On Wed, Mar 16, 2022 at 11:39 AM Brian J. Murrell <brian(a)interlinx.bc.ca>
wrote:
> Hi,
Hi.
> What OS are you running on your system?
EL8.5
Did you tune any default SELinux policies?
> What is the output of `cat /etc/nsswitch.conf | grep passwd` on your
> system?
passwd: sss files systemd
You might want to consider:
- changing the order to: 'files sss ...'
and
- setting `enable_files_domain = false` (see `man sssd.conf` for details)
> Do you use SSSD on purpose?
Yes. I use FreeIPA here.
Does `getent passwd $your_ipa_use` work for you?
So it's not at all surprising to see these /var/lib/sss accesses. I
just want to understand what they might be for and why nothing is
(apparently) breaking due to the accesses being denied,
Most probably those are lookups (`getpwnam()`, etc.) of local users.
When SSSD fails to serve this lookup, it is served by the next source in
your nsswitch.conf (i.e. 'files').
and if that's a
condition that can continue to happen without there being some future
fall-out. I.e. what is the result of those accesses being denied
instead of being allowed?
If the client app can't connect to the sssd_nss responder socket, then any SSSD
lookup should fail...