Debugging sssd login: pam_sss [...] System error

Solution 1:

You need to add debug_level=10 into all sections in the sssd.conf file, restart sssd and re-run the login. Then look into /var/log/sssd. Also please read https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html

Solution 2:

Same problem on Ubuntu 20.04, adding

  • ad_gpo_ignore_unreadable = True
  • ad_gpo_access_control = permissive

solved issues that do not exist on Ubuntu 18.04 (same M$ AD and RFC_2307 attribute mapping).

It looks like the default values have changed: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/sssd-gpo

I still need to find the correct settings to keep the system secure.


Solution 3:

Just wondered why some fresh Active Directory connected Linux (Debian 9) systems reported system error on su while some older did not show this behavior. Setting ad_gpo_access_control = permissive indeed made it work but the root cause was that the new systems have IP addresses in a subnet that was not recorded in Active Directory Sites and Services. Once the subnet was added and assigned to a site (give AD some time to replicate) the system error was no longer reported.
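The steps from the three answers above, as an added example that is not part of any of the posts: it sets debug_level in every section of an sssd.conf (Solution 1) and lists domain sections where the GPO workaround options from Solutions 2 and 3 are still set, so they can be reverted once the root cause is fixed. The sample configuration, the domain name example.test and the function names are constructed for illustration.

```python
import configparser
import io

# Constructed sample sssd.conf (not taken from the original posts).
SAMPLE_CONF = """\
[sssd]
services = nss, pam
domains = example.test
[pam]
[domain/example.test]
id_provider = ad
access_provider = ad
fallback_homedir = /home/%u@%d
ad_gpo_access_control = permissive
ad_gpo_ignore_unreadable = True
"""

def load(text):
    # interpolation=None: sssd.conf values such as /home/%u@%d contain '%',
    # which configparser would otherwise try to expand and reject.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def enable_debug(cp, level=10):
    """Set debug_level in every section; return the sections that changed."""
    changed = []
    for section in cp.sections():
        if cp.get(section, "debug_level", fallback=None) != str(level):
            cp.set(section, "debug_level", str(level))
            changed.append(section)
    return changed

def relaxed_gpo_settings(cp):
    """Return (section, option, value) for explicitly set GPO workarounds.
    An absent option is not reported: its effect depends on the build default."""
    findings = []
    for section in (s for s in cp.sections() if s.startswith("domain/")):
        mode = cp.get(section, "ad_gpo_access_control", fallback=None)
        if mode is not None and mode.strip().lower() != "enforcing":
            findings.append((section, "ad_gpo_access_control", mode))
        unreadable = cp.get(section, "ad_gpo_ignore_unreadable", fallback="False")
        if unreadable.strip().lower() == "true":
            findings.append((section, "ad_gpo_ignore_unreadable", unreadable))
    return findings

def render(cp):
    """Serialize the modified configuration back to INI text."""
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()
```

Write the rendered text back to sssd.conf and restart sssd for the new debug_level to take effect, as Solution 1 describes.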
