Ubuntu
freeipa package

[SRU] default sssd.conf after ipa-client-install crashes sssd

Bug #1879083 reported by Harry Coin
22
This bug affects 4 people
Affects Status Importance Assigned to Milestone
freeipa (Ubuntu)
Fix Released
Undecided
Unassigned

Bug Description

[Impact]

Users of FreeIPA on 20.04 currently experience broken SSSD child-service sockets resulting in systemd labeling the system as degraded.

Original bug report:

Notice
ipa-client-install
creates /etc/sssd/sssd.conf
but changes in the sssd process's socket approach calls for that file to change
/etc/sssd.conf from
...
[sssd]
services = nss, pam, ssh, sud
...
to
[sssd]
#services = nss, pam, ssh, sud
otherwise the sssd service either won't start or complains.

ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: freeipa-client 4.8.6-1ubuntu2
ProcVersionSignature: Ubuntu 5.4.0-29.33-generic 5.4.30
Uname: Linux 5.4.0-29-generic x86_64
ApportVersion: 2.20.11-0ubuntu27
Architecture: amd64
CasperMD5CheckResult: skip
CurrentDesktop: MATE
Date: Sat May 16 12:51:21 2020
InstallationDate: Installed on 2020-05-13 (2 days ago)
InstallationMedia: Ubuntu-MATE 20.04 LTS "Focal Fossa" - Release amd64 (20200423)
SourcePackage: freeipa
UpgradeStatus: No upgrade log present (probably fresh install)

[Test Plan]

Run the unpatched ipa-client-install, reboot the host, and observe numerous sssd child-service socket errors.

Once the patch is applied, run the patched ipa-client install, reboot the host, and ensure there are no sssd-related service failures.

[Where problems could occur]
The potential problems here are low given that this patch has now been applied for about 17 months. The affected services are currently crashing today so no one is depending on the (broken) present behavior.

[Other Info]

This bug was fixed in groovy at this patch: https://git.launchpad.net/ubuntu/+source/freeipa/commit/?h=applied/ubuntu/groovy&id=2711b62a915961c8f76903846953828c2e6c7bb1

See original description
Revision history for this message
Harry Coin (hcoin) wrote :
Revision history for this message
Timo Aaltonen (tjaalton) wrote :

complains how?

Changed in freeipa (Ubuntu):
status: New → Incomplete
Revision history for this message
Harry Coin (hcoin) wrote :
Download full text (10.9 KiB)

With the line not commented, upon each and every startup in all cases one sees this:

