Sssd.conf File Missing


Hello –

Thank-you for your e-mail. I corrected the syntax in the file, and I have confirmed the permissions are correct:

-rw-------. 1 root root 266 Jun 23 08:45 sssd.conf

Unfortunately, the error condition and messages listed in my initial e-mail are still present.

From: l@avc.su [mailto:l@avc.su]
Sent: Thursday, June 23, 2016 8:34 AM
To: CentOS mailing list; Kaplan, Andrew H.
Subject: Re: [CentOS] sssd.conf file missing

Hello Andrew.

The sssd.conf should be owned by root:root, mode 0600. Also please note this line in your config:

[.org]
enumate = true

It’s enumerate, not enumate.

23.06.2016, 15:24, “Kaplan, Andrew H.”:

Hello

10 thoughts on - Sssd.conf File Missing

  • OK, let’s dig further.

    Does your sssd.conf have an [sssd] section?
    Something like

    [sssd]
    debug_level = 4
    config_file_version = 2
    domains = your-domain-name-here

    If it’s not there, add it and modify the [your-domain-name-here] section so it’ll look like this:
    [domain/your-domain-name-here]

    23.06.2016, 15:51, “Kaplan, Andrew H.”:

  • Almost :)

    In [sssd]:
    not ‘domains = company/company.org’ but ‘domains = company.org’

    and the section with all your LDAP configs should be called [domain/company.org]

    ‘man sssd.conf’ has the basic conf example. Looking at my own conf, I’m seeing a ‘services’ line under the [sssd] section. I thought it has default values, but apparently it doesn’t. Let’s alter your conf so it’ll look like this:

    [domain/company.org]
    all-your-ldap-confs

    [sssd]
    debug_level = 4
    config_file_version = 2
    domains = company.org
    services = nss,pam

    [nss]
    debug_level = 1

    [pam]
    debug_level = 1

    Also you can debug interactively:
    sudo sssd -c /etc/sssd/sssd.conf -d2 -i

    It will throw all its logs to your console.

    By the way, I’ve noted this line in your initial email:
    authconfig --enablesssdauth --enablemkhomedir --enablesssd -update

    As far as I remember, ‘-update’ should have two dashes, ‘--update’. If you don’t see ‘sss’ in some lines in /etc/nsswitch.conf, you should re-run authconfig. But that’s part of another problem, I think.

    23.06.2016, 16:18, “Kaplan, Andrew H.”:
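
The structural checks the replies above apply by hand (root:root with mode 0600, an [sssd] section with `domains` and `services`, one [domain/NAME] section per listed domain, correctly spelled options), as an added Python example that is not part of the original thread or of SSSD. The `KNOWN_DOMAIN_KEYS` allow-list, the function names and the `BROKEN` sample are assumptions constructed for illustration.

```python
import configparser
import os
import stat

# Assumption: short allow-list for this example; sssd.conf(5) has the full set.
KNOWN_DOMAIN_KEYS = {"id_provider", "auth_provider", "enumerate", "ldap_uri"}

# Constructed sample reproducing the mistakes discussed in the thread.
BROKEN = """[sssd]
domains = company.org
[company.org]
enumate = true
"""

def check_file_mode(path):
    """Thread's requirement: owned by root:root, mode 0600."""
    st = os.stat(path)
    problems = [] if (st.st_uid, st.st_gid) == (0, 0) else ["owner must be root:root"]
    if stat.S_IMODE(st.st_mode) != 0o600:
        problems.append("mode is %04o, expected 0600" % stat.S_IMODE(st.st_mode))
    return problems

def lint_sssd_conf(text):
    """Return structural problems found in sssd.conf content."""
    cp = configparser.RawConfigParser(strict=False)
    try:
        cp.read_string(text)
    except configparser.Error as exc:
        return ["syntax error: %s" % exc]
    if not cp.has_section("sssd"):
        return ["missing [sssd] section"]
    problems = []
    if not cp.has_option("sssd", "services"):
        problems.append("[sssd] has no 'services' line")
    raw = cp.get("sssd", "domains", fallback="")
    if not raw.strip():
        problems.append("[sssd] has no 'domains' line")
    for name in [d.strip() for d in raw.split(",") if d.strip()]:
        section = "domain/" + name
        if not cp.has_section(section):
            if not cp.has_section(name):
                problems.append("no [%s] section" % section)
                continue
            problems.append("[%s] must be named [%s]" % (name, section))
            section = name  # keep linting the misnamed section
        if not cp.has_option(section, "id_provider"):
            problems.append("[%s] has no id_provider" % section)
        problems.extend("[%s] unknown option '%s'" % (section, key)
                        for key in cp.options(section) if key not in KNOWN_DOMAIN_KEYS)
    return problems
```
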

  • Kaplan, Andrew H. wrote:

    That *may* affect you later, when you try to NFS mount directories, or it may be confusing the issue. In any case, it *requires* editing.

    First, put in a Domain = .

    Then, make sure that Method = nsswitch is uncommented.

    Finally, and this is the part that leads me to think there may be an issue, comment out or delete *all* references in the UMICH_SCHEMA stanza.

    Then restart idmapd (on 7, I think it’s systemctl restart nfs-idmapd, or something like that). This is, as I noted, more for NFS, but the UMICH_SCHEMA being live in there, if idmapd is running, makes me nervous.

    mark

  • Hello –

    I have made the changes to the nsswitch.conf file as suggested, and I have restarted the idmapd service. I also ran the following command syntax as root to check the sssd configuration:

    sssd -c /etc/sssd/sssd.conf -d2 -i

    The output was as follows:

    sssd -c /etc/sssd/sssd.conf -d2 -i
    (Thu Jun 23 10:44:39:600097 2016) [sssd] [add_implicit_services] (0x0040): id_provider is not set for domain [.org], trying next domain.
    (Thu Jun 23 10:44:39:600411 2016) [sssd] [confdb_get_domain_internal] (0x0010): Unknown domain [.org]
    (Thu Jun 23 10:44:39:600443 2016) [sssd] [confdb_get_domains] (0x0010): Error (2 [No such file or directory]) retrieving domain [.org], skipping!
    (Thu Jun 23 10:44:39:600452 2016) [sssd] [confdb_get_domains] (0x0010): No properly configured domains, fatal error!
    (Thu Jun 23 10:44:39:600458 2016) [sssd] [get_monitor_config] (0x0010): No domains configured.
    (Thu Jun 23 10:44:39:600483 2016) [sssd] [main] (0x0020): SSSD couldn’t load the configuration database.

    The information in this e-mail is intended only for the person to whom it is addressed. If you believe this e-mail was sent to you in error and the e-mail contains patient information, please contact the Partners Compliance HelpLine at http://www.partners.org/complianceline . If the e-mail was sent to you in error but does not contain patient information, please contact the sender and properly dispose of the e-mail.

  • Hello –

    I have made the following changes to the nsswitch.conf file as suggested by another mailing-list member:

    Domain = .org
    …
    Method = nsswitch

    and I have restarted the idmapd service.

    I checked the nsswitch.conf file, and references to sss are mentioned in the following lines:

    passwd:
    shadow:
    group:
    …
    services:
    netgroup:
    …
    automount:

    I also ran the following command syntax as root to check the sssd configuration:

    sssd -c /etc/sssd/sssd.conf -d2 -i

    The output was as follows:

    sssd -c /etc/sssd/sssd.conf -d2 -i
    (Thu Jun 23 10:44:39:600097 2016) [sssd] [add_implicit_services] (0x0040): id_provider is not set for domain [.org], trying next domain.
    (Thu Jun 23 10:44:39:600411 2016) [sssd] [confdb_get_domain_internal] (0x0010): Unknown domain [.org]
    (Thu Jun 23 10:44:39:600443 2016) [sssd] [confdb_get_domains] (0x0010): Error (2 [No such file or directory]) retrieving domain [.org], skipping!
    (Thu Jun 23 10:44:39:600452 2016) [sssd] [confdb_get_domains] (0x0010): No properly configured domains, fatal error!
    (Thu Jun 23 10:44:39:600458 2016) [sssd] [get_monitor_config] (0x0010): No domains configured.
    (Thu Jun 23 10:44:39:600483 2016) [sssd] [main] (0x0020): SSSD couldn’t load the configuration database.


  • In an AD environment, it’s important to point out that you typically can’t do “ldap authentication”. You can, but you’ll need a service account to do it, and none of the work you’ve described so far indicates that you’ve set one up.

    Instead of thinking about AD as LDAP, consider it a set of services that should be used together. Technically, you’ll use LDAP for identity and Kerberos for authentication, but you should think of AD as providing both identity and authentication.

    The easy way to use AD is to use the realm tool to set up integration:
    https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/realmd-domain.html

    The details of setting up AD manually are described in excruciating detail here:
    https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/pdf/Windows_Integration_Guide/Red_Hat_Enterprise_Linux-7-Windows_Integration_Guide-en-US.pdf

    If you use realmd, you should not need to edit sssd.conf at all. If you decide to do things manually, I’d still recommend providing the complete configuration description to “authconfig” and allowing it to write sssd.conf for you.