Red Hat Bugzilla – Bug 988207
sssd does not detail which line in configuration is invalid
Last modified: 2016-11-04 03:09:27 EDT
If I create an sssd.conf with the following contents, then on startup sssd just complains about "Invalid Argument" rather than saying what config line is wrong in the logs (such as systemctl status output).
Yes, there's a missing 'services' line. But the log output should say that:

sssd.conf
-------------------------------------------
[sssd]
domains = security.baseos.qe
config_file_version = 2

[nss]
default_shell = /bin/bash

[domain/security.baseos.qe]
ad_domain = security.baseos.qe
krb5_realm = SECURITY.BASEOS.QE
realmd_tags =
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
simple_allow_users = $
access_provider = simple
With the default log level, sssd simply says "SSSD couldn't load the configuration database [22]: Invalid argument." which isn't very helpful.

# systemctl status sssd.service
sssd.service - System Security Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled)
   Active: failed (Result: exit-code) since Thu 2013-07-25 01:37:49 EDT; 12s ago
  Process: 20769 ExecStart=/usr/sbin/sssd -D -f (code=exited, status=4)

Jul 25 01:37:49 x86-64-v06.ipa.baseos.qe sssd[20769]: SSSD couldn't load the configuration database [22]: Invalid argument.
Jul 25 01:37:49 x86-64-v06.ipa.baseos.qe systemd[1]: sssd.service: control process exited, code=exited status=4
Jul 25 01:37:49 x86-64-v06.ipa.baseos.qe systemd[1]: Failed to start System Security Services Daemon.
Jul 25 01:37:49 x86-64-v06.ipa.baseos.qe systemd[1]: Unit sssd.service entered failed state.
I agree, we should change this.
Upstream ticket: https://fedorahosted.org/sssd/ticket/2028
For issues like this, where we don't start at all, please add both a DEBUG statement and sss_log statement. We should let the admin know failures to start just by looking at syslog.
master: 8b2a31634764168183506925a4b9f461afdba6f3 c42ca36247022490ad65a33c453cb5e43900dbe9
Doc text looks good to me. Michal
Tested with sssd-1.14.0-27.el7.x86_64

Steps followed during verification:
1) Install the sssd-tools package.
2) Create the sssd.conf.
3) Run sssctl config-check.

config-check detects typos in option name (not value), typos in section name and misplaced options. Additionally the config-check also reports when something unexpected happens during configuration merging but does not check which option is missing.

-------------------------------------------------------------
sssd.conf without any typos in option name and section name
-------------------------------------------------------------
#cat /etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = LDAP

[domain/LDAP]
ldap_search_base = dc=example,dc=com
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://server.example.com
ldap_tls_cacert = /etc/openldap/certs/cacert.asc
debug_level = 10

[root@server ~]# sssctl config-check
Issues identified by validators: 0
Messages generated during configuration merging: 0
Used configuration snippet files: 0

-------------------------------------------------
sssd.conf with typos in option name
-------------------------------------------------
#cat /etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = LDAP

[domain/LDAP]
search_base = dc=example,dc=com
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://server.example.com
ldap_tls_cacert = /etc/openldap/certs/cacert.asc
debug_level = 10

[root@server ~]# sssctl config-check
Issues identified by validators: 1
[rule/allowed_domain_options]: Attribute 'search_base' is not allowed in section 'domain/LDAP'. Check for typos.
Messages generated during configuration merging: 0
Used configuration snippet files: 0

------------------------------------------------
sssd.conf with typos in section name
------------------------------------------------
#cat /etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = LDAP

[domain/LAP]
search_base = dc=example,dc=com
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://server.example.com
ldap_tls_cacert = /etc/openldap/certs/cacert.asc
debug_level = 10

[root@server ~]# sssctl config-check
(Fri Sep 2 11:40:43:603218 2016) [sssd] [confdb_get_domain_internal] (0x0010): Unknown domain [LDAP]
(Fri Sep 2 11:40:43:603339 2016) [sssd] [confdb_get_domains] (0x0010): Error (2 [No such file or directory]) retrieving domain [LDAP], skipping!
(Fri Sep 2 11:40:43:603361 2016) [sssd] [confdb_get_domains] (0x0010): No properly configured domains, fatal error!

------------------------------------------------
sssd.conf with misplaced option
------------------------------------------------
#cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
domains = LDAP

[domain/LDAP]
services = nss, pam
search_base = dc=example,dc=com
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://server.example.com
ldap_tls_cacert = /etc/openldap/certs/cacert.asc
debug_level = 10

[root@server sssd]# sssctl config-check
Issues identified by validators: 1
[rule/allowed_domain_options]: Attribute 'services' is not allowed in section 'domain/LDAP'. Check for typos.
Messages generated during configuration merging: 0
Used configuration snippet files: 0
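The verification comment above notes that config-check does not report which option is missing. As an added example (not part of this bug report and not SSSD code), a small Python preflight check that names a missing 'services' option and a domain listed without a matching section. The function name preflight and the sample inputs are constructed; treating 'services' as mandatory is an assumption taken from this report.

```python
import configparser

# Constructed samples, modelled on the configurations quoted in this report.
MISSING_SERVICES = """\
[sssd]
domains = security.baseos.qe
config_file_version = 2
[domain/security.baseos.qe]
id_provider = ad
fallback_homedir = /home/%d/%u
"""
SECTION_TYPO = """\
[sssd]
services = nss, pam
config_file_version = 2
domains = LDAP
[domain/LAP]
id_provider = ldap
"""

def preflight(text, require_services=True):
    """Return problems as strings that name the section and option involved."""
    # interpolation=None: values such as /home/%d/%u contain a literal '%'.
    cfg = configparser.ConfigParser(interpolation=None)
    try:
        cfg.read_string(text)
    except configparser.Error as exc:
        return [f"parse error: {exc}"]
    if not cfg.has_section("sssd"):
        return ["missing section [sssd]"]
    problems = []
    # Assumption: 'services' is required, as in the report.
    if require_services and not cfg.get("sssd", "services", fallback="").strip():
        problems.append("[sssd]: required option 'services' is missing or empty")
    listed = [d.strip() for d in cfg.get("sssd", "domains", fallback="").split(",")]
    listed = [d for d in listed if d]
    if not listed:
        problems.append("[sssd]: option 'domains' is missing or empty")
    defined = {s[len("domain/"):] for s in cfg.sections() if s.startswith("domain/")}
    for name in listed:
        if name not in defined:
            problems.append(f"[sssd]: domain '{name}' is listed but "
                            f"section [domain/{name}] does not exist")
    for name in sorted(defined - set(listed)):
        problems.append(f"[domain/{name}]: section is not listed in "
                        f"[sssd] 'domains' (possible typo)")
    return problems

if __name__ == "__main__":
    for sample in (MISSING_SERVICES, SECTION_TYPO):
        print(preflight(sample))
```

Running such a check before restarting the service gives a message that points at the section and option, which the "[22]: Invalid argument" line in syslog does not.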
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2016-2476.html