Unable to start SSSD service in CoreOS

Mirage74

Nov 8, 2016, 10:13:25 AM
to CoreOS User

I have a CoreOS server, which I want to connect to my LDAP server (389).


Here is my configuration file:

cat /etc/sssd/sssd.conf

    config_file_version = 2
    services = nss
    domains = LDAP
    [nss]
    [domain/LDAP]
    debug_level = 9
    id_provider = ldap
    auth_provider = ldap
    ldap_schema = ipa
    ldap_search_base = cn=admin-serv-ldap389_1,cn=ldap389_1.mydomain.co.il,ou=mydomain.co.il,o=NetscapeRoot
    ldap_uri = ldap://ldap389_1.mydomain.co.il:389/o=NetscapeRoot


Here is the error I get after trying to start the SSSD service.

systemctl status sssd.service
● sssd.service - System Security Services Daemon
   Loaded: loaded (/usr/lib64/systemd/system/sssd.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Tue 2016-11-08 14:59:30 UTC; 11s ago
  Process: 14806 ExecStart=/usr/sbin/sssd -D -f (code=exited, status=4)

Nov 08 14:59:30 localhost systemd[1]: Starting System Security Services Daemon...
Nov 08 14:59:30 localhost systemd[1]: sssd.service: Control process exited, code=exited status=4
Nov 08 14:59:30 localhost systemd[1]: Failed to start System Security Services Daemon.
Nov 08 14:59:30 localhost systemd[1]: sssd.service: Unit entered failed state.
Nov 08 14:59:30 localhost systemd[1]: sssd.service: Failed with result 'exit-code'.


What could be the issue?

Kyle Brown

Nov 8, 2016, 2:09:25 PM
to Mirage74, CoreOS User
Mirage,

I see that you already have debugging turned on and set to a verbose level. Have you looked at the logs of the sssd.service unit? They may provide some additional insight.

$ journalctl -u sssd.service


Mirage74

Nov 9, 2016, 2:50:33 AM
to CoreOS User, omriwo...@gmail.com
Hi Kyle,
That's what I got from the log file:

Nov 09 07:41:34 localhost systemd[1]: Starting System Security Services Daemon...
Nov 09 07:41:35 localhost sssd[777]: SSSD couldn't load the configuration database [22]: Invalid argument.
Nov 09 07:41:35 localhost systemd[1]: sssd.service: Control process exited, code=exited status=4
Nov 09 07:41:35 localhost systemd[1]: Failed to start System Security Services Daemon.
Nov 09 07:41:35 localhost systemd[1]: sssd.service: Unit entered failed state.
Nov 09 07:41:35 localhost systemd[1]: sssd.service: Failed with result 'exit-code'.

Ivan

Nov 9, 2016, 4:03:05 PM
to CoreOS User, omriwo...@gmail.com
Adding [sssd] as the first line of the sssd.conf file should fix the "SSSD couldn't load the configuration database" error.

Mirage74

Nov 10, 2016, 4:09:53 AM
to CoreOS User
Thanks!
The service is now running. However, I'm still not able to connect to the LDAP.

I'm trying to use ldapsearch in order to test the connection, and get:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

I guess something is still wrong with my configuration file.

Ivan

Nov 11, 2016, 3:45:45 PM
to CoreOS User
The error "ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)" means that the LDAP server cannot be reached. Either the LDAP server is not listening on port 389 or there are network issues.

Mirage74

Nov 11, 2016, 6:58:17 PM
to CoreOS User
Now I get an answer for the ldapsearch command. The issue was wrong parameters.
However, I am still not able to log in with ssh, although the parameters in the config file seem to be correct.

Do I need to configure anything in addition to the sssd config file? Is there a way to know what the issue with ssh is?

Mirage74

Nov 20, 2016, 9:46:21 AM
to CoreOS User
I still have an issue with the LDAP in my CoreOS server. The SSSD service is now running, but I am still not able to log in with a domain user.

Here is the log file:
tail -f /var/log/sssd/sssd_LDAP.log

(Sun Nov 20 13:17:23 2016) [sssd[be[LDAP]]] [be_get_account_info] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][1][name=my_user]
(Sun Nov 20 13:17:23 2016) [sssd[be[LDAP]]] [sdap_initgr_nested_send] (0x0100): User entry lacks original memberof ?
(Sun Nov 20 13:17:23 2016) [sssd[be[LDAP]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success)
(Sun Nov 20 13:17:23 2016) [sssd[be[LDAP]]] [be_pam_handler] (0x0100): Got request with the following data
(Sun Nov 20 13:17:23 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Sun Nov 20 13:17:23 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): domain: LDAP
(Sun Nov 20 13:17:23 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): user: my_user
(Sun Nov 20 13:17:23 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): service: sshd
(Sun Nov 20 13:17:23 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): tty: ssh
(Sun Nov 20 13:17:23 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): ruser: 
(Sun Nov 20 13:17:23 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): rhost: 192.118.68.5
(Sun Nov 20 13:17:23 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): authtok type: 0
(Sun Nov 20 13:17:23 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): newauthtok type: 0
(Sun Nov 20 13:17:23 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): priv: 1
(Sun Nov 20 13:17:23 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): cli_pid: 19113
(Sun Nov 20 13:17:23 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): logon name: not set
(Sun Nov 20 13:17:23 2016) [sssd[be[LDAP]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 7, <NULL>) [Success (Authentication failure)]
(Sun Nov 20 13:17:23 2016) [sssd[be[LDAP]]] [be_pam_handler_callback] (0x0100): Sending result [7][LDAP]
(Sun Nov 20 13:17:23 2016) [sssd[be[LDAP]]] [be_pam_handler_callback] (0x0100): Sent result [7][LDAP]

It seems like there is an issue with the PAM configuration. Is there a recommended/default PAM configuration in CoreOS?

Here is my sssd config file:
[sssd]
config_file_version = 2
reconnection_retries = 3
services = nss, pam, ssh
domains = LDAP
[pam]
[nss]
[domain/LDAP]
debug_level = 5
id_provider = ldap
auth_provider = ldap
ldap_schema = ipa
ldap_search_base = dc=walla,dc=co,dc=il
ldap_uri = ldap://ldap21v.walla.co.il
case_sensitive = false


Please advise.

Ivan

Dec 19, 2016, 7:52:27 PM
to CoreOS User
From the sssd-ldap(5) man page: "LDAP back end supports id, auth, access and chpass providers. If you want to authenticate against an LDAP server either TLS/SSL or LDAPS is required. sssd does not support authentication over an unencrypted channel".
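
Added example, not part of the thread and not SSSD's own tooling: a Python check for the two configuration problems identified in the replies above, options placed before any section header (the missing `[sssd]` line) and a domain that authenticates against LDAP with neither an `ldaps://` URI nor any TLS option. The sample configs are constructed and abridged from the posted ones with placeholder host names, and treating any `ldap_tls_*` option or `ldap_id_use_start_tls = true` as evidence of TLS is a heuristic assumed here.

```python
import configparser

# Constructed, abridged samples shaped like the two configs posted in the
# thread; host name and base DN are placeholders.
FIRST = """config_file_version = 2
domains = LDAP
[domain/LDAP]
auth_provider = ldap
ldap_uri = ldap://ldap.example.com:389
"""
SECOND = """[sssd]
services = nss, pam, ssh
domains = LDAP
[pam]
[domain/LDAP]
auth_provider = ldap
ldap_search_base = dc=example,dc=com
ldap_uri = ldap://ldap.example.com
"""

def check_sssd_conf(text):
    """Return findings for the two problems diagnosed in the thread."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.MissingSectionHeaderError:
        return ["options before any section header: these belong under [sssd]"]
    if not cp.has_section("sssd"):
        return ["no [sssd] section"]
    findings = []
    for name in filter(None, (d.strip() for d in cp["sssd"].get("domains", "").split(","))):
        sec = "domain/" + name
        if not cp.has_section(sec):
            findings.append(sec + ": listed in domains but not defined")
            continue
        dom = cp[sec]
        # auth_provider falls back to id_provider when it is not set.
        if dom.get("auth_provider", dom.get("id_provider", "")).strip() != "ldap":
            continue
        uris = [u.strip().lower() for u in dom.get("ldap_uri", "").split(",") if u.strip()]
        # Heuristic (assumption): any ldap_tls_* option or StartTLS flag counts as TLS.
        tls = any(k.startswith("ldap_tls_") for k in dom) or \
            dom.get("ldap_id_use_start_tls", "false").strip().lower() == "true"
        if not tls and not all(u.startswith("ldaps://") for u in uris):
            findings.append(sec + ": auth_provider = ldap without ldaps:// or TLS options")
    return findings

if __name__ == "__main__":
    print(check_sssd_conf(FIRST), check_sssd_conf(SECOND))
```
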