Bug 1445017 - After enrolling in an AD domain with realmd, no responders are started
Summary: After enrolling in an AD domain with realmd, no responders are started
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: realmd
Version: 26
Hardware: All
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Sumit Bose
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: F26BetaBlocker
 
Reported: 2017-04-24 18:01 UTC by Stephen Gallagher
Modified: 2017-04-27 20:54 UTC (History)

Fixed In Version: realmd-0.16.3-5.fc26
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-04-27 20:54:43 UTC
Type: Bug
Embargoed:


Links: FreeDesktop.org bug 98479

Description Stephen Gallagher 2017-04-24 18:01:22 UTC
Description of problem:
While following the Fedora release validation tests for Fedora Server as an AD client[1], I discovered that `getent passwd Administrator@domain` was failing. After investigation, I realized that this was because the sssd_nss and sssd_pam responders were not started with SSSD.


Version-Release number of selected component (if applicable):
sssd-1.15.2-2.fc26
realmd-0.16.3-4.fc26


How reproducible:
Only tried on a single machine, but unenrolling and re-enrolling with realmd produces the same result each time.

Steps to Reproduce:
1. Download the latest Fedora Server prerelease image (see [1])
2. Install Fedora Server with all the usual defaults (setting the hostname to something other than 'localhost.localdomain')
3. Using either realmd directly or the Cockpit UI (which I did), enroll with a 
4. Sign into the system via a shell and run `getent passwd Administrator` (substituting the appropriate value for "domain.name")

Actual results:
No results returned

Expected results:
User information about the "Administrator" user in Active Directory should be returned.

Additional info:

[1] https://fedoraproject.org/wiki/Test_Results:Fedora_26_Branched_20170420.n.0_Server#Domain_joining_tests:_Active_Directory

Comment 1 Stephen Gallagher 2017-04-24 18:42:50 UTC
Proposing as a Beta Blocker under the criterion:
"It must be possible to join the system to a FreeIPA or Active Directory domain at install time and post-install, and the system must respect the identity, authentication and access control configuration provided by the domain."

Comment 2 Lukas Slebodnik 2017-04-24 20:01:19 UTC
sssd works well with enabled sockets

sh# systemctl status --lines=0 sssd sssd-{nss,pam}.{socket,service} 
● sssd.service - System Security Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset:
  Drop-In: /etc/systemd/system/sssd.service.d
           └─journal.conf
   Active: inactive (dead) since Mon 2017-04-24 21:57:35 CEST; 30s ago
  Process: 12884 ExecStart=/usr/sbin/sssd -i -f (code=exited, status=0/SUCCESS)
 Main PID: 12884 (code=exited, status=0/SUCCESS)
      CPU: 76ms

● sssd-nss.socket - SSSD NSS Service responder socket
   Loaded: loaded (/usr/lib/systemd/system/sssd-nss.socket; disabled; vendor pre
   Active: inactive (dead)
     Docs: man:sssd.conf(5)
   Listen: /var/lib/sss/pipes/nss (Stream)

● sssd-nss.service - SSSD NSS Service responder
   Loaded: loaded (/usr/lib/systemd/system/sssd-nss.service; indirect; vendor pr
   Active: inactive (dead)
     Docs: man:sssd.conf(5)

● sssd-pam.socket - SSSD PAM Service responder socket
   Loaded: loaded (/usr/lib/systemd/system/sssd-pam.socket; disabled; vendor pre
   Active: inactive (dead)
     Docs: man:sssd.conf(5)
   Listen: /var/lib/sss/pipes/pam (Stream)

● sssd-pam.service - SSSD PAM Service responder
   Loaded: loaded (/usr/lib/systemd/system/sssd-pam.service; indirect; vendor pr
   Active: inactive (dead)
     Docs: man:sssd.conf(5)

sh# systemctl start sssd-nss.socket sssd-pam.socket

sh# systemctl status --lines=0 sssd sssd-{nss,pam}.{socket,service} 
● sssd.service - System Security Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset:
  Drop-In: /etc/systemd/system/sssd.service.d
           └─journal.conf
   Active: active (running) since Mon 2017-04-24 21:59:03 CEST; 1s ago
 Main PID: 13062 (sssd)
    Tasks: 2 (limit: 4915)
   Memory: 3.9M
      CPU: 35ms
   CGroup: /system.slice/sssd.service
           ├─13062 /usr/sbin/sssd -i -f
           └─13073 /usr/libexec/sssd/sssd_be --domain example.com --uid 0 --gid 0

● sssd-nss.socket - SSSD NSS Service responder socket
   Loaded: loaded (/usr/lib/systemd/system/sssd-nss.socket; disabled; vendor pre
   Active: active (listening) since Mon 2017-04-24 21:59:03 CEST; 1s ago
     Docs: man:sssd.conf(5)
   Listen: /var/lib/sss/pipes/nss (Stream)
  Process: 13081 ExecStartPre=/usr/libexec/sssd/sssd_check_socket_activated_resp
    Tasks: 0 (limit: 4915)
   Memory: 84.0K
      CPU: 6ms
   CGroup: /system.slice/sssd-nss.socket

● sssd-nss.service - SSSD NSS Service responder
   Loaded: loaded (/usr/lib/systemd/system/sssd-nss.service; indirect; vendor pr
   Active: inactive (dead)
     Docs: man:sssd.conf(5)

● sssd-pam.socket - SSSD PAM Service responder socket
   Loaded: loaded (/usr/lib/systemd/system/sssd-pam.socket; disabled; vendor pre
   Active: active (listening) since Mon 2017-04-24 21:59:03 CEST; 1s ago
     Docs: man:sssd.conf(5)
   Listen: /var/lib/sss/pipes/pam (Stream)
  Process: 13090 ExecStartPre=/usr/libexec/sssd/sssd_check_socket_activated_resp
    Tasks: 0 (limit: 4915)
   Memory: 116.0K
      CPU: 5ms
   CGroup: /system.slice/sssd-pam.socket

● sssd-pam.service - SSSD PAM Service responder
   Loaded: loaded (/usr/lib/systemd/system/sssd-pam.service; indirect; vendor pr
   Active: inactive (dead)
     Docs: man:sssd.conf(5)


sh# getent passwd lslebodn
lslebodn:*:740728:740728:Lukas Slebodnik:/home/lslebodn:/bin/bash

sh$ ssh lslebodn@localhost
lslebodn@localhost's password: 
Last failed login: Mon Apr 24 21:49:40 CEST 2017 from ::1 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Wed Apr 12 17:15:37 2017
-bash-4.4$ logout
Connection to localhost closed.

sh# systemctl status --lines=0 sssd.service sssd-nss.service sssd-pam.service
● sssd.service - System Security Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset:
  Drop-In: /etc/systemd/system/sssd.service.d
           └─devel.conf, journal.conf, network.conf, valgrind.conf
   Active: active (running) since Mon 2017-04-24 21:52:34 CEST; 2min 50s ago
 Main PID: 12884 (sssd)
    Tasks: 2 (limit: 4915)
   Memory: 4.6M
      CPU: 72ms
   CGroup: /system.slice/sssd.service
           ├─12884 /usr/sbin/sssd -i -f
           └─12897 /usr/libexec/sssd/sssd_be --domain example.com --uid 0 --gid 0

● sssd-nss.service - SSSD NSS Service responder
   Loaded: loaded (/usr/lib/systemd/system/sssd-nss.service; indirect; vendor pr
   Active: active (running) since Mon 2017-04-24 21:54:22 CEST; 1min 2s ago
     Docs: man:sssd.conf(5)
 Main PID: 12945 (sssd_nss)
    Tasks: 1 (limit: 4915)
   Memory: 25.7M
      CPU: 24ms
   CGroup: /system.slice/sssd-nss.service
           └─12945 /usr/libexec/sssd/sssd_nss --debug-to-files --socket-activate

● sssd-pam.service - SSSD PAM Service responder
   Loaded: loaded (/usr/lib/systemd/system/sssd-pam.service; indirect; vendor pr
   Active: active (running) since Mon 2017-04-24 21:55:00 CEST; 25s ago
     Docs: man:sssd.conf(5)
  Process: 12999 ExecStartPre=/bin/chown root:root /var/log/sssd/sssd_pam.log (c
 Main PID: 13010 (sssd_pam)
    Tasks: 1 (limit: 4915)
   Memory: 1.7M
      CPU: 12ms
   CGroup: /system.slice/sssd-pam.service
           └─13010 /usr/libexec/sssd/sssd_pam --debug-to-files --socket-activate

Comment 3 Lukas Slebodnik 2017-04-24 20:07:16 UTC
I tested with "services =" and with missing "services" in domain section of sssd.conf.

And very important information is:
sh$ rpm -q selinux-policy
selinux-policy-3.13.1-251.fc26.noarch

It is not a bug in sssd.

Comment 4 Stephen Gallagher 2017-04-24 20:31:01 UTC
Well, either realmd needs to properly write the services= line or else realmd and ipa-client-install should *never* create this line and we should switch Fedora to enable the socket-activated responders by default. But right now we have neither in play.

From an earlier discussion in #freeipa, we determined that the problem was introduced in https://bugs.freedesktop.org/show_bug.cgi?id=98479 to fix issues on Debian which had an incomplete services= line in its default configuration. However, the result was that on the AD path, if the services= line did not exist at all, it was never created because the function that was updating it would skip over it.

Comment 5 Lukas Slebodnik 2017-04-24 20:32:31 UTC
If realmd does not add the required responders to the service option in the "sssd" section, then it should enable and start the related sssd responder sockets, e.g. sssd-{nss,pam}.socket.

Comment 6 Lukas Slebodnik 2017-04-24 20:42:39 UTC
(In reply to Stephen Gallagher from comment #4)
> Well, either realmd needs to properly write the services= line or else
> realmd and ipa-client-install should *never* create this line and we should
> switch Fedora to enable the socket-activated responders by default. But
> right now we have neither in play.
> 

sssd works well with some services started by sssd (based on the "service" option) and others started as systemd activated services.

People can have their own sssd.conf. Therefore realmd should account for an existing or missing "services" option in sssd.conf.
And from the realmd upstream POV, it should first check whether the related socket and service files are available on the system, e.g. /usr/lib/systemd/system/sssd-nss.socket or /etc/systemd/system/sssd-nss.socket ... Then it can rely on socket-activated responders; otherwise it should fall back to services in sssd.conf.
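
The check described in comments 5 and 6, written out as an added example (not realmd's or SSSD's own code): a POSIX shell script that reads the `services=` option from the `[sssd]` section of an sssd.conf and, for each responder, reports whether it is covered by that option, by an available socket unit (`sssd-<name>.socket`, the unit names shown in comment 2), or by nothing, which is the state this bug describes. The two config files and the unit directory are constructed here so the script runs offline; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not realmd code: decide how each SSSD responder would be
# started. A responder is covered when it is listed in services= in the
# [sssd] section, or when a socket unit exists so it can be socket-activated
# (which still has to be enabled and started, as comment 5 notes).

# Print the value of services= from the [sssd] section of sssd.conf $1.
# Prints nothing when the section or the option is missing.
sssd_services() {
    awk -F= '
        /^[[:space:]]*\[/ { in_sssd = ($0 ~ /^[[:space:]]*\[sssd][[:space:]]*$/); next }
        in_sssd && $1 ~ /^[[:space:]]*services[[:space:]]*$/ {
            sub(/^[[:space:]]+/, "", $2); sub(/[[:space:]]+$/, "", $2)
            print $2; exit
        }' "$1"
}

# Return 0 if responder $1 appears in the comma-separated list $2.
listed_in() {
    printf '%s\n' "$2" | tr ',' '\n' \
        | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | grep -qxF "$1"
}

# Report coverage for responder $1, given sssd.conf $2 and systemd unit dir $3:
#   services  - started by the sssd monitor via services=
#   socket    - a socket unit exists; enable+start sssd-$1.socket to use it
#   none      - neither; this is the broken state from the bug report
responder_coverage() {
    rc_resp=$1; rc_conf=$2; rc_unitdir=$3
    if listed_in "$rc_resp" "$(sssd_services "$rc_conf")"; then
        echo services
    elif [ -f "$rc_unitdir/sssd-$rc_resp.socket" ]; then
        echo socket
    else
        echo none
    fi
}

# --- constructed sample input, modelled on the bug's scenario ---------------
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Unit dir with socket units for nss and pam only (empty placeholder files).
mkdir -p "$tmp/units"
: > "$tmp/units/sssd-nss.socket"
: > "$tmp/units/sssd-pam.socket"

# sssd.conf as described in the report: [sssd] section without services=.
cat > "$tmp/no_services.conf" <<'EOF'
[sssd]
domains = example.com
config_file_version = 2

[domain/example.com]
id_provider = ad
EOF

# sssd.conf with an explicit services= line.
cat > "$tmp/with_services.conf" <<'EOF'
[sssd]
domains = example.com
config_file_version = 2
services = nss, pam

[domain/example.com]
id_provider = ad
EOF

for conf in no_services.conf with_services.conf; do
    for resp in nss pam sudo; do
        printf '%-18s %-5s %s\n' "$conf" "$resp" \
            "$(responder_coverage "$resp" "$tmp/$conf" "$tmp/units")"
    done
done
```

With the first config, nss and pam come out as `socket` (fixable by enabling the sockets) and sudo as `none`; with the second, nss and pam are `services`. A realmd-style fix would turn `socket` into an enable+start of the unit and `none` into a write to services=.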

Comment 7 Fabiano Fidêncio 2017-04-25 07:29:30 UTC
I've submitted a patch for realmd already as the regression happened on their side and hopefully it'll be merged soon (and I'll update this bug once it happens).

Comment 8 Stephen Gallagher 2017-04-25 12:15:58 UTC
(In reply to Fabiano Fidêncio from comment #7)
> I've submitted a patch for realmd already as the regression happened on
> their side and hopefully it'll be merged soon (and I'll update this bug once
> it happens).

Please include a link to the patch in this ticket so we can follow the progress.

Comment 9 Fabiano Fidêncio 2017-04-25 12:32:08 UTC
(In reply to Stephen Gallagher from comment #8)
> (In reply to Fabiano Fidêncio from comment #7)
> > I've submitted a patch for realmd already as the regression happened on
> > their side and hopefully it'll be merged soon (and I'll update this bug once
> > it happens).
> 
> Please include a link to the patch in this ticket so we can follow the
> progress.

I just re-opened https://bugs.freedesktop.org/show_bug.cgi?id=98479 and the patch is already merged.

Sumit will do a Fedora build including the fix.

Comment 10 Fedora Update System 2017-04-25 12:34:37 UTC
realmd-0.16.3-5.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-fa8671e454

Comment 11 Fedora Update System 2017-04-26 03:52:42 UTC
realmd-0.16.3-5.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-fa8671e454

Comment 12 Fedora Update System 2017-04-27 20:54:43 UTC
realmd-0.16.3-5.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

