[Freeipa-users] Re: Ensure that IPA user can be resolved upon SystemD-Unit start
On 12.01.23 17:19, Ronald Wimmer via FreeIPA-users wrote:
> On 12.01.23 16:28, Rob Crittenden wrote:
>> Ronald Wimmer via FreeIPA-users wrote:
>>> I do have a systemd service unit that uses an IPA user. However, upon
>>> reboot it seems that that particular IPA user is not available upon
>>> start of that particular systemd service.
>>>
>>> Using "After=sssd.service" is not sufficient.
>>>
>>> What would you recommend in this case?
>>> (I am looking for a reliable systemd solution and do not want to rely on
>>> a script checking for a particular user with getent for example)
>>
>> You may want to cross-post to the sssd-users list.
>>
>> I'd try nss-user-lookup.target instead. According to systemd.special(7):
>>
>> nss-user-lookup.target
>>     A target that should be used as synchronization point for all
>>     regular UNIX user/group name service lookups. Note that this is
>>     independent of host/network name lookups for which
>>     nss-lookup.target should be used. All services for which the
>>     availability of the full user/group database is essential should be
>>     ordered after this target, but not pull it in. All services which
>>     provide parts of the user/group database should be ordered before
>>     this target, and pull it in. Note that this unit is only relevant
>>     for regular users and groups — system users and groups are required
>>     to be resolvable during earliest boot already, and hence do not
>>     need any special ordering against this target.
>
> Thanks for your input Rob! Unfortunately, nss-lookup.target also seems
> not to be sufficient.
>
> I've asked in the SSSD mailing list:
> https://lists.fedorahosted.org/archives/list/sssd-us...@lists.fedorahosted.org/thread/5E2RCVT36NBIRFUKW4ZKMMIDM6UJOR52/

This is another topic I need to bump as there was no response in the SSSD users mailing list. Maybe Pavel can give some input here?

Cheers,
Ron
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

[Freeipa-users] Re: Ensure that IPA user can be resolved upon SystemD-Unit start
On 12.01.23 16:28, Rob Crittenden wrote:
> Ronald Wimmer via FreeIPA-users wrote:
>> I do have a systemd service unit that uses an IPA user. However, upon
>> reboot it seems that that particular IPA user is not available upon
>> start of that particular systemd service.
>>
>> Using "After=sssd.service" is not sufficient.
>>
>> What would you recommend in this case?
>> (I am looking for a reliable systemd solution and do not want to rely on
>> a script checking for a particular user with getent for example)
>
> You may want to cross-post to the sssd-users list.
>
> I'd try nss-user-lookup.target instead. According to systemd.special(7):
>
> nss-user-lookup.target
>     A target that should be used as synchronization point for all
>     regular UNIX user/group name service lookups. Note that this is
>     independent of host/network name lookups for which
>     nss-lookup.target should be used. All services for which the
>     availability of the full user/group database is essential should be
>     ordered after this target, but not pull it in. All services which
>     provide parts of the user/group database should be ordered before
>     this target, and pull it in. Note that this unit is only relevant
>     for regular users and groups — system users and groups are required
>     to be resolvable during earliest boot already, and hence do not
>     need any special ordering against this target.

Thanks for your input Rob! Unfortunately, nss-lookup.target also seems not to be sufficient.

I've asked in the SSSD mailing list:
https://lists.fedorahosted.org/archives/list/sssd-us...@lists.fedorahosted.org/thread/5E2RCVT36NBIRFUKW4ZKMMIDM6UJOR52/

Cheers,
Ronald

[Freeipa-users] Re: Ensure that IPA user can be resolved upon SystemD-Unit start
Ronald Wimmer via FreeIPA-users wrote:
> I do have a systemd service unit that uses an IPA user. However, upon
> reboot it seems that that particular IPA user is not available upon
> start of that particular systemd service.
>
> Using "After=sssd.service" is not sufficient.
>
> What would you recommend in this case?
> (I am looking for a reliable systemd solution and do not want to rely on
> a script checking for a particular user with getent for example)

You may want to cross-post to the sssd-users list.

I'd try nss-user-lookup.target instead. According to systemd.special(7):

nss-user-lookup.target
    A target that should be used as synchronization point for all
    regular UNIX user/group name service lookups. Note that this is
    independent of host/network name lookups for which
    nss-lookup.target should be used. All services for which the
    availability of the full user/group database is essential should be
    ordered after this target, but not pull it in. All services which
    provide parts of the user/group database should be ordered before
    this target, and pull it in. Note that this unit is only relevant
    for regular users and groups — system users and groups are required
    to be resolvable during earliest boot already, and hence do not
    need any special ordering against this target.

rob
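
The ordering rule quoted from systemd.special(7) in this thread (a consumer orders itself after nss-user-lookup.target but does not pull it in), as an added example that is not part of the original messages: a small Python check run over unit-file text. The unit contents, the user name `ipauser`, the binary `/usr/bin/myapp` and the function names are hypothetical.

```python
# Added example: lint a systemd unit against the nss-user-lookup.target rule
# from systemd.special(7): consumers use After=, but do not pull the target in.
TARGET = "nss-user-lookup.target"
PULL_IN_KEYS = ("Wants", "Requires", "BindsTo")  # directives that pull a unit in


def parse_unit_section(text):
    """Collect the list-valued directives of the [Unit] section.

    Dependency directives may appear several times and accumulate, so the
    values of repeated keys are merged (line continuations are not handled).
    """
    section, directives = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Unit" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        directives.setdefault(key, []).extend(value.split())
    return directives


def check_user_lookup_ordering(text):
    """Return a list of findings; an empty list means the unit follows the rule."""
    unit = parse_unit_section(text)
    findings = []
    if TARGET not in unit.get("After", []):
        findings.append(f"missing After={TARGET}")
    for key in PULL_IN_KEYS:
        if TARGET in unit.get(key, []):
            findings.append(f"{key}= pulls in {TARGET}; a consumer should only order after it")
    return findings


# Constructed sample units (hypothetical service, not taken from the thread).
ONLY_SSSD = "[Unit]\nAfter=sssd.service\n\n[Service]\nUser=ipauser\nExecStart=/usr/bin/myapp\n"
CORRECT = "[Unit]\nAfter=network.target\nAfter=sssd.service nss-user-lookup.target\n\n[Service]\nUser=ipauser\n"
PULLS_IN = "[Unit]\nWants=nss-user-lookup.target\nAfter=nss-user-lookup.target\n"

if __name__ == "__main__":
    for name, text in (("only-sssd", ONLY_SSSD), ("correct", CORRECT), ("pulls-in", PULLS_IN)):
        print(name, check_user_lookup_ordering(text) or "ok")
```

The check covers only the static ordering declared in the unit text; it does not tell you whether the name service can already answer lookups for a given user at that point in boot.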