[Pkg-freeipa-devel] Bug#1026008: freeipa-client: sssd-*.socket services should be deactivated on FreeIPA clients

Mathieu Baudier mbaudier at argeo.org
Tue Dec 13 07:24:09 GMT 2022


Package: freeipa-client
Version: 4.9.8-1+b3
Severity: normal

Dear Maintainer,

After installing freeipa-client, sssd is configured to activate certain
services in /etc/sssd/sssd.conf:

...
[sssd]
services = nss, pam, ssh, sudo
...

but the various sssd-*.socket socket-activated systemd services are
enabled by default:

# systemctl status sssd-*.socket

     Loaded: loaded (/lib/systemd/system/sssd-pam.socket; enabled; preset: enabled)
     Loaded: loaded (/lib/systemd/system/sssd-ssh.socket; enabled; preset: enabled)
     Loaded: loaded (/lib/systemd/system/sssd-pam-priv.socket; enabled; preset: enabled)
     Loaded: loaded (/lib/systemd/system/sssd-pam.socket; enabled; preset: enabled)
     Loaded: loaded (/lib/systemd/system/sssd-nss.socket; enabled; preset: enabled)

which leads to errors in the journald log when booting:

Dec 13 06:24:23 systemd[1]: Failed to listen on SSSD Sudo Service responder socket.
Dec 13 06:24:23 systemd[1]: Failed to listen on SSSD SSH Service responder socket.
Dec 13 06:24:23 systemd[1]: Failed to listen on SSSD PAM Service responder private socket.
Dec 13 06:24:23 systemd[1]: Failed to listen on SSSD NSS Service responder socket.
Dec 13 06:25:14 systemd[1]: Dependency failed for SSSD PAM Service responder socket.

each preceded by warnings (which are similar for all services):

Dec 13 06:24:23 sssd_check_socket_activated_responders[511]: The sudo responder has been configured to be socket-activated but it's still mentioned in the services' line in /etc/sssd/sssd.conf.
Dec 13 06:24:23 sssd_check_socket_activated_responders[511]: Please, consider either adjusting your services' line in /etc/sssd/sssd.conf or disabling the sudo's socket by calling:
Dec 13 06:24:23 sssd_check_socket_activated_responders[511]: "systemctl disable sssd-sudo.socket"

Our action is to systematically disable these services:

# systemctl disable sssd-nss.socket
# systemctl disable sssd-pam.socket
# systemctl disable sssd-pam-priv.socket
# systemctl disable sssd-sudo.socket
# systemctl disable sssd-ssh.socket

which removes the error messages when booting, without affecting
operations.
(Tested over many months on bullseye/stable with the freeipa-client
from backports)

Please note that on RHEL 8, these 5 socket-activated services are
disabled by default.

While this issue does not affect operations, it creates unnecessary
error notifications at each reboot, which are disturbing for system
administrators.

My suggestion would be to disable these services when the
freeipa-client package is installed.

-- System Information:
Debian Release: bookworm/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 6.0.0-5-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8),
LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages freeipa-client depends on:
ii  bind9-dnsutils [dnsutils]    1:9.18.8-1
ii  bind9-utils                  1:9.18.8-1
ii  certmonger                   0.79.16-1+b1
ii  curl                         7.86.0-2
ii  freeipa-common               4.9.8-1
ii  krb5-user                    1.20.1-1
ii  libc6                        2.36-6
ii  libcom-err2                  1.46.6~rc1-1+b1
ii  libcurl4                     7.86.0-2
ii  libini-config5               0.6.2-1
ii  libjansson4                  2.14-2
ii  libk5crypto3                 1.20.1-1
ii  libkrb5-3                    1.20.1-1
ii  libldap-2.5-0                2.5.13+dfsg-2+b1
ii  libnss-sss                   2.8.1-1
ii  libnss3-tools                2:3.85-1
ii  libpam-sss                   2.8.1-1
ii  libpopt0                     1.19+dfsg-1
ii  libsasl2-modules-gssapi-mit  2.1.28+dfsg-10
ii  libssl3                      3.0.7-1
ii  libsss-sudo                  2.8.1-1
ii  oddjob-mkhomedir             0.34.7-1+b1
ii  python3                      3.10.6-1
ii  python3-dnspython            2.2.1-2
ii  python3-gssapi               1.8.2-1
ii  python3-ipaclient            4.9.8-1
ii  python3-ldap                 3.4.3-2+b1
ii  python3-sss                  2.8.1-1
ii  sssd                         2.8.1-1

Versions of packages freeipa-client recommends:
ii  chrony  4.3-1+b1

Versions of packages freeipa-client suggests:
pn  libpam-krb5  <none>

-- no debconf information
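
The condition that sssd_check_socket_activated_responders warns about in the report above, as an added shell example that is not part of the original message or of the sssd or freeipa packaging: it lists which enabled sssd-*.socket units name a responder that is also on the "services =" line. The function names, the sample config and the mapping of sssd-pam-priv.socket to the pam responder are assumptions of this example.

```shell
#!/bin/sh
# Constructed example: find sssd-*.socket units that clash with "services =".

# Print the responders on the [sssd] section's services line, one per line.
sssd_configured_responders() {  # $1: path to sssd.conf
    awk '
        /^[ \t]*\[/ { in_sssd = ($0 ~ /^[ \t]*\[sssd\][ \t]*$/); next }
        in_sssd && /^[ \t]*services[ \t]*=/ {
            sub(/^[^=]*=/, "")
            n = split($0, parts, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", parts[i])
                if (parts[i] != "") print parts[i]
            }
        }
    ' "$1"
}

# Map a unit name to its responder. Assumption of this example:
# sssd-pam-priv.socket belongs to the pam responder.
socket_to_responder() {  # $1: unit name, e.g. sssd-ssh.socket
    name=${1#sssd-}
    name=${name%.socket}
    printf '%s\n' "${name%-priv}"
}

# Read enabled socket unit names on stdin; print those that conflict.
conflicting_sockets() {  # $1: path to sssd.conf
    responders=$(sssd_configured_responders "$1")
    while IFS= read -r unit; do
        [ -n "$unit" ] || continue
        responder=$(socket_to_responder "$unit")
        for configured in $responders; do
            if [ "$configured" = "$responder" ]; then
                printf '%s\n' "$unit"
                break
            fi
        done
    done
}

# Demo on constructed input. On a live host, pipe in the first column of
#   systemctl list-unit-files 'sssd-*.socket' --state=enabled --no-legend
conf=$(mktemp)
printf '[sssd]\nservices = nss, pam, ssh, sudo\n' > "$conf"
printf '%s\n' sssd-nss.socket sssd-pam-priv.socket sssd-pac.socket |
    conflicting_sockets "$conf"
rm -f "$conf"
```

Each unit it prints is one that the warning in the report suggests either disabling or removing from the services line.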


