Bug 1893159
| Field | Value |
|---|---|
| Summary | Default debug level should report all errors / failures |
| Product | Red Hat Enterprise Linux 8 |
| Component | sssd |
| Version | 8.3 |
| Status | CLOSED ERRATA |
| Severity | unspecified |
| Priority | unspecified |
| Hardware | Unspecified |
| OS | Unspecified |
| Reporter | Alexey Tikhonov <atikhono> |
| Assignee | Alexey Tikhonov <atikhono> |
| QA Contact | Madhuri <mupadhye> |
| CC | dlavu, grajaiya, jhrozek, lslebodn, mzidek, pbrezina, sgoveas, sssd-qe, tscherf |
| Target Milestone | rc |
| Target Release | 8.0 |
| Keywords | Triaged |
| Whiteboard | sync-to-jira |
| Fixed In Version | sssd-2.4.0-8.el8 |
| Doc Type | Enhancement |
| Doc Text | Default "debug_level" for sssd components changed to 0x0070 (i.e. fatal, critical and serious failures) |
| Last Closed | 2021-05-18 15:03:59 UTC |
| Type | Bug |

Description
Alexey Tikhonov
2020-10-30 11:31:39 UTC
Pushed PR: https://github.com/SSSD/sssd/pull/5422

* `master`
    * bd2f38abe95645b9b16b12d12dac6008b0d2a03b - UTIL: find_domain_by_object_name_ex() changed log level
    * 0db68a1f95612fcbad18ca8107a4b170f446dd59 - LDAP: sdap_save_grpmem(): log level changed
    * 00e3ac4a4f9b6c8da27daa3ed8c18664c99256bb - LDAP: reduce log level in case of fail to store members of missing group (it might be built-in skipped intentionally)
    * dba7de0db3cbaee43ef06a1b7c847fbcf48f3708 - SYSDB: changed logging in sysdb_get_real_name()
    * e86599ba079611ed324ff1493a7173d11c1a7961 - IPA: changed logging in ipa_get_subdom_acct_send()
    * bf873598a9d4ac8256b20859c0d92fb509861b6b - IPA: ignore failed group search in certain cases
    * 60b17be9e4f4865fe1774076808a6c783a7ec906 - SYSDB: changed log level in sysdb_update_members_ex()
    * 9390af3c2d1b33e2b5ded0ea0c6c436b9776cedc - IPA: reduce log level in apply_subdomain_homedir()
    * 9215cf4e2519d5f085bf97f26a74d499090e46e1 - CERTMAP: removed stray debug message
    * 0986cf6ced8c4e09b8031d19eddffca679aca30c - UTIL: fixed bug in server_setup() that prevented setting debug level to 0 explicitly
    * 644453f8d93540a91236683015f3418d29c6d95a - LOGS: default log level changed to <= SSSDBG_OP_FAILURE
    * 4fe060abbe958c2f9b5aa44e489620063029aa0b - FILES: reduced debug level in refresh_override_attrs() if case "No overrides, nothing to do"
    * 29f243fd5b256efe3c7f4e4f0940c7d0ae6b4fa1 - AD: reduced log level in case check_if_pac_is_available() can't find user entry. This is typical situation when, for example, INITGROUPS lookup is executed for uncached user.
    * ed6ec569780ad8203c4990faed5a9f0dc27dd12b - SDAP: reduced log level in case group without members
    * 26fdc3c8f0ae6493442ea291d9bf36ba148ef209 - CACHE_REQ: reduced log level in cache_req_object_by_name_well_known() Non fqdn input isn't necessarily an error here.
    * a7b145b99b9f71ad3d02251fff5b587041c9f1ab - LDAP: reduced log level in hosts_get_done()
    * 6e3b4d745fc8d2de14d69aa30bc21aa549a435f8 - SBUS: reduced log level in case of unexpected signal
    * 90dae38d7442757b8a51f91a6ba3fb83f99320a1 - RESPONDER: reduce log level in sss_parse_inp_done() in case of "Unknown domain" since this might be search by UPN
    * 69aa3e8c4b82a06e45ba59eb1c17af252aa971ce - DP: do not log failure in case provider doesn't support check_online method
    * 1af89925e62cccacb2957f55b16988a5e71fe5e1 - IPA: corrected confusing message
    * a419b7e673d2de571d873b79be31b1ae2fa89832 - SSS_IFACE: corrected misleading return code
    * 99e44d9db41f5bb56281ed65d815c32139195931 - LDAP: added missed \n in log message
    * 52dc85540e621b00f358fea94e2e390d580948d8 - SYSDB: reduce log level in sysdb_update_members_ex() in case failed attempt to DEL unexisting attribute
    * a7b6413d9fb870f51f09955bdceee01952442c63 - UTIL: sss_ldb_error_to_errno() improved
    * ac22859006b5658017b2720ca3e02d34c5beecdd - PAM: reduce log level in may_do_cert_auth()
    * 5068655a67f88cb1730f28689c5effee264321ad - UTIL: few debug message corrections
    * 3cbd0465b52f9bbb7e20b0b12e154f51bab0866e - PAM: few debug message corrections
    * f028253ff87bf11ed034ad5acf1f67e8863bed60 - NSS: few debug message corrections
    * f457a1a69240381ad7637a09dc66c1aeb78e1d18 - IFP: few debug message corrections
    * 058644f2ef6d1958db657d371158d2df7798dd49 - RESPONDER: few debug message corrections
    * 01ba32f250a0e51771471c52440c11f6f05f2a48 - CACHE_REQ: debug message correction
    * 018c08acbb3bbb836c9acefaf5c384eb9231a60a - AUTOFS: few debug message corrections
    * fb052a4c9843ce518a7202d842c43631f8bbfd2d - RESOLV: debug message correction
    * d91409df456f9ad7aad39d0cad0ed053cf1f3653 - PROXY: few debug message corrections
    * ff8f44ce2d2eedb098d980793a949f7f7e55576a - LDAP: few debug message corrections
    * 9244820af59ba6b947cf9aa1269d03bb6f2e4f38 - KRB5: few debug message corrections
    * 667b983aaee380c50d50ef07542b004e60041581 - IPA: few debug message corrections
    * 2f70695a874dcb84d4b86773138a5a6b6259958f - DP: few debug message corrections
    * d6f6f053d7a97a220b52ce92fd653eef8cec5a74 - AD: few debug message corrections
    * 85d8adc4d24f09e47f2a9c0fa595d90c61036b18 - P11_CHILD: severity level of few debug messages adjusted
    * fe0530ef96baa8fd39ce6b87c0c760e17c5eb6f8 - MONITOR: severity level of few debug messages adjusted
    * daa5454f870a5436a554091a1333cc8be0cbc566 - SYSDB:views: few debug message corrections
    * 82dc14b027f9115cabafce71d2b385d5c7d1dd4f - SYSDB:upgrade: debug message corrected
    * e731368ed9cea9b35d0ae654e1534084c6ef4642 - SYSDB:service: severity level of few debug messages adjusted
    * f55c9599068c43037a8b666af92ba9b8a044f735 - SYSDB:selinux: debug message severity level was adjusted
    * 744582419abfd6e5665315748d44e732f1d56f13 - SYSDB:search: few debug messages were corrected
    * 033c31a2a4994367edea1ded8303a0d2dbc59b1c - SYSDB:ops: few debug messages were corrected
    * a73df70ee0bcc8f1b80a2e20132592724bd5f675 - SYSDB:ipnetworks: severity level of few debug messages adjusted
    * b4acf71d0a81aeeb2754645d2798ce1e927121f3 - SYSDB:iphosts: severity level of few debug messages adjusted
    * d8af1db84b48193a546bbeec84a7dd7e2b132244 - SYSDB:sudo: changed debug message to be consistent
    * df723cb98b406b0262f04d0e43e8e5bf0030074f - SYSDB: wrong debug message corrected
    * e350d917e6d48c1d13502ab2849d3e2a0815215e - SYSDB:autofs: cosmetic updates

Verified with

```
[root@ci-vm-10-0-153-189 sssd]# rpm -qa sssd
sssd-2.4.0-5.el8.x86_64
```

Case 1: Check by default debug_level = 0/1

```
[root@ci-vm-10-0-153-189 sssd]# cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam
domains = example1

[domain/example1]
ldap_search_base = dc=example,dc=test
id_provider = ldap
auth_provider = ldap
ldap_user_home_directory = /home/%u
ldap_uri = ldaps://server.example.com
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
use_fully_qualified_names = True
```

1. Change permission of sssd.conf to 444

```
[root@ci-vm-10-0-153-189 ~]# chmod 444 /etc/sssd/sssd.conf
```

2. Restart sssd,

```
[root@ci-vm-10-0-153-189 ~]# systemctl stop sssd; rm -rf /var/log/sssd/*; systemctl start sssd
```

3. Check sssd logs

```
(2021-01-11 15:10:53:763352): [sssd] [sss_ini_read_sssd_conf] (0x0020): Permission check on config file failed.
(2021-01-11 15:10:53:763401): [sssd] [confdb_init_db] (0x0020): Cannot convert INI to LDIF [1432158317]: [File ownership and permissions check failed]
(2021-01-11 15:10:53:763422): [sssd] [confdb_setup] (0x0010): ConfDB initialization has failed [1432158317]: File ownership and permissions check failed
(2021-01-11 15:10:53:763452): [sssd] [load_configuration] (0x0010): Unable to setup ConfDB [1432158317]: File ownership and permissions check failed
(2021-01-11 15:10:53:763462): [sssd] [main] (0x0010): SSSD couldn't load the configuration database.
(2021-01-11 15:10:54:112640): [sssd] [sss_ini_read_sssd_conf] (0x0020): Permission check on config file failed.
(2021-01-11 15:10:54:112677): [sssd] [confdb_init_db] (0x0020): Cannot convert INI to LDIF [1432158317]: [File ownership and permissions check failed]
(2021-01-11 15:10:54:112690): [sssd] [confdb_setup] (0x0010): ConfDB initialization has failed [1432158317]: File ownership and permissions check failed
(2021-01-11 15:10:54:112718): [sssd] [load_configuration] (0x0010): Unable to setup ConfDB [1432158317]: File ownership and permissions check failed
(2021-01-11 15:10:54:112728): [sssd] [main] (0x0010): SSSD couldn't load the configuration database.
(2021-01-11 15:10:54:364249): [sssd] [sss_ini_read_sssd_conf] (0x0020): Permission check on config file failed.
(2021-01-11 15:10:54:364302): [sssd] [confdb_init_db] (0x0020): Cannot convert INI to LDIF [1432158317]: [File ownership and permissions check failed]
(2021-01-11 15:10:54:364312): [sssd] [confdb_setup] (0x0010): ConfDB initialization has failed [1432158317]: File ownership and permissions check failed
(2021-01-11 15:10:54:364341): [sssd] [load_configuration] (0x0010): Unable to setup ConfDB [1432158317]: File ownership and permissions check failed
(2021-01-11 15:10:54:364351): [sssd] [main] (0x0010): SSSD couldn't load the configuration database.
(2021-01-11 15:10:54:609571): [sssd] [sss_ini_read_sssd_conf] (0x0020): Permission check on config file failed.
(2021-01-11 15:10:54:609600): [sssd] [confdb_init_db] (0x0020): Cannot convert INI to LDIF [1432158317]: [File ownership and permissions check failed]
(2021-01-11 15:10:54:609609): [sssd] [confdb_setup] (0x0010): ConfDB initialization has failed [1432158317]: File ownership and permissions check failed
(2021-01-11 15:10:54:609636): [sssd] [load_configuration] (0x0010): Unable to setup ConfDB [1432158317]: File ownership and permissions check failed
(2021-01-11 15:10:54:609645): [sssd] [main] (0x0010): SSSD couldn't load the configuration database.
```

Case 2: Check debug_level = 2

1. remove log and restart the sssd

```
[root@ci-vm-10-0-153-189 sssd]# systemctl stop sssd; rm -rf /var/log/sssd/*; systemctl start sssd
[root@ci-vm-10-0-153-189 sssd]# kill -SIGUSR2 $(pidof sssd)
```

3. Check the corresponding logs,

```
[root@ci-vm-10-0-153-189 sssd]# ls
sssd_example1.log sssd_implicit_files.log sssd.log sssd_nss.log sssd_pam.log
[root@ci-vm-10-0-153-189 sssd]# cat sssd_example1.log
(2021-01-11 15:17:15): [be[example1]] [server_setup] (0x0040): Starting with debug level = 0x0070
(2021-01-11 15:17:16): [be[example1]] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.2' from table
(2021-01-11 15:17:16): [be[example1]] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.pam' from table
(2021-01-11 15:17:16): [be[example1]] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.3' from table
(2021-01-11 15:17:16): [be[example1]] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.nss' from table
(2021-01-11 15:17:16): [be[example1]] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.4' from table
(2021-01-11 15:17:16): [be[example1]] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.pam' from table
(2021-01-11 15:17:16): [be[example1]] [sbus_issue_request_done] (0x0040): sssd.dataprovider.getDomains: Error [1432158215]: DP target is not configured
(2021-01-11 15:17:16): [be[example1]] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.5' from table
(2021-01-11 15:17:16): [be[example1]] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.nss' from table
(2021-01-11 15:17:16): [be[example1]] [sbus_issue_request_done] (0x0040): sssd.dataprovider.getDomains: Error [1432158215]: DP target is not configured
[root@ci-vm-10-0-153-189 sssd]# cat sssd.log
(2021-01-11 15:17:15): [sssd] [server_setup] (0x0040): Starting with debug level = 0x0070
(2021-01-11 15:17:16): [sssd] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.2' from table
(2021-01-11 15:17:16): [sssd] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.domain_implicit_5ffiles' from table
(2021-01-11 15:17:16): [sssd] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.3' from table
(2021-01-11 15:17:16): [sssd] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.domain_example1' from table
(2021-01-11 15:17:16): [sssd] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.4' from table
(2021-01-11 15:17:16): [sssd] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.pam' from table
(2021-01-11 15:17:16): [sssd] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.5' from table
(2021-01-11 15:17:16): [sssd] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.nss' from table
(2021-01-11 15:17:41): [sssd] [signal_res_init] (0x0040): Reloading Resolv.conf.
[root@ci-vm-10-0-153-189 sssd]# cat sssd_nss.log
(2021-01-11 15:17:16): [nss] [server_setup] (0x0040): Starting with debug level = 0x0070
[root@ci-vm-10-0-153-189 sssd]# cat sssd_pam.log
(2021-01-11 15:17:16): [pam] [server_setup] (0x0040): Starting with debug level = 0x0070
(2021-01-11 15:17:16): [pam] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.5' from table
(2021-01-11 15:17:16): [pam] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.nss' from table
[root@ci-vm-10-0-153-189 sssd]# cat sssd_implicit_files.log
(2021-01-11 15:17:16): [be[implicit_files]] [server_setup] (0x0040): Starting with debug level = 0x0070
(2021-01-11 15:17:16): [be[implicit_files]] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.3' from table
(2021-01-11 15:17:16): [be[implicit_files]] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.domain_example1' from table
(2021-01-11 15:17:16): [be[implicit_files]] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.2' from table
(2021-01-11 15:17:16): [be[implicit_files]] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.3' from table
(2021-01-11 15:17:16): [be[implicit_files]] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.nss' from table
(2021-01-11 15:17:16): [be[implicit_files]] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.pam' from table
(2021-01-11 15:17:16): [be[implicit_files]] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.4' from table
(2021-01-11 15:17:16): [be[implicit_files]] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.pam' from table
(2021-01-11 15:17:16): [be[implicit_files]] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.5' from table
(2021-01-11 15:17:16): [be[implicit_files]] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.nss' from table
```

Additional issues was discovered: https://github.com/SSSD/sssd/pull/5489

Thus additional patch required:

Pushed PR: https://github.com/SSSD/sssd/pull/5489

* `master`
    * 2d26c95d78cf43798b54ac8c478b8a9ee41cab39 - ssh: restore default debug level

Verified with:

```
[root@host1 sssd]# rpm -qa sssd
sssd-2.4.0-8.el8.x86_64
```

Case1:

```
[root@host1 sssd]# chmod 444 /etc/sssd/sssd.conf
[root@host1 sssd]# systemctl stop sssd; rm -rf /var/lib/sss/db/*; rm -rf /var/log/sssd/*; systemctl start sssd
Job for sssd.service failed because the control process exited with error code.
See "systemctl status sssd.service" and "journalctl -xe" for details.
[root@host1 sssd]# ls
sssd.log
[root@host1 sssd]# cat sssd.log
(2021-02-18 0:06:56:518379): [sssd] [sss_ini_read_sssd_conf] (0x0020): Permission check on config file failed.
(2021-02-18 0:06:56:518421): [sssd] [confdb_init_db] (0x0020): Cannot convert INI to LDIF [1432158317]: [File ownership and permissions check failed]
(2021-02-18 0:06:56:518438): [sssd] [confdb_setup] (0x0010): ConfDB initialization has failed [1432158317]: File ownership and permissions check failed
(2021-02-18 0:06:56:518462): [sssd] [load_configuration] (0x0010): Unable to setup ConfDB [1432158317]: File ownership and permissions check failed
(2021-02-18 0:06:56:518469): [sssd] [main] (0x0010): SSSD couldn't load the configuration database.
(2021-02-18 0:06:56:807211): [sssd] [sss_ini_read_sssd_conf] (0x0020): Permission check on config file failed.
(2021-02-18 0:06:56:807236): [sssd] [confdb_init_db] (0x0020): Cannot convert INI to LDIF [1432158317]: [File ownership and permissions check failed]
(2021-02-18 0:06:56:807244): [sssd] [confdb_setup] (0x0010): ConfDB initialization has failed [1432158317]: File ownership and permissions check failed
(2021-02-18 0:06:56:807266): [sssd] [load_configuration] (0x0010): Unable to setup ConfDB [1432158317]: File ownership and permissions check failed
(2021-02-18 0:06:56:807272): [sssd] [main] (0x0010): SSSD couldn't load the configuration database.
(2021-02-18 0:06:57:063668): [sssd] [sss_ini_read_sssd_conf] (0x0020): Permission check on config file failed.
(2021-02-18 0:06:57:063715): [sssd] [confdb_init_db] (0x0020): Cannot convert INI to LDIF [1432158317]: [File ownership and permissions check failed]
(2021-02-18 0:06:57:063728): [sssd] [confdb_setup] (0x0010): ConfDB initialization has failed [1432158317]: File ownership and permissions check failed
(2021-02-18 0:06:57:063769): [sssd] [load_configuration] (0x0010): Unable to setup ConfDB [1432158317]: File ownership and permissions check failed
(2021-02-18 0:06:57:063781): [sssd] [main] (0x0010): SSSD couldn't load the configuration database.
(2021-02-18 0:06:57:309811): [sssd] [sss_ini_read_sssd_conf] (0x0020): Permission check on config file failed.
(2021-02-18 0:06:57:309848): [sssd] [confdb_init_db] (0x0020): Cannot convert INI to LDIF [1432158317]: [File ownership and permissions check failed]
(2021-02-18 0:06:57:309857): [sssd] [confdb_setup] (0x0010): ConfDB initialization has failed [1432158317]: File ownership and permissions check failed
(2021-02-18 0:06:57:309886): [sssd] [load_configuration] (0x0010): Unable to setup ConfDB [1432158317]: File ownership and permissions check failed
(2021-02-18 0:06:57:309893): [sssd] [main] (0x0010): SSSD couldn't load the configuration database.
(2021-02-18 0:06:57:571007): [sssd] [sss_ini_read_sssd_conf] (0x0020): Permission check on config file failed.
(2021-02-18 0:06:57:571046): [sssd] [confdb_init_db] (0x0020): Cannot convert INI to LDIF [1432158317]: [File ownership and permissions check failed]
(2021-02-18 0:06:57:571056): [sssd] [confdb_setup] (0x0010): ConfDB initialization has failed [1432158317]: File ownership and permissions check failed
(2021-02-18 0:06:57:571087): [sssd] [load_configuration] (0x0010): Unable to setup ConfDB [1432158317]: File ownership and permissions check failed
(2021-02-18 0:06:57:571095): [sssd] [main] (0x0010): SSSD couldn't load the configuration database.
```

Case2:

```
[root@host1 sssd]# systemctl stop sssd; rm -rf /var/lib/sss/db/*; rm -rf /var/log/sssd/*; systemctl start sssd
[root@host1 sssd]# kill -SIGUSR2 $(pidof sssd)
[root@host1 sssd]# ls
ldap_child.log sssd_domain3ib0.com.log sssd_implicit_files.log sssd.log sssd_nss.log sssd_pam.log sssd_ssh.log
[root@host1 sssd]# cat sssd_domain3ib0.com.log
(2021-02-18 0:10:42): [be[domain3ib0.com]] [server_setup] (0x0040): Starting with debug level = 0x0070
(2021-02-18 0:10:52): [be[domain3ib0.com]] [child_sig_handler] (0x0020): child [40162] failed with status [2].
(2021-02-18 0:10:52): [be[domain3ib0.com]] [nsupdate_child_handler] (0x0040): Dynamic DNS child failed with status [512]
(2021-02-18 0:10:52): [be[domain3ib0.com]] [be_nsupdate_done] (0x0040): nsupdate child execution failed [1432158240]: Dynamic DNS update failed
(2021-02-18 0:10:52): [be[domain3ib0.com]] [child_sig_handler] (0x0020): child [40166] failed with status [2].
(2021-02-18 0:10:52): [be[domain3ib0.com]] [nsupdate_child_handler] (0x0040): Dynamic DNS child failed with status [512]
(2021-02-18 0:10:52): [be[domain3ib0.com]] [be_nsupdate_done] (0x0040): nsupdate child execution failed [1432158240]: Dynamic DNS update failed
[root@host1 sssd]# cat sssd_implicit_files.log
(2021-02-18 0:10:42): [be[implicit_files]] [server_setup] (0x0040): Starting with debug level = 0x0070
[root@host1 sssd]# cat sssd.log
(2021-02-18 0:10:42): [sssd] [server_setup] (0x0040): Starting with debug level = 0x0070
(2021-02-18 0:11:09): [sssd] [signal_res_init] (0x0040): Reloading Resolv.conf.
[root@host1 sssd]# cat sssd_nss.log
(2021-02-18 0:10:42): [nss] [server_setup] (0x0040): Starting with debug level = 0x0070
[root@host1 sssd]# cat sssd_pam.log
(2021-02-18 0:10:42): [pam] [server_setup] (0x0040): Starting with debug level = 0x0070
(2021-02-18 0:10:43): [pam] [sss_certmap_init] (0x0040): sss_certmap initialized.
[root@host1 sssd]# cat sssd_ssh.log
(2021-02-18 0:10:42): [ssh] [server_setup] (0x0040): Starting with debug level = 0x0070
[root@host1 sssd]# cat /etc/sssd/sssd.conf
```

Case 3:

```
[root@host1 sssd]# cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam
domains = domain3ib0.com

[nss]
filter_groups = root
filter_users = root
default_shell = /bin/bash
override_homedir = /home/%u

[domain/domain3ib0.com]
id_provider = ad
auth_provider = ad
ad_domain = domain3ib0.com
override_homedir = /home/%u
default_shell = /bin/bash
use_fully_qualified_names = True

[sssd]
services = nss, pam, ssh
```

Added following parameters in ssh_config

```
GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
PubkeyAuthentication yes
ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
```

Try to log in the user using key

reproduce with: sssd-2.4.0-7.el8.x86_64

```
[root@host1 sssd]# ssh -o GSSAPIAuthentication=no -o PasswordAuthentication=no -l testuser01-29558 localhost
(2021-02-17 11:55:49:181559): [/usr/bin/sss_ssh_knownhostsproxy] [main] (0x0040): sss_ssh_get_ent() failed (2): No such file or directory
testuser01-29558@localhost: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
[root@host1 ~]# echo $?
255
```

Verified with: sssd-2.4.0-8.el8.x86_64

```
[root@host1 sssd]# ssh -o GSSAPIAuthentication=no -o PasswordAuthentication=no -l testuser01-21606 localhost
testuser01-21606@localhost: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
[root@host1 sssd]# echo $?
255
```

Thus from above marking this bug as Verified.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (sssd bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1666
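
A log-triage helper for the verification output above, as an added example that is not part of the bug report or of SSSD: it decodes each message's severity bit, reads the mask every component announces in `server_setup`, and collapses failures repeated across restart attempts. The severity-bit assignment follows sssd.conf(5), and the final 0x0400 sample line is constructed.

```python
import re
from collections import Counter

# Severity bits covered by the default mask 0x0070 (names as in the Doc Text;
# bit assignment per sssd.conf(5)).
LEVELS = {0x0010: "fatal", 0x0020: "critical", 0x0040: "serious"}
DEFAULT_MASK = 0x0070

# Handles both timestamp styles in the logs above (with and without
# microseconds) and components with nested brackets such as be[example1].
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\): \[(?P<comp>.+?)\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
STARTUP_RE = re.compile(r"Starting with debug level = (0x[0-9a-fA-F]+)")


def parse_line(line):
    """Return a dict for one SSSD debug line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["level"] = int(rec["level"], 16)
    return rec


def triage(lines, mask=DEFAULT_MASK):
    """Summarise a log: mask announced per component, count per severity,
    repeated failures collapsed, and lines whose level is outside `mask`."""
    announced, by_severity, repeated, outside = {}, Counter(), Counter(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        start = STARTUP_RE.search(rec["msg"])
        if rec["func"] == "server_setup" and start:
            announced[rec["comp"]] = int(start.group(1), 16)
            continue
        if not rec["level"] & mask:
            outside.append(line)
            continue
        by_severity[LEVELS.get(rec["level"], hex(rec["level"]))] += 1
        repeated[(rec["comp"], rec["func"], rec["msg"])] += 1
    return {"announced": announced, "by_severity": dict(by_severity),
            "repeated": repeated, "outside_mask": outside}


# Sample input: the first six lines are copied from the verification logs on
# this page; the last (0x0400) line is constructed to show a filtered level.
SAMPLE = [
    "(2021-01-11 15:10:53:763352): [sssd] [sss_ini_read_sssd_conf] (0x0020): Permission check on config file failed.",
    "(2021-01-11 15:10:53:763462): [sssd] [main] (0x0010): SSSD couldn't load the configuration database.",
    "(2021-01-11 15:10:54:112640): [sssd] [sss_ini_read_sssd_conf] (0x0020): Permission check on config file failed.",
    "(2021-01-11 15:10:54:112728): [sssd] [main] (0x0010): SSSD couldn't load the configuration database.",
    "(2021-02-18 0:10:42): [be[domain3ib0.com]] [server_setup] (0x0040): Starting with debug level = 0x0070",
    "(2021-02-18 0:10:52): [be[domain3ib0.com]] [nsupdate_child_handler] (0x0040): Dynamic DNS child failed with status [512]",
    "(2021-02-18 0:10:53): [be[domain3ib0.com]] [example_trace] (0x0400): constructed trace line",
]

if __name__ == "__main__":
    result = triage(SAMPLE)
    print("announced:", {c: hex(v) for c, v in result["announced"].items()})
    print("by severity:", result["by_severity"])
    for key, n in result["repeated"].most_common():
        if n > 1:
            print(f"{n}x {key[0]} {key[1]}: {key[2]}")
    print("outside mask:", result["outside_mask"])
```
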