Ocserv + ldap (sssd)
Description of problem:
I have ocserv 1.3.0 on Debian 12 with 2FA and LDAP auth. For LDAP I use AD and sssd; for 2FA I use google-authenticator. From time to time I receive from ocserv that it cannot get the sssd socket:
Jul 17 17:48:15 ocserv---- [97018]: pam_sss(ocserv:auth): Request to sssd failed. Cannot get stat of SSSD socket.
Jul 17 17:48:15 ocserv--- ocserv[97018]: sec-mod: received request from pid 100222 and uid 0
Jul 17 17:48:15 ocserv-----ocserv[97018]: sec-mod: cmd [size=66] sm: auth cont
Jul 17 17:48:15 ocserv---- ocserv[97018]: sec-mod: auth cont for 'ad_user' (session: wCBUE/)
Jul 17 17:48:15 ocserv----- ocserv[97018]: PAM authenticate error for 'ad_user' Authentication service cannot retrieve authentication info
In strace I can see only this:
rt_sigprocmask(SIG_SETMASK, [HUP INT ALRM TERM], [HUP INT ALRM TERM], 8) = 0
getuid() = 0
newfstatat(AT_FDCWD, "/var/lib/sss/pipes/private/pam", 0x55b77a1423c0, 0) = -1 EACCES (Permission denied)
getpid() = 97018
socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 14
connect(14, {sa_family=AF_UNIX, sun_path="/dev/log"}, 110) = 0
sendto(14, "<83>Jul 17 17:50:19 [97018]: pam"..., 106, MSG_NOSIGNAL, NULL, 0) = 106
Somehow it says permission denied.
I've tried to change permissions; it does not allow it. I've tried launching ocserv as the root user, without isolating workers. The same. I've tried different configs and searched, I think, all the internet. I switched off AppArmor and SELinux.
How can I fix that? Help me please.
sssd version is 2.8.2. These are my configs:
sssd.conf:
[sssd]
debug_level = 0x0270
#debug_level = 9
reconnection_retries = 10
domains = ------
config_file_version = 2
#services = nss, pam
[domain/blackhub.games]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = False
krb5_realm = ------
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/------/%u
ad_domain = -----
use_fully_qualified_names = False
ldap_id_mapping = True
access_provider = ad
ad_gpo_access_control = disabled
krb5_validate = True
dyndns_update = false
I've tried with the services line but no luck. For krb.conf I added rdns=false.
pam.d/ocserv:
#Use SSSD for authentication
auth required pam_succeed_if.so user ingroup OpenConn_VPN
auth requisite pam_google_authenticator.so secret=/home/my.domain/${USER}/.google_authenticator
auth required pam_sss.so
account required pam_sss.so
#Session setup
session required pam_mkhomedir.so skel=/etc/skel umask=0022
session required pam_limits.so
@include common-session
pam.d/common-auth:
auth [success=2 default=ignore] pam_unix.so nullok
auth [success=1 default=ignore] pam_sss.so use_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
P.S. I've read these ones and did everything: #506 (closed), #619 (closed)
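The logged "Authentication service cannot retrieve authentication info" is PAM's text for the PAM_AUTHINFO_UNAVAIL code that pam_sss returns when it cannot reach the sssd socket, and the control flags in the pam.d files above decide how that single module result becomes the verdict ocserv sees. The simulator below is an added example, not code from the report or from ocserv: it models Linux-PAM's control semantics (keyword controls and [success=N default=ignore] jumps) over the stacks transcribed from the report, with constructed module return values.

```python
# Added example (not the reporter's code): walk a PAM 'auth' stack the way libpam does.
PAM_SUCCESS, PAM_AUTH_ERR, PAM_USER_UNKNOWN = "PAM_SUCCESS", "PAM_AUTH_ERR", "PAM_USER_UNKNOWN"
PAM_AUTHINFO_UNAVAIL = "PAM_AUTHINFO_UNAVAIL"  # pam_sss result when it cannot reach sssd
STRERROR = {PAM_AUTHINFO_UNAVAIL: "Authentication service cannot retrieve authentication info"}
KEYWORDS = {  # keyword controls as the [value=action] tables libpam expands them to
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

def parse_control(control):
    """'required' or '[success=2 default=ignore]' -> {value: action}."""
    if control in KEYWORDS:
        return KEYWORDS[control]
    return dict(item.split("=", 1) for item in control.strip("[]").split())

def run_stack(stack, results):
    """stack: [(control, module)]; results: module -> simulated return code.
    Returns the status pam_authenticate() hands back to the application."""
    status, failed, i = PAM_SUCCESS, False, 0
    while i < len(stack):
        control, module = stack[i]
        retval = results[module]
        table = parse_control(control)
        key = "success" if retval == PAM_SUCCESS else retval[4:].lower()
        action = table.get(key, table.get("default", "ignore"))
        i += 1
        if action in ("ok", "done") or action.isdigit():
            if not failed:                       # first recorded result is the verdict
                status, failed = retval, retval != PAM_SUCCESS
            if action == "done" and not failed:  # sufficient: stop early on success
                return status
            if action.isdigit():                 # [success=N]: skip the next N modules
                i += int(action)
        elif action in ("bad", "die"):
            if not failed:
                status, failed = retval, True
            if action == "die":                  # requisite: abort immediately
                return status
    return status                                # "ignore" results never change it

# Stacks transcribed from the report's pam.d files (session lines omitted).
OCSERV_AUTH = [("required", "pam_succeed_if.so"), ("requisite", "pam_google_authenticator.so"),
               ("required", "pam_sss.so")]
COMMON_AUTH = [("[success=2 default=ignore]", "pam_unix.so"), ("[success=1 default=ignore]", "pam_sss.so"),
               ("requisite", "pam_deny.so"), ("required", "pam_permit.so")]

def reproduce_report(sss_result=PAM_AUTHINFO_UNAVAIL):
    """Group check and OTP pass (constructed), then pam_sss reports the socket failure from the log."""
    status = run_stack(OCSERV_AUTH, {"pam_succeed_if.so": PAM_SUCCESS,
                                     "pam_google_authenticator.so": PAM_SUCCESS, "pam_sss.so": sss_result})
    return status, STRERROR.get(status, status)
```

Because pam_sss is `required` in pam.d/ocserv, its PAM_AUTHINFO_UNAVAIL result becomes the stack's verdict even though the group check and OTP already passed; the common-auth stack shown in the report is not included by pam.d/ocserv and so plays no part in that outcome.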