Hi, my sssd service is crashing on CentOS 8. It looks like something is changing the file permissions on /var/lib/sss/db/config.ldb

$ systemctl status sssd.service
● sssd.service - System Security Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Mon 2020-01-13 16:30:16 CST; 15h ago
  Process: 874 ExecStart=/usr/sbin/sssd -i ${DEBUG_LOGGER} (code=exited, status=1/FAILURE)
 Main PID: 874 (code=exited, status=1/FAILURE)

Jan 13 16:30:16 sp20client.ad.siu.edu sssd[874]: (Mon Jan 13 16:30:16:876393 2020) [sssd[nss]] [ldb] (0x0020): Unable to open tdb '/var/lib/sss/db/config.ldb': Permission denied
Jan 13 16:30:16 sp20client.ad.siu.edu sssd[874]: (Mon Jan 13 16:30:16:876628 2020) [sssd[nss]] [ldb] (0x0020): Failed to connect to '/var/lib/sss/db/config.ldb' with backend 'tdb': Unable to >
Jan 13 16:30:16 sp20client.ad.siu.edu sssd[874]: (Mon Jan 13 16:30:16:876641 2020) [sssd[nss]] [confdb_init] (0x0010): Unable to open config database [/var/lib/sss/db/config.ldb]
Jan 13 16:30:16 sp20client.ad.siu.edu sssd[874]: (Mon Jan 13 16:30:16:876654 2020) [sssd[nss]] [server_setup] (0x0010): The confdb initialization failed
Jan 13 16:30:16 sp20client.ad.siu.edu sssd[874]: Exiting the SSSD. Could not restart critical service [nss].
Jan 13 16:30:16 sp20client.ad.siu.edu sssd[be[ad.siu.edu]][943]: Shutting down
Jan 13 16:30:16 sp20client.ad.siu.edu sssd[be[implicit_files]][942]: Shutting down
Jan 13 16:30:16 sp20client.ad.siu.edu systemd[1]: sssd.service: Main process exited, code=exited, status=1/FAILURE
Jan 13 16:30:16 sp20client.ad.siu.edu systemd[1]: sssd.service: Failed with result 'exit-code'.
Jan 13 16:30:16 sp20client.ad.siu.edu systemd[1]: Failed to start System Security Services Daemon.

Something is changing the file permissions of file /var/lib/sss/db/config.ldb to:

$ ls -la /var/lib/sss/db/config.ldb
-rw-------. 1 1767801122 1767800513 1286144 Jan 13 16:30 /var/lib/sss/db/config.ldb
$
$ id 1767801122
id: ‘1767801122’: no such user
$ getent passwd 1767801122
$ echo $?
2
$
$ systemctl restart sssd
$ ls -lan /var/lib/sss/db/config.ldb
-rw-------. 1 0 0 1286144 Jan 14 08:00 /var/lib/sss/db/config.ldb
$ ls -la /var/lib/sss/db/config.ldb
-rw-------. 1 root root 1286144 Jan 14 08:00 /var/lib/sss/db/config.ldb
$

I've joined this machine to an Active Directory Domain using packages:

realmd_prereq_packages:
  - realmd
  - sssd
  - adcli
  - oddjob
  - oddjob-mkhomedir
  - samba-common
  - samba-common-tools
  - krb5-workstation

realm join -vvvv --computer-ou="ou=Computers,dc=sample,dc=college,dc=edu" --user-principal=nfs/sp20client.sample.college....@ad.siu.edu --os-name=CentOS --user=account SAMPLE.COLLEGE.EDU

Things have been odd with the sssd authentication in other ways as well. One time when I tried to su root it wasn't working until I rebooted CentOS 8.

Here is my sssd.conf:

[sssd]
domains = sample.college.edu
config_file_version = 2
services = nss, pam
#default_domain_suffix = SAMPLE.COLLEGE.EDU

[domain/sample.college.edu]
ad_domain = sample.college.edu
krb5_realm = SAMPLE.COLLEGE.EDU
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
# The following pulls ldap uid,gid from AD
#ldap_id_mapping = False
# The following uses xxxx...@sample.college.edu for login name if default_domain_suffix is not set.
#use_fully_qualified_names = True
# The following allows xxxxxxx to login with default_domain_suffix is not set.
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
access_provider = ad
subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
ignore_group_members = True
krb5_lifetime = 7h
krb5_renewable_lifetime = 7d
krb5_renew_interval = 60s
dyndns_update = true
dyndns_refresh_interval = 60
dyndns_update_ptr = true
dyndns_ttl = 60
debug_level = 9
dyndns_iface = enp0s3
#dyndns_auth = none
dyndns_server = 131.x.x.x
ad_hostname = sp20client.sample.college.edu

_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
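
Added example, not part of the original post: a shell check for the symptom shown above (config.ldb owned by a numeric ID with no passwd entry), together with the auditd file-watch rule that would record which process changes the file's attributes. The function names, the audit key and the expected root:root 600 values (taken from the post's listing after the restart) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes GNU stat, as on CentOS.

# check_owner FILE UID GID MODE
# Prints one line per finding. Exit status: 0 match, 1 drift, 2 file missing.
# The body runs in a subshell "( )" so its variables stay local.
check_owner() (
    file=$1 want_uid=$2 want_gid=$3 want_mode=$4
    rc=0
    [ -e "$file" ] || { echo "MISSING $file"; exit 2; }
    # Numeric owner, group and octal mode, e.g. "0 0 600".
    set -- $(stat -c '%u %g %a' -- "$file")
    uid=$1 gid=$2 mode=$3
    if [ "$uid" != "$want_uid" ] || [ "$gid" != "$want_gid" ]; then
        echo "OWNER $file is $uid:$gid, expected $want_uid:$want_gid"
        # Same lookup the post ran by hand: does the owning UID resolve?
        getent passwd "$uid" >/dev/null ||
            echo "UNRESOLVED uid $uid has no passwd entry"
        rc=1
    fi
    if [ "$mode" != "$want_mode" ]; then
        echo "MODE $file is $mode, expected $want_mode"
        rc=1
    fi
    exit "$rc"
)

# audit_rule FILE KEY
# Emits an auditd file-watch rule that logs attribute changes (chown/chmod)
# on FILE, tagged with KEY so the events can be found with "ausearch -k KEY".
audit_rule() {
    printf -- '-w %s -p a -k %s\n' "$1" "$2"
}

# Usage: sh check.sh /var/lib/sss/db/*.ldb
# Expected root:root 600 is what the post's listing shows after a restart.
for f in "$@"; do
    check_owner "$f" 0 0 600 || audit_rule "$f" sssd_db_attr
done
```

The emitted rule line can be placed in a file under /etc/audit/rules.d/ or passed to auditctl as its arguments.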