Hi,

I have an issue with sssd 1.15.0-3 on Debian 9.
My server is a GitLab server; after a few hours, authentication stops working.
I'm using sssd to authenticate users using ldap against Active Directory.

By setting sss_debuglevel 6 I was able to identify that sssd_pam opened too many files:

(Sun Mar 29 18:06:10 2020) [sssd[pam]] [accept_fd_handler] (0x0020): Accept failed [Too many open files]

When this happens, lsof reports that sssd_pam has thousands of open files:

sssd_pam  27277                    root 2006u     unix 0xffff90fa7b935000        0t0 3395594982 /var/lib/sss/pipes/pam type=STREAM

I set the fd_limit parameter in sssd.conf in order to avoid too many open files that fast.

I can fix the issue if I restart sssd.

For information here is my sssd.conf file :

[sssd]
domains = sub.domain.net
config_file_version = 2
services = nss, pam

[domain/sub.domain.net]
ad_domain = sub.domain.net
ldap_uri = ldap://ad1.sub.domain.net, ldap://ad2.sub.domain.net
id_provider = ldap
ldap_access_order = expire
ldap_tls_reqcert = never
ldap_schema = rfc2307bis
ldap_referrals = false
ldap_force_upper_case_realm = true
ldap_search_base = DC=sub,DC=domain,DC=net
ldap_group_search_base = DC=sub,DC=domain,DC=net
ldap_group_object_class = group
ldap_group_name = sAMAccountName
ldap_user_object_class = User
ldap_user_name = sAMAccountName
ldap_user_fullname = displayName
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_default_bind_dn = CN=user,OU=OU,DC=sub,DC=domain,DC=net
ldap_default_authtok = **********
cache_credentials = true
access_provider = simple
simple_allow_groups = group1, group2
auth_provider = ldap
use_fully_qualified_names = false
dns_discovery_domain = sub.domain.net
default_shell = /bin/bash
override_shell = /bin/bash
fallback_homedir = /home/%d/%u
enumerate = false
ldap_user_objectsid = objectSid
ldap_group_objectsid = objectSid
ldap_user_primary_group = primaryGroupID
case_sensitive = False
ldap_id_mapping = true

[nss]
filter_users = git, root, monitoring

[pam]
fd_limit = 10000
client_idle_timeout = 10

Do you have any idea what could cause sssd_pam not to close those files?

Best regards,

Hugo
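
A way to catch the condition reported in this message before accept starts failing, as an added example that is not part of the original post or of sssd: it counts the descriptors sssd_pam holds in lsof output and compares them with the fd_limit set in the [pam] section. The function names, the 0.8 threshold and the sample rows are constructed for illustration.

```python
import re
from collections import defaultdict

PAM_PIPE = "/var/lib/sss/pipes/pam"  # client socket path shown in the post's lsof line

def fd_usage(lsof_text, command="sssd_pam"):
    """Per PID of `command`: total numeric fds and how many are PAM pipe sockets."""
    usage = defaultdict(lambda: {"open_fds": 0, "pam_sockets": 0})
    for line in lsof_text.splitlines():
        cols = line.split()
        # Expected columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME...
        if len(cols) < 5 or cols[0] != command or not cols[1].isdigit():
            continue
        if not re.match(r"\d+", cols[3]):
            continue  # cwd, rtd, txt, mem rows are not file descriptors
        entry = usage[int(cols[1])]
        entry["open_fds"] += 1
        if cols[4] == "unix" and PAM_PIPE in cols[5:]:
            entry["pam_sockets"] += 1
    return dict(usage)

def near_limit(usage, fd_limit, threshold=0.8):
    """PIDs whose open fd count has reached `threshold` of fd_limit."""
    return sorted(pid for pid, u in usage.items()
                  if u["open_fds"] >= threshold * fd_limit)

def constructed_sample(n_clients):
    """Constructed lsof output: one sssd_pam holding n_clients PAM pipe sockets."""
    rows = ["COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME",
            "sssd_pam 27277 root cwd DIR 8,1 4096 2 /",
            "sssd_pam 27277 root 0r CHR 1,3 0t0 1028 /dev/null",
            "sssd_nss 27278 root 20u unix 0x0 0t0 111 /var/lib/sss/pipes/nss type=STREAM"]
    rows += [f"sssd_pam 27277 root {fd}u unix 0x0 0t0 {1000 + fd} {PAM_PIPE} type=STREAM"
             for fd in range(20, 20 + n_clients)]
    return "\n".join(rows)

if __name__ == "__main__":
    # fd_limit = 10000 is the value from the [pam] section of the posted sssd.conf
    usage = fd_usage(constructed_sample(8500))
    print(usage, near_limit(usage, fd_limit=10000))
```

Run periodically against real `lsof -p <pid>` output, a steadily growing pam_sockets count points at client connections that are never closed, well before the limit is hit.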