On Wed, Feb 19, 2020 at 11:19:07PM -0500, Mark London wrote:
> Hi all - Recently, about once a week, SSSD will stop working on our mail
> server (version 1.16.4, Redhat 7) will stop properly authenticating. I set
> the debug logging to 6, and here are the lines in our domain log
> (domain=PSFC), after which nothing else in that log appears, until SSSD is
> restarted:
>
> (Wed Feb 19 14:03:57 2020) [sssd[be[PSFC]]] [fo_resolve_service_send]
> (0x0100): Trying to resolve service 'LDAP'
> (Wed Feb 19 14:03:57 2020) [sssd[be[PSFC]]] [be_resolve_server_process]
> (0x0200): Found address for server psfcdc2.psfc.mit.edu: [198.125.180.133]
> TTL 708
> (Wed Feb 19 14:03:57 2020) [sssd[be[PSFC]]] [sdap_uri_callback] (0x0400):
> Constructed uri 'ldaps://psfcdc2.psfc.mit.edu'
> (Wed Feb 19 14:03:57 2020) [sssd[be[PSFC]]] [sssd_async_socket_init_send]
> (0x0400): Setting 6 seconds timeout for connecting
>
> Normally, the following lines should follow:
>
> (Wed Feb 19 14:02:54 2020) [sssd[be[PSFC]]] [sdap_get_generic_ext_step]
> (0x0400): calling ldap_search_ext with [(objectclass=*)][].
> (Wed Feb 19 14:02:54 2020) [sssd[be[PSFC]]] [sdap_get_generic_op_finished]
> (0x0400): Search result: Success(0), no errmsg set
> (Wed Feb 19 14:02:54 2020) [sssd[be[PSFC]]]
> [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level
> to [6]
> (Wed Feb 19 14:02:54 2020) [sssd[be[PSFC]]]
> [sdap_get_server_opts_from_rootdse] (0x0100): Will look for schema at
> [CN=Schema,CN=Configurati\
> on,DC=psfc,DC=mit,DC=edu]
>
> Any idea why it stopped at that point? Would it help to increase the debug
> level? (As an aside, sssd_nss.log and sssd_pam.log, do continue to output

Hi,

this sounds like https://pagure.io/SSSD/sssd/issue/2878. The fix is
currently not included in RHEL-7, feel free to open a ticket at
bugzilla.redhat.com to get it added.

HTH

bye,
Sumit

> lines, so SSSD hasn't crashed). Here is my SSSD.CONF file. Thanks! - Mark
>
> [sssd]
> config_file_version = 2
> reconnection_retries = 3
> sbus_timeout = 30
> services = nss, pam
> domains = PSFC
>
> [nss]
> filter_groups = root
> filter_users = root
> reconnection_retries = 3
> debug_level = 6
>
> [pam]
> reconnection_retries = 3
> debug_level = 6
>
> [domain/PSFC]
> description = LDAP domain with AD server
> enumerate = false
> min_id = 501
> cache_credentials = true
> debug_level = 6
> ldap_purge_cache_timeout = 0
> ldap_enumeration_refresh_timeout = 300
> ldap_referrals = false
> id_provider = ldap
> chpass_provider = none
> auth_provider = ldap
> ldap_tls_reqcert = allow
> ldap_uri =
> ldaps://psfcdc1.psfc.mit.edu,ldaps://psfcdc2.psfc.mit.edu,ldaps://psfcdc3.psfc.mit.edu
> ldap_schema = rfc2307bis
> ldap_search_base = dc=psfc,dc=mit,dc=edu
> ldap_user_search_base = dc=psfc,dc=mit,dc=edu
> ldap_group_search_base = dc=psfc,dc=mit,dc=edu
> ldap_default_bind_dn = CN=ADldapreadonly,OU=Computer Group,OU=PSFC
> Users,DC=psfc,DC=mit,DC=edu
> ldap_default_authtok_type = password
> ldap_default_authtok = ldapread
> ldap_user_object_class = person
> ldap_user_name = sAMAccountName
> ldap_user_uid_number = msSFU30UidNumber
> ldap_user_gid_number = msSFU30GidNumber
> ldap_user_home_directory = msSFU30HomeDirectory
> ldap_user_shell = msSFU30LoginShell
> ldap_user_principal = userPrincipalName
> ldap_group_object_class = group
> ldap_group_member = msSFU30PosixMember
> ldap_user_member_of = msSFU30PosixMemberOf
> ldap_group_name = name
> ldap_group_gid_number = msSFU30GidNumber
> ldap_force_upper_case_realm = True

_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
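A log check for the symptom reported in this thread, as an added example that is not part of the original messages and is not SSSD code: it flags a domain log whose last entry is the `sssd_async_socket_init_send` connect-timeout line and whose timeout has long expired. The function name, the `grace` margin and the "healthy" sample are assumptions made for the illustration; the stalled sample joins the wrapped log lines quoted above.

```python
import re
from datetime import datetime, timedelta

# SSSD 1.16 debug line: (Wed Feb 19 14:03:57 2020) [sssd[be[PSFC]]] [func] (0x0400): msg
LINE_RE = re.compile(
    r"^\((?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \d{4})\) "
    r"\[sssd\[be\[[^\]]+\]\]\] \[(?P<func>\w+)\] \(0x[0-9a-f]{4}\): (?P<msg>.*)$"
)
CONNECT_RE = re.compile(r"Setting (\d+) seconds timeout for connecting")

def find_stalled_connect(log_lines, now, grace=30):
    """Return (timestamp, timeout_seconds) when the last parsed log entry is a
    connect attempt that is overdue by more than `grace` seconds, else None.
    `grace` is a hypothetical margin, not an SSSD setting."""
    last = None
    for raw in log_lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # wrapped continuation of a long message, not a new entry
        # %a/%b parsing assumes an English (C) locale, as in the quoted log
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        last = (ts, m["func"], m["msg"])
    if last is None:
        return None
    ts, func, msg = last
    hit = CONNECT_RE.search(msg)
    if func != "sssd_async_socket_init_send" or not hit:
        return None  # backend logged something after its last connect attempt
    timeout = int(hit.group(1))
    if now - ts > timedelta(seconds=timeout + grace):
        return ts, timeout
    return None  # still inside the connect timeout plus margin

P = "(Wed Feb 19 14:03:57 2020) [sssd[be[PSFC]]] "
# Log lines from the thread, with the mail client's wrapping undone.
STALLED = [
    P + "[fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'",
    P + "[sdap_uri_callback] (0x0400): Constructed uri 'ldaps://psfcdc2.psfc.mit.edu'",
    P + "[sssd_async_socket_init_send] (0x0400): Setting 6 seconds timeout for connecting",
]
# Constructed sample: the same attempt followed by a search result entry.
HEALTHY = STALLED + [
    P + "[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set",
]

if __name__ == "__main__":
    print(find_stalled_connect(STALLED, datetime(2020, 2, 19, 14, 10, 0)))
    print(find_stalled_connect(HEALTHY, datetime(2020, 2, 19, 14, 10, 0)))
```

An idle backend that simply has nothing to log is not flagged, because the check only fires when the connect-timeout line is the final entry.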
