Hi all - Recently, about once a week, SSSD on our mail server (version 1.16.4, Red Hat 7) will stop properly authenticating. I set the debug logging to 6, and here are the lines in our domain log (domain=PSFC), after which nothing else in that log appears until SSSD is restarted:
(Wed Feb 19 14:03:57 2020) [sssd[be[PSFC]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
(Wed Feb 19 14:03:57 2020) [sssd[be[PSFC]]] [be_resolve_server_process] (0x0200): Found address for server psfcdc2.psfc.mit.edu: [198.125.180.133] TTL 708
(Wed Feb 19 14:03:57 2020) [sssd[be[PSFC]]] [sdap_uri_callback] (0x0400): Constructed uri 'ldaps://psfcdc2.psfc.mit.edu'
(Wed Feb 19 14:03:57 2020) [sssd[be[PSFC]]] [sssd_async_socket_init_send] (0x0400): Setting 6 seconds timeout for connecting
Normally, the following lines should follow:
(Wed Feb 19 14:02:54 2020) [sssd[be[PSFC]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][].
(Wed Feb 19 14:02:54 2020) [sssd[be[PSFC]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Wed Feb 19 14:02:54 2020) [sssd[be[PSFC]]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [6]
(Wed Feb 19 14:02:54 2020) [sssd[be[PSFC]]] [sdap_get_server_opts_from_rootdse] (0x0100): Will look for schema at [CN=Schema,CN=Configuration,DC=psfc,DC=mit,DC=edu]
Any idea why it stopped at that point? Would it help to increase the debug level? (As an aside, sssd_nss.log and sssd_pam.log do continue to output lines, so SSSD hasn't crashed.) Here is my SSSD.CONF file.
Thanks! - Mark
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = PSFC
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
debug_level = 6
[pam]
reconnection_retries = 3
debug_level = 6
[domain/PSFC]
description = LDAP domain with AD server
enumerate = false
min_id = 501
cache_credentials = true
debug_level = 6
ldap_purge_cache_timeout = 0
ldap_enumeration_refresh_timeout = 300
ldap_referrals = false
id_provider = ldap
chpass_provider = none
auth_provider = ldap
ldap_tls_reqcert = allow
ldap_uri = ldaps://psfcdc1.psfc.mit.edu,ldaps://psfcdc2.psfc.mit.edu,ldaps://psfcdc3...
ldap_schema = rfc2307bis
ldap_search_base = dc=psfc,dc=mit,dc=edu
ldap_user_search_base = dc=psfc,dc=mit,dc=edu
ldap_group_search_base = dc=psfc,dc=mit,dc=edu
ldap_default_bind_dn = CN=ADldapreadonly,OU=Computer Group,OU=PSFC Users,DC=psfc,DC=mit,DC=edu
ldap_default_authtok_type = password
ldap_default_authtok = ldapread
ldap_user_object_class = person
ldap_user_name = sAMAccountName
ldap_user_uid_number = msSFU30UidNumber
ldap_user_gid_number = msSFU30GidNumber
ldap_user_home_directory = msSFU30HomeDirectory
ldap_user_shell = msSFU30LoginShell
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
ldap_group_member = msSFU30PosixMember
ldap_user_member_of = msSFU30PosixMemberOf
ldap_group_name = name
ldap_group_gid_number = msSFU30GidNumber
ldap_force_upper_case_realm = True
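The failure mode Mark describes is a back end that logs the "Setting 6 seconds timeout for connecting" line and then nothing more, while the nss and pam responders keep logging, so the condition is easy to miss until logins fail. As an added example that is not part of the original post and not SSSD's own code, the Python below parses lines in the format of the sssd_PSFC.log excerpt above and flags any connection attempt that was not followed by another back-end entry within the announced timeout plus a grace period. The sample log lines are constructed from the post's format, and the function names, the 30-second grace period and the check times are assumptions.

```python
"""Flag an SSSD back end that goes silent after announcing a connect timeout.

Added example, not code from the original post or from SSSD. It parses lines
in the format of the sssd_<domain>.log excerpt above and reports connection
attempts that were not followed by any further back-end entry within the
announced timeout plus a grace period. All sample log lines are constructed.
"""
import re
from datetime import datetime, timedelta

# One sssd back-end log line: (timestamp) [sssd[be[DOMAIN]]] [function] (level): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
TIMEOUT_RE = re.compile(r"Setting (?P<secs>\d+) seconds timeout for connecting")
TS_FORMAT = "%a %b %d %H:%M:%S %Y"  # e.g. "Wed Feb 19 14:03:57 2020"
CONNECT_FUNC = "sssd_async_socket_init_send"  # function that logs the timeout line


def parse_line(line):
    """Return (timestamp, domain, function, message), or None for a non-matching line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return (datetime.strptime(m.group("ts"), TS_FORMAT),
            m.group("domain"), m.group("func"), m.group("msg"))


def find_stalled_connects(lines, now, grace=timedelta(seconds=30)):
    """Return [(timestamp, domain, timeout_secs)] for each connect attempt after
    which the same domain's back end logged nothing before timeout + grace.

    'now' is the time of the check (e.g. datetime.now(), or the log file's
    mtime); a log that simply ends at a fresh attempt is therefore not flagged.
    The grace period is an assumed allowance for the LDAP handshake and logging.
    """
    entries = [e for e in map(parse_line, lines) if e is not None]
    stalled = []
    for i, (ts, domain, func, msg) in enumerate(entries):
        tm = TIMEOUT_RE.search(msg)
        if func != CONNECT_FUNC or tm is None:
            continue
        secs = int(tm.group("secs"))
        deadline = ts + timedelta(seconds=secs) + grace
        # Next entry from this domain's back end, if any; otherwise bound by 'now'.
        later = [e[0] for e in entries[i + 1:] if e[1] == domain]
        next_seen = later[0] if later else now
        if next_seen > deadline:
            stalled.append((ts, domain, secs))
    return stalled


# Constructed sample: a healthy attempt at 14:02:54 (followed by the search),
# then the attempt at 14:03:57 after which the back end never logs again.
SAMPLE_LOG = [
    "(Wed Feb 19 14:02:54 2020) [sssd[be[PSFC]]] [sssd_async_socket_init_send] "
    "(0x0400): Setting 6 seconds timeout for connecting",
    "(Wed Feb 19 14:02:54 2020) [sssd[be[PSFC]]] [sdap_get_generic_ext_step] "
    "(0x0400): calling ldap_search_ext with [(objectclass=*)][].",
    "(Wed Feb 19 14:03:57 2020) [sssd[be[PSFC]]] [fo_resolve_service_send] "
    "(0x0100): Trying to resolve service 'LDAP'",
    "(Wed Feb 19 14:03:57 2020) [sssd[be[PSFC]]] [sdap_uri_callback] "
    "(0x0400): Constructed uri 'ldaps://psfcdc2.psfc.mit.edu'",
    "(Wed Feb 19 14:03:57 2020) [sssd[be[PSFC]]] [sssd_async_socket_init_send] "
    "(0x0400): Setting 6 seconds timeout for connecting",
]
SAMPLE_NOW = datetime(2020, 2, 19, 14, 10, 0)   # assumed check time: 6 min later
EARLY_CHECK = datetime(2020, 2, 19, 14, 4, 0)   # too soon after the attempt to judge

if __name__ == "__main__":
    for ts, domain, secs in find_stalled_connects(SAMPLE_LOG, SAMPLE_NOW):
        print(f"{ts:{TS_FORMAT}} domain {domain}: no back-end activity after "
              f"{secs}s connect timeout; back end may be stuck")
```

Run against the real file, the check would be fed the lines of sssd_PSFC.log and the file's modification time as `now`; a stall that is reported while sssd_nss.log and sssd_pam.log are still growing matches exactly the symptom in the post (responders alive, back end wedged) and is a reasonable trigger for collecting a higher debug level or restarting the back end.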