Severity: grave
thanks

On 06.01.2018 17:07, Juha Jäykkä wrote:
> Package: sssd
> Version: 1.16.0-3
> Severity: minor
> 
> Dear Maintainer,
> 
> There is a regression in 1.16.0-2 and -3, rendering existing sssd configurations
> unable to authenticate users. This happens if the old config file has
> 
> services = nss, pam
> 
> in it. This used to be "the right way" of doing things but now with socket activated
> nss and pam services sssd gets confused and its pam service no longer works. Removing
> said line fixes it (hence "Severity: minor") but this is highly confusing to the admin
> as the service seems to be up and running.
> 
> The clue is in the log:
> 
> Jan 06 14:50:47 rigel sssd_check_socket_activated_responders[8175]: (Sat Jan  6 14:50:47:876645 2018) [sssd] [main] (0x0010): Misconfiguration found for the pam responder.
> Jan 06 14:50:47 rigel sssd_check_socket_activated_responders[8175]: The pam responder has been configured to be socket-activated but it's still mentioned in the services' line in /etc/sssd/sssd.conf.
> Jan 06 14:50:47 rigel sssd_check_socket_activated_responders[8175]: Please, consider either adjusting your services' line in /etc/sssd/sssd.conf or disabling the pam's socket by calling:
> Jan 06 14:50:47 rigel sssd_check_socket_activated_responders[8175]: "systemctl disable sssd-pam.socket"
> Jan 06 14:50:47 rigel systemd[1]: sssd-pam-priv.socket: Control process exited, code=exited status=17
> Jan 06 14:50:47 rigel systemd[1]: sssd-pam-priv.socket: Failed with result 'exit-code'.
> Jan 06 14:50:47 rigel systemd[1]: Failed to listen on SSSD PAM Service responder private socket.
> Jan 06 14:50:47 rigel systemd[1]: Dependency failed for SSSD PAM Service responder socket.
> Jan 06 14:50:47 rigel systemd[1]: sssd-pam.socket: Job sssd-pam.socket/start failed with result 'dependency'.
> Jan 06 14:50:47 rigel systemd[1]: Listening on SSSD NSS Service responder socket.
> 
> Note how the log says "please consider" instead of "this is an error, this will not work" and
> later shows a failure.
> 
> From the first "please consider" message I would presume sssd is supposed to gracefully
> recover. The service seems to start when needed and responds to some queries but always ends
> auth process with
> 
> [sssd[pam]] [pam_dp_process_reply] (0x0010): Reply error.
> 
> And this means auth failure for pam of course.
> 
> Cheers,
> Juha
> 
> P.S. This may be "works as intended" but considering it took me quite a while to figure
> out why my existing, working configuration got broken and google came up with no help at all,
> I would think at least getting this report onto google results would be helpful to some people.

Bumping severity, this can't migrate to testing..


-- 
t
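
As an added example (not part of the original messages and not sssd's own code): a small Python check for the conflict the log above describes, a responder listed on the `services` line while its socket unit is enabled. It extends the report's pam case to any responder on the assumption that socket units are named `sssd-<responder>.socket`; the sample config, the unit set and the function names are constructed for illustration.

```python
import configparser

# Constructed sample: the kind of older config the report describes.
SAMPLE_CONF = """\
[sssd]
services = nss, pam
domains = example

[domain/example]
id_provider = ldap
"""


def configured_services(conf_text):
    """Return the responders named on the [sssd] 'services' line."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    raw = cp.get("sssd", "services", fallback="")
    return {s.strip() for s in raw.split(",") if s.strip()}


def conflicting_responders(conf_text, enabled_units):
    """Responders listed in 'services' whose socket unit is also enabled.

    Assumption: socket units follow the sssd-<responder>.socket naming
    seen in the log (sssd-pam.socket).
    """
    listed = configured_services(conf_text)
    return sorted(s for s in listed if f"sssd-{s}.socket" in enabled_units)


def report(conf_text, enabled_units):
    """One line per conflict, naming both fixes the sssd log message offers."""
    return [
        f"{name}: listed in services= and sssd-{name}.socket is enabled; "
        f"remove it from services= or run 'systemctl disable sssd-{name}.socket'"
        for name in conflicting_responders(conf_text, enabled_units)
    ]


if __name__ == "__main__":
    # Constructed unit state; on a real host collect it with `systemctl is-enabled`.
    enabled = {"sssd-nss.socket", "sssd-pam.socket", "sssd-pam-priv.socket"}
    for line in report(SAMPLE_CONF, enabled):
        print(line)
```

Running this over `/etc/sssd/sssd.conf` before or after an upgrade to a socket-activated package surfaces the conflict as a hard finding instead of a "please consider" log line.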
