[SSSD-users] SSSD / PAM / LDAP problem.

Wednesday, 19 February 2020

Hi all - Recently, about once a week, SSSD will stop working on our mail 
server (version 1.16.4, Redhat 7) will stop properly authenticating.   I 
set the debug logging to 6, and here are the lines in our domain log 
(domain=PSFC), after which nothing else in that log appears, until SSSD 
is restarted:

(Wed Feb 19 14:03:57 2020) [sssd[be[PSFC]]] [fo_resolve_service_send] 
(0x0100): Trying to resolve service 'LDAP'
(Wed Feb 19 14:03:57 2020) [sssd[be[PSFC]]] [be_resolve_server_process] 
(0x0200): Found address for server psfcdc2.psfc.mit.edu: 
[198.125.180.133] TTL 708
(Wed Feb 19 14:03:57 2020) [sssd[be[PSFC]]] [sdap_uri_callback] 
(0x0400): Constructed uri 'ldaps://psfcdc2.psfc.mit.edu'
(Wed Feb 19 14:03:57 2020) [sssd[be[PSFC]]] 
[sssd_async_socket_init_send] (0x0400): Setting 6 seconds timeout for 
connecting

Normally, the following lines should follow:

(Wed Feb 19 14:02:54 2020) [sssd[be[PSFC]]] [sdap_get_generic_ext_step] 
(0x0400): calling ldap_search_ext with [(objectclass=*)][].
(Wed Feb 19 14:02:54 2020) [sssd[be[PSFC]]] 
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no 
errmsg set
(Wed Feb 19 14:02:54 2020) [sssd[be[PSFC]]] 
[sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility 
level to [6]
(Wed Feb 19 14:02:54 2020) [sssd[be[PSFC]]] 
[sdap_get_server_opts_from_rootdse] (0x0100): Will look for schema at 
[CN=Schema,CN=Configurati\
on,DC=psfc,DC=mit,DC=edu]

Any idea why it stopped at that point?   Would it help to increase the 
debug level?   (As an aside, sssd_nss.log and sssd_pam.log, do continue 
to output lines, so SSSD hasn't crashed).  Here is my SSSD.CONF file.   
Thanks! - Mark

[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = PSFC

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
debug_level = 6

[pam]
reconnection_retries = 3
debug_level = 6

[domain/PSFC]
  description = LDAP domain with AD server
  enumerate = false
  min_id = 501
  cache_credentials = true
  debug_level = 6
  ldap_purge_cache_timeout = 0
  ldap_enumeration_refresh_timeout = 300
  ldap_referrals = false
  id_provider = ldap
  chpass_provider = none
  auth_provider = ldap
  ldap_tls_reqcert = allow
  ldap_uri = 
ldaps://psfcdc1.psfc.mit.edu,ldaps://psfcdc2.psfc.mit.edu,ldaps://psfcdc3...
  ldap_schema = rfc2307bis
  ldap_search_base = dc=psfc,dc=mit,dc=edu
  ldap_user_search_base = dc=psfc,dc=mit,dc=edu
  ldap_group_search_base = dc=psfc,dc=mit,dc=edu
  ldap_default_bind_dn = CN=ADldapreadonly,OU=Computer Group,OU=PSFC 
Users,DC=psfc,DC=mit,DC=edu
  ldap_default_authtok_type = password
  ldap_default_authtok = ldapread
  ldap_user_object_class = person
  ldap_user_name = sAMAccountName
  ldap_user_uid_number = msSFU30UidNumber
  ldap_user_gid_number = msSFU30GidNumber
  ldap_user_home_directory = msSFU30HomeDirectory
  ldap_user_shell = msSFU30LoginShell
  ldap_user_principal = userPrincipalName
  ldap_group_object_class = group
  ldap_group_member = msSFU30PosixMember
  ldap_user_member_of = msSFU30PosixMemberOf
  ldap_group_name = name
  ldap_group_gid_number = msSFU30GidNumber
  ldap_force_upper_case_realm = True

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

[SSSD-users] SSSD / PAM / LDAP problem.