On Mon, Jan 09, 2017 at 01:25:48PM +0100, Pavel Březina wrote:
On 01/08/2017 09:44 PM, Fabiano Fidêncio wrote:
> People,
>
> Recently I've faced some issues when testing the socket-activation
> working when running as sssd-user, which will force me to take a different
> path for a few things and I really would like to know your opinion on
> those things.
>
> So, currently, this is what the nss.service looks like:
>
> [Unit]
> Description=SSSD NSS Service responder
> Documentation=man:sssd.conf(5)
> After=sssd.service
> BindsTo=sssd.service
>
> [Install]
> Also=sssd-nss.socket
>
> [Service]
> ExecStartPre=-/bin/chown @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_nss.log
> ExecStart=@libexecdir@/sssd/sssd_nss --debug-to-files --unprivileged-start
> Restart=on-failure
> User=@SSSD_USER@
> Group=@SSSD_USER@
> PermissionsStartOnly=true
>
> As you probably noticed, I've been using systemd's machinery to change
> the debug files' owner and to start the responder by the proper user
> (sssd or root). Well, it doesn't work as well as expected, as systemd
> ends up calling initgroups(sssd, ...) in order to start any service
> using the "sssd" user, and this call is done _before_ starting the NSS
> responder, which will hang for the "default client timeout" (300s).
>
> Okay, we have to change it and here is where I need your help!
The simplest solution would be to disable socket activation for the NSS
responder. Socket activation is supposed to be used for responders that are
seldom used.
I also wonder if this was the easiest. Just enable the service as well
in the RPM.