[Pkg-utopia-maintainers] Bug#1003620: realmd: don't explicitly enable services

Andreas Hasenack andreas at canonical.com
Wed Jan 12 18:27:05 GMT 2022


Package: realmd
Version: 0.17.0-1
Severity: normal

Dear Maintainer,

in Debian and Ubuntu, sssd uses socket activation to start other
daemons as needed.

When realmd is used to join an Active Directory domain, by default
sssd is used. realmd will configure sssd with the following:
[sssd]
services = nss, pam

This services line tells sssd to also start the services for nss and
pam, but these are socket activated:
/lib/systemd/system/sssd-nss.socket
/lib/systemd/system/sssd-pam-priv.socket
/lib/systemd/system/sssd-pam.socket

When realmd finishes the join, and restarts sssd, we get these
warnings in the logs.
For NSS:
Jan 12 18:08:19 sid-realmd
sssd_check_socket_activated_responders[2445]: [sssd] [main] (0x0070):
Misconfiguration found for the nss responder.
Jan 12 18:08:19 sid-realmd
sssd_check_socket_activated_responders[2445]: The nss responder has
been configured to be socket-activated but it's still mentioned in the
services' line in /etc/sssd/sssd.conf.
Jan 12 18:08:19 sid-realmd
sssd_check_socket_activated_responders[2445]: Please, consider either
adjusting your services' line in /etc/sssd/sssd.conf or disabling the
nss's socket by calling:
Jan 12 18:08:19 sid-realmd
sssd_check_socket_activated_responders[2445]: "systemctl disable
sssd-nss.socket"
Jan 12 18:08:19 sid-realmd systemd[1]: sssd-nss.socket: Control
process exited, code=exited, status=17/n/a
Jan 12 18:08:19 sid-realmd systemd[1]: sssd-nss.socket: Failed with
result 'exit-code'.
Jan 12 18:08:19 sid-realmd systemd[1]: Failed to listen on SSSD NSS
Service responder socket.

For PAM:
Jan 12 18:08:19 sid-realmd systemd[1]: Starting SSSD PAM Service
responder socket...
Jan 12 18:08:19 sid-realmd
sssd_check_socket_activated_responders[2446]: [sssd] [main] (0x0070):
Misconfiguration found for the pam responder.
Jan 12 18:08:19 sid-realmd
sssd_check_socket_activated_responders[2446]: The pam responder has
been configured to be socket-activated but it's still mentioned in the
services' line in /etc/sssd/sssd.conf.
Jan 12 18:08:19 sid-realmd
sssd_check_socket_activated_responders[2446]: Please, consider either
adjusting your services' line in /etc/sssd/sssd.conf or disabling the
pam's socket by calling:
Jan 12 18:08:19 sid-realmd
sssd_check_socket_activated_responders[2446]: "systemctl disable
sssd-pam.socket"
Jan 12 18:08:19 sid-realmd systemd[1]: Starting SSSD SSH Service
responder socket...
Jan 12 18:08:19 sid-realmd systemd[1]: Starting SSSD Sudo Service
responder socket...
Jan 12 18:08:19 sid-realmd systemd[1]: sssd-pam-priv.socket: Control
process exited, code=exited, status=17/n/a
Jan 12 18:08:19 sid-realmd systemd[1]: sssd-pam-priv.socket: Failed
with result 'exit-code'.
Jan 12 18:08:19 sid-realmd systemd[1]: Failed to listen on SSSD PAM
Service responder private socket.
Jan 12 18:08:19 sid-realmd systemd[1]: Dependency failed for SSSD PAM
Service responder socket.
Jan 12 18:08:19 sid-realmd systemd[1]: sssd-pam.socket: Job
sssd-pam.socket/start failed with result 'dependency'.
Jan 12 18:08:19 sid-realmd
sssd_check_socket_activated_responders[2449]: [sssd] [main] (0x0070):
Misconfiguration found for the pam responder.
Jan 12 18:08:19 sid-realmd
sssd_check_socket_activated_responders[2449]: The pam responder has
been configured to be socket-activated but it's still mentioned in the
services' line in /etc/sssd/sssd.conf.
Jan 12 18:08:19 sid-realmd
sssd_check_socket_activated_responders[2449]: Please, consider either
adjusting your services' line in /etc/sssd/sssd.conf or disabling the
pam's socket by calling:
Jan 12 18:08:19 sid-realmd systemd[1]: sssd-pam.socket: Killing
process 2449 (sssd_check_sock) with signal SIGKILL.
Jan 12 18:08:19 sid-realmd
sssd_check_socket_activated_responders[2449]: "systemctl disable
sssd-pam.socket"
Jan 12 18:08:19 sid-realmd systemd[1]: sssd-pam.socket: Control
process exited, code=exited, status=17/n/a
Jan 12 18:08:19 sid-realmd systemd[1]: sssd-pam.socket: Failed with
result 'exit-code'.
Jan 12 18:08:19 sid-realmd systemd[1]: Closed SSSD PAM Service responder socket.

These are not fatal, and the join process succeeds:
root at sid-realmd:~# kinit Administrator
Password for Administrator at INTERNAL.EXAMPLE.FAKE:

root at sid-realmd:~# realm join -v internal.example.fake
 * Resolving: _ldap._tcp.internal.example.fake
 * Performing LDAP DSE lookup on: 10.0.16.5
 * Successfully discovered: internal.example.fake
 (...)
 * Checking host/SID-REALMD
 *    Added host/SID-REALMD
 * Discovered which keytab salt to use
 * Added the entries to the keytab: SID-REALMD$@INTERNAL.EXAMPLE.FAKE:
FILE:/etc/krb5.keytab
 * Added the entries to the keytab:
host/SID-REALMD at INTERNAL.EXAMPLE.FAKE: FILE:/etc/krb5.keytab
 * Added the entries to the keytab:
RestrictedKrbHost/SID-REALMD at INTERNAL.EXAMPLE.FAKE:
FILE:/etc/krb5.keytab
 ! Failed to update Kerberos configuration, not fatal, please check
manually: Setting attribute standard::type not supported
 * /usr/sbin/update-rc.d sssd enable
 * /usr/sbin/service sssd restart
 * Successfully enrolled machine in realm

But they are unnecessary noise in the logs, and can confuse sysadmins on an
already difficult topic (AD authentication and authorization).

In Ubuntu, I created this patch which will not add the "services =
nss, pam" line to sssd.conf:

Description: Don't add the services line to sssd.conf
 In Ubuntu and Debian, the sssd services (like nss, pam, pac, etc) are socket
 activated and should not be listed in the services line, as they will be
 started on demand by systemd.
Author: Andreas Hasenack <andreas at canonical.com>
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1880157
Forwarded: not
Last-Update: 2020-09-03
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
--- a/service/realm-sssd-config.c
+++ b/service/realm-sssd-config.c
@@ -130,7 +130,6 @@
     gchar **already;
     gboolean ret;
     gchar *section;
-    const gchar *services[] = { "nss", "pam", NULL };
     va_list va;
     gint i;

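Review bot: removing the `services[]` array here is consistent with dropping its only use later in this file, but the DEP-3 header above still says `Forwarded: not` while the report says the patch was sent to the sssd-users list; point `Forwarded:` at that thread URL so the Debian maintainers can follow the upstream discussion, and refresh `Last-Update:` when the patch is rebased onto 0.17.0-1.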
@@ -155,7 +154,6 @@
     g_strfreev (already);

     /* Setup a default sssd section */
-    realm_ini_config_set_list_diff (config, "sssd", "services", ", ",
services, NULL);
     if (!realm_ini_config_have (config, "sssd", "config_file_version"))
         realm_ini_config_set (config, "sssd", "config_file_version",
"2", NULL);

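Review bot: the removed `realm_ini_config_set_list_diff (config, "sssd", "services", ...)` call is unconditional, so this also drops the nss/pam default on hosts where the responders are not socket-activated (a non-systemd init, or an sssd build without the socket units), where sssd would then start no responders at all; consider writing the line only when the socket units the report lists (for example `/lib/systemd/system/sssd-nss.socket`) are absent, which would also make the change forwardable upstream rather than Debian-only. Separately, the mail client has wrapped the removed line so that `services, NULL);` sits on its own line without a `-` prefix; the hunk will not apply with `patch` as pasted, so attach the patch as a file or use `git format-patch`.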
--- a/tests/test-sssd-config.c
+++ b/tests/test-sssd-config.c
@@ -90,7 +90,7 @@
                  gconstpointer unused)
 {
     const gchar *data = "[domain/one]\nval=1\n[sssd]\ndomains=one";
-    const gchar *check = "[domain/one]\nval=1\n[sssd]\ndomains = one,
two\nconfig_file_version = 2\nservices = nss, pam\n\n[domain/two]\ndos
= 2\n";
+    const gchar *check = "[domain/one]\nval=1\n[sssd]\ndomains = one,
two\nconfig_file_version = 2\n\n[domain/two]\ndos = 2\n";
     GError *error = NULL;
     gchar *output;
     gboolean ret;
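Review bot: the `-`/`+` lines for `check` are wrapped across three lines by the mailer and the continuation lines carry no diff prefix, so this hunk is unapplyable in this form; the fixture change itself (dropping `services = nss, pam\n` from the expected `[sssd]` section) matches the source change, but if the services default ever becomes conditional on socket activation, this expectation will need to follow the same condition rather than assert that the line is always absent.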
@@ -140,7 +140,7 @@
 test_add_domain_only (Test *test,
                       gconstpointer unused)
 {
-    const gchar *check = "\n[sssd]\ndomains =
two\nconfig_file_version = 2\nservices = nss, pam\n\n[domain/two]\ndos
= 2\n";
+    const gchar *check = "\n[sssd]\ndomains =
two\nconfig_file_version = 2\n\n[domain/two]\ndos = 2\n";
     GError *error = NULL;
     gchar *output;
     gboolean ret;
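Review bot: same wrapping problem as the previous test hunk (the `check` string is split over two lines with no `-`/`+` prefix on the continuation), so please re-send the patch as an attachment. The updated expectation for `test_add_domain_only` is otherwise in step with the removal of the default; it would be worth adding a test that the `services` key is preserved when it is already present in the input config, since `realm_ini_config_set_list_diff` was previously merging into an existing value and that path is now exercised only by the user's own line.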


I sent this to the realmd mailing list here:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org/thread/JC3N3DBSMHZSA66IPLGAMBSXLCTYXWJR/

But I didn't get the discussion I was hoping for, only responses
against the socket activation mechanism.

I'm submitting it here for your consideration for the Debian realmd
package, or maybe at least to restart the upstream discussion about the
best way to do this configuration.

Thanks!
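The misconfiguration the log lines above complain about is easy to check for without restarting sssd: read the `services` line in the `[sssd]` section, compare it with the `sssd-<responder>.socket` units that are enabled, and trim the overlap. The script below is an added illustration, not code from this report, from realmd or from sssd's own `sssd_check_socket_activated_responders`. The sample config and the set of enabled socket units are constructed for the example; the `systemctl list-unit-files` helper is an assumption about how a real host would be queried and is not called by the offline sample.

```python
"""Check an sssd.conf 'services' line against socket-activated responders.

Added example: detects responders that are both socket-activated (an enabled
sssd-<name>.socket unit) and still listed in [sssd] services, and rewrites
the config so they are dropped from that line, as the realmd patch does for
the nss/pam default.
"""
import re
import subprocess

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
SERVICES_RE = re.compile(r"^(\s*services\s*=\s*)(.*?)\s*$")
# sssd-pam-priv.socket belongs to the pam responder, hence the optional -priv.
SOCKET_RE = re.compile(r"^sssd-([a-z0-9]+?)(?:-priv)?\.socket$")


def socket_activated_responders(enabled_units):
    """Map enabled 'sssd-<responder>[-priv].socket' unit names to responders."""
    responders = set()
    for unit in enabled_units:
        m = SOCKET_RE.match(unit.strip())
        if m:
            responders.add(m.group(1))
    return responders


def parse_services(conf_text):
    """Return the responders on the [sssd] 'services' line, in file order."""
    section = None
    for line in conf_text.splitlines():
        sm = SECTION_RE.match(line)
        if sm:
            section = sm.group(1).strip()
            continue
        if section == "sssd":
            vm = SERVICES_RE.match(line)
            if vm:
                return [s.strip() for s in vm.group(2).split(",") if s.strip()]
    return []


def find_conflicts(conf_text, enabled_units):
    """Responders that are socket-activated and also on the services line."""
    listed = set(parse_services(conf_text))
    return sorted(listed & socket_activated_responders(enabled_units))


def drop_socket_activated(conf_text, enabled_units):
    """Remove socket-activated responders from the services line.

    Every other line is preserved byte-for-byte; if nothing is left on the
    services line, the line is removed entirely.
    """
    activated = socket_activated_responders(enabled_units)
    out, section = [], None
    for line in conf_text.splitlines(keepends=True):
        sm = SECTION_RE.match(line)
        if sm:
            section = sm.group(1).strip()
            out.append(line)
            continue
        vm = SERVICES_RE.match(line) if section == "sssd" else None
        if not vm:
            out.append(line)
            continue
        keep = [s.strip() for s in vm.group(2).split(",")
                if s.strip() and s.strip() not in activated]
        if keep:  # otherwise the whole line is dropped
            nl = "\n" if line.endswith("\n") else ""
            out.append(vm.group(1) + ", ".join(keep) + nl)
    return "".join(out)


def enabled_socket_units_from_systemctl():
    """Assumed host query: enabled socket units as systemd reports them."""
    res = subprocess.run(
        ["systemctl", "list-unit-files", "--type=socket", "--state=enabled",
         "--no-legend", "--no-pager"],
        capture_output=True, text=True, check=False)
    return {ln.split()[0] for ln in res.stdout.splitlines() if ln.strip()}


# Constructed sample: the default realmd writes, plus a sudo responder.
SAMPLE_CONF = """[sssd]
domains = internal.example.fake
config_file_version = 2
services = nss, pam, sudo

[domain/internal.example.fake]
id_provider = ad
"""

# Constructed sample: enabled units on a Debian-style host; sudo's socket is
# deliberately omitted so 'sudo' stays on the services line after the rewrite.
SAMPLE_ENABLED = {"sssd-nss.socket", "sssd-pam.socket",
                  "sssd-pam-priv.socket", "sssd-ssh.socket"}

if __name__ == "__main__":
    for r in find_conflicts(SAMPLE_CONF, SAMPLE_ENABLED):
        print(f"{r}: socket-activated but still listed in [sssd] services")
    print(drop_socket_activated(SAMPLE_CONF, SAMPLE_ENABLED), end="")
```

On a real host you would feed `enabled_socket_units_from_systemctl()` and the contents of `/etc/sssd/sssd.conf` to `find_conflicts` before restarting sssd, and only rewrite the file (preserving its 0600 mode) once the reported responders have been reviewed.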
