I would start by gathering debugging during the time that the issue happens:
1. Add "debug_level = 9" to all sections [sssd], [domain], etc.
# vi /etc/sssd/sssd.conf
2. Restart SSSD:
# systemctl stop sssd ; rm -rf /var/log/sssd/* /var/lib/sss/{db,mc}/*
; systemctl start sssd
3. Replicate the issue.
4. Archive and upload logs to some location:
# tar czvf /tmp/sssd-debug__$(hostname -s)__$(date +%F_%H%M%S).tar.gz
/etc/{sssd,nsswitch*,krb5.conf,samba,pam.d} /var/log/{secure,messages,sssd}
Alternatively, you could also look into the logs alone
(/var/log/sssd/sssd_example.com.log. Try to find the location within
the logs that correlates with the timestamp of when the issue happened
and then diagnose from there.
Striker
On 05/04/2018 09:12 AM, Max DiOrio wrote:
Any thoughts? This issue seems to be rippling through all our AD
Domain Joined servers. The group randomly goes missing and nobody can
log into the server. After some time, it eventually starts working
again.
On Apr 24, 2018, at 9:08 AM, Max DiOrio <[email protected]
<mailto:[email protected]>> wrote:
We’re running SSSD 1.15.2
On Apr 23, 2018, at 6:29 PM, Lachlan Musicman <[email protected]
<mailto:[email protected]>> wrote:
On 24 April 2018 at 03:01, Max DiOrio<[email protected]
<mailto:[email protected]>>wrote:
So we are having issues with a couple servers where users
suddenly won't be able to log in. All our auth is done through
AD and not a thing has changed.
On a working server, I can do 'id username' and get back the
proper list of groups the user is a member of.
On the non-working server, 'id username' returns *mostly* the
same list. However the one group that the user needs to be a
member to log in is missing.
There are some groups in both lists that that have a group ID,
but not a group name. And the one non-working server has a
single group entry duplicated. The results of 'id username'
match throughout, except the noted areas below and a few entries
that are listed out of order between the two.
Here are the differences "non-working" on top, "working" on
bottom (gs-technology is the group in question that I need on
the non-working server). It doesn't make sense that 1002201991
is showing up twice in the list.
1002201991
1002201991(fs01-technology-all(rw))
1002201620(infrastructureteam)
1002201620
1002201991
1002204761(gs-technology)
Thanks!
Max, Which version of SSSD are you using, and which OS?
Cheers
L.
_______________________________________________
sssd-users mailing list [email protected]
<mailto:[email protected]>
To unsubscribe send an email
[email protected]
<mailto:[email protected]>
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
