Hi,
I have a problem I have been unable to solve and I'm at a loss. We use sssd on Debian 11 clients with active directory backend. We have 4 domain controllers running Windows Server 2022 in our environment. If any one of those domain controllers goes offline we experience intermittent authentication failures on the linux clients running sssd. It happens on some (but not all) clients and even on an affected client it can be intermittent (meaning sometimes authentication will work, sometimes it will not).
I have tried using the ad_server directive in sssd.conf to restrict the domain controllers the client will try to contact but it seems to have no effect. I have upped the verbosity level in the logs but I am bombarded with messages that I struggle to interpret. Is there someone here who can take a look and help me troubleshoot? I can provide any additional logs / config info upon request.
Here is some preliminary info:
Client OS: Debian 11
SSSD version: 2.4.1

sssd.conf

[sssd]
services = nss, pam
config_file_version = 2
domains = AD.FINRCVGRP.COM

[domain/AD.FINRCVGRP.COM]
debug_level=6
ad_server = frgdc2.ad.finrcvgrp.com,frgdc3.ad.finrcvgrp.com
id_provider = ad
cache_credentials = true
access_provider = ad
#access_provider = simple
#simple_allow_groups = sasdev, dbdev

# Use this if users are being logged in at /.
# This example specifies /home/DOMAIN-FQDN/user as $HOME. Use with pam_mkhomedir.so
override_homedir = /home/%u
override_shell = /bin/bash

# Uncomment if the client machine hostname doesn't match the computer object on the DC.
# ad_hostname = mymachine.myubuntu.example.com

# Uncomment if DNS SRV resolution is not working
# ad_server = dc.mydomain.example.com

# Uncomment if the AD domain is named differently than the Samba domain
# ad_domain = MYUBUNTU.EXAMPLE.COM

# Enumeration is discouraged for performance reasons.
# enumerate = true
Hi,
On Mon, Mar 20, 2023 at 6:05 PM Craig Martin craig.martin@frgsystems.com wrote:
Hi,
I have a problem I have been unable to solve and I'm at a loss. We use sssd on Debian 11 clients with active directory backend. We have 4 domain controllers running Windows Server 2022 in our environment. If any one of those domain controllers goes offline we experience intermittent authentication failures on the linux clients running sssd. It happens on some (but not all) clients and even on an affected client it can be intermittent (meaning sometimes authentication will work, sometimes it will not).
Most probably backend is offline (search for 'offline' in sssd_$domain.log).
I have tried using the ad_server directive in sssd.conf to restrict the domain controllers the client will try to contact but it seems to have no effect. I have upped the verbosity level in the logs but I am bombarded with messages that I struggle to interpret.
Try to reproduce the issue with 'getent passwd $user'. It should generate far fewer logs.
Is there someone here who can take a look and help me troubleshoot? I can provide any additional logs / config info upon request.
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Thanks for your response.
grep -i offline /var/log/sssd/sssd_AD.FINRCVGRP.COM.log finds nothing.
getent passwd $user produces expected results.
On Mon, Mar 20, 2023 at 6:29 PM Craig Martin craig.martin@frgsystems.com wrote:
Thanks for your response.
grep -i offline /var/log/sssd/sssd_AD.FINRCVGRP.COM.log finds nothing.
Is this with `debug_level = 9` in the domain section of sssd.conf?
Anyway, you need to set `debug_level = 9`, restart sssd truncating the logs, reproduce the issue and then follow the corresponding BE_REQ_* in the domain log to see why it fails. If this machine isn't too busy (i.e. no concurrent requests) it should be fairly straightforward.
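To make "follow the corresponding BE_REQ_* in the domain log" concrete, here is an added helper (not from the thread or the SSSD project) that groups a debug_level 9 domain log into DP requests and reports, for each one, the BE_REQ_* it served, the servers the failover code tried, the errors seen and how the handler finished. The log excerpt is constructed to mimic the sssd 2.4 line shape and uses the page's DC names with documentation-range IPs; the function names and messages are assumptions about what such a log contains.

```python
import re
# Line shape of an sssd 2.x debug log: "(timestamp) [sssd[be[DOMAIN]]] [function] (0xLEVEL): message"
LINE_RE = re.compile(r"\[(?P<func>\w+)\] \(0x[0-9a-f]+\): (?P<msg>.*)$")
GOT_RE = re.compile(r"Got request for \[0x[0-9a-f]+\]\[(?P<kind>BE_REQ_\w+)\]\[(?P<what>[^\]]*)\]")
DP_RE = re.compile(r"DP Request \[(?P<req>[^\]]+)\]: (?P<rest>.*)")
SERVER_RE = re.compile(r"server '?(?P<srv>\w[\w.-]*)")

def follow_requests(lines):
    """Map each DP request to the BE_REQ_* it served, servers tried, errors seen and its final result."""
    reqs, open_reqs, pending = {}, [], None
    for m in filter(None, map(LINE_RE.search, lines)):
        func, msg = m.group("func"), m.group("msg")
        if g := GOT_RE.search(msg):              # request arrives; the DP request line follows it
            pending = (g.group("kind"), g.group("what"))
        elif d := DP_RE.search(msg):
            name, rest = d.group("req"), d.group("rest")
            if rest.startswith("New request"):
                kind, what = pending or ("?", "?")
                reqs[name] = {"kind": kind, "target": what, "servers": [], "errors": [], "result": None}
                open_reqs.append(name)
            elif rest.startswith("Request handler finished") and name in open_reqs:
                reqs[name]["result"] = rest.split(": ", 1)[1]   # e.g. "Success" or "Network I/O error"
                open_reqs.remove(name)
        else:                                      # resolver/failover/connect chatter for open requests
            srv = SERVER_RE.search(msg) if func.startswith(("be_resolve_server", "fo_")) else None
            bad = "failed" in msg or "not working" in msg or "offline" in msg.lower()
            for name in open_reqs:
                if srv and srv.group("srv") not in reqs[name]["servers"]:
                    reqs[name]["servers"].append(srv.group("srv"))
                if bad:
                    reqs[name]["errors"].append(f"{func}: {msg}")
    return reqs

def failed_requests(reqs):
    return [n for n, r in reqs.items() if r["result"] != "Success"]   # the requests worth reading in full

# Constructed excerpt (not a real capture): one request that hits an unreachable DC, then one that succeeds
SAMPLE_LOG = """\
(Mon Mar 20 18:05:01 2023) [sssd[be[AD.FINRCVGRP.COM]]] [dp_get_account_info_send] (0x0200): Got request for [0x1][BE_REQ_USER][name=jdoe@ad.finrcvgrp.com]
(Mon Mar 20 18:05:01 2023) [sssd[be[AD.FINRCVGRP.COM]]] [dp_attach_req] (0x0400): DP Request [Account #3]: New request. Flags [0x0001].
(Mon Mar 20 18:05:01 2023) [sssd[be[AD.FINRCVGRP.COM]]] [be_resolve_server_process] (0x0200): Found address for server frgdc3.ad.finrcvgrp.com: [192.0.2.13] TTL 3600
(Mon Mar 20 18:05:07 2023) [sssd[be[AD.FINRCVGRP.COM]]] [sdap_async_sys_connect_done] (0x0020): connect failed [110][Connection timed out].
(Mon Mar 20 18:05:07 2023) [sssd[be[AD.FINRCVGRP.COM]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'frgdc3.ad.finrcvgrp.com' as 'not working'
(Mon Mar 20 18:05:07 2023) [sssd[be[AD.FINRCVGRP.COM]]] [dp_req_done] (0x0400): DP Request [Account #3]: Request handler finished [1432158212]: Network I/O error
(Mon Mar 20 18:05:08 2023) [sssd[be[AD.FINRCVGRP.COM]]] [dp_get_account_info_send] (0x0200): Got request for [0x1][BE_REQ_USER][name=jdoe@ad.finrcvgrp.com]
(Mon Mar 20 18:05:08 2023) [sssd[be[AD.FINRCVGRP.COM]]] [dp_attach_req] (0x0400): DP Request [Account #4]: New request. Flags [0x0001].
(Mon Mar 20 18:05:08 2023) [sssd[be[AD.FINRCVGRP.COM]]] [be_resolve_server_process] (0x0200): Found address for server frgdc2.ad.finrcvgrp.com: [192.0.2.12] TTL 3600
(Mon Mar 20 18:05:08 2023) [sssd[be[AD.FINRCVGRP.COM]]] [dp_req_done] (0x0400): DP Request [Account #4]: Request handler finished [0]: Success
"""
```

Run it against /var/log/sssd/sssd_AD.FINRCVGRP.COM.log after truncating and reproducing with `getent passwd $user`; a request whose servers list names a DC that is down, followed by a non-Success result, is the failover symptom the thread is chasing.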
debug_level was set at 6
I will try to reproduce after setting debug_level to 9
The solution to my issue was found in this thread: https://access.redhat.com/solutions/4685441