First, thank you for this confirmation, I enabled the debug.
Now I have the log however I see some things that maybe considered “sensitive”.
Would it be best I open a call via RH for support rather than try to sanitise the log to share here?
Debugging itself adds very little processing usage overhead with SSSD.
Depending on how many connections you are receiving in any given time will ultimately determine how large the debugging grows on the system.
Logging does not cause a large amount of space consumption. I would advise adding 'debug_level = 9' to all sections of sssd.conf, restart SSSD and simply keep an eye on the storage usage to make sure it doesn't use up all space until the issue can be reproduced.
On 6/22/20 11:06 AM, Sangster, Mark wrote:
My difficult lies with being able to debug this. The need to leave the debug on for ~3-4 days on a production system, is something that I would not be comfortable doing.
We are using Active Directory, Domain/Functional forest level Windows Server 2012 R2.
We are in the midst of switching us stuff to be the AD provider but this is still KRB5/LDAP.
[sssd]config_file_version = 2domains = DOMAINservices = nss, pam[domain/DOMAIN]ldap_referrals = falsecache_credentials = trueenumerate = falseid_provider = ldapauth_provider = krb5ldap_uri = ldap://LDAP1.DOMAIN, ldap://LDAP2.DOMAINldap_sasl_mech = GSSAPIldap_sasl_authid = SERVER$@DOMAINldap_schema = rfc2307bisldap_user_search_base = DC=DOMAIN,DC=BASEldap_user_object_class = userldap_group_search_base = DC=DOMAIN,DC=BASEldap_group_object_class = groupldap_account_expire_policy = adldap_force_upper_case_realm = truekrb5_server = LDAP1.DOMAIN, LDAP2.DOMAINkrb5_realm = DOMAINkrb5_canonicalize = falseldap_user_home_directory = unixHomeDirectoryldap_user_name = sAMAccountNameldap_user_principal = Noneaccess_provider = simplesimple_allow_groups = USERS_GROUP
I re-joined the machine to the domain to ensure that wasn't the source of issues.
If there is an appropriate debug level which wouldn't be negative to a production system, I can try that out.
-----Original Message-----From: Lukas Slebodnik <email@example.com>Sent: 18 June 2020 12:04To: End-user discussions about the System Security Services Daemon <firstname.lastname@example.org>Subject: [SSSD-users] Re: SSH user fails system error 4
CAUTION: External email. Ensure this message is from a trusted source before clicking links/attachments.
On (18/06/20 09:11), Sangster, Mark wrote:Hello,
We are experiencing an issue with a user when they attempt to login. Other users can continue to login. It does seem to repeat on this specific user.
If I blitz the SSSD cache and restart it, then they find they can login again.
They indicated that just prior to the event, they were forced to reboot their machine (i.e. unclean disconnect) and it was after that they couldn’t login.
This was the successful session just before:
Jun 17 08:00:58 server sshd: pam_sss(sshd:auth): authenticationsuccess; logname= uid=0 euid=0 tty=ssh ruser= rhost=<CLIENTIP>user=username Jun 17 08:00:58 server sshd: Accepted password forusername from <CLIENTIP> port 59680 ssh2 Jun 17 08:00:59 serversshd: pam_unix(sshd:session): session opened for user usernameby (uid=0) Jun 17 13:22:17 server sshd: pam_unix(sshd:session):session closed for user username
The next session which failed:
Jun 17 13:33:13 server sshd: pam_sss(sshd:auth): authenticationsuccess; logname= uid=0 euid=0 tty=ssh ruser= rhost=<CLIENTIP>user=username Jun 17 13:33:13 server sshd:pam_sss(sshd:account): Access denied for user username: 4 (Systemerror) Jun 17 13:33:13 server sshd: Failed password for username>from <CLIENTIP> port 50114 ssh2 Jun 17 13:33:13 server sshd:fatal: Access denied for user username by PAM account configuration[preauth]
There does not look to be any additional log information in SSSD representing the error. The troubleshooting suggested I follow up here for “system error 4”.
It would be tricky to run debug on this, as this took 4 days until the failure reappeared and we might fill our log space very quickly.
Pam return code 4 (System error) means some unexpected situation in sssd (usually in backend)
I would recomment to follow following guide https://sssd.io/docs/users/troubleshooting.html
It would be good to also provide more details about your configuration type/version of directory server, ...
LS_______________________________________________sssd-users mailing list -- email@example.com To unsubscribe send an email to firstname.lastname@example.orgFedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
The University of Aberdeen is a charity registered in Scotland, No SC013683.Tha Oilthigh Obar Dheathain na charthannas clàraichte ann an Alba, Àir. SC013683._______________________________________________sssd-users mailing list -- email@example.comTo unsubscribe send an email to firstname.lastname@example.orgFedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines