Debugging sssd login: pam_sss [...] System error
Solution 1:
You need to add debug_level=10 into all sections in the sssd.conf file, restart sssd and re-run the login. Then look into /var/log/sssd. Also please read https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html
Solution 2:
Same problem on Ubuntu 20.04. Adding
- ad_gpo_ignore_unreadable = True
- ad_gpo_access_control = permissive
solved issues that do not exist on Ubuntu 18.04 (same M$ AD and RFC_2307 attribute mapping).
It looks like the default values have changed: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/sssd-gpo
I still need to find the correct settings to keep the system secure.
Solution 3:
Just wondered why some fresh Active Directory connected Linux (Debian 9) systems reported system error on su while some older did not show this behavior. Setting ad_gpo_access_control = permissive indeed made it work but the root cause was that the new systems have IP addresses in a subnet that was not recorded in Active Directory Sites and Services. Once the subnet was added and assigned to a site (give AD some time to replicate) the system error was no longer reported.
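Solutions 2 and 3 both relax GPO-based access control to get logins working. The following is an added example, not part of any answer above: a small audit that reads an sssd.conf and reports domains where that workaround is still in place, or where ad_gpo_access_control is unset and the version default applies. The sample configuration and its domain names are constructed, and the function name is hypothetical.

```python
import configparser

# Constructed sample sssd.conf; the domain names are placeholders.
SAMPLE_CONF = """\
[sssd]
services = nss, pam
domains = corp.example, lab.example

[domain/corp.example]
id_provider = ad
access_provider = ad
ad_gpo_access_control = Permissive
ad_gpo_ignore_unreadable = True

[domain/lab.example]
id_provider = ad
access_provider = ad
"""

def audit_gpo_settings(conf_text):
    """Return (section, option, value, note) tuples for relaxed GPO settings."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    findings = []
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        opts = parser[section]
        if opts.get("access_provider", fallback="").strip().lower() != "ad":
            continue  # GPO access control belongs to the AD access provider
        mode = opts.get("ad_gpo_access_control", fallback="").strip().lower()
        if mode in ("permissive", "disabled"):
            findings.append((section, "ad_gpo_access_control", mode,
                             "GPO logon rules are not enforced"))
        elif mode == "":
            findings.append((section, "ad_gpo_access_control", "unset",
                             "version default applies; set it explicitly"))
        unreadable = opts.get("ad_gpo_ignore_unreadable", fallback="").strip().lower()
        if unreadable == "true":
            findings.append((section, "ad_gpo_ignore_unreadable", unreadable,
                             "unreadable GPO containers are ignored"))
    return findings

if __name__ == "__main__":
    for finding in audit_gpo_settings(SAMPLE_CONF):
        print("%s: %s = %s (%s)" % finding)
```

An empty result means every AD domain section sets ad_gpo_access_control = enforcing explicitly and does not ignore unreadable GPOs.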