Set the debug_level parameter for each section in the sssd.conf file for which to produce extra logs. For example:
[domain/LDAP]
enumerate = false
cache_credentials = true
debug_level = 9
Table 7.11. Debug Log Levels
| Level | Description |
|---|---|
| 0 | Fatal failures. Anything that would prevent SSSD from starting up or causes it to cease running. |
| 1 | Critical failures. An error that doesn't kill the SSSD, but one that indicates that at least one major feature is not going to work properly. |
| 2 | Serious failures. An error announcing that a particular request or operation has failed. |
| 3 | Minor failures. These are the errors that would percolate down to cause the operation failure of 2. |
| 4 | Configuration settings. |
| 5 | Function data. |
| 6 | Trace messages for operation functions. |
| 7 | Trace messages for internal control functions. |
| 8 | Contents of function-internal variables that may be interesting. |
| 9 | Extremely low-level tracing information. |
NOTE: Previously, the debug level was set globally in the [sssd] section. Now, each domain and service must configure its own debug log level. Run the sssd_update_debug_levels.py script:
python /usr/lib/python2.6/site-packages/sssd_update_debug_levels.py
Logs are written to the /var/log/sssd/ directory. SSSD produces a log file for each domain, as well as an sssd_pam.log and an sssd_nss.log file. The /var/log/secure file logs authentication failures and the reason for the failure.
# sssd -d4
[sssd] [ldb] (3): server_sort:Unable to register control with rootdse!
[sssd] [confdb_get_domains] (0): No domains configured, fatal error!
[sssd] [get_monitor_config] (0): No domains configured.
Edit the /etc/sssd/sssd.conf file and create at least one domain.
[sssd] [get_monitor_config] (0): No services configured!
Edit the /etc/sssd/sssd.conf file and configure at least one service provider.
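The debug levels in the table above are the numbers in parentheses in the sssd -d4 output. The following Python parser, which is an added example and not code from this page or from the SSSD project, splits such lines into component, function, level and message, and filters them by level so that fatal and critical messages can be pulled out of a long log. The sample lines are constructed (the first three copy the output shown above; the fourth, including its nested component name, is an assumed trace line), and the bracket layout is assumed to be exactly the one shown on this page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Level descriptions taken from the Debug Log Levels table on this page.
DEBUG_LEVELS = {
    0: "Fatal failures",
    1: "Critical failures",
    2: "Serious failures",
    3: "Minor failures",
    4: "Configuration settings",
    5: "Function data",
    6: "Trace messages for operation functions",
    7: "Trace messages for internal control functions",
    8: "Contents of function-internal variables",
    9: "Extremely low-level tracing information",
}

# Shape of the lines shown on this page: [component] [function] (level): message
# The component is matched non-greedily so nested names such as sssd[be[LDAP]] survive.
LINE_RE = re.compile(
    r"^\[(?P<component>.+?)\] \[(?P<function>[^\]]+)\] \((?P<level>\d)\): (?P<message>.*)$"
)


@dataclass
class DebugMessage:
    component: str
    function: str
    level: int
    message: str

    @property
    def severity(self) -> str:
        return DEBUG_LEVELS.get(self.level, "unknown")


def parse_line(line: str) -> Optional[DebugMessage]:
    """Parse one SSSD debug line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return DebugMessage(m["component"], m["function"], int(m["level"]), m["message"])


def messages_at_or_below(lines, max_level: int) -> List[DebugMessage]:
    """Return parsed messages whose level is <= max_level (0 keeps only fatal ones)."""
    out = []
    for line in lines:
        msg = parse_line(line)
        if msg is not None and msg.level <= max_level:
            out.append(msg)
    return out


# Constructed sample log: the three lines from the sssd -d4 output above plus one
# assumed level-6 trace line from a backend process.
SAMPLE_LOG = [
    "[sssd] [ldb] (3): server_sort:Unable to register control with rootdse!",
    "[sssd] [confdb_get_domains] (0): No domains configured, fatal error!",
    "[sssd] [get_monitor_config] (0): No domains configured.",
    "[sssd[be[LDAP]]] [sdap_get_generic_ext_step] (6): calling ldap_search_ext with [(objectclass=*)]",
]

if __name__ == "__main__":
    for msg in messages_at_or_below(SAMPLE_LOG, 1):
        print(f"{msg.severity}: {msg.function}: {msg.message}")
```

Running the block lists only the two level-0 messages, which is the quickest way to find the reason SSSD refused to start in a log captured at a high debug_level.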
Important: Configure all service providers in a single services entry in the /etc/sssd/sssd.conf file. If services are listed in multiple entries, only the last entry is recognized by SSSD.
Check the ldap_schema setting in the [domain/DOMAINNAME] section of sssd.conf. In an RFC2307 server, group members are stored as the multi-valued memberuid attribute, which contains the names of the users that are members. In an RFC2307bis server, group members are stored as the multi-valued member or uniqueMember attribute, which contains the DN of the user or group that is a member of this group. RFC2307bis allows nested groups to be maintained as well. Set ldap_schema to rfc2307bis.
/var/lib/sss/db/cache_DOMAINNAME.ldb.
Add this line to sssd.conf:
ldap_group_name = uniqueMember
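To make the schema difference concrete, here is an added Python example (not code from this page or from SSSD) that resolves group membership the way each schema stores it: by user name from memberUid for RFC 2307, and by DN from member or uniqueMember, recursing into nested groups, for RFC 2307bis. The directory entries are constructed; the member_attr parameter stands in for whichever sssd.conf setting tells SSSD which attribute to read, and the group and user names are assumptions. Resolving an RFC 2307bis group with the RFC 2307 rules returns no members, which is the symptom the text above describes.

```python
# Constructed directory contents. Attribute names are lowercase because LDAP
# attribute names are case-insensitive.
BASE = "dc=example,dc=com"
ADMINS_DN = f"cn=admins,ou=groups,{BASE}"
OPS_DN = f"cn=ops,ou=groups,{BASE}"
ALICE_DN = f"uid=alice,ou=people,{BASE}"
BOB_DN = f"uid=bob,ou=people,{BASE}"

USERS = {ALICE_DN: "alice", BOB_DN: "bob"}

# RFC 2307: memberUid holds user names; nesting is not expressible.
RFC2307_GROUPS = {
    ADMINS_DN: {"cn": ["admins"], "memberuid": ["alice", "bob"]},
}

# RFC 2307bis: member holds DNs, and a DN may name another group.
# ops is nested in admins, and ops refers back to admins to show cycle handling.
RFC2307BIS_GROUPS = {
    ADMINS_DN: {"cn": ["admins"], "member": [ALICE_DN, OPS_DN]},
    OPS_DN: {"cn": ["ops"], "member": [BOB_DN, ADMINS_DN]},
}

# Same as RFC 2307bis but the server uses uniqueMember instead of member.
UNIQUEMEMBER_GROUPS = {
    ADMINS_DN: {"cn": ["admins"], "uniquemember": [ALICE_DN]},
}


def members_rfc2307(group_entry):
    """RFC 2307: members are the user names listed in memberUid."""
    return sorted(group_entry.get("memberuid", []))


def members_rfc2307bis(groups, users, group_dn, member_attr="member", _seen=None):
    """RFC 2307bis: member_attr holds DNs; DNs of other groups are expanded
    recursively, and _seen stops infinite loops on cyclic nesting."""
    if _seen is None:
        _seen = set()
    if group_dn in _seen:
        return set()
    _seen.add(group_dn)
    names = set()
    for dn in groups.get(group_dn, {}).get(member_attr, []):
        if dn in users:
            names.add(users[dn])
        elif dn in groups:
            names |= members_rfc2307bis(groups, users, dn, member_attr, _seen)
        # DNs that resolve to neither a user nor a group are ignored
    return names


def resolve(schema, groups, users, group_dn, member_attr="member"):
    """Resolve a group's members under the given ldap_schema value."""
    if schema == "rfc2307":
        return members_rfc2307(groups.get(group_dn, {}))
    if schema == "rfc2307bis":
        return sorted(members_rfc2307bis(groups, users, group_dn, member_attr))
    raise ValueError(f"unknown ldap_schema value: {schema}")


if __name__ == "__main__":
    print("rfc2307 rules on rfc2307 data:     ", resolve("rfc2307", RFC2307_GROUPS, USERS, ADMINS_DN))
    print("rfc2307bis rules on rfc2307bis data:", resolve("rfc2307bis", RFC2307BIS_GROUPS, USERS, ADMINS_DN))
    print("rfc2307 rules on rfc2307bis data:  ", resolve("rfc2307", RFC2307BIS_GROUPS, USERS, ADMINS_DN))
```

The last line of the output is empty: with the wrong schema the resolver looks for memberUid, which an RFC 2307bis group does not carry, so nobody appears to be a member. The uniqueMember case behaves the same way until the resolver is told to read that attribute.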
If sssd.conf is configured to connect over a standard protocol (ldap://), it attempts to encrypt the communication channel with Start TLS. If sssd.conf is configured to connect over a secure protocol (ldaps://), then SSSD uses SSL. A syslog message is written, indicating that TLS encryption could not be started. The certificate configuration can be tested by checking whether the LDAP server is accessible apart from SSSD. For example, this tests an anonymous bind over a TLS connection to test.example.com:
$ ldapsearch -x -ZZ -h test.example.com -b dc=example,dc=com
ldap_start_tls: Connect error (-11) additional info: TLS error -8179:Unknown code ___f 13
Add a line to the sssd.conf file that points to the CA certificate on the filesystem:
ldap_tls_cacert = /path/to/cacert
Remove the ldap_tls_reqcert line from the sssd.conf file.
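Several of the problems in this section (a missing domain or service, services split across more than one entry so that only the last one counts, sections without their own debug_level, and an LDAP connection whose certificate checking is incomplete) are visible in sssd.conf before SSSD is started. The following Python lint is an added example, not a tool from this page or from the SSSD project: it parses the INI-style file with a small hand-written reader that keeps duplicate keys, which configparser would reject or collapse, and reports those conditions. The sample configuration is constructed; the option names ldap_uri, ldap_tls_cacert, ldap_tls_cacertdir and ldap_tls_reqcert and the values never and allow are taken from the sssd-ldap manual page, and the decision to treat never and allow as weak is this example's own.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
OPTION_RE = re.compile(r"^(?P<key>[A-Za-z0-9_]+)\s*=\s*(?P<value>.*?)\s*$")


def parse_sssd_conf(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Return {section: [(key, value), ...]} preserving order and duplicate keys."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m["name"]
            sections.setdefault(current, [])
            continue
        m = OPTION_RE.match(line)
        if m and current is not None:
            sections[current].append((m["key"], m["value"]))
    return sections


def lint_sssd_conf(text: str) -> List[str]:
    """Report the misconfigurations discussed in this troubleshooting section."""
    findings: List[str] = []
    conf = parse_sssd_conf(text)
    sssd = conf.get("sssd", [])

    services = [v for k, v in sssd if k == "services"]
    if not services:
        findings.append("[sssd]: no services configured")
    elif len(services) > 1:
        findings.append(f"[sssd]: services listed {len(services)} times; "
                        f"SSSD only honours the last entry ({services[-1]})")
    if not [v for k, v in sssd if k == "domains"]:
        findings.append("[sssd]: no domains configured")

    for name, opts in conf.items():
        keys = dict(opts)  # last value wins, mirroring how SSSD reads duplicates
        # Each domain and service must carry its own debug_level now.
        if name != "sssd" and "debug_level" not in keys:
            findings.append(f"[{name}]: no debug_level set; this section will not produce extra logs")
        if not name.startswith("domain/"):
            continue
        uri = keys.get("ldap_uri")
        if uri:
            scheme = urlsplit(uri.split(",")[0].strip()).scheme
            if scheme in ("ldap", "ldaps") and not ("ldap_tls_cacert" in keys or "ldap_tls_cacertdir" in keys):
                how = "Start TLS" if scheme == "ldap" else "SSL"
                findings.append(f"[{name}]: {scheme}:// URI uses {how} but no ldap_tls_cacert "
                                f"or ldap_tls_cacertdir is set")
        reqcert = keys.get("ldap_tls_reqcert", "").lower()
        if reqcert in ("never", "allow"):
            findings.append(f"[{name}]: ldap_tls_reqcert = {reqcert} accepts an unverified server certificate")
    return findings


# Constructed sample that triggers four findings; the domain block reuses the
# settings shown at the top of this section.
SAMPLE_CONF = """\
[sssd]
services = nss
services = pam
domains = LDAP

[nss]
filter_users = root

[pam]
debug_level = 4

[domain/LDAP]
enumerate = false
cache_credentials = true
debug_level = 9
ldap_uri = ldap://ldap.example.com
ldap_tls_reqcert = never
"""

if __name__ == "__main__":
    for finding in lint_sssd_conf(SAMPLE_CONF):
        print(finding)
```

The ldap_tls_reqcert check explains why removing that line is a reasonable fix: the sssd-ldap manual page gives hard as the option's default, so a configuration without the line still requires a valid server certificate, whereas never or allow leave the Start TLS session open to an impostor server.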
# semanage port -a -t ldap_port_t -p tcp 1389
# service sssd status
Check the [nss] section of the /etc/sssd/sssd.conf file. Especially check the filter_users and filter_groups attributes.
/etc/nsswitch.conf file.
Set the use_fully_qualified_domains attribute to true in the /etc/sssd/sssd.conf file. This differentiates between users in different domains who have the same name.
[root@clientF11 tmp]# passwd user1000
Changing password for user user1000.
New password:
Retype new password:
New Password:
Reenter new Password:
passwd: all authentication tokens updated successfully.
Check that the use_authtok option is correctly configured in your /etc/pam.d/system-auth file.