Bug#977462: Debian Edu sssd.conf conflicts with sssd service sockets

To: submit@bugs.debian.org
Subject: Bug#977462: Debian Edu sssd.conf conflicts with sssd service sockets
From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Date: Tue, 15 Dec 2020 11:33:44 +0000
Message-id: <[🔎] 20201215113344.Horde.uFppYvgY5O5kxH7h8yBRe9-@mail.das-netzwerkteam.de>
Reply-to: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>, 977462@bugs.debian.org

Package: debian-edu-config
Severity: important
Version: 2.11.39

On Roaming Workstation, the /etc/sssd/sssd-debian-edu.conf causeserror messages during boot:


```
root@notebook-35:~# journalctl -b 0  | grep socket | grep -i sssd

Dez 15 11:51:41 notebook-35.intern systemd[1]: Starting SSSD NSSService responder socket.Dez 15 11:51:41 notebook-35.intern systemd[1]: Starting SSSD PAMService responder private socket.Dez 15 11:51:41 notebook-35.internsssd_check_socket_activated_responders[824]: (2020-12-1511:51:41:970085): [sssd] [main] (0x0010): Misconfiguration found forthe nss responder.Dez 15 11:51:41 notebook-35.internsssd_check_socket_activated_responders[824]: The nss responder hasbeen configured to be socket-activated but it's still mentioned in theservices' line in /etc/sssd/sssd.conf.Dez 15 11:51:41 notebook-35.internsssd_check_socket_activated_responders[824]: Please, consider eitheradjusting your services' line in /etc/sssd/sssd.conf or disabling thenss's socket by calling:Dez 15 11:51:41 notebook-35.internsssd_check_socket_activated_responders[826]: (2020-12-1511:51:41:970085): [sssd] [main] (0x0010): Misconfiguration found forthe pam responder.Dez 15 11:51:41 notebook-35.internsssd_check_socket_activated_responders[826]: The pam responder hasbeen configured to be socket-activated but it's still mentioned in theservices' line in /etc/sssd/sssd.conf.Dez 15 11:51:41 notebook-35.internsssd_check_socket_activated_responders[826]: Please, consider eitheradjusting your services' line in /etc/sssd/sssd.conf or disabling thepam's socket by calling:Dez 15 11:51:41 notebook-35.internsssd_check_socket_activated_responders[824]: "systemctl disablesssd-nss.socket"Dez 15 11:51:41 notebook-35.internsssd_check_socket_activated_responders[826]: "systemctl disablesssd-pam.socket"Dez 15 11:51:41 notebook-35.intern systemd[1]: sssd-nss.socket:Control process exited, code=exited, status=17/n/aDez 15 11:51:41 notebook-35.intern systemd[1]: sssd-nss.socket: Failedwith result 'exit-code'.Dez 15 11:51:41 notebook-35.intern systemd[1]: Failed to listen onSSSD NSS Service responder socket.Dez 15 11:51:41 notebook-35.intern systemd[1]: sssd-pam-priv.socket:Control process exited, code=exited, status=17/n/aDez 15 11:51:41 notebook-35.intern systemd[1]: sssd-pam-priv.socket:Failed with result 'exit-code'.Dez 15 11:51:41 notebook-35.intern systemd[1]: Failed to listen onSSSD PAM Service responder private socket.Dez 15 11:51:41 notebook-35.intern systemd[1]: Dependency failed forSSSD PAM Service responder socket.Dez 15 11:51:41 notebook-35.intern systemd[1]: sssd-pam.socket: Jobsssd-pam.socket/start failed with result 'dependency'.Dez 15 11:51:41 notebook-35.intern systemd[1]: Starting SSSD AutoFSService responder socket.Dez 15 11:51:41 notebook-35.intern systemd[1]: Starting SSSD PACService responder socket.Dez 15 11:51:41 notebook-35.intern systemd[1]: Starting SSSD SSHService responder socket.Dez 15 11:51:41 notebook-35.intern systemd[1]: Starting SSSD SudoService responder socket.Dez 15 11:51:41 notebook-35.internsssd_check_socket_activated_responders[835]: (2020-12-1511:51:41:978982): [sssd] [main] (0x0010): Misconfiguration found forthe autofs responder.Dez 15 11:51:41 notebook-35.internsssd_check_socket_activated_responders[835]: The autofs responder hasbeen configured to be socket-activated but it's still mentioned in theservices' line in /etc/sssd/sssd.conf.Dez 15 11:51:41 notebook-35.internsssd_check_socket_activated_responders[835]: Please, consider eitheradjusting your services' line in /etc/sssd/sssd.conf or disabling theautofs's socket by calling:Dez 15 11:51:41 notebook-35.internsssd_check_socket_activated_responders[835]: "systemctl disablesssd-autofs.socket"Dez 15 11:51:41 notebook-35.intern systemd[1]: sssd-autofs.socket:Control process exited, code=exited, status=17/n/aDez 15 11:51:41 notebook-35.intern systemd[1]: sssd-autofs.socket:Failed with result 'exit-code'.Dez 15 11:51:41 notebook-35.intern systemd[1]: Failed to listen onSSSD AutoFS Service responder socket.Dez 15 11:51:41 notebook-35.intern systemd[1]: Listening on SSSD SSHService responder socket.Dez 15 11:51:41 notebook-35.intern systemd[1]: Listening on SSSD PACService responder socket.Dez 15 11:51:41 notebook-35.intern systemd[1]: Listening on SSSD SudoService responder socket.Dez 15 11:51:56 notebook-35.intern