Bug 1893159 - Default debug level should report all errors / failures
Summary: Default debug level should report all errors / failures
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: sssd
Version: 8.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: 8.0
Assignee: Alexey Tikhonov
QA Contact: Madhuri
URL:
Whiteboard: sync-to-jira
Depends On:
Blocks:
 
Reported: 2020-10-30 11:31 UTC by Alexey Tikhonov
Modified: 2021-12-20 08:10 UTC (History)

Fixed In Version: sssd-2.4.0-8.el8
Doc Type: Enhancement
Doc Text:
Default "debug_level" for sssd components changed to 0x0070 (i.e. fatal, critical and serious failures)
Clone Of:
Environment:
Last Closed: 2021-05-18 15:03:59 UTC
Type: Bug
Target Upstream Version:
Embargoed:



Description Alexey Tikhonov 2020-10-30 11:31:39 UTC
Currently the default value of sssd.conf::debug_level is 0, which logs only "Fatal failures".

This omits "Critical and Serious failures", which makes debugging and troubleshooting of "hard to reproduce" issues very difficult.

Code should be reviewed to ensure only real errors are logged on those levels, and the default value of sssd.conf::debug_level should be adjusted to 2.

Comment 3 Alexey Tikhonov 2020-12-28 18:03:32 UTC
Pushed PR: https://github.com/SSSD/sssd/pull/5422

* `master`
    * bd2f38abe95645b9b16b12d12dac6008b0d2a03b - UTIL: find_domain_by_object_name_ex() changed log level
    * 0db68a1f95612fcbad18ca8107a4b170f446dd59 - LDAP: sdap_save_grpmem(): log level changed
    * 00e3ac4a4f9b6c8da27daa3ed8c18664c99256bb - LDAP: reduce log level in case of fail to store members of missing group (it might be built-in skipped intentionally)
    * dba7de0db3cbaee43ef06a1b7c847fbcf48f3708 - SYSDB: changed logging in sysdb_get_real_name()
    * e86599ba079611ed324ff1493a7173d11c1a7961 - IPA: changed logging in ipa_get_subdom_acct_send()
    * bf873598a9d4ac8256b20859c0d92fb509861b6b - IPA: ignore failed group search in certain cases
    * 60b17be9e4f4865fe1774076808a6c783a7ec906 - SYSDB: changed log level in sysdb_update_members_ex()
    * 9390af3c2d1b33e2b5ded0ea0c6c436b9776cedc - IPA: reduce log level in apply_subdomain_homedir()
    * 9215cf4e2519d5f085bf97f26a74d499090e46e1 - CERTMAP: removed stray debug message
    * 0986cf6ced8c4e09b8031d19eddffca679aca30c - UTIL: fixed bug in server_setup() that prevented setting debug level to 0 explicitly
    * 644453f8d93540a91236683015f3418d29c6d95a - LOGS: default log level changed to <= SSSDBG_OP_FAILURE
    * 4fe060abbe958c2f9b5aa44e489620063029aa0b - FILES: reduced debug level in refresh_override_attrs() if case "No overrides, nothing to do"
    * 29f243fd5b256efe3c7f4e4f0940c7d0ae6b4fa1 - AD: reduced log level in case check_if_pac_is_available() can't find user entry. This is typical situation when, for example, INITGROUPS lookup is executed for uncached user.
    * ed6ec569780ad8203c4990faed5a9f0dc27dd12b - SDAP: reduced log level in case group without members
    * 26fdc3c8f0ae6493442ea291d9bf36ba148ef209 - CACHE_REQ: reduced log level in cache_req_object_by_name_well_known() Non fqdn input isn't necessarily an error here.
    * a7b145b99b9f71ad3d02251fff5b587041c9f1ab - LDAP: reduced log level in hosts_get_done()
    * 6e3b4d745fc8d2de14d69aa30bc21aa549a435f8 - SBUS: reduced log level in case of unexpected signal
    * 90dae38d7442757b8a51f91a6ba3fb83f99320a1 - RESPONDER: reduce log level in sss_parse_inp_done() in case of "Unknown domain" since this might be search by UPN
    * 69aa3e8c4b82a06e45ba59eb1c17af252aa971ce - DP: do not log failure in case provider doesn't support check_online method
    * 1af89925e62cccacb2957f55b16988a5e71fe5e1 - IPA: corrected confusing message
    * a419b7e673d2de571d873b79be31b1ae2fa89832 - SSS_IFACE: corrected misleading return code
    * 99e44d9db41f5bb56281ed65d815c32139195931 - LDAP: added missed \n in log message
    * 52dc85540e621b00f358fea94e2e390d580948d8 - SYSDB: reduce log level in sysdb_update_members_ex() in case failed attempt to DEL unexisting attribute
    * a7b6413d9fb870f51f09955bdceee01952442c63 - UTIL: sss_ldb_error_to_errno() improved
    * ac22859006b5658017b2720ca3e02d34c5beecdd - PAM: reduce log level in may_do_cert_auth()
    * 5068655a67f88cb1730f28689c5effee264321ad - UTIL: few debug message corrections
    * 3cbd0465b52f9bbb7e20b0b12e154f51bab0866e - PAM: few debug message corrections
    * f028253ff87bf11ed034ad5acf1f67e8863bed60 - NSS: few debug message corrections
    * f457a1a69240381ad7637a09dc66c1aeb78e1d18 - IFP: few debug message corrections
    * 058644f2ef6d1958db657d371158d2df7798dd49 - RESPONDER: few debug message corrections
    * 01ba32f250a0e51771471c52440c11f6f05f2a48 - CACHE_REQ: debug message correction
    * 018c08acbb3bbb836c9acefaf5c384eb9231a60a - AUTOFS: few debug message corrections
    * fb052a4c9843ce518a7202d842c43631f8bbfd2d - RESOLV: debug message correction
    * d91409df456f9ad7aad39d0cad0ed053cf1f3653 - PROXY: few debug message corrections
    * ff8f44ce2d2eedb098d980793a949f7f7e55576a - LDAP: few debug message corrections
    * 9244820af59ba6b947cf9aa1269d03bb6f2e4f38 - KRB5: few debug message corrections
    * 667b983aaee380c50d50ef07542b004e60041581 - IPA: few debug message corrections
    * 2f70695a874dcb84d4b86773138a5a6b6259958f - DP: few debug message corrections
    * d6f6f053d7a97a220b52ce92fd653eef8cec5a74 - AD: few debug message corrections
    * 85d8adc4d24f09e47f2a9c0fa595d90c61036b18 - P11_CHILD: severity level of few debug messages adjusted
    * fe0530ef96baa8fd39ce6b87c0c760e17c5eb6f8 - MONITOR: severity level of few debug messages adjusted
    * daa5454f870a5436a554091a1333cc8be0cbc566 - SYSDB:views: few debug message corrections
    * 82dc14b027f9115cabafce71d2b385d5c7d1dd4f - SYSDB:upgrade: debug message corrected
    * e731368ed9cea9b35d0ae654e1534084c6ef4642 - SYSDB:service: severity level of few debug messages adjusted
    * f55c9599068c43037a8b666af92ba9b8a044f735 - SYSDB:selinux: debug message severity level was adjusted
    * 744582419abfd6e5665315748d44e732f1d56f13 - SYSDB:search: few debug messages were corrected
    * 033c31a2a4994367edea1ded8303a0d2dbc59b1c - SYSDB:ops: few debug messages were corrected
    * a73df70ee0bcc8f1b80a2e20132592724bd5f675 - SYSDB:ipnetworks: severity level of few debug messages adjusted
    * b4acf71d0a81aeeb2754645d2798ce1e927121f3 - SYSDB:iphosts: severity level of few debug messages adjusted
    * d8af1db84b48193a546bbeec84a7dd7e2b132244 - SYSDB:sudo: changed debug message to be consistent
    * df723cb98b406b0262f04d0e43e8e5bf0030074f - SYSDB: wrong debug message corrected
    * e350d917e6d48c1d13502ab2849d3e2a0815215e - SYSDB:autofs: cosmetic updates

Comment 7 Madhuri 2021-01-11 15:21:22 UTC
Verified with
[root@ci-vm-10-0-153-189 sssd]# rpm -qa sssd
sssd-2.4.0-5.el8.x86_64

Case 1:
Check by default debug_level = 0/1

[root@ci-vm-10-0-153-189 sssd]# cat /etc/sssd/sssd.conf 
[sssd]
config_file_version = 2
services = nss, pam
domains = example1

[domain/example1]
ldap_search_base = dc=example,dc=test
id_provider = ldap
auth_provider = ldap
ldap_user_home_directory = /home/%u
ldap_uri = ldaps://server.example.com
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
use_fully_qualified_names = True

1. Change permission of sssd.conf to 444
[root@ci-vm-10-0-153-189 ~]# chmod 444 /etc/sssd/sssd.conf 

2. Restart sssd,
[root@ci-vm-10-0-153-189 ~]# systemctl stop sssd; rm -rf /var/log/sssd/*; systemctl start sssd

3. Check sssd logs

(2021-01-11 15:10:53:763352): [sssd] [sss_ini_read_sssd_conf] (0x0020): Permission check on config file failed.
(2021-01-11 15:10:53:763401): [sssd] [confdb_init_db] (0x0020): Cannot convert INI to LDIF [1432158317]: [File ownership and permissions check failed]
(2021-01-11 15:10:53:763422): [sssd] [confdb_setup] (0x0010): ConfDB initialization has failed [1432158317]: File ownership and permissions check failed
(2021-01-11 15:10:53:763452): [sssd] [load_configuration] (0x0010): Unable to setup ConfDB [1432158317]: File ownership and permissions check failed
(2021-01-11 15:10:53:763462): [sssd] [main] (0x0010): SSSD couldn't load the configuration database.
(2021-01-11 15:10:54:112640): [sssd] [sss_ini_read_sssd_conf] (0x0020): Permission check on config file failed.
(2021-01-11 15:10:54:112677): [sssd] [confdb_init_db] (0x0020): Cannot convert INI to LDIF [1432158317]: [File ownership and permissions check failed]
(2021-01-11 15:10:54:112690): [sssd] [confdb_setup] (0x0010): ConfDB initialization has failed [1432158317]: File ownership and permissions check failed
(2021-01-11 15:10:54:112718): [sssd] [load_configuration] (0x0010): Unable to setup ConfDB [1432158317]: File ownership and permissions check failed
(2021-01-11 15:10:54:112728): [sssd] [main] (0x0010): SSSD couldn't load the configuration database.
(2021-01-11 15:10:54:364249): [sssd] [sss_ini_read_sssd_conf] (0x0020): Permission check on config file failed.
(2021-01-11 15:10:54:364302): [sssd] [confdb_init_db] (0x0020): Cannot convert INI to LDIF [1432158317]: [File ownership and permissions check failed]
(2021-01-11 15:10:54:364312): [sssd] [confdb_setup] (0x0010): ConfDB initialization has failed [1432158317]: File ownership and permissions check failed
(2021-01-11 15:10:54:364341): [sssd] [load_configuration] (0x0010): Unable to setup ConfDB [1432158317]: File ownership and permissions check failed
(2021-01-11 15:10:54:364351): [sssd] [main] (0x0010): SSSD couldn't load the configuration database.
(2021-01-11 15:10:54:609571): [sssd] [sss_ini_read_sssd_conf] (0x0020): Permission check on config file failed.
(2021-01-11 15:10:54:609600): [sssd] [confdb_init_db] (0x0020): Cannot convert INI to LDIF [1432158317]: [File ownership and permissions check failed]
(2021-01-11 15:10:54:609609): [sssd] [confdb_setup] (0x0010): ConfDB initialization has failed [1432158317]: File ownership and permissions check failed
(2021-01-11 15:10:54:609636): [sssd] [load_configuration] (0x0010): Unable to setup ConfDB [1432158317]: File ownership and permissions check failed
(2021-01-11 15:10:54:609645): [sssd] [main] (0x0010): SSSD couldn't load the configuration database.

Case 2:
Check debug_level = 2

1. remove log and restart the sssd

[root@ci-vm-10-0-153-189 sssd]# systemctl stop sssd; rm -rf /var/log/sssd/*; systemctl start sssd

[root@ci-vm-10-0-153-189 sssd]# kill -SIGUSR2 $(pidof sssd)

3. Check the corresponding logs,

[root@ci-vm-10-0-153-189 sssd]# ls
sssd_example1.log  sssd_implicit_files.log  sssd.log  sssd_nss.log  sssd_pam.log

[root@ci-vm-10-0-153-189 sssd]# cat sssd_example1.log 
(2021-01-11 15:17:15): [be[example1]] [server_setup] (0x0040): Starting with debug level = 0x0070
(2021-01-11 15:17:16): [be[example1]] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.2' from table
(2021-01-11 15:17:16): [be[example1]] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.pam' from table
(2021-01-11 15:17:16): [be[example1]] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.3' from table
(2021-01-11 15:17:16): [be[example1]] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.nss' from table
(2021-01-11 15:17:16): [be[example1]] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.4' from table
(2021-01-11 15:17:16): [be[example1]] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.pam' from table
(2021-01-11 15:17:16): [be[example1]] [sbus_issue_request_done] (0x0040): sssd.dataprovider.getDomains: Error [1432158215]: DP target is not configured
(2021-01-11 15:17:16): [be[example1]] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.5' from table
(2021-01-11 15:17:16): [be[example1]] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.nss' from table
(2021-01-11 15:17:16): [be[example1]] [sbus_issue_request_done] (0x0040): sssd.dataprovider.getDomains: Error [1432158215]: DP target is not configured

[root@ci-vm-10-0-153-189 sssd]# cat sssd.log 
(2021-01-11 15:17:15): [sssd] [server_setup] (0x0040): Starting with debug level = 0x0070
(2021-01-11 15:17:16): [sssd] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.2' from table
(2021-01-11 15:17:16): [sssd] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.domain_implicit_5ffiles' from table
(2021-01-11 15:17:16): [sssd] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.3' from table
(2021-01-11 15:17:16): [sssd] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.domain_example1' from table
(2021-01-11 15:17:16): [sssd] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.4' from table
(2021-01-11 15:17:16): [sssd] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.pam' from table
(2021-01-11 15:17:16): [sssd] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.5' from table
(2021-01-11 15:17:16): [sssd] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.nss' from table
(2021-01-11 15:17:41): [sssd] [signal_res_init] (0x0040): Reloading Resolv.conf.

[root@ci-vm-10-0-153-189 sssd]# cat sssd_nss.log 
(2021-01-11 15:17:16): [nss] [server_setup] (0x0040): Starting with debug level = 0x0070

[root@ci-vm-10-0-153-189 sssd]# cat sssd_pam.log 
(2021-01-11 15:17:16): [pam] [server_setup] (0x0040): Starting with debug level = 0x0070
(2021-01-11 15:17:16): [pam] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.5' from table
(2021-01-11 15:17:16): [pam] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.nss' from table

[root@ci-vm-10-0-153-189 sssd]# cat sssd_implicit_files.log 
(2021-01-11 15:17:16): [be[implicit_files]] [server_setup] (0x0040): Starting with debug level = 0x0070
(2021-01-11 15:17:16): [be[implicit_files]] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.3' from table
(2021-01-11 15:17:16): [be[implicit_files]] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.domain_example1' from table
(2021-01-11 15:17:16): [be[implicit_files]] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.2' from table
(2021-01-11 15:17:16): [be[implicit_files]] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.3' from table
(2021-01-11 15:17:16): [be[implicit_files]] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.nss' from table
(2021-01-11 15:17:16): [be[implicit_files]] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.pam' from table
(2021-01-11 15:17:16): [be[implicit_files]] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.4' from table
(2021-01-11 15:17:16): [be[implicit_files]] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.pam' from table
(2021-01-11 15:17:16): [be[implicit_files]] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.5' from table
(2021-01-11 15:17:16): [be[implicit_files]] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.nss' from table

Comment 8 Alexey Tikhonov 2021-02-09 12:38:52 UTC
Additional issues were discovered: https://github.com/SSSD/sssd/pull/5489

Thus an additional patch is required:

Pushed PR: https://github.com/SSSD/sssd/pull/5489
* `master`
    * 2d26c95d78cf43798b54ac8c478b8a9ee41cab39 - ssh: restore default debug level

Comment 10 Madhuri 2021-02-18 05:33:13 UTC
Verified with:

[root@host1 sssd]# rpm -qa sssd
sssd-2.4.0-8.el8.x86_64

Case1:

[root@host1 sssd]# chmod 444 /etc/sssd/sssd.conf

[root@host1 sssd]# systemctl stop sssd; rm -rf /var/lib/sss/db/*; rm -rf /var/log/sssd/*; systemctl start sssd
Job for sssd.service failed because the control process exited with error code.
See "systemctl status sssd.service" and "journalctl -xe" for details.

[root@host1 sssd]# ls
sssd.log

[root@host1 sssd]# cat sssd.log 
(2021-02-18  0:06:56:518379): [sssd] [sss_ini_read_sssd_conf] (0x0020): Permission check on config file failed.
(2021-02-18  0:06:56:518421): [sssd] [confdb_init_db] (0x0020): Cannot convert INI to LDIF [1432158317]: [File ownership and permissions check failed]
(2021-02-18  0:06:56:518438): [sssd] [confdb_setup] (0x0010): ConfDB initialization has failed [1432158317]: File ownership and permissions check failed
(2021-02-18  0:06:56:518462): [sssd] [load_configuration] (0x0010): Unable to setup ConfDB [1432158317]: File ownership and permissions check failed
(2021-02-18  0:06:56:518469): [sssd] [main] (0x0010): SSSD couldn't load the configuration database.
(2021-02-18  0:06:56:807211): [sssd] [sss_ini_read_sssd_conf] (0x0020): Permission check on config file failed.
(2021-02-18  0:06:56:807236): [sssd] [confdb_init_db] (0x0020): Cannot convert INI to LDIF [1432158317]: [File ownership and permissions check failed]
(2021-02-18  0:06:56:807244): [sssd] [confdb_setup] (0x0010): ConfDB initialization has failed [1432158317]: File ownership and permissions check failed
(2021-02-18  0:06:56:807266): [sssd] [load_configuration] (0x0010): Unable to setup ConfDB [1432158317]: File ownership and permissions check failed
(2021-02-18  0:06:56:807272): [sssd] [main] (0x0010): SSSD couldn't load the configuration database.
(2021-02-18  0:06:57:063668): [sssd] [sss_ini_read_sssd_conf] (0x0020): Permission check on config file failed.
(2021-02-18  0:06:57:063715): [sssd] [confdb_init_db] (0x0020): Cannot convert INI to LDIF [1432158317]: [File ownership and permissions check failed]
(2021-02-18  0:06:57:063728): [sssd] [confdb_setup] (0x0010): ConfDB initialization has failed [1432158317]: File ownership and permissions check failed
(2021-02-18  0:06:57:063769): [sssd] [load_configuration] (0x0010): Unable to setup ConfDB [1432158317]: File ownership and permissions check failed
(2021-02-18  0:06:57:063781): [sssd] [main] (0x0010): SSSD couldn't load the configuration database.
(2021-02-18  0:06:57:309811): [sssd] [sss_ini_read_sssd_conf] (0x0020): Permission check on config file failed.
(2021-02-18  0:06:57:309848): [sssd] [confdb_init_db] (0x0020): Cannot convert INI to LDIF [1432158317]: [File ownership and permissions check failed]
(2021-02-18  0:06:57:309857): [sssd] [confdb_setup] (0x0010): ConfDB initialization has failed [1432158317]: File ownership and permissions check failed
(2021-02-18  0:06:57:309886): [sssd] [load_configuration] (0x0010): Unable to setup ConfDB [1432158317]: File ownership and permissions check failed
(2021-02-18  0:06:57:309893): [sssd] [main] (0x0010): SSSD couldn't load the configuration database.
(2021-02-18  0:06:57:571007): [sssd] [sss_ini_read_sssd_conf] (0x0020): Permission check on config file failed.
(2021-02-18  0:06:57:571046): [sssd] [confdb_init_db] (0x0020): Cannot convert INI to LDIF [1432158317]: [File ownership and permissions check failed]
(2021-02-18  0:06:57:571056): [sssd] [confdb_setup] (0x0010): ConfDB initialization has failed [1432158317]: File ownership and permissions check failed
(2021-02-18  0:06:57:571087): [sssd] [load_configuration] (0x0010): Unable to setup ConfDB [1432158317]: File ownership and permissions check failed
(2021-02-18  0:06:57:571095): [sssd] [main] (0x0010): SSSD couldn't load the configuration database.


Case2:

[root@host1 sssd]# systemctl stop sssd; rm -rf /var/lib/sss/db/*; rm -rf /var/log/sssd/*; systemctl start sssd

[root@host1 sssd]#  kill -SIGUSR2 $(pidof sssd)

[root@host1 sssd]# ls
ldap_child.log  sssd_domain3ib0.com.log  sssd_implicit_files.log  sssd.log  sssd_nss.log  sssd_pam.log  sssd_ssh.log

[root@host1 sssd]# cat sssd_domain3ib0.com.log 
(2021-02-18  0:10:42): [be[domain3ib0.com]] [server_setup] (0x0040): Starting with debug level = 0x0070
(2021-02-18  0:10:52): [be[domain3ib0.com]] [child_sig_handler] (0x0020): child [40162] failed with status [2].
(2021-02-18  0:10:52): [be[domain3ib0.com]] [nsupdate_child_handler] (0x0040): Dynamic DNS child failed with status [512]
(2021-02-18  0:10:52): [be[domain3ib0.com]] [be_nsupdate_done] (0x0040): nsupdate child execution failed [1432158240]: Dynamic DNS update failed
(2021-02-18  0:10:52): [be[domain3ib0.com]] [child_sig_handler] (0x0020): child [40166] failed with status [2].
(2021-02-18  0:10:52): [be[domain3ib0.com]] [nsupdate_child_handler] (0x0040): Dynamic DNS child failed with status [512]
(2021-02-18  0:10:52): [be[domain3ib0.com]] [be_nsupdate_done] (0x0040): nsupdate child execution failed [1432158240]: Dynamic DNS update failed

[root@host1 sssd]# cat sssd_implicit_files.log 
(2021-02-18  0:10:42): [be[implicit_files]] [server_setup] (0x0040): Starting with debug level = 0x0070

[root@host1 sssd]# cat sssd.log 
(2021-02-18  0:10:42): [sssd] [server_setup] (0x0040): Starting with debug level = 0x0070
(2021-02-18  0:11:09): [sssd] [signal_res_init] (0x0040): Reloading Resolv.conf.

[root@host1 sssd]# cat sssd_nss.log 
(2021-02-18  0:10:42): [nss] [server_setup] (0x0040): Starting with debug level = 0x0070

[root@host1 sssd]# cat sssd_pam.log 
(2021-02-18  0:10:42): [pam] [server_setup] (0x0040): Starting with debug level = 0x0070
(2021-02-18  0:10:43): [pam] [sss_certmap_init] (0x0040): sss_certmap initialized.

[root@host1 sssd]# cat sssd_ssh.log 
(2021-02-18  0:10:42): [ssh] [server_setup] (0x0040): Starting with debug level = 0x0070
[root@host1 sssd]# cat /etc/sssd/sssd.conf


Case 3:

[root@host1 sssd]# cat /etc/sssd/sssd.conf

[sssd]
config_file_version = 2
services = nss, pam
domains = domain3ib0.com

[nss]
filter_groups = root
filter_users = root
default_shell = /bin/bash
override_homedir = /home/%u

[domain/domain3ib0.com]
id_provider = ad
auth_provider = ad
ad_domain = domain3ib0.com
override_homedir = /home/%u
default_shell = /bin/bash
use_fully_qualified_names = True

[sssd]
services = nss, pam, ssh

Added the following parameters in ssh_config
	GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
	PubkeyAuthentication yes
	ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h


Try to log in the user using a key

reproduce with:
sssd-2.4.0-7.el8.x86_64

[root@host1 sssd]# ssh  -o GSSAPIAuthentication=no -o PasswordAuthentication=no -l testuser01-29558 localhost
(2021-02-17 11:55:49:181559): [/usr/bin/sss_ssh_knownhostsproxy] [main] (0x0040): sss_ssh_get_ent() failed (2): No such file or directory
testuser01-29558@localhost: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

[root@host1 ~]# echo $?
255


Verified with:
sssd-2.4.0-8.el8.x86_64

[root@host1 sssd]# ssh  -o GSSAPIAuthentication=no -o PasswordAuthentication=no -l testuser01-21606 localhost
testuser01-21606@localhost: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

[root@host1 sssd]# echo $?
255


Thus from above marking this bug as Verified.
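
The debug_level bitmask this bug changes, applied to log lines copied from the verification comments above. This is an added example, not SSSD code or part of any comment: the helper names and the `child [PID]` normalization are assumptions, and `numeric_to_mask` covers only levels 0 to 2, the ones this page discusses.

```python
import re
from collections import Counter

# Severity bits seen in the "(0x....)" field of the logs on this page.
SEVERITY = {0x0010: "fatal", 0x0020: "critical", 0x0040: "serious"}
NEW_DEFAULT_MASK = 0x0070  # default after the fix, per the Doc Text
OLD_DEFAULT_MASK = 0x0010  # debug_level = 0, "Fatal failures" only

# (timestamp): [component] [function] (0xLEVEL): message
# The timestamp may carry microseconds and a space-padded hour; the
# component may itself contain brackets, e.g. be[example1].
LINE_RE = re.compile(
    r"^\((?P<ts>\d{4}-\d{2}-\d{2}\s+\d{1,2}:\d{2}:\d{2}(?::\d+)?)\):\s+"
    r"\[(?P<component>.+?)\]\s+\[(?P<function>[^\]]+)\]\s+"
    r"\((?P<level>0x[0-9a-fA-F]+)\):\s*(?P<message>.*)$"
)

# Lines taken from the sssd.log and backend log output in Comments 7 and 10,
# plus one shell prompt line that must not parse as a log record.
SAMPLE = """\
(2021-01-11 15:10:53:763352): [sssd] [sss_ini_read_sssd_conf] (0x0020): Permission check on config file failed.
(2021-01-11 15:10:53:763462): [sssd] [main] (0x0010): SSSD couldn't load the configuration database.
(2021-01-11 15:10:54:112640): [sssd] [sss_ini_read_sssd_conf] (0x0020): Permission check on config file failed.
(2021-01-11 15:10:54:112728): [sssd] [main] (0x0010): SSSD couldn't load the configuration database.
(2021-02-18  0:10:52): [be[domain3ib0.com]] [child_sig_handler] (0x0020): child [40162] failed with status [2].
(2021-02-18  0:10:52): [be[domain3ib0.com]] [nsupdate_child_handler] (0x0040): Dynamic DNS child failed with status [512]
(2021-02-18  0:10:52): [be[domain3ib0.com]] [child_sig_handler] (0x0020): child [40166] failed with status [2].
[root@host1 sssd]# cat sssd.log
""".splitlines()


def numeric_to_mask(level):
    """Map numeric debug_level 0..2 to the cumulative bitmask (2 -> 0x0070)."""
    if level not in (0, 1, 2):
        raise ValueError("only levels 0-2 are covered by this example")
    mask = 0
    for bit in sorted(SEVERITY)[: level + 1]:
        mask |= bit
    return mask


def parse_line(line):
    """Return a dict for one SSSD debug log line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["level"] = int(rec["level"], 16)
    return rec


def summarize(lines, mask=NEW_DEFAULT_MASK):
    """Count distinct failures visible under `mask`, most severe first."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["level"] & mask:
            continue
        # The child PID differs between repeats of the same failure.
        msg = re.sub(r"child \[\d+\]", "child [PID]", rec["message"])
        counts[(rec["level"], rec["component"], rec["function"], msg)] += 1
    return sorted(counts.items(), key=lambda kv: (kv[0][0], -kv[1]))


if __name__ == "__main__":
    for label, mask in (("old default", OLD_DEFAULT_MASK), ("new default", NEW_DEFAULT_MASK)):
        print(f"{label} (0x{mask:04x}):")
        for (level, comp, func, msg), n in summarize(SAMPLE, mask):
            print(f"  {SEVERITY[level]:8} x{n}  [{comp}] [{func}] {msg}")
```

Under the old default mask only the fatal `main` line survives; the permission check and Dynamic DNS failures appear only under 0x0070.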

Comment 12 errata-xmlrpc 2021-05-18 15:03:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (sssd bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1666

