I would start by gathering debugging during the time that the issue happens:

1. Add "debug_level = 9" to all sections [sssd], [domain], etc.
  # vi /etc/sssd/sssd.conf

2. Restart SSSD:
  # systemctl stop sssd ; rm -rf /var/log/sssd/* /var/lib/sss/{db,mc}/* ; systemctl start sssd

3. Replicate the issue.

4. Archive and upload logs to some location:
  # tar czvf /tmp/sssd-debug__$(hostname -s)__$(date +%F_%H%M%S).tar.gz /etc/{sssd,nsswitch*,krb5.conf,samba,pam.d} /var/log/{secure,messages,sssd}

Alternatively, you could also look into the logs alone (/var/log/sssd/sssd_example.com.log.  Try to find the location within the logs that correlates with the timestamp of when the issue happened and then diagnose from there.


On 05/04/2018 09:12 AM, Max DiOrio wrote:
Any thoughts?  This issue seems to be rippling through all our AD Domain Joined servers.  The group randomly goes missing and nobody can log into the server.  After some time, it eventually starts working again.

On Apr 24, 2018, at 9:08 AM, Max DiOrio <mdiorio@gmail.com> wrote:

We’re running SSSD 1.15.2

On Apr 23, 2018, at 6:29 PM, Lachlan Musicman <datakid@gmail.com> wrote:

On 24 April 2018 at 03:01, Max DiOrio <mdiorio@gmail.com> wrote:
So we are having issues with a couple servers where users suddenly won't be able to log in.  All our auth is done through AD and not a thing has changed.

On a working server, I can do 'id username' and get back the proper list of groups the user is a member of.

On the non-working server, 'id username' returns *mostly* the same list.  However the one group that the user needs to be a member to log in is missing.

There are some groups in both lists that that have a group ID, but not a group name.  And the one non-working server has a single group entry duplicated.  The results of 'id username' match throughout, except the noted areas below and a few entries that are listed out of order between the two.

Here are the differences "non-working" on top, "working" on bottom (gs-technology is the group in question that I need on the non-working server).  It doesn't make sense that 1002201991 is showing up twice in the list.  





Max, Which version of SSSD are you using, and which OS?


sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org

sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org