On (19/04/16 13:02), Jeff White wrote:
I have ~80 CentOS 7 machines which use sssd and are joined to Active
Directory. On two systems sssd fails to start and the logs are unclear
("Could not add domain [ad.example.edu] to the map"). I re-installed sssd,
removed the existing keytab and re-joined the machine to Active Directory,
etc. but sssd still fails to start. How can I determine what is wrong?
--
Jeff White
HPC Systems Engineer
Information Technology Services - WSU
(Tue Apr 19 12:28:49 2016) [sssd[be[ad.example.edu]]] [ad_set_search_bases] (0x0100): Search base not set. SSSD will attempt to discover it later, when connecting to the LDAP server.
(Tue Apr 19 12:28:49 2016) [sssd[be[ad.example.edu]]] [common_parse_search_base] (0x0100): Search base added: [GROUP][OU=HPC,OU=RBAC,OU=Groups,OU=Information Services,OU=EXAMPLE,DC=ad,DC=example,DC=edu][SUBTREE][]
(Tue Apr 19 12:28:49 2016) [sssd[be[ad.example.edu]]] [common_parse_search_base] (0x0100): Search base added: [NETGROUP][OU=HPC,OU=RBAC,OU=Groups,OU=Information Services,OU=EXAMPLE,DC=ad,DC=example,DC=edu][SUBTREE][]
(Tue Apr 19 12:28:49 2016) [sssd[be[ad.example.edu]]] [sdap_id_setup_tasks] (0x0400): Setting up cleanup task for ad.example.edu
(Tue Apr 19 12:28:49 2016) [sssd[be[ad.example.edu]]] [sdap_idmap_init] (0x0100): Initializing [3] domains for ID-mapping
(Tue Apr 19 12:28:49 2016) [sssd[be[ad.example.edu]]] [sdap_idmap_add_domain] (0x0020): Could not add domain [ad.example.edu] to the map: [11]
(Tue Apr 19 12:28:49 2016) [sssd[be[ad.example.edu]]] [sdap_idmap_init] (0x0020): Could not add domain [ad.example.edu][S-1-5-21-861567501-115176313-682003330][9944] to ID map: [Input/output error]
(Tue Apr 19 12:28:49 2016) [sssd[be[ad.example.edu]]] [load_backend_module] (0x0010): Error (5) in module (ad) initialization (sssm_ad_id_init)!
There is some problem with initialisation of ID mapping.
Do you have the latest version of sssd on CentOS 7?
1.13.0-40.el7_2.2
Did you change ID mapping related options on the two problematic systems?
If yes, then you need to remove the old sssd cache:
rm -f /var/lib/sss/db/*
It's described in man sssd-ldap -> ID MAPPING
LS
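
One way to answer the question about changed ID mapping options, as an added example that is not part of the original thread: compare the ID-mapping settings in sssd.conf between a working host and a failing one. The function names and both sample configurations are constructed for illustration; the option names are `ldap_id_mapping` and the `ldap_idmap_*` family from sssd-ldap(5).

```python
import configparser

# Constructed sample configs (not from the thread): a working host and a
# failing host that carries one extra ID-mapping override.
GOOD = """
[sssd]
domains = ad.example.edu
services = nss, pam

[domain/ad.example.edu]
id_provider = ad
ldap_id_mapping = True
"""

BAD = GOOD + "ldap_idmap_range_size = 100000\n"


def idmap_options(conf_text, domain):
    """Return the ID-mapping options set in [domain/<domain>] of an sssd.conf text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    section = "domain/" + domain
    if not cp.has_section(section):
        return {}
    # configparser lowercases option names, so a prefix match is sufficient.
    return {k: v.strip() for k, v in cp.items(section)
            if k == "ldap_id_mapping" or k.startswith("ldap_idmap_")}


def idmap_diff(good_text, bad_text, domain):
    """Map option -> (value on working host, value on failing host) where they differ."""
    good = idmap_options(good_text, domain)
    bad = idmap_options(bad_text, domain)
    return {k: (good.get(k), bad.get(k))
            for k in sorted(set(good) | set(bad))
            if good.get(k) != bad.get(k)}


if __name__ == "__main__":
    for opt, (g, b) in idmap_diff(GOOD, BAD, "ad.example.edu").items():
        print(f"{opt}: working={g!r} failing={b!r}")
```

An empty result means the ID-mapping options match on both hosts; a value of `None` on one side means the option is unset there and sssd uses its default.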