On Wed, Feb 19, 2020 at 11:19:07PM -0500, Mark London wrote:
Hi all - Recently, about once a week, SSSD will stop working on our mail server (version 1.16.4, Redhat 7) and will stop properly authenticating. I set the debug logging to 6, and here are the lines in our domain log (domain=PSFC), after which nothing else in that log appears, until SSSD is restarted:
(Wed Feb 19 14:03:57 2020) [sssd[be[PSFC]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
(Wed Feb 19 14:03:57 2020) [sssd[be[PSFC]]] [be_resolve_server_process] (0x0200): Found address for server psfcdc2.psfc.mit.edu: [198.125.180.133] TTL 708
(Wed Feb 19 14:03:57 2020) [sssd[be[PSFC]]] [sdap_uri_callback] (0x0400): Constructed uri 'ldaps://psfcdc2.psfc.mit.edu'
(Wed Feb 19 14:03:57 2020) [sssd[be[PSFC]]] [sssd_async_socket_init_send] (0x0400): Setting 6 seconds timeout for connecting
Normally, the following lines should follow:
(Wed Feb 19 14:02:54 2020) [sssd[be[PSFC]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][].
(Wed Feb 19 14:02:54 2020) [sssd[be[PSFC]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Wed Feb 19 14:02:54 2020) [sssd[be[PSFC]]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [6]
(Wed Feb 19 14:02:54 2020) [sssd[be[PSFC]]] [sdap_get_server_opts_from_rootdse] (0x0100): Will look for schema at [CN=Schema,CN=Configurati\ on,DC=psfc,DC=mit,DC=edu]
Any idea why it stopped at that point? Would it help to increase the debug level? (As an aside, sssd_nss.log and sssd_pam.log, do continue to output
Hi,
this sounds like https://pagure.io/SSSD/sssd/issue/2878. The fix is currently not included in RHEL-7, feel free to open a ticket at bugzilla.redhat.com to get it added.
HTH
bye, Sumit
lines, so SSSD hasn't crashed). Here is my SSSD.CONF file. Thanks! - Mark
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = PSFC

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
debug_level = 6

[pam]
reconnection_retries = 3
debug_level = 6

[domain/PSFC]
description = LDAP domain with AD server
enumerate = false
min_id = 501
cache_credentials = true
debug_level = 6
ldap_purge_cache_timeout = 0
ldap_enumeration_refresh_timeout = 300
ldap_referrals = false
id_provider = ldap
chpass_provider = none
auth_provider = ldap
ldap_tls_reqcert = allow
ldap_uri = ldaps://psfcdc1.psfc.mit.edu,ldaps://psfcdc2.psfc.mit.edu,ldaps://psfcdc3.psfc.mit.edu
ldap_schema = rfc2307bis
ldap_search_base = dc=psfc,dc=mit,dc=edu
ldap_user_search_base = dc=psfc,dc=mit,dc=edu
ldap_group_search_base = dc=psfc,dc=mit,dc=edu
ldap_default_bind_dn = CN=ADldapreadonly,OU=Computer Group,OU=PSFC Users,DC=psfc,DC=mit,DC=edu
ldap_default_authtok_type = password
ldap_default_authtok = ldapread
ldap_user_object_class = person
ldap_user_name = sAMAccountName
ldap_user_uid_number = msSFU30UidNumber
ldap_user_gid_number = msSFU30GidNumber
ldap_user_home_directory = msSFU30HomeDirectory
ldap_user_shell = msSFU30LoginShell
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
ldap_group_member = msSFU30PosixMember
ldap_user_member_of = msSFU30PosixMemberOf
ldap_group_name = name
ldap_group_gid_number = msSFU30GidNumber
ldap_force_upper_case_realm = True

_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
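
Added example (not part of the thread and not SSSD code): a check for the stall signature described above, where the domain log ends on the sssd_async_socket_init_send "timeout for connecting" line and nothing follows. The function names and the 30-second grace value are assumptions; the HEALTHY sample is constructed from the log lines quoted in the message.

```python
import re
from datetime import datetime, timedelta

# Shape of an SSSD backend debug line, as quoted in the thread:
# (Wed Feb 19 14:03:57 2020) [sssd[be[PSFC]]] [function] (0x0400): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<dom>[^\]]+)\]\]\] "
    r"\[(?P<fn>\w+)\] \(0x[0-9a-fA-F]+\): (?P<msg>.*)$")
TIMEOUT_RE = re.compile(r"Setting (\d+) seconds timeout for connecting")
CONNECT_FN = "sssd_async_socket_init_send"

def parse(lines):
    """Yield (timestamp, domain, function, message) for each well-formed line."""
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            yield ts, m["dom"], m["fn"], m["msg"]

def stalled_connect(lines, now, grace=30):
    """Return (domain, connect_started, seconds_overdue) when the log ends on a
    connect attempt whose own timeout plus `grace` seconds has passed, else None."""
    events = list(parse(lines))
    if not events:
        return None
    ts, dom, fn, msg = events[-1]
    m = TIMEOUT_RE.search(msg)
    if fn != CONNECT_FN or not m:
        return None  # last entry is not a pending connect
    deadline = ts + timedelta(seconds=int(m.group(1)) + grace)
    if now <= deadline:
        return None  # still inside the connect window
    return dom, ts, int((now - deadline).total_seconds())

# Last two lines of the stalled log quoted in the thread.
HUNG = [
    "(Wed Feb 19 14:03:57 2020) [sssd[be[PSFC]]] [sdap_uri_callback] (0x0400): Constructed uri 'ldaps://psfcdc2.psfc.mit.edu'",
    "(Wed Feb 19 14:03:57 2020) [sssd[be[PSFC]]] [sssd_async_socket_init_send] (0x0400): Setting 6 seconds timeout for connecting",
]
# Constructed: the same attempt followed by the search line a healthy run logs.
HEALTHY = HUNG + [
    "(Wed Feb 19 14:03:57 2020) [sssd[be[PSFC]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][].",
]

if __name__ == "__main__":
    print(stalled_connect(HUNG, datetime(2020, 2, 19, 14, 10, 0)))
    print(stalled_connect(HEALTHY, datetime(2020, 2, 19, 14, 10, 0)))
```

Fed the tail of the domain log from a periodic job, a non-None result can raise an alert before users report failed logins, since sssd_nss.log and sssd_pam.log keep writing while the backend is stuck.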