On 09/27/2016 06:47 PM, Richard Collins wrote:
Hi thanks for responding....
The monitor_quit_signal function should only be called when the SSSD monitor process receives SIGINT or SIGTERM. It looks like you already have debug_level = 9 in the monitor section of sssd.conf, I would hope to see some more useful messages in /var/log/sssd/sssd.log around the same timeframe as above.
There's not a lot in /var/log/sssd/sssd.log around the time of the termination, just the termination notifications. However I'll post the relevant excerpts when I get back into the office tomorrow.
If that is not the case, you could try running a systemtap script like the one here to determine if there is an unexpected script or process sending these signals:
https://sourceware.org/systemtap/examples/process/sigkill.stp
Thanks for that - I was wondering how I would trace the sigkill
You have 'filter_users = root' in the sssd.conf so these messages about 'root' should be expected. When the monitor shutdown is called it will terminate child processes which is why the NSS Responder gets shut down here.
I added the filter_users in the hope that it would ignore the root user requests - not sure why there are so many requests for root? Adding this setting didn't change the occurrence of the entries in the log so maybe doesn't do what I expected.
I believe this is inherent to the glibc initgroups library call which will use all entries specified in the nsswitch.conf file meaning a root login would be triggered into 'sss' and not just 'files'.
The 'filter_users = root' option will cut off processing this request early in the NSS responder and keep it in the negative cache.
For the most part this sssd.conf looks okay to me except for
ldap_server = _srv_
I could not find this option in the man page, it looks to be invalid or deprecated.
This was in the config as I found it. It was originally configured by a third party and I've picked up support for it. If this is unsupported then I'll remove it and see if it has any impact.
A basic template for configuring sssd.conf with the LDAP provider is at the following link (if the LDAP server is Active Directory then we recommend using the AD provider)
https://fedorahosted.org/sssd/wiki/HOWTO_Configure
simple_allow_groups = sasi,sasadmin,sasmgt ldap_access_order = expire ldap_account_expire_policy = ad
Are these three options each defined on the same line, or is it the email formatting that may have appended these to one line?
Email formatting - they are set correctly one per line in the config
I'll remove the ldap_server option and see how it goes
Yes, let us know how it goes.
sssd-users mailing list -- sssd-users@lists.fedorahosted.org