May 19 11:37:25 email1 systemd[1]: Starting SSSD NSS Service responder socket.
May 19 11:37:25 email1 sssd_check_socket_activated_responders[72216]: (Tue May 19 11:37:12:251510 2020) [sssd] [main] (0x0010): Misconfiguration found for the nss responder.
May 19 11:37:25 email1 sssd_check_socket_activated_responders[72216]: The nss responder has been configured to be socket-activated but it's still mentioned in the services' line in /etc/sssd/sssd.conf.
May 19 11:37:25 email1 sssd_check_socket_activated_responders[72216]: Please, consider either adjusting your services' line in /etc/sssd/sssd.conf or disabling the nss's socket by calling:
May 19 11:37:25 email1 sssd[pac]: Starting up
May 19 11:37:25 email1 systemd[1]: Starting SSSD PAM Service responder private socket.
May 19 11:37:25 email1 sssd_check_socket_activated_responders[72216]: "systemctl disable sssd-nss.socket"
May 19 11:37:25 email1 sssd_check_socket_activated_responders[72218]: (Tue May 19 11:37:12:022884 2020) [sssd] [main] (0x0010): Misconfiguration found for the pam responder.
May 19 11:37:25 email1 sssd_check_socket_activated_responders[72218]: The pam responder has been configured to be socket-activated but it's still mentioned in the services' line in /etc/sssd/sssd.conf.
May 19 11:37:25 email1 sssd_check_socket_activated_responders[72218]: Please, consider either adjusting your services' line in /etc/sssd/sssd.conf or disabling the pam's socket by calling:
May 19 11:37:25 email1 sssd[ssh]: Starting up
May 19 11:37:25 email1 systemd[1]: sssd-pam-priv.socket: Control process exited, code=exited, status=17/n/a
May 19 11:37:25 email1 sssd_check_socket_activated_responders[72218]: "systemctl disable sssd-pam.socket"
May 19 11:37:25 email1 sssd[pam]: Starting up
May 19 11:37:25 email1 systemd[1]: sssd-pam-priv.socket: Failed with result 'exit-code'.
May 19 11:37:25 email1 sssd[sudo]: Starting up
May 19 11:37:25 email1 systemd[1]: Failed to listen on SSSD PAM Service responder private socket.
May 19 11:37:25 email1 sssd_check_socket_activated_responders[72224]: (Tue May 19 11:37:13:424695 2020) [sssd] [main] (0x0010): Misconfiguration found for the sudo responder.
May 19 11:37:25 email1 sssd_check_socket_activated_responders[72224]: The sudo responder has been configured to be socket-activated but it's still mentioned in the services' line in /etc/sssd/sssd.conf.
May 19 11:37:25 email1 sssd_check_socket_activated_responders[72224]: Please, consider either adjusting your services' line in /etc/sssd/sssd.conf or disabling the sudo's socket by calling:
May 19 11:37:25 email1 systemd[1]: Dependency failed for SSSD PAM Service responder socket.
May 19 11:37:25 email1 sssd_check_socket_activated_responders[72224]: "systemctl disable sssd-sudo.socket"
May 19 11:37:25 email1 systemd[1]: sssd-pam.socket: Job sssd-pam.socket/start failed with result 'dependency'.
May 19 11:37:25 email1 sssd_check_socket_activated_responders[72221]: (Tue May 19 11:37:13:671260 2020) [sssd] [main] (0x0010): Misconfiguration found for the ssh responder.
May 19 11:37:25 email1 sssd_check_socket_activated_responders[72221]: The ...

Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for freeipa (Ubuntu) because there has been no activity for 60 days.]

Changed in freeipa (Ubuntu):
status: Incomplete → Expired
Revision history for this message
Nick DeMarco (ndemarco) wrote :

Installing FreeIPA's client tool (ipa-client-install) on 20.04 gives the same result as the reporter submitted.

Commenting out the SSSD line in /etc/sssd/sssd.conf resolves the issue - which slows startup.

Revision history for this message
Timo Aaltonen (tjaalton) wrote :

yes, the ipa sssd.conf template needs to be changed to not include this line

how does it make the startup slower?

Changed in freeipa (Ubuntu):
status: Expired → Confirmed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package freeipa - 4.8.6-1ubuntu3

---------------
freeipa (4.8.6-1ubuntu3) groovy; urgency=medium

  * fix-chrony-service-name.diff: Map to correct chrony service name.
    (LP: #1890786)
  * fix-sssd-socket-activation.diff: Don't add a 'services =' line on
    sssd.conf. (LP: #1879083)

 -- Timo Aaltonen <email address hidden> Fri, 16 Oct 2020 10:34:47 +0300

Changed in freeipa (Ubuntu):
status: Confirmed → Fix Released
Revision history for this message
David Baucum (maxolasersquad) wrote :

Any chance of getting this fixed released for Ubuntu 12.04? It is still on package 4.8.6-1ubuntu2.

Brian Turek (brian-turek)
summary: - default sssd.conf after ipa-client-install crashes sssd
+ [SRU] default sssd.conf after ipa-client-install crashes sssd
Revision history for this message
Brian Turek (brian-turek) wrote :

This is still affecting Ubuntu 20.04(.4), would it be possible to get this patch backported to Focal as a SRU?

description: updated
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.