systemd[1]: Starting SSSD PAMService responder private socket.Dez 15 11:51:56 notebook-35.intern systemd[1]: Starting SSSD PAMService responder socket.Dez 15 11:51:56 notebook-35.internsssd_check_socket_activated_responders[1607]: (2020-12-1511:51:56:347851): [sssd] [main] (0x0010): Misconfiguration found forthe pam responder.Dez 15 11:51:56 notebook-35.internsssd_check_socket_activated_responders[1607]: The pam responder hasbeen configured to be socket-activated but it's still mentioned in theservices' line in /etc/sssd/sssd.conf.Dez 15 11:51:56 notebook-35.internsssd_check_socket_activated_responders[1607]: Please, consider eitheradjusting your services' line in /etc/sssd/sssd.conf or disabling thepam's socket by calling:Dez 15 11:51:56 notebook-35.internsssd_check_socket_activated_responders[1607]: "systemctl disablesssd-pam.socket"Dez 15 11:51:56 notebook-35.intern systemd[1]: sssd-pam-priv.socket:Control process exited, code=exited, status=17/n/aDez 15 11:51:56 notebook-35.internsssd_check_socket_activated_responders[1608]: (2020-12-1511:51:56:348023): [sssd] [main] (0x0010): Misconfiguration found forthe pam responder.Dez 15 11:51:56 notebook-35.internsssd_check_socket_activated_responders[1608]: The pam responder hasbeen configured to be socket-activated but it's still mentioned in theservices' line in /etc/sssd/sssd.conf.Dez 15 11:51:56 notebook-35.internsssd_check_socket_activated_responders[1608]: Please, consider eitheradjusting your services' line in /etc/sssd/sssd.conf or disabling thepam's socket by calling:Dez 15 11:51:56 notebook-35.intern systemd[1]: sssd-pam-priv.socket:Failed with result 'exit-code'.Dez 15 11:51:56 notebook-35.internsssd_check_socket_activated_responders[1608]: "systemctl disablesssd-pam.socket"Dez 15 11:51:56 notebook-35.intern systemd[1]: Failed to listen onSSSD PAM Service responder private socket.Dez 15 11:51:56 notebook-35.intern systemd[1]: Dependency failed forSSSD PAM Service responder socket.Dez 15 11:51:56 notebook-35.intern systemd[1]: sssd-pam.socket: Jobsssd-pam.socket/start failed with result 'dependency'.Dez 15 11:51:56 notebook-35.intern systemd[1]: sssd-pam.socket:Control process exited, code=exited, status=17/n/aDez 15 11:51:56 notebook-35.intern systemd[1]: sssd-pam.socket: Failedwith result 'exit-code'.Dez 15 11:51:56 notebook-35.intern systemd[1]: Closed SSSD PAM Serviceresponder socket.Dez 15 12:00:45 notebook-35.intern systemd[1]: Starting SSSD PAMService responder private socket.Dez 15 12:00:45 notebook-35.intern systemd[1]: Starting SSSD PAMService responder socket.Dez 15 12:00:45 notebook-35.internsssd_check_socket_activated_responders[4875]: (2020-12-1512:00:45:730707): [sssd] [main] (0x0010): Misconfiguration found forthe pam responder.Dez 15 12:00:45 notebook-35.internsssd_check_socket_activated_responders[4875]: The pam responder hasbeen configured to be socket-activated but it's still mentioned in theservices' line in /etc/sssd/sssd.conf.Dez 15 12:00:45 notebook-35.internsssd_check_socket_activated_responders[4875]: Please, consider eitheradjusting your services' line in /etc/sssd/sssd.conf or disabling thepam's socket by calling:Dez 15 12:00:45 notebook-35.internsssd_check_socket_activated_responders[4875]: "systemctl disablesssd-pam.socket"Dez 15 12:00:45 notebook-35.internsssd_check_socket_activated_responders[4876]: (2020-12-1512:00:45:730867): [sssd] [main] (0x0010): Misconfiguration found forthe pam responder.Dez 15 12:00:45 notebook-35.internsssd_check_socket_activated_responders[4876]: The pam responder hasbeen configured to be socket-activated but it's still mentioned in theservices' line in /etc/sssd/sssd.conf.Dez 15 12:00:45 notebook-35.internsssd_check_socket_activated_responders[4876]: Please, consider eitheradjusting your services' line in /etc/sssd/sssd.conf or disabling thepam's socket by calling:Dez 15 12:00:45 notebook-35.internsssd_check_socket_activated_responders[4876]: "systemctl disablesssd-pam.socket"Dez 15 12:00:45 notebook-35.intern systemd[1]: sssd-pam-priv.socket:Control process exited, code=exited, status=17/n/aDez 15 12:00:45 notebook-35.intern systemd[1]: sssd-pam-priv.socket:Failed with result 'exit-code'.Dez 15 12:00:45 notebook-35.intern systemd[1]: Failed to listen onSSSD PAM Service responder private socket.Dez 15 12:00:45 notebook-35.intern systemd[1]: Dependency failed forSSSD PAM Service responder socket.Dez 15 12:00:45 notebook-35.intern systemd[1]: sssd-pam.socket: Jobsssd-pam.socket/start failed with result 'dependency'.Dez 15 12:00:45 notebook-35.intern systemd[1]: sssd-pam.socket:Control process exited, code=exited, status=17/n/aDez 15 12:00:45 notebook-35.intern systemd[1]: sssd-pam.socket: Failedwith result 'exit-code'.Dez 15 12:00:45 notebook-35.intern systemd[1]: Closed SSSD PAM Serviceresponder socket.

