SSSD Troubleshooting

Debugging and troubleshooting

Here are some tips to help troubleshoot sssd.

debug_level

The debug level of sssd can be changed on-the-fly via sssctl, from the sssd-tools package:

sudo apt install sssd-tools
sssctl debug-level <new-level>

Or change add it to the config file and restart sssd:

[sssd]
config_file_version = 2
domains = example.com

[domain/example.com]
debug_level = 6
...

Either will yield more logs in /var/log/sssd/*.log and can help identify what is going on. The sssctl approach has the clear advantage of not having to restart the service.

Caching

Caching is useful to speed things up, but it can get in the way big time when troubleshooting. It’s useful to be able to remove the cache while chasing down a problem. This can also be done with the sssctl tool from the sssd-tools package.

You can either remove the whole cache:

# sssctl cache-remove
Creating backup of local data...
SSSD backup of local data already exists, override? (yes/no) [no] yes
Removing cache files...
SSSD= needs to be running. Start SSSD now? (yes/no) [yes] yes

Or just one element:

sssctl cache-expire -u john

Or expire everything:

sssctl cache-expire -E

DNS

Kerberos is quite sensitive to DNS issues. If you suspect something related to DNS, here are two suggestions:

FQDN hostname

Make sure hostname -f returns a fully qualified domain name. Set it in /etc/hostname if necessary, and use sudo resolvectl set-hostname <fqdn> to set it at runtime.

Reverse name lookup

You can try disabling a default reverse name lookup that the krb5 libraries do, by editing (or creating) /etc/krb5.conf and setting rdns = false in the [libdefaults] section:

[libdefaults]
rdns = false
1 Like