On Thu, Mar 02, 2017 at 10:20:53PM -0500, Michael Smith wrote:
> Hi all,
>
> I've been using sssd with AD on Ubuntu 16.04 for several months (sssd
> 1.13.4). I've joined probably a few dozen VMs to a domain. More often than
> not, /var/lib/sss/pipes/ssh is not created right away after joining, and
> the dynamic DNS registration with nsupdate doesn't happen. There are no
> errors in /var/log/sssd/*; sssd_ssh just doesn't run, and dyndns doesn't
> happen either.
>
> I can reboot or restart sssd as many times as I like and it won't fix it.
> But as soon as I would bump up the debuglevel in /etc/sssd/sssd.conf and
> "systemctl restart sssd", everything would work.
The only explanation I have is that 'something', either some join script or
whatever is used, updates sssd.conf after sssd is started. The way sssd reads
its configuration is that on sssd startup, we check the timestamp of
sssd.conf, compare it with the timestamp of sssd's internal configuration
database (/var/lib/sss/db/config.ldb) and if sssd.conf is newer, sssd
regenerates the configuration database. And perhaps the problem is that the
resolution of the timestamp is only down to seconds, so if you update the
config file on the same second as the last restart, sssd might not detect
the config file was changed?

> Eventually I figured out that it wasn't dependent on the debug level at all
> - if I just touch /etc/sssd/sssd.conf to update the timestamp, and restart
> sssd, that's enough to fix it.
>
> The next time I join a machine I'll start with debuglevel set to 9. In the
> meantime, is there anything that could explain this behaviour: the sshd
> integration and dyndns registration don't work until (1) the domain is
> joined and (2) sssd.conf's mtime is changed?
>
> Thanks,
> Mike
>
> sssd.conf:
>
> [domain/my.domain]
> access_provider = ad
> ad_domain = my.domain
> ad_gpo_access_control = disabled
> ad_hostname = myhostname.my.domain
> cache_credentials = False
> debug_level = 3
> default_shell = /bin/bash
> dns_resolver_timeout = 30
> dyndns_refresh_interval = 28800
> dyndns_update = True
> dyndns_update_ptr = True
> entry_cache_timeout = 120
> fallback_homedir = /home/%u
> id_provider = ad
> krb5_realm = MY.DOMAIN
> krb5_store_password_if_offline = False
> ldap_access_filter =
> (memberOf:1.2.840.113556.1.4.1941:=cn=somegroup,ou=Groups,ou=xxx,dc=my,dc=domain)
> ldap_group_nesting_level = 2
> ldap_id_mapping = True
> ldap_schema = ad
> ldap_user_ssh_public_key = sshPublicKey
> memcache_timeout = 120
> use_fully_qualified_names = False
>
> [nss]
> filter_users =
> root,named,avahi,haldaemon,dbus,radiusd,news,nscd,centos,ubuntu
>
> [ssh]
>
> [sssd]
> config_file_version = 2
> domains = my.domain
> services = nss,pam,ssh
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
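The timestamp comparison described in the reply, as an added example that is not sssd's own code: it models the sssd.conf-versus-config.ldb mtime check at nanosecond and at whole-second resolution, and shows that an edit landing in the same second as the config.ldb write goes unnoticed only at second resolution (how sssd actually compares the two values is an assumption here; the file names and timestamps are constructed).

```python
# Added example (not sssd's code): models the "sssd.conf newer than config.ldb"
# check from the reply. The exact comparison sssd makes is an assumption here.
import os
import tempfile

NS_PER_S = 1_000_000_000


def conf_is_newer(conf_mtime_ns, db_mtime_ns, whole_seconds):
    """True if sssd.conf would be treated as newer than config.ldb.

    With whole_seconds=True both values are truncated to seconds first, so an
    edit made in the same second as the database write is invisible.
    """
    if whole_seconds:
        return conf_mtime_ns // NS_PER_S > db_mtime_ns // NS_PER_S
    return conf_mtime_ns > db_mtime_ns


def check_paths(conf_path, db_path):
    """Compare two real files both ways; 'precise' True with 'seconds' False
    means the regeneration would be skipped under second resolution."""
    conf_ns = os.stat(conf_path).st_mtime_ns
    db_ns = os.stat(db_path).st_mtime_ns
    return {
        "precise": conf_is_newer(conf_ns, db_ns, whole_seconds=False),
        "seconds": conf_is_newer(conf_ns, db_ns, whole_seconds=True),
    }


def simulate_update(delay_ns):
    """Constructed scenario: config.ldb is written, then sssd.conf is edited
    delay_ns later (e.g. by a join script), as suspected in the thread."""
    with tempfile.TemporaryDirectory() as tmp:
        conf = os.path.join(tmp, "sssd.conf")
        db = os.path.join(tmp, "config.ldb")
        for path in (conf, db):
            open(path, "w").close()
        base_ns = 1_488_511_253 * NS_PER_S  # constructed: 2017-03-03 03:20:53 UTC
        os.utime(db, ns=(base_ns, base_ns))
        os.utime(conf, ns=(base_ns + delay_ns, base_ns + delay_ns))
        return check_paths(conf, db)


if __name__ == "__main__":
    # 300 ms later: missed at second resolution. A full second later (what
    # 'touch' before the restart achieves): detected either way.
    print(simulate_update(300_000_000), simulate_update(NS_PER_S))
```

Running it against the real /etc/sssd/sssd.conf and /var/lib/sss/db/config.ldb with check_paths shows whether a freshly edited config would be picked up on the next restart, or whether a touch is needed first.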
