Bug 1897205
| Summary: | SSSD fails to start when run as non-root user | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Amith <apeetham> |
| Component: | sssd | Assignee: | sssd-maintainers <sssd-maintainers> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | urgent | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 33 | CC: | abokovoy, atikhono, jhrozek, lslebodn, mzidek, pbrezina, rharwood, sbose, ssorce, sssd-maintainers |
| Target Milestone: | --- | Keywords: | Triaged |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-01-20 08:20:23 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Hi,

1) I would expect a 0x0040 level message from `sss_user_by_name_or_uid()` in the log.

Does sssd.conf correspond to the log provided? (I don't see `debug_microseconds` enabled in sssd.conf, but microseconds are in the log.)

2) Could you please provide the output of `id sssd` on this system?

(In reply to Alexey Tikhonov from comment #1)
> Hi,
>
> 1) I would expect a 0x0040 level message from `sss_user_by_name_or_uid()` in the log.

With debug_level = 0x0040 set in the SSSD section, I could get only the following data from the sssd.log file:

```
# cat sssd.log
(2020-11-19 6:37:18:819963): [sssd] [get_service_user] (0x0010): Failed to set allowed UIDs.
(2020-11-19 6:37:18:820023): [sssd] [get_monitor_config] (0x0020): Failed to get the unprivileged user
(2020-11-19 6:37:18:820062): [sssd] [main] (0x0020): SSSD couldn't load the configuration database.
(2020-11-19 6:37:18:996977): [sssd] [get_service_user] (0x0010): Failed to set allowed UIDs.
(2020-11-19 6:37:18:997013): [sssd] [get_monitor_config] (0x0020): Failed to get the unprivileged user
(2020-11-19 6:37:18:997051): [sssd] [main] (0x0020): SSSD couldn't load the configuration database.
(2020-11-19 6:37:19:232383): [sssd] [get_service_user] (0x0010): Failed to set allowed UIDs.
(2020-11-19 6:37:19:232440): [sssd] [get_monitor_config] (0x0020): Failed to get the unprivileged user
(2020-11-19 6:37:19:232487): [sssd] [main] (0x0020): SSSD couldn't load the configuration database.
(2020-11-19 6:37:19:491074): [sssd] [get_service_user] (0x0010): Failed to set allowed UIDs.
(2020-11-19 6:37:19:491112): [sssd] [get_monitor_config] (0x0020): Failed to get the unprivileged user
(2020-11-19 6:37:19:491147): [sssd] [main] (0x0020): SSSD couldn't load the configuration database.
(2020-11-19 6:37:19:743258): [sssd] [get_service_user] (0x0010): Failed to set allowed UIDs.
(2020-11-19 6:37:19:743302): [sssd] [get_monitor_config] (0x0020): Failed to get the unprivileged user
(2020-11-19 6:37:19:743351): [sssd] [main] (0x0020): SSSD couldn't load the configuration database.
```

Here are the sssd.conf settings:

```
# cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam, ifp
debug_level = 0x0040
user = sssd

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[ifp]
allowed_uids = root
user_attributes = +mail, +givenname, +sn
debug_level = 0x0040
```

> Does sssd.conf correspond to the log provided? (I don't see `debug_microseconds` enabled in sssd.conf, but microseconds are in the log.)
>
> 2) Could you please provide the output of `id sssd` on this system?

In the case of RHEL-8.4.0, the "sssd" user gets created automatically. Here is the sssd rpm version and id command output:

```
# rpm -q sssd
sssd-2.3.0-9.el8.x86_64
# id sssd
uid=996(sssd) gid=993(sssd) groups=993(sssd)
```

In the case of Fedora-33, the "sssd" user is not created at all.

```
# rpm -q sssd
sssd-2.4.0-2.fc33.x86_64
# id sssd
id: ‘sssd’: no such user
```

(In reply to Amith from comment #2)
> > 2) Could you please provide the output of `id sssd` on this system?
>
> In the case of RHEL-8.4.0, the "sssd" user gets created automatically.

On RHEL the corresponding user and group are created during package installation via the `%pre` section in the spec file.

> In the case of Fedora-33, the "sssd" user is not created at all.

The spec file in Fedora is different and doesn't create that user/group.

So please either create the user/group manually and close this BZ as "notabug", or convert this BZ to an RFE (but I'm not sure if it makes much sense).

Closing this bug based on comment #2.
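
The failure diagnosed in this thread (`user = sssd` set in sssd.conf while `id sssd` reports no such user) can be caught before a restart. The following is an added example, not part of the original bug report or of SSSD itself; the function names, the constructed sample configs and the placeholder account `no_such_sssd_user` are assumptions, as is treating an unset `user` option as root.

```shell
#!/bin/sh
# Added example: pre-flight check for the "user =" option in sssd.conf.

# Print the value of "user" from the [sssd] section only.
# Assumption: when the option is unset, SSSD keeps running as root.
sssd_service_user() {
    awk '
        /^[ \t]*\[/ { in_sssd = ($0 ~ /^[ \t]*\[sssd\][ \t]*$/); next }
        in_sssd && /^[ \t]*user[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); u = $0
        }
        END { print (u == "" ? "root" : u) }
    ' "$1"
}

# Return 0 if the configured service user resolves, 1 otherwise.
check_sssd_user() {
    svc_user=$(sssd_service_user "$1")
    if id -u "$svc_user" >/dev/null 2>&1; then
        echo "ok: service user '$svc_user' exists"
        return 0
    fi
    echo "FAIL: [sssd] user = $svc_user, but 'id $svc_user' finds no such user;" \
         "create the user/group before restarting sssd"
    return 1
}

# Constructed sample configs (hypothetical, not taken from a real host).
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
printf '[sssd]\nservices = nss, pam, ifp\nuser = no_such_sssd_user\n\n[ifp]\nallowed_uids = root\n' \
    > "$tmpdir/missing.conf"
printf '[sssd]\nservices = nss, pam\n\n[nss]\nuser = ignored\n' \
    > "$tmpdir/default.conf"

check_sssd_user "$tmpdir/missing.conf" || true   # reproduces the Fedora 33 case
check_sssd_user "$tmpdir/default.conf" || true   # no user= in [sssd]: root
```

On a real host, point `check_sssd_user` at `/etc/sssd/sssd.conf` (readable by root only) before running `systemctl restart sssd`.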

Description of problem:
SSSD service fails to restart when "user = sssd" is set in SSSD.CONF. We don't see this behaviour in downstream RHEL-8.3 / RHEL-8.4 systems.

Version-Release number of selected component (if applicable):
sssd-2.4.0-2.fc33.x86_64
libsss_simpleifp-2.4.0-2.fc33.x86_64

How reproducible:
Always

Steps to Reproduce:

1. Configure sssd.conf as follows:

```
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam, ifp
debug_level = 0xFFF0
user = sssd

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[ifp]
allowed_uids = root
user_attributes = +mail, +givenname, +sn
debug_level = 0xFFF0
```

2. Restart the SSSD service; it fails with an error.

```
# systemctl restart sssd; systemctl status sssd
Job for sssd.service failed because the control process exited with error code.
See "systemctl status sssd.service" and "journalctl -xe" for details.
● sssd.service - System Security Services Daemon
     Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: enabled)
     Active: activating (auto-restart) (Result: exit-code) since Thu 2020-11-12 20:27:20 IST; 10ms ago
    Process: 6678 ExecStart=/usr/sbin/sssd -i ${DEBUG_LOGGER} (code=exited, status=4)
   Main PID: 6678 (code=exited, status=4)
        CPU: 15ms

Nov 12 20:27:20 mojito.redhat.com systemd[1]: Failed to start System Security Services Daemon.
```

3. Below are the sssd.log contents, logged right after the service restart:

```
(2020-11-12 20:27:20): [sssd] [monitor_quit_signal] (0x2000): Received shutdown command
(2020-11-12 20:27:20): [sssd] [monitor_quit_signal] (0x0040): Monitor received Terminated: terminating children
(2020-11-12 20:27:20): [sssd] [monitor_quit] (0x0040): Returned with: 0
(2020-11-12 20:27:20): [sssd] [monitor_quit] (0x0020): Terminating [ifp][6526]
(2020-11-12 20:27:20): [sssd] [monitor_quit] (0x0020): Child [ifp] exited gracefully
(2020-11-12 20:27:20): [sssd] [monitor_quit] (0x0020): Terminating [pam][6525]
(2020-11-12 20:27:20): [sssd] [monitor_quit] (0x0020): Child [pam] terminated with a signal
(2020-11-12 20:27:20): [sssd] [monitor_quit] (0x0020): Terminating [nss][6524]
(2020-11-12 20:27:20): [sssd] [monitor_quit] (0x0020): Child [nss] exited gracefully
(2020-11-12 20:27:20): [sssd] [monitor_quit] (0x0020): Terminating [implicit_files][6523]
(2020-11-12 20:27:20): [sssd] [monitor_quit] (0x0020): Child [implicit_files] exited gracefully
(2020-11-12 20:27:20): [sssd] [watch_ctx_destructor] (0x2000): Closing inotify fd 0
(2020-11-12 20:27:20:592247): [sssd] [get_service_user] (0x0010): Failed to set allowed UIDs.
(2020-11-12 20:27:20:592289): [sssd] [get_monitor_config] (0x0020): Failed to get the unprivileged user
(2020-11-12 20:27:20:592325): [sssd] [main] (0x0020): SSSD couldn't load the configuration database.
(2020-11-12 20:27:20:860946): [sssd] [get_service_user] (0x0010): Failed to set allowed UIDs.
(2020-11-12 20:27:20:861023): [sssd] [get_monitor_config] (0x0020): Failed to get the unprivileged user
(2020-11-12 20:27:20:861077): [sssd] [main] (0x0020): SSSD couldn't load the configuration database.
(2020-11-12 20:27:21:099530): [sssd] [get_service_user] (0x0010): Failed to set allowed UIDs.
(2020-11-12 20:27:21:099570): [sssd] [get_monitor_config] (0x0020): Failed to get the unprivileged user
(2020-11-12 20:27:21:099609): [sssd] [main] (0x0020): SSSD couldn't load the configuration database.
(2020-11-12 20:27:21:354551): [sssd] [get_service_user] (0x0010): Failed to set allowed UIDs.
(2020-11-12 20:27:21:354631): [sssd] [get_monitor_config] (0x0020): Failed to get the unprivileged user
(2020-11-12 20:27:21:354678): [sssd] [main] (0x0020): SSSD couldn't load the configuration database.
(2020-11-12 20:27:21:596433): [sssd] [get_service_user] (0x0010): Failed to set allowed UIDs.
(2020-11-12 20:27:21:596565): [sssd] [get_monitor_config] (0x0020): Failed to get the unprivileged user
(2020-11-12 20:27:21:596672): [sssd] [main] (0x0020): SSSD couldn't load the configuration database.
```

Actual results:
SSSD fails to restart.

Expected results:
Like rhel-8.4, the sssd service should restart without issues.

Additional info: