On 09/10/2014 07:11 PM, Nordgren, Bryce L -FS wrote:
I’m trying to determine whether this is a known feature, a dumb user
problem with a known workaround, or a problem.

I don’t seem to be able to run a systemd service as a user provided by
sssd? I joined my Fedora 19 analysis machine to my freeipa domain and
configured sssd to allow logins from my AD. The simple access provider
lets me in and disallows everyone else. Prior to this conversion, I
had been running “ipython notebook” as me-the-local-user, as a systemd
unit. All my files have been chowned so that my new domain login plays
nice with them.

I can run “ipython notebook” (which is how the service is started)
from the command line and it works.

The problem is, systemd is consistently failing with an exit code of
217/USER. I made a local user (‘ipython’), and systemd runs perfectly
fine. Systemd seems to want its users to exist in /etc/passwd. (getent
passwd <me> succeeds).

Ordinarily, this is where I’d say “fine, ship it”. But my multi TB
data files are on an NFS mount, and they’re owned by
me-the-domain-user. The local ‘ipython’ account can’t manipulate them,
and any new files it makes on the NFS mount will be owned by uidNumber
1000, which doesn’t belong to any domain user. Note that prior to
this, I was manually coordinating UIDs in password files, which is why
this worked: same UID as other systems, user in the password file,
everything works out.

Is there any way to run a system service as an sssd-provided domain
user? For the moment, I guess I’m disabling this systemd service and
running the server by hand inside a screen session.

Do I get it right that you are not actually trying to run systemd itself
as a user but to start a service by systemd that will run as an SSSD user?

You might have a chicken and egg problem because the user might not be
available until SSSD is started and running. So I think the service you
are trying to start should be dependent on SSSD and make sure that SSSD

Sorry if I misunderstood what you are trying to do.

sssd-users mailing list
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
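
The following is an added example, not part of the original thread: a small shell check that flags unit files whose `User=` is missing from the local passwd file (so it has to be resolved through NSS/SSSD) and that are not ordered after `sssd.service`, which is the dependency the reply suggests. The account name `jdoe`, the `/usr/bin/ipython` path and all sample file contents are constructed, and the thread does not confirm that adding the ordering resolves the 217/USER failure.

```shell
#!/bin/sh
# Added example: flag units whose User= is not in the local passwd file
# (so it must come from NSS/SSSD) and that are not ordered After=sssd.service.
# All file contents and the account name "jdoe" are constructed.

# check_unit UNIT_FILE LOCAL_PASSWD
# prints: no-user | local-user | domain-user-ordered | domain-user-unordered
check_unit() {
    unit=$1; passwd=$2
    # Last User= assignment in the file wins.
    user=$(awk '/^[ \t]*User[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); u = $0 }
                END { print u }' "$unit")
    if [ -z "$user" ]; then echo no-user; return 0; fi
    if cut -d: -f1 "$passwd" | grep -Fxq -- "$user"; then
        echo local-user; return 0
    fi
    # After= holds a space-separated list and may appear on several lines.
    if awk '/^[ \t]*After[ \t]*=/ { sub(/^[^=]*=/, ""); print }' "$unit" |
        tr ' \t' '\n\n' | grep -Fxq sssd.service; then
        echo domain-user-ordered
    else
        echo domain-user-unordered
    fi
}

# Write constructed sample files into directory $1.
make_samples() {
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'ipython:x:1000:1000::/home/ipython:/bin/bash' > "$1/passwd"
    printf '%s\n' '[Unit]' 'Description=notebook, local account' \
        '[Service]' 'User=ipython' 'ExecStart=/usr/bin/ipython notebook' > "$1/local.service"
    printf '%s\n' '[Unit]' 'Description=notebook, domain account' 'After=network.target' \
        '[Service]' 'User=jdoe' 'ExecStart=/usr/bin/ipython notebook' > "$1/unordered.service"
    printf '%s\n' '[Unit]' 'Description=notebook, domain account' \
        'After=network.target sssd.service' 'Requires=sssd.service' \
        '[Service]' 'User=jdoe' 'ExecStart=/usr/bin/ipython notebook' > "$1/ordered.service"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for u in local unordered ordered; do
    printf '%s.service: %s\n' "$u" "$(check_unit "$demo_dir/$u.service" "$demo_dir/passwd")"
done
rm -rf "$demo_dir"
```

On a real host the second argument would be `/etc/passwd` and the first a unit file under `/etc/systemd/system`.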