[Pkg-sssd-devel] Bug#886483: Bug#886483: sssd gets confused by existing config file

Timo Aaltonen tjaalton at debian.org
Mon Jan 8 08:50:55 UTC 2018 

Severity: grave
thanks

On 06.01.2018 17:07, Juha Jäykkä wrote:
> Package: sssd
> Version: 1.16.0-3
> Severity: minor
> 
> Dear Maintainer,
> 
> There is a regression in 1.16.0-2 and -3, rendering existing sssd configurations
> unable to authenticate users. This happens if the old config file has 
> 
> services = nss, pam
> 
> in it. This used to be "the right way" of doing things but now with socket activated
> nss and pam services sssd gets confused and its pam service no longer works. Removing
> said line fixes it (hence "Severity: minor") but this is highly confusign to the admin
> as the service seems to be up and running.
> 
> The clue is in the log:
> 
> Jan 06 14:50:47 rigel sssd_check_socket_activated_responders[8175]: (Sat Jan  6 14:50:47:876645 2018) [sssd] [main] (0x0010): Misconfiguration found for the pam responder.
> Jan 06 14:50:47 rigel sssd_check_socket_activated_responders[8175]: The pam responder has been configured to be socket-activated but it's still mentioned in the services' line in /etc/sssd/sssd.conf.
> Jan 06 14:50:47 rigel sssd_check_socket_activated_responders[8175]: Please, consider either adjusting your services' line in /etc/sssd/sssd.conf or disabling the pam's socket by calling:
> Jan 06 14:50:47 rigel sssd_check_socket_activated_responders[8175]: "systemctl disable sssd-pam.socket"
> Jan 06 14:50:47 rigel systemd[1]: sssd-pam-priv.socket: Control process exited, code=exited status=17
> Jan 06 14:50:47 rigel systemd[1]: sssd-pam-priv.socket: Failed with result 'exit-code'.
> Jan 06 14:50:47 rigel systemd[1]: Failed to listen on SSSD PAM Service responder private socket.
> Jan 06 14:50:47 rigel systemd[1]: Dependency failed for SSSD PAM Service responder socket.
> Jan 06 14:50:47 rigel systemd[1]: sssd-pam.socket: Job sssd-pam.socket/start failed with result 'dependency'.
> Jan 06 14:50:47 rigel systemd[1]: Listening on SSSD NSS Service responder socket.
> 
> Note how the log says "please consider" instead of "this is an error, this will not work" and
> later shows a failure.
> 
> From the first "please consider" message I would presume sssd is supposed to gracefully
> recover. The service seems to start when needed and responds to some queries but always ends
> auth process with
> 
> [sssd[pam]] [pam_dp_process_reply] (0x0010): Reply error.
> 
> And this means auth failure for pam of course.
> 
> Cheers,
> Juha
> 
> P.S. This may be "works as intended" but considering it took me quite a while to figure
> out why my existing, working configuration got broken and google came up with no help at all,
> I would think at least getting this report onto google results would be helpful to some people.

Bumping severity, this can't migrate to testing..


-- 
t

More information about the Pkg-sssd-devel mailing list