On 01/09/2017 01:38 PM, Fabiano Fidêncio wrote:
> On Mon, Jan 9, 2017 at 1:35 PM, Jakub Hrozek <jhrozek(a)redhat.com> wrote:
> On Mon, Jan 09, 2017 at 01:25:48PM +0100, Pavel Březina wrote:
>> On 01/08/2017 09:44 PM, Fabiano Fidêncio wrote:
>>> People,
>>>
>>> Recently I've faced some issues when testing the socket-activation
>>> working running as sssd-user, which will force me to take a different
>>> path for a few things and I really would like to know your opinion on
>>> those things.
>>>
>>> So, currently, this is what the nss.service looks like:
>>>
>>> [Unit]
>>> Description=SSSD NSS Service responder
>>> Documentation=man:sssd.conf(5)
>>> After=sssd.service
>>> BindsTo=sssd.service
>>>
>>> [Install]
>>> Also=sssd-nss.socket
>>>
>>> [Service]
>>> ExecStartPre=-/bin/chown @SSSD_USER@:@SSSD_USER@ @logpath(a)/sssd_nss.log
>>> ExecStart=@libexecdir@/sssd/sssd_nss --debug-to-files --unprivileged-start
>>> Restart=on-failure
>>> User=@SSSD_USER@
>>> Group=@SSSD_USER@
>>> PermissionsStartOnly=true
>>>
>>> As you probably noticed, I've been using systemd's machinery to change
>>> the debug files' owner and to start the responder by the proper user
>>> (sssd or root). Well, it doesn't work that well as expected as systemd
>>> ends up calling initgroups(sssd, ...) in order to start any service
>>> using "sssd" user and this call is done _before_ starting the NSS
>>> responder, which will hang for the "default client timeout" (300s).
>>>
>>> Okay, we have to change it and here is where I need your help!
>>
>> The simplest solution would be to disable socket activation for NSS
>> responder. Socket activation is supposed to be used for responders that are
>> seldom used.
>
> I also wonder if this was the easiest. Just enable the service as well
> in the RPM..
> And it still would have to be running as root.
> Latest suggestion from Lukáš makes my life way easier (just leave this
> responder to be run as root and that's it).
> Although, I really think we could do it in a better and more generic way.
Or we can somehow indicate to the sssd client that the nss responder is not
started yet and return that sssd does not know this user in this case.

Best Regards,
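The hang Fabiano describes comes from systemd resolving `User=` and calling initgroups() before the service starts; if the `group` (or `initgroups`) NSS database lists `sss`, that call goes to the sssd NSS responder socket, which nothing is serving yet. The script below is an added example, not code from the sssd project or from any participant in this thread: it parses nsswitch.conf text and reports whether initgroups() for a unit's `User=` would route through nss_sss. The nsswitch samples are constructed for the demonstration; on a real host you would feed it `$(cat /etc/nsswitch.conf)`.

```sh
#!/bin/sh
# Added example (not from the sssd thread): report whether the NSS databases
# that systemd consults for User=/Group= and initgroups() include "sss".
# If they do, a socket-activated NSS responder started as that user blocks
# on its own, not yet served, socket until the client timeout expires.

# Constructed sample nsswitch.conf contents (not copied from any real host).
SAMPLE_NSSWITCH='passwd:     files sss
group:      files sss
shadow:     files
hosts:      files dns'

# Same, but with sss removed from the databases systemd needs at start.
SAMPLE_NSSWITCH_FILES='passwd:     files
group:      files
shadow:     files
hosts:      files dns'

# glibc prefers an explicit "initgroups:" database over "group:" for
# initgroups(); this constructed sample keeps that lookup local.
SAMPLE_NSSWITCH_INITGROUPS='passwd:     files sss
group:      files sss
initgroups: files
hosts:      files dns'

# nss_uses_sss DB NSSWITCH_TEXT
# Prints "yes" if database DB lists the sss module, "no" otherwise.
nss_uses_sss() {
    db=$1
    text=$2
    printf '%s\n' "$text" | awk -v db="$db" '
        $0 ~ ("^[ \t]*" db ":") {
            sub("^[ \t]*" db ":", "")
            for (i = 1; i <= NF; i++) if ($i == "sss") found = 1
        }
        END { print (found ? "yes" : "no") }'
}

# initgroups_risk NSSWITCH_TEXT
# initgroups() consults the "initgroups" database when present, else "group".
initgroups_risk() {
    text=$1
    if printf '%s\n' "$text" | grep -q '^[[:space:]]*initgroups:'; then
        nss_uses_sss initgroups "$text"
    else
        nss_uses_sss group "$text"
    fi
}

# check_unit_user USER NSSWITCH_TEXT
# Exit 0 when initgroups(USER) stays with local files, 1 when it would
# query the sss NSS module (the situation that deadlocks the responder).
check_unit_user() {
    if [ "$(initgroups_risk "$2")" = yes ]; then
        echo "risk: initgroups($1) queries sss; do not run the sss NSS responder as User=$1"
        return 1
    fi
    echo "ok: initgroups($1) is resolved from local files only"
}

# Stand-alone demonstration on the constructed sample.
check_unit_user sssd "$SAMPLE_NSSWITCH" || :
```

The check only looks at the databases systemd touches before exec (`passwd` for the uid, `group`/`initgroups` for supplementary groups); `hosts` or `shadow` listing `sss` is irrelevant to this start-up path. It also says nothing about the `ExecStartPre=` chown, which runs as root under `PermissionsStartOnly=true` and does not trigger the lookup.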