[Pkg-freeipa-devel] Bug#1026008: freeipa-client: sssd-*.socket services should be deactivated on FreeIPA clients
Mathieu Baudier
mbaudier at argeo.org
Tue Dec 13 07:24:09 GMT 2022
Package: freeipa-client
Version: 4.9.8-1+b3
Severity: normal
Dear Maintainer,
After installing freeipa-client, sssd is configured to activate certain
services in /etc/sssd/sssd.conf:
...
[sssd]
services = nss, pam, ssh, sudo
...
but the various sssd-*.socket socket-activated systemd services are
enabled by default:
# systemctl status sssd-*.socket
Loaded: loaded (/lib/systemd/system/sssd-pam.socket; enabled; preset: enabled)
Loaded: loaded (/lib/systemd/system/sssd-ssh.socket; enabled; preset: enabled)
Loaded: loaded (/lib/systemd/system/sssd-pam-priv.socket; enabled; preset: enabled)
Loaded: loaded (/lib/systemd/system/sssd-pam.socket; enabled; preset: enabled)
Loaded: loaded (/lib/systemd/system/sssd-nss.socket; enabled; preset: enabled)
which leads to errors in the journald log when booting:
Dec 13 06:24:23 systemd[1]: Failed to listen on SSSD Sudo Service responder socket.
Dec 13 06:24:23 systemd[1]: Failed to listen on SSSD SSH Service responder socket.
Dec 13 06:24:23 systemd[1]: Failed to listen on SSSD PAM Service responder private socket.
Dec 13 06:24:23 systemd[1]: Failed to listen on SSSD NSS Service responder socket.
Dec 13 06:25:14 systemd[1]: Dependency failed for SSSD PAM Service responder socket.
each preceded by warnings (which are similar for all services):
Dec 13 06:24:23 sssd_check_socket_activated_responders[511]: The sudo responder has been configured to be socket-activated but it's still mentioned in the services' line in /etc/sssd/sssd.conf.
Dec 13 06:24:23 sssd_check_socket_activated_responders[511]: Please, consider either adjusting your services' line in /etc/sssd/sssd.conf or disabling the sudo's socket by calling:
Dec 13 06:24:23 sssd_check_socket_activated_responders[511]: "systemctl disable sssd-sudo.socket"
Our action is to systematically disable these services:
# systemctl disable sssd-nss.socket
# systemctl disable sssd-pam.socket
# systemctl disable sssd-pam-priv.socket
# systemctl disable sssd-sudo.socket
# systemctl disable sssd-ssh.socket
which removes the error messages when booting, without affecting
operations.
(Tested over many months on bullseye/stable with the freeipa-client
from backports)
Please note that on RHEL 8, these 5 socket-activated services are
disabled by default.
While this issue does not affect operations, it creates unnecessary
error notifications on each reboot, which are disturbing for system
administrators.
My suggestion would be to disable these services when the
freeipa-client package is installed.
-- System Information:
Debian Release: bookworm/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 6.0.0-5-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages freeipa-client depends on:
ii bind9-dnsutils [dnsutils] 1:9.18.8-1
ii bind9-utils 1:9.18.8-1
ii certmonger 0.79.16-1+b1
ii curl 7.86.0-2
ii freeipa-common 4.9.8-1
ii krb5-user 1.20.1-1
ii libc6 2.36-6
ii libcom-err2 1.46.6~rc1-1+b1
ii libcurl4 7.86.0-2
ii libini-config5 0.6.2-1
ii libjansson4 2.14-2
ii libk5crypto3 1.20.1-1
ii libkrb5-3 1.20.1-1
ii libldap-2.5-0 2.5.13+dfsg-2+b1
ii libnss-sss 2.8.1-1
ii libnss3-tools 2:3.85-1
ii libpam-sss 2.8.1-1
ii libpopt0 1.19+dfsg-1
ii libsasl2-modules-gssapi-mit 2.1.28+dfsg-10
ii libssl3 3.0.7-1
ii libsss-sudo 2.8.1-1
ii oddjob-mkhomedir 0.34.7-1+b1
ii python3 3.10.6-1
ii python3-dnspython 2.2.1-2
ii python3-gssapi 1.8.2-1
ii python3-ipaclient 4.9.8-1
ii python3-ldap 3.4.3-2+b1
ii python3-sss 2.8.1-1
ii sssd 2.8.1-1
Versions of packages freeipa-client recommends:
ii chrony 4.3-1+b1
Versions of packages freeipa-client suggests:
pn libpam-krb5 <none>
-- no debconf information
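The mismatch described in this report can be checked before a reboot. The following is an added example, not part of the original report or of the sssd or freeipa packages: it compares the services line of the [sssd] section with a list of enabled socket units and prints the sockets that conflict. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report). Function names are hypothetical.

# Print the responders on the "services =" line of the [sssd] section of $1.
sssd_configured_responders() {
    awk '
        /^[ \t]*\[/ { in_sssd = ($0 ~ /^[ \t]*\[sssd\][ \t]*$/); next }
        in_sssd && /^[ \t]*services[ \t]*=/ {
            sub(/^[^=]*=/, ""); gsub(/[ \t]/, "")
            n = split($0, r, ",")
            for (i = 1; i <= n; i++) if (r[i] != "") print r[i]
        }' "$1"
}

# Print the socket units of responder $1. The pam responder has two sockets
# (sssd-pam.socket and sssd-pam-priv.socket), as in the report's unit listing.
sssd_sockets_for() {
    case "$1" in
        pam) printf '%s\n' sssd-pam.socket sssd-pam-priv.socket ;;
        *)   printf 'sssd-%s.socket\n' "$1" ;;
    esac
}

# $1: sssd.conf path, $2: file with enabled unit names, one per line.
# Prints each enabled socket whose responder is also started by sssd itself.
sssd_conflicting_sockets() {
    for resp in $(sssd_configured_responders "$1"); do
        for unit in $(sssd_sockets_for "$resp"); do
            if grep -qxF "$unit" "$2"; then echo "$unit"; fi
        done
    done
}

# Demo on constructed input; on a real host the second file could come from:
#   systemctl list-unit-files 'sssd-*.socket' --state=enabled --no-legend
# (first column only).
sssd_demo() {
    tmp=$(mktemp -d)
    printf '[sssd]\nservices = nss, pam, ssh, sudo\n' > "$tmp/sssd.conf"
    printf '%s\n' sssd-nss.socket sssd-pam.socket sssd-pam-priv.socket \
        sssd-ssh.socket sssd-sudo.socket sssd-autofs.socket > "$tmp/enabled"
    sssd_conflicting_sockets "$tmp/sssd.conf" "$tmp/enabled"
    rm -rf "$tmp"
}
sssd_demo
```

Each unit printed is a candidate for "systemctl disable", as the report does; sssd-autofs.socket is not printed in the demo because autofs is not on the constructed services line.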