SSSD intermittent paging errors cause lookups to fail
Environment
- Red Hat Enterprise Linux (RHEL) lower than version 5.8 or 6.2
- IPA client using SSSD < 1.5.1
Issue
- After installing the IPA client on this machine, cronjob shows errors associated with pam_sss(crond:account):
crond[22498]: pam_unix(crond:session): session closed for user user1
crond[22542]: pam_sss(crond:account): Access denied for user user1: 4 (System error)
crond[22542]: pam_unix(crond:session): session closed for user user1
crond[22543]: pam_sss(crond:account): Access denied for user user1: 4 (System error)
crond[22543]: pam_unix(crond:session): session closed for user user1
crond[22541]: pam_unix(crond:session): session opened for user user1 by (uid=0)
- Running SSSD in debug mode (debug_level = 9) shows the following:
[sssd[be[DOMAIN]]] [sdap_get_generic_done] (6): Search result: Server is unwilling to perform(53), Simple Paged Results Search already in progress on this connection
Resolution
- The error "Simple Paged Results Search already in progress on this connection" indicates a problem when SSSD tries to get paged results from an LDAP server. To fix this issue, update SSSD to version 1.5.1 or above and disable paged results in the /etc/sssd/sssd.conf file as shown below:
ldap_disable_paging = true
And restart the SSSD daemon:
# service sssd restart
BZ#806765 was opened to address this issue, and a corresponding erratum was released.
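To confirm that the setting is in place for every configured domain, a check like the following can be run. This is an added example, not part of the original article; it assumes ldap_disable_paging is set inside each [domain/NAME] section, and the sample configuration and domain names are constructed.

```shell
#!/bin/sh
# Added example: audit sssd.conf for ldap_disable_paging in each domain section.

# check_paging [FILE]  (reads stdin when FILE is omitted)
# Prints "<section> paging-disabled|paging-enabled" for every [domain/...]
# section; exit status is 0 only if all of them disable paging.
check_paging() {
    awk '
        function report() {
            if (section == "") return
            print section, (disabled ? "paging-disabled" : "paging-enabled")
            if (!disabled) bad = 1
        }
        /^[ \t]*[#;]/ { next }                  # comment lines do not count
        /^[ \t]*\[/ {                           # section header
            report()
            name = $0
            gsub(/^[ \t]*\[|\][ \t\r]*$/, "", name)
            section = (name ~ /^domain\//) ? name : ""
            disabled = 0
            next
        }
        section != "" && /^[ \t]*ldap_disable_paging[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)
            sub(/[ \t\r]+$/, "", val)
            disabled = (tolower(val) == "true")
        }
        END { report(); exit bad + 0 }
    ' "$@"
}

# Constructed sample configuration (domain names are made up).
sample_conf() {
    cat <<'EOF'
[sssd]
services = nss, pam
domains = EXAMPLE.COM, LEGACY

[domain/EXAMPLE.COM]
id_provider = ldap
ldap_disable_paging = true

[domain/LEGACY]
id_provider = ldap
# ldap_disable_paging = true
EOF
}

sample_conf | check_paging || echo "at least one domain still uses paged searches"
```

On a client, run check_paging /etc/sssd/sssd.conf as root, since the file is readable only by root.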
Root Cause
- The error above indicates that the LDAP server does not support paging, or that the server was under heavy load and could not handle the paged results.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
