Bug 988207

Summary: sssd does not detail which line in configuration is invalid
Product: Red Hat Enterprise Linux 7
Reporter: Stef Walter <stefw>
Component: sssd
Assignee: SSSD Maintainers <sssd-maint>
Status: CLOSED ERRATA
QA Contact: Namita Soman <nsoman>
Severity: medium
Docs Contact: Marc Muehlfeld <mmuehlfe>
Priority: high
Version: 7.0
CC: dpal, ebenes, grajaiya, jhrozek, Kevin.Fox, mkosek, mupadhye, mzidek, pbrezina, sgoveas
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: sssd-1.14.0-0.2.beta1.el7
Doc Type: Enhancement
Doc Text:
SSSD configuration file validation Previously, the System Security Services Daemon (SSSD) did not provide a tool to manually check the `/etc/sssd/sssd.conf` file. As a consequence, the administrator had to find the problem in the configuration file if the service failed to start. This update provides the "config-check" option of the "sssctl" command to locate problems in the configuration file. Additionally, SSSD automatically checks the validity of the configuration file after the service starts, and shows level 0 debug messages for incorrect settings.
Story Points: ---
Clone Of:
: 1351252
Environment:
Last Closed: 2016-11-04 07:09:27 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1290382
Bug Blocks: 987491, 1292074, 1296125, 1313485, 1351252

Description Stef Walter 2013-07-25 06:07:50 UTC
If I create an sssd.conf with the following contents, then on startup sssd just complains about "Invalid Argument" rather than saying what config line is wrong in the logs (such as systemctl status output).

Comment 1 Stef Walter 2013-07-25 06:08:20 UTC
Yes, there's a missing 'services' line. But the log output should say that:

sssd.conf -------------------------------------------

[sssd]
domains = security.baseos.qe
config_file_version = 2

[nss]
default_shell = /bin/bash

[domain/security.baseos.qe]
ad_domain = security.baseos.qe
krb5_realm = SECURITY.BASEOS.QE
realmd_tags = 
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
simple_allow_users = $
access_provider = simple

Comment 2 Stef Walter 2013-07-25 06:09:11 UTC
With the default log level, sssd simply says "SSSD couldn't load the configuration database [22]: Invalid argument." which isn't very helpful.

# systemctl status sssd.service
sssd.service - System Security Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled)
   Active: failed (Result: exit-code) since Thu 2013-07-25 01:37:49 EDT; 12s ago
  Process: 20769 ExecStart=/usr/sbin/sssd -D -f (code=exited, status=4)

Jul 25 01:37:49 x86-64-v06.ipa.baseos.qe sssd[20769]: SSSD couldn't load the configuration database [22]: Invalid argument.
Jul 25 01:37:49 x86-64-v06.ipa.baseos.qe systemd[1]: sssd.service: control process exited, code=exited status=4
Jul 25 01:37:49 x86-64-v06.ipa.baseos.qe systemd[1]: Failed to start System Security Services Daemon.
Jul 25 01:37:49 x86-64-v06.ipa.baseos.qe systemd[1]: Unit sssd.service entered failed state.

Comment 4 Pavel Březina 2013-07-25 07:13:08 UTC
I agree, we should change this.

Comment 5 Pavel Březina 2013-07-25 07:54:08 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2028

Comment 6 Jakub Hrozek 2013-07-25 07:58:53 UTC
For issues like this, where we don't start at all, please add both a DEBUG statement and sss_log statement. We should let the admin know failures to start just by looking at syslog.

Comment 8 Jakub Hrozek 2016-06-27 20:32:16 UTC
master:
    8b2a31634764168183506925a4b9f461afdba6f3
    c42ca36247022490ad65a33c453cb5e43900dbe9

Comment 13 Michal Zidek 2016-07-19 09:37:14 UTC
Doc text looks good to me.

Michal

Comment 14 Madhuri 2016-09-06 09:48:32 UTC
Tested with sssd-1.14.0-27.el7.x86_64

Steps followed during verification:
1) Install the sssd-tools package.
2) Create the sssd.conf.
3) Run sssctl config-check.

config-check detects typos in option names (not values), typos in section names and misplaced options.
Additionally, config-check also reports when something unexpected happens during configuration merging, but it does not check which option is missing.

-------------------------------------------------------------
sssd.conf without any typos in option name and section name
-------------------------------------------------------------
#cat /etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = LDAP

[domain/LDAP]
ldap_search_base = dc=example,dc=com
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://server.example.com
ldap_tls_cacert = /etc/openldap/certs/cacert.asc
debug_level = 10

[root@server ~]# sssctl config-check
Issues identified by validators: 0

Messages generated during configuration merging: 0

Used configuration snippet files: 0

-------------------------------------------------
sssd.conf with typos in option name
-------------------------------------------------
#cat /etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = LDAP

[domain/LDAP]
search_base = dc=example,dc=com
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://server.example.com
ldap_tls_cacert = /etc/openldap/certs/cacert.asc
debug_level = 10

[root@server ~]# sssctl config-check
Issues identified by validators: 1
[rule/allowed_domain_options]: Attribute 'search_base' is not allowed in section 'domain/LDAP'. Check for typos.

Messages generated during configuration merging: 0

Used configuration snippet files: 0

------------------------------------------------
sssd.conf with typos in section name
------------------------------------------------
#cat /etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = LDAP

[domain/LAP]
search_base = dc=example,dc=com
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://server.example.com
ldap_tls_cacert = /etc/openldap/certs/cacert.asc
debug_level = 10

[root@server ~]# sssctl config-check
(Fri Sep  2 11:40:43:603218 2016) [sssd] [confdb_get_domain_internal] (0x0010): Unknown domain [LDAP]
(Fri Sep  2 11:40:43:603339 2016) [sssd] [confdb_get_domains] (0x0010): Error (2 [No such file or directory]) retrieving domain [LDAP], skipping!
(Fri Sep  2 11:40:43:603361 2016) [sssd] [confdb_get_domains] (0x0010): No properly configured domains, fatal error!
------------------------------------------------
sssd.conf with misplaced option
------------------------------------------------
#cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
domains = LDAP

[domain/LDAP]
services = nss, pam
search_base = dc=example,dc=com
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://server.example.com
ldap_tls_cacert = /etc/openldap/certs/cacert.asc
debug_level = 10

[root@server sssd]# sssctl config-check
Issues identified by validators: 1
[rule/allowed_domain_options]: Attribute 'services' is not allowed in section 'domain/LDAP'. Check for typos.

Messages generated during configuration merging: 0

Used configuration snippet files: 0
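
Added here as an illustration, not sssd's own code: a small Python validator that mimics the three kinds of check the verification comment above describes (an option that is not allowed in its section, a domain named in `domains` with no matching `[domain/...]` section, and the missing `services` line from the original report). The allow-lists and message wording are assumptions, deliberately shorter than the real sssctl rules.

```python
import configparser

# Assumption: illustrative allow-lists, not the rules sssctl itself ships.
ALLOWED = {
    "sssd": {"services", "config_file_version", "domains", "debug_level"},
    "nss": {"default_shell", "debug_level"},
    "domain": {"id_provider", "auth_provider", "access_provider", "ldap_uri",
               "ldap_search_base", "ldap_tls_cacert", "debug_level",
               "cache_credentials", "ad_domain", "krb5_realm"},
}

def check_sssd_conf(text):
    """Return a list of human-readable issues found in an sssd.conf body."""
    cp = configparser.ConfigParser(interpolation=None)  # keep '%d' in values literal
    cp.optionxform = str  # sssd option names are case-sensitive
    cp.read_string(text)
    issues = []
    for section in cp.sections():
        kind = "domain" if section.startswith("domain/") else section
        allowed = ALLOWED.get(kind)
        if allowed is None:
            issues.append(f"Section '[{section}]' is not recognised. Check for typos.")
            continue
        for opt in cp.options(section):
            if opt not in allowed:
                issues.append(f"Attribute '{opt}' is not allowed in section "
                              f"'{section}'. Check for typos.")
    if "sssd" not in cp:
        return issues + ["Missing required section '[sssd]'."]
    if not cp.get("sssd", "services", fallback="").strip():
        issues.append("Missing 'services' in section '[sssd]'.")
    for dom in cp.get("sssd", "domains", fallback="").split(","):
        dom = dom.strip()
        if dom and f"domain/{dom}" not in cp:
            issues.append(f"Unknown domain [{dom}]: no '[domain/{dom}]' section found.")
    return issues

# Constructed sample: the 'typo in section name' case plus a misspelled option.
SAMPLE = """[sssd]
services = nss, pam
config_file_version = 2
domains = LDAP
[domain/LAP]
search_base = dc=example,dc=com
id_provider = ldap
"""

if __name__ == "__main__":
    for issue in check_sssd_conf(SAMPLE):
        print(issue)
```

Unlike the sssctl output shown above for the `[domain/LAP]` case, this check names the missing `[domain/LDAP]` section directly instead of relying on debug messages from the domain loader.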

Comment 16 errata-xmlrpc 2016-11-04 07:09:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2476.html