Bug 988207

| Field | Value |
|---|---|
| Summary | sssd does not detail which line in configuration is invalid |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Stef Walter <stefw> |
| Component | sssd |
| Assignee | SSSD Maintainers <sssd-maint> |
| Status | CLOSED ERRATA |
| QA Contact | Namita Soman <nsoman> |
| Severity | medium |
| Docs Contact | Marc Muehlfeld <mmuehlfe> |
| Priority | high |
| Version | 7.0 |
| CC | dpal, ebenes, grajaiya, jhrozek, Kevin.Fox, mkosek, mupadhye, mzidek, pbrezina, sgoveas |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | |
| Fixed In Version | sssd-1.14.0-0.2.beta1.el7 |
| Doc Type | Enhancement |
| Story Points | --- |
| Clone Of | |
| | 1351252 |
| Environment | |
| Last Closed | 2016-11-04 07:09:27 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 1290382 |
| Bug Blocks | 987491, 1292074, 1296125, 1313485, 1351252 |

Doc Text:

SSSD configuration file validation

Previously, the System Security Services Daemon (SSSD) did not provide a tool to manually check the `/etc/sssd/sssd.conf` file. As a consequence, the administrator had to find the problem in the configuration file if the service failed to start. This update provides the "config-check" option of the "sssctl" command to locate problems in the configuration file. Additionally, SSSD automatically checks the validity of the configuration file after the service starts, and shows level 0 debug messages for incorrect settings.

Description
Stef Walter
2013-07-25 06:07:50 UTC
Yes, there's a missing 'services' line. But the log output should say that:

sssd.conf
-------------------------------------------

```
[sssd]
domains = security.baseos.qe
config_file_version = 2

[nss]
default_shell = /bin/bash

[domain/security.baseos.qe]
ad_domain = security.baseos.qe
krb5_realm = SECURITY.BASEOS.QE
realmd_tags =
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
simple_allow_users = $
access_provider = simple
```

With the default log level, sssd simply says "SSSD couldn't load the configuration database [22]: Invalid argument." which isn't very helpful.

```
# systemctl status sssd.service
sssd.service - System Security Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled)
   Active: failed (Result: exit-code) since Thu 2013-07-25 01:37:49 EDT; 12s ago
  Process: 20769 ExecStart=/usr/sbin/sssd -D -f (code=exited, status=4)

Jul 25 01:37:49 x86-64-v06.ipa.baseos.qe sssd[20769]: SSSD couldn't load the configuration database [22]: Invalid argument.
Jul 25 01:37:49 x86-64-v06.ipa.baseos.qe systemd[1]: sssd.service: control process exited, code=exited status=4
Jul 25 01:37:49 x86-64-v06.ipa.baseos.qe systemd[1]: Failed to start System Security Services Daemon.
Jul 25 01:37:49 x86-64-v06.ipa.baseos.qe systemd[1]: Unit sssd.service entered failed state.
```

I agree, we should change this.

Upstream ticket: https://fedorahosted.org/sssd/ticket/2028

For issues like this, where we don't start at all, please add both a DEBUG statement and sss_log statement. We should let the admin know failures to start just by looking at syslog.

master:
8b2a31634764168183506925a4b9f461afdba6f3
c42ca36247022490ad65a33c453cb5e43900dbe9

Doc text looks good to me.

Michal

Tested with sssd-1.14.0-27.el7.x86_64

Steps followed during verification:

1) Install the sssd-tools package.
2) Create the sssd.conf.
3) Run sssctl config-check.

config-check detects typos in option name (not value), typos in section name and misplaced options. Additionally the config-check also reports when something unexpected happens during configuration merging but does not check which option is missing.

-------------------------------------------------------------
sssd.conf without any typos in option name and section name
-------------------------------------------------------------

```
#cat /etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = LDAP

[domain/LDAP]
ldap_search_base = dc=example,dc=com
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://server.example.com
ldap_tls_cacert = /etc/openldap/certs/cacert.asc
debug_level = 10

[root@server ~]# sssctl config-check
Issues identified by validators: 0

Messages generated during configuration merging: 0

Used configuration snippet files: 0
```

-------------------------------------------------
sssd.conf with typos in option name
-------------------------------------------------

```
#cat /etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = LDAP

[domain/LDAP]
search_base = dc=example,dc=com
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://server.example.com
ldap_tls_cacert = /etc/openldap/certs/cacert.asc
debug_level = 10

[root@server ~]# sssctl config-check
Issues identified by validators: 1
[rule/allowed_domain_options]: Attribute 'search_base' is not allowed in section 'domain/LDAP'. Check for typos.

Messages generated during configuration merging: 0

Used configuration snippet files: 0
```

------------------------------------------------
sssd.conf with typos in section name
------------------------------------------------

```
#cat /etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = LDAP

[domain/LAP]
search_base = dc=example,dc=com
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://server.example.com
ldap_tls_cacert = /etc/openldap/certs/cacert.asc
debug_level = 10

[root@server ~]# sssctl config-check
(Fri Sep 2 11:40:43:603218 2016) [sssd] [confdb_get_domain_internal] (0x0010): Unknown domain [LDAP]
(Fri Sep 2 11:40:43:603339 2016) [sssd] [confdb_get_domains] (0x0010): Error (2 [No such file or directory]) retrieving domain [LDAP], skipping!
(Fri Sep 2 11:40:43:603361 2016) [sssd] [confdb_get_domains] (0x0010): No properly configured domains, fatal error!
.
```

------------------------------------------------
sssd.conf with misplaced option
------------------------------------------------

```
#cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
domains = LDAP

[domain/LDAP]
services = nss, pam
search_base = dc=example,dc=com
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://server.example.com
ldap_tls_cacert = /etc/openldap/certs/cacert.asc
debug_level = 10

[root@server sssd]# sssctl config-check
Issues identified by validators: 1
[rule/allowed_domain_options]: Attribute 'services' is not allowed in section 'domain/LDAP'. Check for typos.

Messages generated during configuration merging: 0

Used configuration snippet files: 0
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2476.html
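
The verification above covers mistyped options, mistyped section names and misplaced options, and notes that config-check does not report which option is missing. The following pre-deployment lint is an added example, not part of the bug report and not SSSD's code; it covers those three cases plus the missing `services` line from the original description. The allow-list is constructed from the options that appear in this report only (SSSD's real schema is much larger), and treating `services` and `domains` as required in `[sssd]` is an assumption taken from the report.

```python
import configparser

# Constructed allow-list built only from the options in this report's samples;
# it is NOT SSSD's real schema, which is far larger.
ALLOWED = {
    "sssd": {"services", "domains", "config_file_version", "debug_level"},
    "nss": {"default_shell", "debug_level"},
    "pam": {"debug_level"},
    "domain": {"id_provider", "auth_provider", "access_provider", "ldap_uri",
               "ldap_search_base", "ldap_tls_cacert", "debug_level", "ad_domain",
               "krb5_realm", "realmd_tags", "cache_credentials",
               "krb5_store_password_if_offline", "ldap_id_mapping",
               "use_fully_qualified_names", "fallback_homedir",
               "simple_allow_users"},
}
REQUIRED_IN_SSSD = ("services", "domains")  # assumption, taken from the report

# Abridged from the reporter's file: no 'services' line in [sssd].
SAMPLE = ("[sssd]\ndomains = security.baseos.qe\nconfig_file_version = 2\n"
          "[domain/security.baseos.qe]\nid_provider = ad\n"
          "fallback_homedir = /home/%d/%u\n")


def check_sssd_conf(text):
    """Return a list of findings (empty when nothing is flagged)."""
    # interpolation=None keeps values such as /home/%d/%u literal.
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(text)
    except configparser.Error as exc:
        return [f"parse error: {exc}"]
    findings = []
    for section in cp.sections():
        kind = "domain" if section.startswith("domain/") else section
        for option in cp.options(section):
            if option not in ALLOWED.get(kind, set()):
                findings.append(f"'{option}' is not allowed in [{section}]")
    for option in REQUIRED_IN_SSSD:
        if not cp.get("sssd", option, fallback="").strip():
            findings.append(f"required option '{option}' missing from [sssd]")
    for name in cp.get("sssd", "domains", fallback="").split(","):
        if name.strip() and not cp.has_section(f"domain/{name.strip()}"):
            findings.append(f"no [domain/{name.strip()}] section for listed domain")
    return findings


if __name__ == "__main__":
    print("\n".join(check_sssd_conf(SAMPLE)) or "no findings")
```
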