The recent sssd-2.9.4-3.fc40.x86_64 rawhide update [1] disabled the "files" provider [2]. The Fedora changes page [3] promised "some document on sssd.io" that explains the migration, but I didn't find anything.

We are using this to test cockpit smartcard authentication [4] with certmap (we also have a full FreeIPA integration test case, but that can't run on Testing Farm for distro gating), which now stopped working:

---------------- 8< -----------------
[sssd]
domains = local

[domain/local]
id_provider = files

[certmap/local/alice]
# Requires sssd >= 2.6.1 and installing sssd_auth_ca_db.pem; with earlier sssd this is completely unsafe
matchrule = <SUBJECT>^DC=LAN,DC=COCKPIT,CN=alice$
---------------- 8< -----------------

I checked various resources [5][6][7][8], but they provide either very little, or contradicting information (id_provider vs. auth_provider, etc.).

I tried with

[domain/local]
id_provider = proxy
auth_provider = proxy
proxy_lib_name = files

and various combinations, but in all cases sssd.service fails to start up:

Jan 26 09:22:48 fedora-rawhide-127-0-0-2-2201 sssd_be[5357]: Starting up
Jan 26 09:22:48 fedora-rawhide-127-0-0-2-2201 sssd[5353]: Exiting the SSSD. Could not restart critical service [local].

and /var/log/sssd/sssd_local.log essentially says

Unable to load target [id] [80]: Accessing a corrupted shared library.

I attach the full log for reference.
[1] https://bodhi.fedoraproject.org/updates/FEDORA-2024-6d3f839766
[2] https://bugzilla.redhat.com/show_bug.cgi?id=2253183
[3] https://fedoraproject.org/wiki/Changes/SSSDRemoveFilesProvider
[4] https://github.com/cockpit-project/cockpit/blob/4021b8a60237076bdde01183a51eb18568774c7f/test/verify/check-static-login#L776
[5] https://access.redhat.com/documentation/de-de/red_hat_enterprise_linux/7/html/system-level_authentication_guide/configuring_domains#configuring-the-files-provider-for-sssd
[6] https://github.com/SSSD/sssd/releases/tag/2.9.0
[7] https://sssd.io/release-notes/sssd-2.9.3.html
[8] https://manpages.ubuntu.com/manpages/jammy/en/man5/sssd.conf.5.html

Reproducible: Always

Steps to Reproduce: see above
Created attachment 2010692 sssd_local.log
Hi,

(In reply to Martin Pitt from comment #0)
> The recent sssd-2.9.4-3.fc40.x86_64 rawhide update [1] disabled the "files"
> provider [2]. The Fedora changes page [3] promised "some document on
> sssd.io" that explains the migration, but I didn't find anything.

Sorry for the delay, it is being worked on in https://github.com/SSSD/sssd.io/pull/78

> I tried with
>
> [domain/local]
> id_provider = proxy
> auth_provider = proxy
> proxy_lib_name = files

I think this should work
```
[domain/local]
id_provider = proxy
local_auth_policy = enable:smartcard
proxy_lib_name = files
# the next line probably can be skipped if local_auth_policy is set explicitly
proxy_pam_target = sssd-shadowutils
```
but I'd wait for @sbose's reply to https://github.com/SSSD/sssd.io/pull/78#issuecomment-1908453476
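A migration helper for the recipe in the reply above, added here as an example and not part of the thread or of SSSD: it rewrites every `[domain/...]` section that still uses `id_provider = files` to those proxy settings and leaves comments and `[certmap/...]` rules untouched. The function name `migrate_files_domains` and the sample input are constructed for illustration.

```python
import re

# Settings from the recipe in the reply above; nothing else is changed.
PROXY_RECIPE = [("id_provider", "proxy"), ("local_auth_policy", "enable:smartcard"),
                ("proxy_lib_name", "files"), ("proxy_pam_target", "sssd-shadowutils")]
SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
OPTION_RE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")


def migrate_files_domains(conf_text):
    """Return (new_text, migrated_domains); comments and other sections pass through."""
    out, migrated, section = [], [], None
    for line in conf_text.splitlines():
        header = SECTION_RE.match(line)
        option = OPTION_RE.match(line)
        if header:
            section = header.group(1).strip()
        elif (option and section and section.startswith("domain/")
              and option.group(1) == "id_provider"
              and option.group(2).lower() == "files"):
            # Replace the removed provider with the proxy recipe, in place.
            out.extend(f"{key} = {value}" for key, value in PROXY_RECIPE)
            migrated.append(section[len("domain/"):])
            continue
        out.append(line)
    return "\n".join(out) + "\n", migrated


# Constructed sample: the configuration quoted in the original report.
SAMPLE = """\
[sssd]
domains = local

[domain/local]
id_provider = files

[certmap/local/alice]
# Requires sssd >= 2.6.1 and installing sssd_auth_ca_db.pem; with earlier sssd this is completely unsafe
matchrule = <SUBJECT>^DC=LAN,DC=COCKPIT,CN=alice$
"""

if __name__ == "__main__":
    new_text, names = migrate_files_domains(SAMPLE)
    print("migrated domains:", names)
    print(new_text, end="")
```

Review the returned list of migrated domains before installing the rewritten file, since the certmap rule's safety still depends on the CA database noted in its comment.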
Thanks! Alexey's recipe in #2 works well, but I suppose I'll stick to the "official" documentation from https://github.com/SSSD/sssd.io/pull/78 which also works -- thanks for adding that. So I suppose you can close this once the PR lands and the docs get shipped?
Document was published: https://sssd.io/docs/files-provider-deprecation.html