sssd[be[mydomain.my.tld]]] [sdap_idmap_add_domain] (0x0020): Could not add domain [mydomain.my.tld] to the map: [11]
(Thu Jun 11 23:55:11 2015) [sssd[be[mydomain.my.tld]]] [sdap_idmap_init] (0x0020): Could not add domain [mydomain.my.tld][S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz][7091] to ID map: [Input/output error]
(Thu Jun 11 23:55:11 2015) [sssd[be[mydomain.my.tld]]] [load_backend_module] (0x0010): Error (5) in module (ad) initialization (sssm_ad_id_init)!
(Thu Jun 11 23:55:11 2015) [sssd[be[mydomain.my.tld]]] [be_process_init] (0x0010): fatal error initializing data providers
(Thu Jun 11 23:55:11 2015) [sssd[be[mydomain.my.tld]]] [main] (0x0010): Could not initialize backend [5]
(Thu Jun 11 23:55:11 2015) [sssd] [mt_svc_exit_handler] (0x0040): Child [mydomain.my.tld] exited with code [3]
(Thu Jun 11 23:55:11 2015) [sssd] [mt_svc_exit_handler] (0x0010): Process [mydomain.my.tld], definitely stopped!
My sssd.conf is:
[sssd]
config_file_version = 2
domains = mydomain.my.tld
services = nss, pam
[domain/mydomain.my.tld]
id_provider = ad
auth_provider = ad
access_provider = ad
ldap_id_mapping = False
What are the best troubleshooting steps I can take next?
man sssd-ldap -> ID MAPPING -> 3rd paragraph says:
Please note that changing the ID mapping related configuration options will cause user and group IDs to change. At the moment, SSSD does not support changing IDs, so the SSSD database must be removed. Because cached passwords are also stored in the database, removing the database should only be performed while the authentication servers are reachable, otherwise users might get locked out. In order to cache the password, an authentication must be performed. It is not sufficient to use sss_cache(8) to remove the database, rather the process consists of:

· Making sure the remote servers are reachable
· Stopping the SSSD service
· Removing the database
· Starting the SSSD service
LS
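As an added example (not code from the thread or from the SSSD project), the four steps quoted above from sssd-ldap(5) as a script that refuses to wipe the cache unless the AD server answers on LDAP, so cached passwords are not lost while nothing can re-cache them. It assumes CentOS 6 init scripts ("service sssd"), the cache under /var/lib/sss/db, that the AD domain name resolves to a domain controller, and defaults to a dry run (DRY_RUN=0 to really execute).

```shell
#!/bin/bash
# Reset the SSSD cache after changing ldap_id_mapping, per sssd-ldap(5).
# Assumptions (not stated in the thread): CentOS 6 "service" scripts, cache
# files are the *.ldb under /var/lib/sss/db, AD LDAP listens on TCP 389.
DRY_RUN=${DRY_RUN:-1}
SSSD_CONF=${SSSD_CONF:-/etc/sssd/sssd.conf}
SSS_DB_DIR=${SSS_DB_DIR:-/var/lib/sss/db}

# Print the first domain named in "domains =" of the given sssd.conf.
sssd_domain() {
    sed -n 's/^[[:space:]]*domains[[:space:]]*=[[:space:]]*\([^,[:space:]]*\).*/\1/p' "$1" | head -n1
}

# Step 1: is a remote server reachable? Uses bash's /dev/tcp so no nc is
# needed; the AD domain name is assumed to resolve to a domain controller.
ldap_reachable() {
    timeout 5 bash -c "exec 3<>/dev/tcp/$1/389" 2>/dev/null
}

# Echo the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "would run: $*"; else "$@"; fi
}

# Steps 1-4 in order; aborts before touching the database if the server is
# down, because the removed cached passwords could not be re-cached.
reset_sssd_cache() {
    local domain
    domain=$(sssd_domain "$SSSD_CONF")
    [ -n "$domain" ] || { echo "no 'domains =' in $SSSD_CONF" >&2; return 2; }
    if ! ldap_reachable "$domain"; then
        echo "AD server for $domain not reachable on 389; not removing cache" >&2
        return 1
    fi
    run service sssd stop
    run rm -f "$SSS_DB_DIR"/*.ldb
    run service sssd start
}
```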