Red Hat Training

A Red Hat training course is available for Red Hat Enterprise Linux

30.9. Troubleshooting SSSD

30.9.1. Checking SSSD Log Files

SSSD uses a number of log files to report information about its operation, located in the /var/log/sssd/ directory. SSSD produces a log file for each domain, as well as an sssd_pam.log and an sssd_nss.log file.
Additionally, the /var/log/secure file logs authentication failures and the reason for the failure.
Increasing the log level can provide more information about problems with SSSD. To change the log level, set the debug_level parameter for each section in the sssd.conf file for which to product extra logs. For example:
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP
debug_level = 9

Table 30.8. Debug Log Levels

Level Description
0 Fatal failures. Anything that would prevent SSSD from starting up or causes it to cease running.
1 Critical failures. An error that doesn't kill the SSSD, but one that indicates that at least one major feature is not going to work properly.
2 Serious failures. An error announcing that a particular request or operation has failed.
3 Minor failures. These are the errors that would percolate down to cause the operation failure of 2.
4 Configuration settings.
5 Function data.
6 Trace messages for operation functions.
7 Trace messages for internal control functions.
8 Contents of function-internal variables that may be interesting.
9 Extremely low-level tracing information.

30.9.2. Problems with SSSD Configuration

SSSD fails to start

SSSD requires that the configuration file be properly set up, with all the required entries, before the daemon will start.

  • SSSD requires at least one properly configured domain before the service will start. Without a domain, attempting to start SSSD returns an error that no domains are configured:
    # sssd -d4
    
    [sssd] [ldb] (3): server_sort:Unable to register control with rootdse!
    [sssd] [confdb_get_domains] (0): No domains configured, fatal error!
    [sssd] [get_monitor_config] (0): No domains configured.
    
    Edit the /etc/sssd/sssd.conf file and create at least one domain.
  • SSSD also requires at least one available service provider before it will start. If the problem is with the service provider configuration, the error message indicates that there are no services configured:
    [sssd] [get_monitor_config] (0): No services configured!
    
    Edit the /etc/sssd/sssd.conf file and configure at least one service provider.

    Important

    SSSD requires that service providers be configured as a comma-separated list in a single services entry in the /etc/sssd/sssd.conf file. If services are listed in multiple entries, only the last entry is recognized by SSSD.
I don't see any groups with 'id' or group members with 'getent group'.

This may be due to an incorrect ldap_schema setting in the [domain/DOMAINNAME] section of sssd.conf.

SSSD supports RFC 2307 and RFC 2307bis schema types. By default, SSSD uses the more common RFC 2307 schema.
The difference between RFC 2307 and RFC 2307bis is the way which group membership is stored in the LDAP server. In an RFC 2307 server, group members are stored as the multi-valued memberuid attribute, which contains the name of the users that are members. In an RFC2307bis server, group members are stored as the multi-valued member or uniqueMember attribute which contains the DN of the user or group that is a member of this group. RFC2307bis allows nested groups to be maintained as well.
If group lookups are not returning any information:
  1. Set ldap_schema to rfc2307bis.
  2. Delete /var/lib/sss/db/cache_DOMAINNAME.ldb.
  3. Restarting SSSD.
If that doesn't work, add this line to sssd.conf:
ldap_group_name = uniqueMember
Then delete the cache and restart SSSD again.
Authentication fails against LDAP.

To perform authentication, SSSD requires that the communication channel be encrypted. This means that if sssd.conf is configured to connect over a standard protocol (ldap://), it attempts to encrypt the communication channel with Start TLS. If sssd.conf is configured to connect over a secure protocol (ldaps://), then SSSD uses SSL.

This means that the LDAP server must be configured to run in SSL or TLS. TLS must be enabled for the standard LDAP port (389) or SSL enabled on the secure LDAPS port (636). With either SSL or TLS, the LDAP server must also be configured with a valid certificate trust.
An invalid certificate trust is one of the most common issues with authenticating against LDAP. If the client does not have proper trust of the LDAP server certificate, it is unable to validate the connection, and SSSD refuses to send the password. The LDAP protocol requires that the password be sent in plaintext to the LDAP server. Sending the password in plaintext over an unencrypted connection is a security problem.
If the certificate is not trusted, a syslog message is written, indicating that TLS encryption could not be started. The certificate configuration can be tested by checking if the LDAP server is accessible apart from SSSD. For example, this tests an anonymous bind over a TLS connection to test.example.com:
$ ldapsearch -x -ZZ -h test.example.com -b dc=example,dc=com
If the certificate trust is not properly configured, the test fails with this error:
ldap_start_tls: Connect error (-11) additional info: TLS error -8179:Unknown code ___f 13
To trust the certificate:
  1. Obtain a copy of the public CA certificate for the certificate authority used to sign the LDAP server certificate and save it to the local system.
  2. Add a line to the sssd.conf file that points to the CA certificate on the filesystem.
    ldap_tls_cacert = /path/to/cacert
  3. If the LDAP server uses a self-signed certificate, remove the ldap_tls_reqcert line from the sssd.conf file.
    This parameter directs SSSD to trust any certificate issued by the CA certificate, which is a security risk with a self-signed CA certificate.
Connecting to LDAP servers on non-standard ports fail.

When running SELinux in enforcing mode, the client's SELinux policy has to be modified to connect to the LDAP server over the non-standard port. For example:

# semanage port -a -t ldap_port_t -p tcp 1389
NSS fails to return user information

This usually means that SSSD cannot connect to the NSS service.

  • Ensure that NSS is running:
    # service sssd status
  • If NSS is running, make sure that the provider is properly configured in the [nss] section of the /etc/sssd/sssd.conf file. Especially check the filter_users and filter_groups attributes.
  • Make sure that NSS is included in the list of services that SSSD uses.
  • Check the configuration in the /etc/nsswitch.conf file.
NSS returns incorrect user information

If searches are returning the incorrect user information, check that there are not conflicting usernames in separate domains. When there are multiple domains, set the use_fully_qualified_domains attribute to true in the /etc/sssd/sssd.conf file. This differentiates between different users in different domains with the same name.

Setting the password for the local SSSD user prompts twice for the password

When attempting to change a local SSSD user's password, it may prompt for the password twice:

[root@clientF11 tmp]# passwd user1000
Changing password for user user1000.
New password:
Retype new password:
New Password:
Reenter new Password:
passwd: all authentication tokens updated successfully.
This is the result of an incorrect PAM configuration. Ensure that the use_authtok option is correctly configured in your /etc/pam.d/system-auth file.