Bug 988207 - sssd does not detail which line in configuration is invalid
Summary: sssd does not detail which line in configuration is invalid
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd   
(Show other bugs)
Version: 7.0
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: rc
: ---
Assignee: SSSD Maintainers
QA Contact: Namita Soman
Marc Muehlfeld
URL:
Whiteboard:
Keywords:
Depends On: 1290382
Blocks: 1292074 1296125 1313485 987491 1351252
TreeView+ depends on / blocked
 
Reported: 2013-07-25 06:07 UTC by Stef Walter
Modified: 2016-11-04 07:09 UTC (History)
10 users (show)

Fixed In Version: sssd-1.14.0-0.2.beta1.el7
Doc Type: Enhancement
Doc Text:
SSSD configuration file validation Previously, the System Security Services Daemon (SSSD) did not provide a tool to manually check the `/etc/sssd/sssd.conf` file. As a consequence, the administrator had to find the problem in the configuration file if the service failed to start. This update provides the "config-check" option of the "sssctl" command to locate problems in the configuration file. Additionally, SSSD automatically checks the validity of the configuration file after the service starts, and shows level 0 debug messages for incorrect settings.
Story Points: ---
Clone Of:
: 1351252 (view as bug list)
Environment:
Last Closed: 2016-11-04 07:09:27 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2016:2476 normal SHIPPED_LIVE sssd bug fix and enhancement update 2016-11-03 14:08:11 UTC

Description Stef Walter 2013-07-25 06:07:50 UTC
If I create an sssd.conf with the following contents, then on startup sssd just complains about "Invalid Argument" rather than saying what config line is wrong in the logs (such as systemctl status output).

Comment 1 Stef Walter 2013-07-25 06:08:20 UTC
Yes, there's a missing 'services' line. But the log output should say that:

sssd.conf -------------------------------------------

[sssd]
domains = security.baseos.qe
config_file_version = 2

[nss]
default_shell = /bin/bash

[domain/security.baseos.qe]
ad_domain = security.baseos.qe
krb5_realm = SECURITY.BASEOS.QE
realmd_tags = 
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
simple_allow_users = $
access_provider = simple

Comment 2 Stef Walter 2013-07-25 06:09:11 UTC
With the default log level, sssd simply says "SSSD couldn't load the configuration database [22]: Invalid argument." which isn't very helpful.

# systemctl status sssd.service
sssd.service - System Security Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled)
   Active: failed (Result: exit-code) since Thu 2013-07-25 01:37:49 EDT; 12s ago
  Process: 20769 ExecStart=/usr/sbin/sssd -D -f (code=exited, status=4)

Jul 25 01:37:49 x86-64-v06.ipa.baseos.qe sssd[20769]: SSSD couldn't load the configuration database [22]: Invalid argument.
Jul 25 01:37:49 x86-64-v06.ipa.baseos.qe systemd[1]: sssd.service: control process exited, code=exited status=4
Jul 25 01:37:49 x86-64-v06.ipa.baseos.qe systemd[1]: Failed to start System Security Services Daemon.
Jul 25 01:37:49 x86-64-v06.ipa.baseos.qe systemd[1]: Unit sssd.service entered failed state.

Comment 4 Pavel Březina 2013-07-25 07:13:08 UTC
I agree, we should change this.

Comment 5 Pavel Březina 2013-07-25 07:54:08 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2028

Comment 6 Jakub Hrozek 2013-07-25 07:58:53 UTC
For issues like this, where we don't start at all, please add both a DEBUG statement and sss_log statement. We should let the admin know failures to start just by looking at syslog.

Comment 8 Jakub Hrozek 2016-06-27 20:32:16 UTC
master:
    8b2a31634764168183506925a4b9f461afdba6f3
    c42ca36247022490ad65a33c453cb5e43900dbe9

Comment 13 Michal Zidek 2016-07-19 09:37:14 UTC
Doc text looks good to me.

Michal

Comment 14 Madhuri 2016-09-06 09:48:32 UTC
Tested with sssd-1.14.0-27.el7.x86_64

Steps followed during verification:
1) Install the sssd-tools package.
2) Create the sssd.conf.
3) Run sssctl config-check.

config-check detects typos in option name (not value), typos in section name and misplaced options.
Additionally the config-check also reports when something unexpected happens during configuration merging but does not check which option is missing.

-------------------------------------------------------------
sssd.conf without any typos in option name and section name
-------------------------------------------------------------
#cat /etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = LDAP

[domain/LDAP]
ldap_search_base = dc=example,dc=com
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://server.example.com
ldap_tls_cacert = /etc/openldap/certs/cacert.asc
debug_level = 10

[root@server ~]# sssctl config-check
Issues identified by validators: 0

Messages generated during configuration merging: 0

Used configuration snippet files: 0

-------------------------------------------------
sssd.conf with typos in option name
-------------------------------------------------
#cat /etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = LDAP

[domain/LDAP]
search_base = dc=example,dc=com
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://server.example.com
ldap_tls_cacert = /etc/openldap/certs/cacert.asc
debug_level = 10

[root@server ~]# sssctl config-check
Issues identified by validators: 1
[rule/allowed_domain_options]: Attribute 'search_base' is not allowed in section 'domain/LDAP'. Check for typos.

Messages generated during configuration merging: 0

Used configuration snippet files: 0

------------------------------------------------
sssd.conf with typos in section name
------------------------------------------------
#cat /etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = LDAP

[domain/LAP]
search_base = dc=example,dc=com
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://server.example.com
ldap_tls_cacert = /etc/openldap/certs/cacert.asc
debug_level = 10

[root@server ~]# sssctl config-check
(Fri Sep  2 11:40:43:603218 2016) [sssd] [confdb_get_domain_internal] (0x0010): Unknown domain [LDAP]
(Fri Sep  2 11:40:43:603339 2016) [sssd] [confdb_get_domains] (0x0010): Error (2 [No such file or directory]) retrieving domain [LDAP], skipping!
(Fri Sep  2 11:40:43:603361 2016) [sssd] [confdb_get_domains] (0x0010): No properly configured domains, fatal error!
.
------------------------------------------------
sssd.conf with misplaced option
------------------------------------------------
#cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
domains = LDAP

[domain/LDAP]
services = nss, pam
search_base = dc=example,dc=com
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://server.example.com
ldap_tls_cacert = /etc/openldap/certs/cacert.asc
debug_level = 10

[root@server sssd]# sssctl config-check
Issues identified by validators: 1
[rule/allowed_domain_options]: Attribute 'services' is not allowed in section 'domain/LDAP'. Check for typos.

Messages generated during configuration merging: 0

Used configuration snippet files: 0

Comment 16 errata-xmlrpc 2016-11-04 07:09:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2476.html


Note You need to log in before you can comment on or make changes to this bug.