On Thu, Mar 02, 2017 at 10:20:53PM -0500, Michael Smith wrote:
> Hi all,
> I've been using sssd with AD on Ubuntu 16.04 for several months (sssd 1.13.4). I've joined probably a few dozen VMs to a domain. More often than not, /var/lib/sss/pipes/ssh is not created right away after joining, and the dynamic DNS registration with nsupdate doesn't happen. There are no errors in /var/log/sssd/*; sssd_ssh just doesn't run, and dyndns doesn't happen either.
> I can reboot or restart sssd as many times as I like and it won't fix it. But as soon as I would bump up the debuglevel in /etc/sssd/sssd.conf and "systemctl restart sssd", everything would work.
The only explanation I have is that 'something', either some join script or whatever is used updates sssd.conf after sssd is started. The way sssd reads its configuration is that on sssd startup, we check the timestamp of sssd.conf, compare it with the timestamp of sssd's internal configuration database (/var/lib/sss/db/config.ldb) and if sssd.conf is newer, sssd regenerates the configuration database.
And perhaps the problem is that the resolution of the timestamp is only down to seconds, so if you update the config file on the same second as the last restart, sssd might not detect the config file was changed?
> Eventually I figured out that it wasn't dependent on the debug level at all - if I just touch /etc/sssd/sssd.conf to update the timestamp, and restart sssd, that's enough to fix it.
> The next time I join a machine I'll start with debuglevel set to 9. In the meantime, is there anything that could explain this behaviour: the sshd integration and dyndns registration don't work until (1) the domain is joined and (2) sssd.conf's mtime is changed?
> Thanks, Mike
> sssd.conf:
>
> [domain/my.domain]
> access_provider = ad
> ad_domain = my.domain
> ad_gpo_access_control = disabled
> ad_hostname = myhostname.my.domain
> cache_credentials = False
> debug_level = 3
> default_shell = /bin/bash
> dns_resolver_timeout = 30
> dyndns_refresh_interval = 28800
> dyndns_update = True
> dyndns_update_ptr = True
> entry_cache_timeout = 120
> fallback_homedir = /home/%u
> id_provider = ad
> krb5_realm = MY.DOMAIN
> krb5_store_password_if_offline = False
> ldap_access_filter = (memberOf:1.2.840.113556.1.4.1941:=cn=somegroup,ou=Groups,ou=xxx,dc=my,dc=domain)
> ldap_group_nesting_level = 2
> ldap_id_mapping = True
> ldap_schema = ad
> ldap_user_ssh_public_key = sshPublicKey
> memcache_timeout = 120
> use_fully_qualified_names = False
>
> [nss]
> filter_users = root,named,avahi,haldaemon,dbus,radiusd,news,nscd,centos,ubuntu
>
> [ssh]
>
> [sssd]
> config_file_version = 2
> domains = my.domain
> services = nss,pam,ssh
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
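The timestamp comparison described in the reply above, modelled as an added example (not sssd's own code): it assumes the check is a strict "sssd.conf newer than config.ldb" comparison at whole-second resolution, and it constructs two temporary files with explicitly set mtimes in place of the real paths, so the same-second case is reproduced deterministically.

```python
"""Model of the sssd.conf-vs-config.ldb mtime check (assumed behaviour, not sssd code).

Regeneration happens only if sssd.conf is strictly newer than config.ldb. At
whole-second resolution an edit made in the same second as the last regeneration
is invisible; a `touch` in a later second is what makes it visible again.
"""
import os
import tempfile

SECOND_NS = 1_000_000_000


def conf_newer_seconds(conf_path, ldb_path):
    """The suspected check: whole-second comparison misses same-second edits."""
    return int(os.stat(conf_path).st_mtime) > int(os.stat(ldb_path).st_mtime)


def conf_newer_ns(conf_path, ldb_path):
    """Same comparison at nanosecond resolution, which does see the edit."""
    return os.stat(conf_path).st_mtime_ns > os.stat(ldb_path).st_mtime_ns


def simulate(edit_offset_ns):
    """Write config.ldb at time T, then modify sssd.conf at T + edit_offset_ns
    (a join script editing the file, or a later `touch`). Returns what each
    comparison concludes."""
    base_ns = 1_700_000_000 * SECOND_NS  # constructed: any whole second will do
    with tempfile.TemporaryDirectory() as d:
        conf = os.path.join(d, "sssd.conf")
        ldb = os.path.join(d, "config.ldb")
        for path, body in ((conf, "[sssd]\nconfig_file_version = 2\n"),
                           (ldb, "generated from sssd.conf\n")):
            with open(path, "w") as f:
                f.write(body)
        os.utime(ldb, ns=(base_ns, base_ns))
        os.utime(conf, ns=(base_ns + edit_offset_ns, base_ns + edit_offset_ns))
        return {"seconds": conf_newer_seconds(conf, ldb),
                "nanoseconds": conf_newer_ns(conf, ldb)}


if __name__ == "__main__":
    # Edit 300 ms after regeneration: only the ns comparison notices it.
    print("same second      :", simulate(300_000_000))
    # `touch` two seconds later: both comparisons notice, config is regenerated.
    print("two seconds later:", simulate(2 * SECOND_NS))
    # Live check on a real host (needs read access to /var/lib/sss/db).
    real = ("/etc/sssd/sssd.conf", "/var/lib/sss/db/config.ldb")
    if all(map(os.path.exists, real)):
        print("sssd.conf newer than config.ldb:", conf_newer_seconds(*real))
```

Running the live check after a domain join shows whether config.ldb predates the last edit of sssd.conf; if the seconds-resolution result is False while a join script is known to have edited the file, touching sssd.conf and restarting sssd is the workaround the thread describes.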