add sssd troubleshooting information

_toc.yml

@@ -89,6 +89,7 @@ chapters:
           - file: admin-guide/troubleshooting/selinux
           - file: admin-guide/troubleshooting/boot
           - file: admin-guide/troubleshooting/kerberos
+          - file: admin-guide/troubleshooting/sssd
 
   - file: infrastructure-guide/index
     sections:

admin-guide/troubleshooting/ssd.md

@@ -0,0 +1,68 @@
+# sssd Authentication
+
+## Check Domain State
+As `root` check what domains are configured:
+```
+# sssctl domain-list
+D.PSI.CH
+#
+```
+and then check their state:
+```
+# sssctl domain-status D.PSI.CH
+Online status: Offline
+
+Active servers:
+AD Global Catalog: not connected
+AD Domain Controller: dc01.D.PSI.CH
+
+Discovered AD Global Catalog servers:
+None so far.
+Discovered AD Domain Controller servers:
+- dc01.D.PSI.CH
+- dc02.D.PSI.CH
+- dc00.D.PSI.CH
+
+#
+```
+
+## Check User State
+```
+# sssctl user-checks buchel_k
+user: buchel_k
+action: acct
+service: system-auth
+
+SSSD nss user lookup result:
+ - user name: buchel_k
+ - user id: 44951
+ - group id: 710
+ - gecos: Bucheli Konrad
+ - home directory: /home/buchel_k
+ - shell: /bin/bash
+
+SSSD InfoPipe user lookup result:
+ - name: buchel_k
+ - uidNumber: 44951
+ - gidNumber: 710
+ - gecos: Bucheli Konrad
+ - homeDirectory: /afs/psi.ch/user/b/buchel_k
+ - loginShell: /bin/bash
+
+testing pam_acct_mgmt
+
+pam_acct_mgmt: Success
+
+PAM Environment:
+ - no env -
+#
+```
+
+## Extended Logging
+
+To get more logging messages you may raise the log level to 6, either permanently in Hiera with key `aaa::sssd_debuglevel` or temporary on the host itself with
+```
+sssctl debug-level 6
+```
+
+The logs are located in `/etc/log/sssd/`