I installed SSSD on SUSE Linux to manage AD access. But for some reason SSSD does not start after joining AD.

I have gone through almost all the available documentation.

Can someone guide me on what the reason behind this might be?

Virtualization: amazon
Operating System: SUSE Linux Enterprise Server 15 SP3
CPE OS Name: cpe:/o:suse:sles:15:sp3
Kernel: Linux 5.3.18-150300.59.170-default
Architecture: x86-64

SSSD status

● sssd.service - System Security Services Daemon
     Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)
     Active: failed (Result: exit-code) since Tue 2024-08-20 17:47:40 UTC; 30min ago
    Process: 944363 ExecStart=/usr/sbin/sssd -i ${DEBUG_LOGGER} (code=exited, status=3)
   Main PID: 944363 (code=exited, status=3)

Aug 20 17:47:40  systemd[1]: Starting System Security Services Daemon...
Aug 20 17:47:40  sssd[944363]: Starting up
Aug 20 17:47:40  systemd[1]: sssd.service: Main process exited, code=exited, status=3/NOTIMPLEMENTED
Aug 20 17:47:40  systemd[1]: sssd.service: Failed with result 'exit-code'.
Aug 20 17:47:40  systemd[1]: Failed to start System Security Services Daemon.

I tried the fixes given in the documents below.

E.g. clearing the cache, stopping/starting the service, reinstalling SSSD, rebooting the instance, permission checks, etc.

Please note that I was able to join AD using the realm join command without any errors.

Installed SSSD packages

 sssd-common-1.16.1-150300.23.43.1.x86_64
 sssd-ad-1.16.1-150300.23.43.1.x86_64
 sssd-1.16.1-150300.23.43.1.x86_64
 sssd-ldap-1.16.1-150300.23.43.1.x86_64
 sssd-common-32bit-1.16.1-150300.23.43.1.x86_64
 sssd-krb5-common-1.16.1-150300.23.43.1.x86_64
 sssd-tools-1.16.1-150300.23.43.1.x86_64
 python3-sssd-config-1.16.1-150300.23.43.1.x86_64

When trying to run the SSSD daemon with "sssd -d9 -i"

(2024-08-20 18:30:45:189066): [sssd] [main] (0x0400): NSCD socket was detected and it seems to be configured not to interfere with SSSD's caching capabilities
(2024-08-20 18:30:45:189252): [sssd] [check_file] (0x0400): lstat for [/var/run/sssd.pid] failed: [2][No such file or directory].
(2024-08-20 18:30:45:190504): [sssd] [ldb] (0x0400): server_sort:Unable to register control with rootdse!
(2024-08-20 18:30:45:192925): [sssd] [sss_confdb_create_ldif] (0x0400): Processing config section [sssd]
(2024-08-20 18:30:45:193073): [sssd] [sss_confdb_create_ldif] (0x0400): Processing attribute [config_file_version]
(2024-08-20 18:30:45:193132): [sssd] [sss_confdb_create_ldif] (0x4000): config_file_version: 2

(2024-08-20 18:30:45:193191): [sssd] [sss_confdb_create_ldif] (0x0400): Processing attribute [services]
(2024-08-20 18:30:45:193246): [sssd] [sss_confdb_create_ldif] (0x4000): services: nss, pam

(2024-08-20 18:30:45:193298): [sssd] [sss_confdb_create_ldif] (0x0400): Processing attribute [domains]

(2024-08-20 18:30:45:200131): [sssd] [confdb_ensure_files_domain] (0x0100): The implicit files domain is disabled
(2024-08-20 18:30:45:200249): [sssd] [confdb_expand_app_domains] (0x2000):  is not an app domain
(2024-08-20 18:30:45:200375): [sssd] [confdb_get_domain_internal] (0x0400): No enumeration for []!
(2024-08-20 18:30:45:200426): [sssd] [confdb_get_domain_internal] (0x0400): Please note that when enumeration is disabled `getent passwd` does not return all users by design. See sssd.conf man page for more detailed information
(2024-08-20 18:30:45:200524): [sssd] [confdb_get_domain_internal] (0x1000): pwd_expiration_warning is -1
(2024-08-20 18:30:45:200662): [sssd] [become_user] (0x0200): Trying to become user [0][0].
(2024-08-20 18:30:45:200804): [sssd] [become_user] (0x0200): Already user [0].
(2024-08-20 18:30:45:201067): [sssd] [ldb] (0x0400): server_sort:Unable to register control with rootdse!
(2024-08-20 18:30:45): [sssd] [server_setup] (0x0400): CONFDB: /var/lib/sss/db/config.ldb
(2024-08-20 18:30:45): [sssd] [confdb_get_domain_internal] (0x0400): No enumeration for []!
(2024-08-20 18:30:45): [sssd] [confdb_get_domain_internal] (0x0400): Please note that when enumeration is disabled `getent passwd` does not return all users by design. See sssd.conf man page for more detailed information
(2024-08-20 18:30:45): [sssd] [confdb_get_domain_internal] (0x1000): pwd_expiration_warning is -1
(2024-08-20 18:30:45): [sssd] [snotify_watch] (0x2000): Opened inotify fd 0
(2024-08-20 18:30:45): [sssd] [snotify_watch] (0x2000): Opened file watch 1
(2024-08-20 18:30:45): [sssd] [snotify_watch] (0x2000): Opened directory watch 2
(2024-08-20 18:30:45): [sssd] [_snotify_create] (0x0400): Added a watch for /run/netconfig/resolv.conf with inotify flags 0x8D88 internal flags 0x1 using function resolv_conf_inotify_cb after delay 1.0
(2024-08-20 18:30:45): [sssd] [sss_names_init_from_args] (0x0100): Using re [(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))].
(2024-08-20 18:30:45): [sssd] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(2024-08-20 18:30:45): [sssd] [sysdb_domain_init_internal] (0x0200): DB File for : /var/lib/sss/db/cache_.ldb
(2024-08-20 18:30:45): [sssd] [sysdb_domain_init_internal] (0x0200): Timestamp file for : /var/lib/sss/db/timestamps_.ldb
(2024-08-20 18:30:45): [sssd] [ldb] (0x0400): asq: Unable to register control with rootdse!
(2024-08-20 18:30:45): [sssd] [sbus_new_server] (0x0020): dbus_server_listen failed! (name=org.freedesktop.DBus.Error.AddressInUse, message=Failed to bindsocket "/var/lib/sss/pipes/private/sbus-monitor": Address already in use)
(2024-08-20 18:30:45): [sssd] [watch_ctx_destructor] (0x2000): Closing inotify fd 0

Please help.

SSSD needs to be actively up and running before joining AD.

Before joining AD, the following errors exist in /var/log/messages

Aug 21 11:36:34  sssd[1231272]: SSSD couldn't load the configuration database [2]: No such file or directory.
Aug 21 11:36:34  systemd[1]: sssd.service: Main process exited, code=exited, status=4/NOPERMISSION
Aug 21 11:36:34  systemd[1]: sssd.service: Failed with result 'exit-code'.
Aug 21 11:36:34  systemd[1]: Failed to start System Security Services Daemon.
Aug 21 11:38:29  systemd[1]: Starting System Security Services Daemon...
Aug 21 11:38:29  sssd[1231736]: SSSD couldn't load the configuration database [2]: No such file or directory.
Aug 21 11:38:29  systemd[1]: sssd.service: Main process exited, code=exited, status=4/NOPERMISSION
Aug 21 11:38:29  systemd[1]: sssd.service: Failed with result 'exit-code'.
Aug 21 11:38:29  systemd[1]: Failed to start System Security Services Daemon.

SSSD log

(2024-08-19 17:58:39:605996): [sssd] [confdb_get_domain_internal] (0x0010): Unknown domain [DOMAIN.COM]
(2024-08-19 17:58:39:606017): [sssd] [confdb_get_domains] (0x0010): Error (2 [No such file or directory]) retrieving domain [DOMAIN.COM], skipping!
(2024-08-19 17:58:39:606021): [sssd] [confdb_get_domains] (0x0010): No properly configured domains, fatal error!
(2024-08-19 17:58:39:606025): [sssd] [get_monitor_config] (0x0010): No domains configured.
(2024-08-19 17:58:39:606040): [sssd] [main] (0x0020): SSSD couldn't load the configuration database.
(2024-08-19 18:00:56:624274): [sssd] [confdb_get_domain_internal] (0x0010): Unknown domain [DOMAIN.COM]
(2024-08-19 18:00:56:624299): [sssd] [confdb_get_domains] (0x0010): Error (2 [No such file or directory]) retrieving domain [DOMAIN.COM], skipping!
(2024-08-19 18:00:56:624305): [sssd] [confdb_get_domains] (0x0010): No properly configured domains, fatal error!
(2024-08-19 18:00:56:624310): [sssd] [get_monitor_config] (0x0010): No domains configured.
(2024-08-19 18:00:56:624327): [sssd] [main] (0x0020): SSSD couldn't load the configuration database.
(2024-08-19 18:06:32:560704): [sssd] [main] (0x0010): pidfile exists at /var/run/sssd.pid
(2024-08-21 11:33:08:242025): [sssd] [main] (0x0010): pidfile exists at /var/run/sssd.pid
(2024-08-21 11:36:34:780964): [sssd] [sss_confdb_create_ldif] (0x0020): Attribute 'domains' has empty value, ignoring
(2024-08-21 11:36:34:787373): [sssd] [confdb_expand_app_domains] (0x0010): No domains configured, fatal error!
(2024-08-21 11:36:34:787395): [sssd] [get_monitor_config] (0x0010): Failed to expand application domains
(2024-08-21 11:36:34:787427): [sssd] [get_monitor_config] (0x0010): No domains configured.
(2024-08-21 11:36:34:787456): [sssd] [main] (0x0020): SSSD couldn't load the configuration database.
(2024-08-21 11:38:29:802179): [sssd] [sss_confdb_create_ldif] (0x0020): Attribute 'domains' has empty value, ignoring
(2024-08-21 11:38:29:806933): [sssd] [confdb_expand_app_domains] (0x0010): No domains configured, fatal error!
(2024-08-21 11:38:29:806951): [sssd] [get_monitor_config] (0x0010): Failed to expand application domains
(2024-08-21 11:38:29:806989): [sssd] [get_monitor_config] (0x0010): No domains configured.
(2024-08-21 11:38:29:807013): [sssd] [main] (0x0020): SSSD couldn't load the configuration database.

Folder permissions

drwxr-xr-x  3 root   root         62 Aug 21 11:35 sssd

File permissions

-rw------- 1 root root 1920 Aug 21 11:35 /etc/sssd/sssd.conf

sssd.conf before joining AD

[sssd]
config_file_version = 2
services = nss, pam
domains =
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
; domains = LDAP

[nss]

[pam]

# Example LDAP domain
; [domain/LDAP]
; id_provider = ldap
; auth_provider = ldap
# ldap_schema can be set to "rfc2307", which stores group member names in the
# "memberuid" attribute, or to "rfc2307bis", which stores group member DNs in
# the "member" attribute. If you do not know this value, ask your LDAP
# administrator.
; ldap_schema = rfc2307
; ldap_uri = ldap://ldap.mydomain.org
; ldap_search_base = dc=mydomain,dc=org
# Note that enabling enumeration will have a moderate performance impact.
# Consequently, the default value for enumeration is FALSE.
# Refer to the sssd.conf man page for full details.
; enumerate = false
# Allow offline logins by locally storing password hashes (default: false).
; cache_credentials = true

# An example Active Directory domain. Please note that this configuration
# works for AD 2003R2 and AD 2008, because they use pretty much RFC2307bis
# compliant attribute names. To support UNIX clients with AD 2003 or older,
# you must install Microsoft Services For UNIX and map LDAP attributes onto
# msSFU30* attribute names.
; [domain/AD]
; id_provider = ldap
; auth_provider = krb5
; chpass_provider = krb5
;
; ldap_uri = ldap://your.ad.example.com
; ldap_search_base = dc=example,dc=com
; ldap_schema = rfc2307bis
; ldap_sasl_mech = GSSAPI
; ldap_user_object_class = user
; ldap_group_object_class = group
; ldap_user_home_directory = unixHomeDirectory
; ldap_user_principal = userPrincipalName
; ldap_account_expire_policy = ad
; ldap_force_upper_case_realm = true
;
; krb5_server = your.ad.example.com
; krb5_realm = EXAMPLE.COM

  • Before joining AD, the following errors exist in /var/log/messages

  • Added to the question

  • Ok, there it is. The logs say that no domains could be found, because the domains are not configured properly and the attribute has an empty value. That can have many different reasons. Add the contents of /etc/sssd/sssd.conf to the question.

  • There is also a permission problem, which is most likely caused by incorrect ownership or permissions on /etc/sssd, so that the sssd user cannot access or write to that directory and its contents.

  • Added the details
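As an added example (not code from the question, the comments, or the SSSD project), the POSIX shell functions below check an sssd.conf for the conditions the logs above point at: an empty `domains =` in `[sssd]`, a listed domain with no uncommented `[domain/NAME]` section, the 0600 mode on the file, and a stale pid file of the kind `pidfile exists at /var/run/sssd.pid` reports. The function names, the `ad.example` domain and the sample files are constructed for the example; `stat -c` assumes GNU coreutils, as on SLES.

```shell
# Added example, not code from the question or the SSSD project: static checks
# for the failures in the logs above: empty "domains =" in [sssd] ("No domains
# configured, fatal error!"), a listed domain with no [domain/NAME] section
# ("Unknown domain [...]"), the 0600 mode on sssd.conf, and a stale pid file
# ("pidfile exists at ..."). Samples are constructed; stat -c is GNU coreutils.

# Print the uncommented value of key $2 in section [$1] of file $3.
conf_value() {
    awk -v sect="[$1]" -v key="$2" '
        /^[[:space:]]*[;#]/ { next }
        /^[[:space:]]*\[/ { s = $0; gsub(/[[:space:]]/, "", s); in_sect = (s == sect); next }
        in_sect && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit }' "$3"
}

# Succeed if file $2 has an uncommented [$1] section header.
has_section() {
    awk -v sect="[$1]" '
        /^[[:space:]]*[;#]/ { next }
        /^[[:space:]]*\[/ { s = $0; gsub(/[[:space:]]/, "", s); if (s == sect) { found = 1; exit } }
        END { exit !found }' "$2"
}

# Succeed if pid file $1 exists but names a process that is gone.
stale_pidfile() { [ -f "$1" ] && ! kill -0 "$(cat "$1")" 2>/dev/null; }

# Return 0 when the config would let sssd start, 1 otherwise.
check_sssd_conf() {
    conf=$1; rc=0
    mode=$(stat -c '%a' "$conf")
    [ "$mode" = "600" ] || { echo "$conf: mode $mode, sssd requires 0600"; rc=1; }
    domains=$(conf_value sssd domains "$conf")
    if [ -z "$domains" ]; then
        echo "$conf: 'domains' is empty, sssd will refuse to start"; return 1
    fi
    for d in $(printf '%s' "$domains" | tr ',' ' '); do      # exact-case match
        has_section "domain/$d" "$conf" ||
            { echo "$conf: [$d] listed but no [domain/$d] section"; rc=1; }
    done
    return $rc
}

# Constructed samples: the posted SLES template (domains empty), a config
# naming a domain with only a commented-out section, and a working one.
make_samples() {
    dir=$(mktemp -d)
    printf '[sssd]\nconfig_file_version = 2\nservices = nss, pam\ndomains =\n; domains = LDAP\n\n[nss]\n\n[pam]\n; [domain/LDAP]\n' > "$dir/empty.conf"
    printf '[sssd]\ndomains = ad.example\n\n[nss]\n\n[pam]\n; [domain/ad.example]\n' > "$dir/missing.conf"
    printf '[sssd]\ndomains = ad.example\n\n[nss]\n\n[pam]\n\n[domain/ad.example]\nid_provider = ad\n' > "$dir/good.conf"
    chmod 600 "$dir"/*.conf; echo "$dir"
}
```

Run `check_sssd_conf /etc/sssd/sssd.conf` as root on the host; `stale_pidfile /var/run/sssd.pid` tells a leftover pid file from a dead daemon apart from a running one.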