```

To possible ways to fix this:

Solution 1 (I guess the preferred, but maybe we loose thefilter_groups and filter_users options)


```
root@notebook-35:~# etckeeper vcs diff
diff --git a/sssd/sssd.conf b/sssd/sssd.conf
index 9451b33..1eb8078 100644
--- a/sssd/sssd.conf
+++ b/sssd/sssd.conf
@@ -3,19 +3,8 @@
 config_file_version = 2
 reconnection_retries = 3
 sbus_timeout = 30
-services = nss, pam, autofs
 domains = intern

-[nss]
-filter_groups = root
-filter_users = root
-reconnection_retries = 3
-
-[pam]
-reconnection_retries = 3
-
-[autofs]
-
 [domain/intern]
 ; Using enumerate = true leads to high load and slow response
 enumerate = false
```

Solution 2 (possibly old-stylish):

Disable these systemd socket listeners:

/lib/systemd/system/sssd-autofs.socket
/lib/systemd/system/sssd-nss.socket
/lib/systemd/system/sssd-pam.socket

(Maybe also these???)
/lib/systemd/system/sssd-ssh.socket
/lib/systemd/system/sssd-pam-priv.socket

I am not an expert on sssd, but I think we should make sure to avoiderror messages / service startup failures during system boot on DebianEdu Roaming Workstations.


Any other ideas?

Mike
--

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

Attachment: pgppcKbd9_vCT.pgp
Description: Digitale PGP-Signatur

Reply to:

Follow-Ups:
- Bug#977462: Debian Edu sssd.conf conflicts with sssd service sockets
  - From: Wolfgang Schweer <w.schweer@gmx.de>
- Processed: Bug#977462 marked as pending in debian-edu-config
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>
- Bug#977462: marked as done (Debian Edu sssd.conf conflicts with sssd service sockets)
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>

Prev by Date: debian-edu-artwork_2.11.2-1_source.changes ACCEPTED into unstable
Next by Date: Processing of debian-edu-install_2.11.11_source.changes
Previous by thread: debian-edu-artwork_2.11.2-1_source.changes ACCEPTED into unstable
Next by thread: Bug#977462: Debian Edu sssd.conf conflicts with sssd service sockets
Index(es):
- Date
- Thread