Hi,

I have an issue with sssd 1.15.0-3 on Debian 9.

My server is a gitlab server, after few hours, authentification stop working.

I'm using sssd to authenticate users using ldap against Active Directory.

By setting sss_debuglevel 6 I was able to identify that sssd_pam opened too many files :

(Sun Mar 29 18:06:10 2020) [sssd[pam]] [accept_fd_handler] (0x0020): Accept failed [Too many open files]

When this happen, lsof report that sssd_pam had thousand of open files :

sssd_pam  27277                    root 2006u     unix 0xffff90fa7b935000        0t0 3395594982 /var/lib/sss/pipes/pam type=STREAM

I set the fd_limit parameter in sss.Dconf in order to avoid too many open files that fast.

I can fix the issue if I restart sssd.

For information here is my sssd.conf file :

[sssd]

domains = sub.domain.net

config_file_version = 2

servisubs = nss, pam

[domain/sub.domain.net]

ad_domain = sub.domain.net

ldap_uri = ldap://ad1.sub.domain.net, ldap://ad2.sub.domain.net

id_provider = ldap

ldap_acsubss_order = expire

ldap_tls_reqsubrt = never

ldap_schema = rfc2307bis

ldap_referrals = false

ldap_forsub_upper_case_realm = true

ldap_search_base = DC=sub,DC=domain,DC=net

ldap_group_search_base = DC=sub,DC=domain,DC=net

ldap_group_object_class = group

ldap_group_name = sAMAccountName

ldap_user_object_class = User

ldap_user_name = sAMAccountName

ldap_user_fullname = displayName

ldap_user_home_directory = unixHomeDirectory

ldap_user_principal = userPrincipalName

ldap_default_bind_dn = CN=user,OU=OU,DC=sub,DC=domain,DC=net

ldap_default_authtok = **********

cache_credentials = true

acsubss_provider = simple

simple_allow_groups = group1, group2

auth_provider = ldap

use_fully_qualified_names = false

dns_discovery_domain = sub.domain.net

default_shell = /bin/bash

override_shell = /bin/bash

fallback_homedir = /home/%d/%u

enumerate = false

ldap_user_objectsid = objectSid

ldap_group_objectsid = objectSid

ldap_user_primary_group = primaryGroupID

case_sensitive = False

ldap_id_mapping = true

[nss]

filter_users = git, root, monitoring

[pam]

fd_limit = 10000

client_idle_timeout = 10

Have you any idea what could cause sssd_pam not closing those files ?

Best regards,

Hugo