Hi,

On Mon, Mar 20, 2023 at 6:05 PM Craig Martin <[email protected]> wrote:
>
> Hi,
>
> I have a problem I have been unable to solve and I'm at a loss. We use sssd
> on Debian 11 clients with active directory backend. We have 4 domain
> controllers running Windows Server 2022 in our environment. If any one of
> those domain controllers goes offline we experience intermittent
> authentication failures on the linux clients running sssd. It happens on
> some (but not all) clients and even on an affected client it can be
> intermittent (meaning sometimes authentication will work, sometimes it will
> not).

Most probably the backend is offline (search for 'offline' in sssd_$domain.log).

>
> I have tried using the ad_server directive in sssd.conf to restrict the
> domain controllers the client will try to contact but it seems to have no
> effect. I have upped the verbosity level in the logs but I am bombarded with
> messages that I struggle to interpret.

Try to reproduce the issue with 'getent passwd $user'. It should generate far fewer logs.

> Is there someone here who can take a look and help me troubleshoot? I can
> provide any additional logs / config info upon request.
>
> Here is some preliminary info:
> Client OS: Debian 11
> SSSD version: 2.4.1
>
> sssd.conf
>
> [sssd]
> services = nss, pam
> config_file_version = 2
> domains = AD.FINRCVGRP.COM
>
> [domain/AD.FINRCVGRP.COM]
> debug_level=6
> ad_server = frgdc2.ad.finrcvgrp.com,frgdc3.ad.finrcvgrp.com
> id_provider = ad
> cache_credentials = true
> access_provider = ad
> #access_provider = simple
> #simple_allow_groups = sasdev, dbdev
>
> # Use this if users are being logged in at /.
> # This example specifies /home/DOMAIN-FQDN/user as $HOME. Use with
> pam_mkhomedir.so
> override_homedir = /home/%u
> override_shell = /bin/bash
>
> # Uncomment if the client machine hostname doesn't match the computer object
> on the DC.
> # ad_hostnamemymachine.myubuntu.example.com
>
> # Uncomment if DNS SRV resolution is not working
> # ad_server = dc.mydomain.example.com
>
> # Uncomment if the AD domain is named differently than the Samba domain
> # ad_domain = MYUBUNTU.EXAMPLE.COM
>
> # Enumeration is discouraged for performance reasons.
> # enumerate = true
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
