On Wed, Mar 15, 2017 at 04:27:26PM +0100, Fabiano FidĂȘncio wrote:
- Several issues related to socket-activating the NSS service, especially if SSSD was configured to use a non-privileged user were fixed. The NSS service now starts as root to avoid triggering a name-service lookup while the NSS service is not running yet. Additionally, the NSS service is started before any other service to make sure username resolution works and the other service can resolve the SSSD user correctly.
So, this part is not exactly accurate. NSS responder always been only used as root. What we did is not changing the owner of the nss log file for the socket-activated NSS responder.
My suggestion is: "(...). The NSS service now doesn't change the ownership of its log files to avoid triggering (...)"
Suggestion taken, the new relnotes can be viewed at: https://pagure.io/SSSD/docs/blob/master/f/users/relnotes/notes_1_15_2.rst