https://bugzilla.redhat.com/show_bug.cgi?id=1897205
Bug ID: 1897205
Summary: SSSD fails to start when run as non-root user
Product: Fedora
Version: 33
OS: Linux
Status: NEW
Component: sssd
Severity: urgent
Assignee: sssd-maintainers@lists.fedoraproject.org
Reporter: apeetham@redhat.com
QA Contact: extras-qa@fedoraproject.org
CC: abokovoy@redhat.com, atikhono@redhat.com, jhrozek@redhat.com, lslebodn@redhat.com, mzidek@redhat.com, pbrezina@redhat.com, rharwood@redhat.com, sbose@redhat.com, ssorce@redhat.com, sssd-maintainers@lists.fedoraproject.org
Target Milestone: ---
Classification: Fedora
Description of problem:
SSSD service fails to restart when "user = sssd" is set in SSSD.CONF. We don't see this behaviour in downstream RHEL-8.3 / RHEL-8.4 systems.

Version-Release number of selected component (if applicable):
sssd-2.4.0-2.fc33.x86_64
libsss_simpleifp-2.4.0-2.fc33.x86_64
How reproducible: Always
Steps to Reproduce:
1. Configure sssd.conf as follows:

[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam, ifp
debug_level = 0xFFF0
user = sssd

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[ifp]
allowed_uids = root
user_attributes = +mail, +givenname, +sn
debug_level = 0xFFF0
2. Restart the SSSD service; it fails with an error.

# systemctl restart sssd; systemctl status sssd
Job for sssd.service failed because the control process exited with error code.
See "systemctl status sssd.service" and "journalctl -xe" for details.
● sssd.service - System Security Services Daemon
     Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: enabled)
     Active: activating (auto-restart) (Result: exit-code) since Thu 2020-11-12 20:27:20 IST; 10ms ago
    Process: 6678 ExecStart=/usr/sbin/sssd -i ${DEBUG_LOGGER} (code=exited, status=4)
   Main PID: 6678 (code=exited, status=4)
        CPU: 15ms

Nov 12 20:27:20 mojito.redhat.com systemd[1]: Failed to start System Security Services Daemon.
3. Below are the sssd.log contents, logged right after service restart:

(2020-11-12 20:27:20): [sssd] [monitor_quit_signal] (0x2000): Received shutdown command
(2020-11-12 20:27:20): [sssd] [monitor_quit_signal] (0x0040): Monitor received Terminated: terminating children
(2020-11-12 20:27:20): [sssd] [monitor_quit] (0x0040): Returned with: 0
(2020-11-12 20:27:20): [sssd] [monitor_quit] (0x0020): Terminating [ifp][6526]
(2020-11-12 20:27:20): [sssd] [monitor_quit] (0x0020): Child [ifp] exited gracefully
(2020-11-12 20:27:20): [sssd] [monitor_quit] (0x0020): Terminating [pam][6525]
(2020-11-12 20:27:20): [sssd] [monitor_quit] (0x0020): Child [pam] terminated with a signal
(2020-11-12 20:27:20): [sssd] [monitor_quit] (0x0020): Terminating [nss][6524]
(2020-11-12 20:27:20): [sssd] [monitor_quit] (0x0020): Child [nss] exited gracefully
(2020-11-12 20:27:20): [sssd] [monitor_quit] (0x0020): Terminating [implicit_files][6523]
(2020-11-12 20:27:20): [sssd] [monitor_quit] (0x0020): Child [implicit_files] exited gracefully
(2020-11-12 20:27:20): [sssd] [watch_ctx_destructor] (0x2000): Closing inotify fd 0
(2020-11-12 20:27:20:592247): [sssd] [get_service_user] (0x0010): Failed to set allowed UIDs.
(2020-11-12 20:27:20:592289): [sssd] [get_monitor_config] (0x0020): Failed to get the unprivileged user
(2020-11-12 20:27:20:592325): [sssd] [main] (0x0020): SSSD couldn't load the configuration database.
(2020-11-12 20:27:20:860946): [sssd] [get_service_user] (0x0010): Failed to set allowed UIDs.
(2020-11-12 20:27:20:861023): [sssd] [get_monitor_config] (0x0020): Failed to get the unprivileged user
(2020-11-12 20:27:20:861077): [sssd] [main] (0x0020): SSSD couldn't load the configuration database.
(2020-11-12 20:27:21:099530): [sssd] [get_service_user] (0x0010): Failed to set allowed UIDs.
(2020-11-12 20:27:21:099570): [sssd] [get_monitor_config] (0x0020): Failed to get the unprivileged user
(2020-11-12 20:27:21:099609): [sssd] [main] (0x0020): SSSD couldn't load the configuration database.
(2020-11-12 20:27:21:354551): [sssd] [get_service_user] (0x0010): Failed to set allowed UIDs.
(2020-11-12 20:27:21:354631): [sssd] [get_monitor_config] (0x0020): Failed to get the unprivileged user
(2020-11-12 20:27:21:354678): [sssd] [main] (0x0020): SSSD couldn't load the configuration database.
(2020-11-12 20:27:21:596433): [sssd] [get_service_user] (0x0010): Failed to set allowed UIDs.
(2020-11-12 20:27:21:596565): [sssd] [get_monitor_config] (0x0020): Failed to get the unprivileged user
(2020-11-12 20:27:21:596672): [sssd] [main] (0x0020): SSSD couldn't load the configuration database.
Actual results: SSSD fails to restart.
Expected results: Like rhel-8.4, sssd service should restart without issues.
Additional info:
Alexey Tikhonov atikhono@redhat.com changed:
What  |Removed |Added
----------------------------------------------------------------------------
Flags |        |needinfo?(apeetham@redhat.com)
--- Comment #1 from Alexey Tikhonov atikhono@redhat.com ---
Hi,

1) I would expect 0x0040 level message from `sss_user_by_name_or_uid()` in the log.

Does sssd.conf correspond to the log provided? (I don't see `debug_microseconds` enabled in sssd.conf, but microseconds are in the log.)

2) Could you please provide output of `id sssd` on this system?
Amith apeetham@redhat.com changed:
What  |Removed                        |Added
----------------------------------------------------------------------------
Flags |needinfo?(apeetham@redhat.com) |
--- Comment #2 from Amith apeetham@redhat.com ---
(In reply to Alexey Tikhonov from comment #1)
> Hi,
>
> 1) I would expect 0x0040 level message from `sss_user_by_name_or_uid()` in
> the log.
With debug_level = 0x0040 set in SSSD section, I could get only the following data from sssd.log file:
# cat sssd.log
(2020-11-19 6:37:18:819963): [sssd] [get_service_user] (0x0010): Failed to set allowed UIDs.
(2020-11-19 6:37:18:820023): [sssd] [get_monitor_config] (0x0020): Failed to get the unprivileged user
(2020-11-19 6:37:18:820062): [sssd] [main] (0x0020): SSSD couldn't load the configuration database.
(2020-11-19 6:37:18:996977): [sssd] [get_service_user] (0x0010): Failed to set allowed UIDs.
(2020-11-19 6:37:18:997013): [sssd] [get_monitor_config] (0x0020): Failed to get the unprivileged user
(2020-11-19 6:37:18:997051): [sssd] [main] (0x0020): SSSD couldn't load the configuration database.
(2020-11-19 6:37:19:232383): [sssd] [get_service_user] (0x0010): Failed to set allowed UIDs.
(2020-11-19 6:37:19:232440): [sssd] [get_monitor_config] (0x0020): Failed to get the unprivileged user
(2020-11-19 6:37:19:232487): [sssd] [main] (0x0020): SSSD couldn't load the configuration database.
(2020-11-19 6:37:19:491074): [sssd] [get_service_user] (0x0010): Failed to set allowed UIDs.
(2020-11-19 6:37:19:491112): [sssd] [get_monitor_config] (0x0020): Failed to get the unprivileged user
(2020-11-19 6:37:19:491147): [sssd] [main] (0x0020): SSSD couldn't load the configuration database.
(2020-11-19 6:37:19:743258): [sssd] [get_service_user] (0x0010): Failed to set allowed UIDs.
(2020-11-19 6:37:19:743302): [sssd] [get_monitor_config] (0x0020): Failed to get the unprivileged user
(2020-11-19 6:37:19:743351): [sssd] [main] (0x0020): SSSD couldn't load the configuration database.
Here are the sssd.conf settings:

# cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam, ifp
debug_level = 0x0040
user = sssd

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[ifp]
allowed_uids = root
user_attributes = +mail, +givenname, +sn
debug_level = 0x0040
> Does sssd.conf correspond log provided? (I don't see `debug_microseconds` enabled in sssd.conf, but microseconds are in the log.)
>
> 2) could you please provide output of `id sssd` on this system?
In the case of RHEL-8.4.0, "sssd" user gets created automatically. Here is the sssd rpm version and id command output:

# rpm -q sssd
sssd-2.3.0-9.el8.x86_64

# id sssd
uid=996(sssd) gid=993(sssd) groups=993(sssd)

In the case of Fedora-33, "sssd" user is not created at all.

# rpm -q sssd
sssd-2.4.0-2.fc33.x86_64

# id sssd
id: ‘sssd’: no such user
Alexey Tikhonov atikhono@redhat.com changed:
What     |Removed |Added
----------------------------------------------------------------------------
Keywords |        |Triaged
--- Comment #3 from Alexey Tikhonov atikhono@redhat.com ---
(In reply to Amith from comment #2)
> > 2) could you please provide output of `id sssd` on this system?
>
> In the case of RHEL-8.4.0, "sssd" user gets created automatically.

On RHEL the corresponding user and group are created during package installation via the `%pre` section in the spec-file.

> In the case of Fedora-33, "sssd" user is not created at all.

The spec-file in Fedora is different and doesn't create that user/group.

So please either create the user/group manually and close this BZ as "notabug" or convert this BZ to RFE (but I'm not sure if it makes much sense).
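
Added example (not part of the original thread and not SSSD project code): a preflight check for the failure diagnosed above. It reads the `user` option from the `[sssd]` section of a given sssd.conf and verifies that the account resolves before the service is restarted. The function names and return codes are assumptions made for this illustration.

```sh
#!/bin/sh
# Added example, not SSSD project code. Checks that the account named by
# "user" in the [sssd] section of sssd.conf resolves on this host.

# Print the value of "user" from the [sssd] section only; a "user" key in
# any other section is ignored.
sssd_conf_user() {
    awk '
        /^[ \t]*\[/ { in_sssd = ($0 ~ /^[ \t]*\[sssd\][ \t]*$/); next }
        in_sssd && /^[ \t]*user[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")   # drop "user =" and leading blanks
            sub(/[ \t]+$/, "")         # drop trailing blanks
            print
            exit
        }' "$1"
}

# Return codes (chosen for this example):
#   0  configured account exists
#   1  configured account is missing (the situation in this report)
#   2  no "user" option in [sssd], so there is nothing to verify
check_sssd_user() {
    conf=$1
    user=$(sssd_conf_user "$conf")
    if [ -z "$user" ]; then
        echo "no 'user' option in [sssd] of $conf; nothing to check"
        return 2
    fi
    if id "$user" >/dev/null 2>&1; then
        echo "account '$user' exists: $(id "$user")"
        return 0
    fi
    echo "account '$user' named in $conf does not exist"
    echo "expect 'Failed to set allowed UIDs' from get_service_user at startup"
    echo "create the user and group first, or remove 'user = $user'"
    return 1
}

# Run the check when a config path is given, e.g.:
#   sh check_sssd_user.sh /etc/sssd/sssd.conf
if [ $# -gt 0 ]; then
    check_sssd_user "$1"
fi
```

On the Fedora 33 host from comment #2 this check would take the "does not exist" branch, matching the `id sssd` output shown there.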
Amith apeetham@redhat.com changed:
What        |Removed |Added
----------------------------------------------------------------------------
Status      |NEW     |CLOSED
Resolution  |---     |NOTABUG
Last Closed |        |2021-01-20 08:20:23
--- Comment #4 from Amith apeetham@redhat.com ---
Closing this bug based on the comment #2.