I am from AIX OS development team here in IBM. We have some customers
who are interested in running SSSD in AIX. So I basically invested
some amount of time to first build SSSD in AIX. I built the recent
version 1.16.3 after working around some build issues. Below is the
./configure --prefix=/opt/freeware --disable-cifs-idmap-plugin
--without-nfsv4-idmapd-plugin --disable-rpath --with-manpages=no
--without-python3-bindings --with-selinux=no --with-semanage=no
--with-crypto=libcrypto --without-secrets --without-kcm
I started the daemon but then it failed later with no stderr / logs
# /opt/freeware/sbin/sssd -i -d4
(1) root @ fvt-p7a2-lp16: /
I see it invokes two other child processes, which also failed
/opt/freeware/libexec/sssd/sssd_be --domain implicit_files --uid 0
--gid 0 -d 0x01f0 --logger=stderr
/opt/freeware/libexec/sssd/sssd_nss --uid 0 --gid 0 -d 0x01f0 --logger=stderr
Any help would be appreciated.
We need help debugging this issue.
For some servers we're experiencing over 10 second delay logging in with IPA user.
Since the issue isn't present everywhere we're finding it hard to debug.
SSSD config looks like this::
cache_credentials = true
krb5_store_password_if_offline = true
ipa_domain = hostname.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = hostname.com
chpass_provider = ipa
dyndns_update = True
ipa_server = ipa1-hostname, ipa2-hostname
dyndns_iface = eth0
dns_discovery_domain = hostname.com
debug_level = 9
services = nss, sudo, pam, ssh
domains = hostname.com
homedir_substring = /home
We're wondering if there's any obvious configurations we could apply above that would improve SSSD performance, and what exactly to look out for in sssd debug logs that would help us with our investigation.
Just a general question about the behaviour of sss_cache, id and ldapsearch.
id will return, say, 8 groups, and for the same user ldapsearch will return 10.
Now as long as id returns 8, apps report authentication denied because the user is not in an expected group. Now when we run sss_cache -E to invalidate the cache, id will now return all 10 groups.
Now the group change was done days ago and our entry_cache_timeout is at default of 5400.
Why do we still need to run sss_cache -E if the timeout should take care of things? We are directly authenticated against AD via computer objects.
Just asking a general question as I’m curious how this works.
On Wed, Oct 31, 2018 at 08:20:55PM +0000, Jay McCanta wrote:
> Yes. Kinit -R renews the ticket (if it hasn't expired).
OK, can you attach a snippet of the logs? I think the domain log and
the krb5_child.log are the most important.