Package: realmd
Version: 0.17.0-1
Severity: normal

Dear Maintainer,
in Debian and Ubuntu, sssd uses socket activation to start other daemons as needed. When realmd is used to join an Active Directory domain, by default sssd is used. realmd will configure sssd with the following:

[sssd]
services = nss, pam

This services line tells sssd to also start the services for nss and pam, but these are socket activated:

/lib/systemd/system/sssd-nss.socket
/lib/systemd/system/sssd-pam-priv.socket
/lib/systemd/system/sssd-pam.socket

When realmd finishes the join, and restarts sssd, we get these warnings in the logs.

For NSS:

Jan 12 18:08:19 sid-realmd sssd_check_socket_activated_responders[2445]: [sssd] [main] (0x0070): Misconfiguration found for the nss responder.
Jan 12 18:08:19 sid-realmd sssd_check_socket_activated_responders[2445]: The nss responder has been configured to be socket-activated but it's still mentioned in the services' line in /etc/sssd/sssd.conf.
Jan 12 18:08:19 sid-realmd sssd_check_socket_activated_responders[2445]: Please, consider either adjusting your services' line in /etc/sssd/sssd.conf or disabling the nss's socket by calling:
Jan 12 18:08:19 sid-realmd sssd_check_socket_activated_responders[2445]: "systemctl disable sssd-nss.socket"
Jan 12 18:08:19 sid-realmd systemd[1]: sssd-nss.socket: Control process exited, code=exited, status=17/n/a
Jan 12 18:08:19 sid-realmd systemd[1]: sssd-nss.socket: Failed with result 'exit-code'.
Jan 12 18:08:19 sid-realmd systemd[1]: Failed to listen on SSSD NSS Service responder socket.

For PAM:

Jan 12 18:08:19 sid-realmd systemd[1]: Starting SSSD PAM Service responder socket...
Jan 12 18:08:19 sid-realmd sssd_check_socket_activated_responders[2446]: [sssd] [main] (0x0070): Misconfiguration found for the pam responder.
Jan 12 18:08:19 sid-realmd sssd_check_socket_activated_responders[2446]: The pam responder has been configured to be socket-activated but it's still mentioned in the services' line in /etc/sssd/sssd.conf.
Jan 12 18:08:19 sid-realmd sssd_check_socket_activated_responders[2446]: Please, consider either adjusting your services' line in /etc/sssd/sssd.conf or disabling the pam's socket by calling:
Jan 12 18:08:19 sid-realmd sssd_check_socket_activated_responders[2446]: "systemctl disable sssd-pam.socket"
Jan 12 18:08:19 sid-realmd systemd[1]: Starting SSSD SSH Service responder socket...
Jan 12 18:08:19 sid-realmd systemd[1]: Starting SSSD Sudo Service responder socket...
Jan 12 18:08:19 sid-realmd systemd[1]: sssd-pam-priv.socket: Control process exited, code=exited, status=17/n/a
Jan 12 18:08:19 sid-realmd systemd[1]: sssd-pam-priv.socket: Failed with result 'exit-code'.
Jan 12 18:08:19 sid-realmd systemd[1]: Failed to listen on SSSD PAM Service responder private socket.
Jan 12 18:08:19 sid-realmd systemd[1]: Dependency failed for SSSD PAM Service responder socket.
Jan 12 18:08:19 sid-realmd systemd[1]: sssd-pam.socket: Job sssd-pam.socket/start failed with result 'dependency'.
Jan 12 18:08:19 sid-realmd sssd_check_socket_activated_responders[2449]: [sssd] [main] (0x0070): Misconfiguration found for the pam responder.
Jan 12 18:08:19 sid-realmd sssd_check_socket_activated_responders[2449]: The pam responder has been configured to be socket-activated but it's still mentioned in the services' line in /etc/sssd/sssd.conf.
Jan 12 18:08:19 sid-realmd sssd_check_socket_activated_responders[2449]: Please, consider either adjusting your services' line in /etc/sssd/sssd.conf or disabling the pam's socket by calling:
Jan 12 18:08:19 sid-realmd systemd[1]: sssd-pam.socket: Killing process 2449 (sssd_check_sock) with signal SIGKILL.
Jan 12 18:08:19 sid-realmd sssd_check_socket_activated_responders[2449]: "systemctl disable sssd-pam.socket"
Jan 12 18:08:19 sid-realmd systemd[1]: sssd-pam.socket: Control process exited, code=exited, status=17/n/a
Jan 12 18:08:19 sid-realmd systemd[1]: sssd-pam.socket: Failed with result 'exit-code'.
Jan 12 18:08:19 sid-realmd systemd[1]: Closed SSSD PAM Service responder socket.

These are not fatal, and the join process succeeds:

root@sid-realmd:~# kinit Administrator
Password for administra...@internal.example.fake:
root@sid-realmd:~# realm join -v internal.example.fake
 * Resolving: _ldap._tcp.internal.example.fake
 * Performing LDAP DSE lookup on: 10.0.16.5
 * Successfully discovered: internal.example.fake
(...)
 * Checking host/SID-REALMD
 * Added host/SID-REALMD
 * Discovered which keytab salt to use
 * Added the entries to the keytab: SID-REALMD$@INTERNAL.EXAMPLE.FAKE: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/sid-rea...@internal.example.fake: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/sid-rea...@internal.example.fake: FILE:/etc/krb5.keytab
 ! Failed to update Kerberos configuration, not fatal, please check manually: Setting attribute standard::type not supported
 * /usr/sbin/update-rc.d sssd enable
 * /usr/sbin/service sssd restart
 * Successfully enrolled machine in realm

But they are unnecessary noise in the logs, and can confuse sysadmins on an already difficult topic (AD authentication and authorization).

In Ubuntu, I created this patch which will not add the "services = nss, pam" line to sssd.conf:

Description: Don't add the services line to sssd.conf
 In Ubuntu and Debian, the sssd services (like nss, pam, pac, etc) are socket
 activated and should not be listed in the services line, as they will be
 started on demand by systemd.
Author: Andreas Hasenack <andr...@canonical.com>
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1880157
Forwarded: not
Last-Update: 2020-09-03
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
--- a/service/realm-sssd-config.c
+++ b/service/realm-sssd-config.c
@@ -130,7 +130,6 @@
 	gchar **already;
 	gboolean ret;
 	gchar *section;
-	const gchar *services[] = { "nss", "pam", NULL };
 	va_list va;
 	gint i;
 
@@ -155,7 +154,6 @@
 	g_strfreev (already);
 
 	/* Setup a default sssd section */
-	realm_ini_config_set_list_diff (config, "sssd", "services", ", ", services, NULL);
 	if (!realm_ini_config_have (config, "sssd", "config_file_version"))
 		realm_ini_config_set (config, "sssd", "config_file_version", "2", NULL);
 
--- a/tests/test-sssd-config.c
+++ b/tests/test-sssd-config.c
@@ -90,7 +90,7 @@
                      gconstpointer unused)
 {
 	const gchar *data = "[domain/one]\nval=1\n[sssd]\ndomains=one";
-	const gchar *check = "[domain/one]\nval=1\n[sssd]\ndomains = one, two\nconfig_file_version = 2\nservices = nss, pam\n\n[domain/two]\ndos = 2\n";
+	const gchar *check = "[domain/one]\nval=1\n[sssd]\ndomains = one, two\nconfig_file_version = 2\n\n[domain/two]\ndos = 2\n";
 	GError *error = NULL;
 	gchar *output;
 	gboolean ret;
@@ -140,7 +140,7 @@
 test_add_domain_only (Test *test,
                      gconstpointer unused)
 {
-	const gchar *check = "\n[sssd]\ndomains = two\nconfig_file_version = 2\nservices = nss, pam\n\n[domain/two]\ndos = 2\n";
+	const gchar *check = "\n[sssd]\ndomains = two\nconfig_file_version = 2\n\n[domain/two]\ndos = 2\n";
 	GError *error = NULL;
 	gchar *output;
 	gboolean ret;

I sent this to the realmd mailing list here:
https://lists.fedorahosted.org/archives/list/sssd-us...@lists.fedorahosted.org/thread/JC3N3DBSMHZSA66IPLGAMBSXLCTYXWJR/

But I didn't get the discussion I was hoping for, only getting responses against the socket activation mechanism. I'm submitting it here for your consideration for the debian realmd package, or maybe to at least restart the upstream discussion about the best way to do this configuration.

Thanks!
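Review bot: Removing the realm_ini_config_set_list_diff (config, "sssd", "services", ", ", services, NULL) call in the second realm-sssd-config.c hunk drops the services line unconditionally, yet the report itself scopes socket activation to Debian and Ubuntu and notes upstream pushback on the mechanism; on a system where the sssd responders are not socket-activated, an sssd.conf written without nss and pam in services leaves no responder running after an apparently successful join. Suggest keeping the call and skipping a responder only when its socket unit is present (the report lists them under /lib/systemd/system/sssd-<name>.socket), or carrying this as a Debian/Ubuntu packaging patch until upstream settles the question. Note also that the change only stops adding the line: a services line already present from an earlier join is left as is, so previously joined hosts keep hitting the sssd_check_socket_activated_responders exit 17 until sssd.conf is edited by hand, and the updated test strings in test-sssd-config.c do not cover that pre-existing-line case. Finally, the DEP-3 header says "Forwarded: not" while the message links the upstream thread; DEP-3 expects that thread URL in the Forwarded field.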
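As an added example (not from the bug report, realmd or sssd), the POSIX shell below reproduces the check that sssd_check_socket_activated_responders performs, so an admin can audit an sssd.conf for responders listed in services that are also socket-activated; the sample configuration and the list of enabled socket units are constructed, and systemctl is only consulted when no list is passed.

```shell
# Added example (not from the bug report, realmd or sssd): audit an sssd.conf
# for responders both listed in the [sssd] "services" line and enabled as
# systemd sockets, the condition sssd_check_socket_activated_responders warns about.

# Print the responders in the [sssd] "services" line, space separated.
# $1: path to sssd.conf (only the [sssd] section is consulted).
sssd_services() {
    awk -F= '
        /^[ \t]*\[/ { insssd = ($0 ~ /^[ \t]*\[sssd\][ \t]*$/); next }
        insssd && $1 ~ /^[ \t]*services[ \t]*$/ {
            v = $2
            sub(/^[ \t]*/, "", v); sub(/[ \t]*$/, "", v)
            gsub(/[ \t]*,[ \t]*/, " ", v)
            print v; exit
        }' "$1"
}

# Print each responder from "services" whose sssd-<name>.socket is enabled.
# $1: path to sssd.conf
# $2: optional space-separated list of enabled socket units; when omitted it
#     is read from systemctl on the running host.
socket_conflicts() {
    enabled=$2
    [ -n "$enabled" ] || enabled=$(systemctl list-unit-files --type=socket \
        --state=enabled --no-legend 2>/dev/null | awk '{print $1}' | tr '\n' ' ')
    for svc in $(sssd_services "$1"); do
        case " $enabled " in
            *" sssd-$svc.socket "*) echo "$svc" ;;
        esac
    done
}

# Constructed sample mirroring what realmd writes after a join.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
[sssd]
config_file_version = 2
services = nss, pam

[domain/internal.example.fake]
id_provider = ad
EOF

# Constructed list standing in for the socket units Debian/Ubuntu enable.
ENABLED_SOCKETS="sssd-nss.socket sssd-pam.socket sssd-pam-priv.socket sssd-sudo.socket"
for r in $(socket_conflicts "$SAMPLE_CONF" "$ENABLED_SOCKETS"); do
    echo "conflict: '$r' is in services but sssd-$r.socket is socket-activated"
done
```

Run it without the second argument on a joined Debian or Ubuntu host to see which responders systemd will refuse to socket-activate with the current /etc/sssd/sssd.conf.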