[Freeipa] [Bug 2061055] Re: Joining IPA domain does not restart ssh -- 'sshd.service' alias is not set up by default
This bug was fixed in the package freeipa - 4.11.1-2 --- freeipa (4.11.1-2) unstable; urgency=medium * use-raw-strings.diff: Import patch from upstream to fix noise when installing. (LP: #2060298) * map-ssh-service.diff: Map sshd service to use ssh.service. (LP: #2061055) -- Timo Aaltonen Fri, 12 Apr 2024 14:31:35 +0300 ** Changed in: freeipa (Ubuntu) Status: In Progress => Fix Released -- You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu. https://bugs.launchpad.net/bugs/2061055 Title: Joining IPA domain does not restart ssh -- 'sshd.service' alias is not set up by default Status in freeipa package in Ubuntu: Fix Released Status in openssh package in Ubuntu: Triaged Bug description: Joining a FreeIPA domain reconfigures SSH. E.g. it enables GSSAPI authentication in /etc/ssh/sshd_config.d/04-ipa.conf . After that, it tries to restart sshd, but that fails as "sshd.service" is not a thing on Ubuntu: 2024-04-12T03:10:57Z DEBUG args=['/bin/systemctl', 'is-active', 'sshd.service'] 2024-04-12T03:10:57Z DEBUG Process finished, return code=4 (in /var/log/ipaclient-install.log) While that could be changed in freeipa, I'd argue that this is really a bug in Ubuntu's openssh package. Many upstream software, Ansible scripts etc. assume that the service is "sshd.service". In Debian/Ubuntu the primary unit is "ssh.service", but it has an `[Install] Alias=sshd.service`. That works in Debian because there sshd.service *actually* gets enabled by default, and ssh.socket isn't. But Ubuntu moved to socket activation (which is good!), so that ssh.socket is running by default. But that means that ssh.service never gets "systemctl enable"d, and hence the alias never gets set up: # systemctl status sshd.service Unit sshd.service could not be found. So if ssh.service is already running, it never gets restarted by "ipa- client-install". It would be really good to make that alias work by default -- if nothing else, just ship the symlink in the .deb, or create the symlink manually in the postinst? freeipa-client 4.10.2-2ubuntu3 openssh-server 1:9.6p1-3ubuntu12 Note: we have tested this functionality in Cockpit on Ubuntu for a long time already. But until very recently we had a workaround to force the creation of that alias: https://github.com/cockpit-project/bots/commit/3bf1b20f3fa5fe202b9710b3fe78d2133ba03f5d We dropped it because it broke image builds due to some bugs in openssh's postinst, but it was a bad one anyway: actual users don't have that hack, and it hides bugs like this. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/2061055/+subscriptions ___ Mailing list: https://launchpad.net/~freeipa Post to : freeipa@lists.launchpad.net Unsubscribe : https://launchpad.net/~freeipa More help : https://help.launchpad.net/ListHelp
[Freeipa] [Bug 2061055] Re: Joining IPA domain does not restart ssh -- 'sshd.service' alias is not set up by default
** Changed in: openssh (Ubuntu) Status: New => Confirmed ** Changed in: openssh (Ubuntu) Status: Confirmed => Triaged ** Changed in: freeipa (Ubuntu) Status: New => In Progress -- You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu. https://bugs.launchpad.net/bugs/2061055 Title: Joining IPA domain does not restart ssh -- 'sshd.service' alias is not set up by default Status in freeipa package in Ubuntu: In Progress Status in openssh package in Ubuntu: Triaged Bug description: Joining a FreeIPA domain reconfigures SSH. E.g. it enables GSSAPI authentication in /etc/ssh/sshd_config.d/04-ipa.conf . After that, it tries to restart sshd, but that fails as "sshd.service" is not a thing on Ubuntu: 2024-04-12T03:10:57Z DEBUG args=['/bin/systemctl', 'is-active', 'sshd.service'] 2024-04-12T03:10:57Z DEBUG Process finished, return code=4 (in /var/log/ipaclient-install.log) While that could be changed in freeipa, I'd argue that this is really a bug in Ubuntu's openssh package. Many upstream software, Ansible scripts etc. assume that the service is "sshd.service". In Debian/Ubuntu the primary unit is "ssh.service", but it has an `[Install] Alias=sshd.service`. That works in Debian because there sshd.service *actually* gets enabled by default, and ssh.socket isn't. But Ubuntu moved to socket activation (which is good!), so that ssh.socket is running by default. But that means that ssh.service never gets "systemctl enable"d, and hence the alias never gets set up: # systemctl status sshd.service Unit sshd.service could not be found. So if ssh.service is already running, it never gets restarted by "ipa- client-install". It would be really good to make that alias work by default -- if nothing else, just ship the symlink in the .deb, or create the symlink manually in the postinst? freeipa-client 4.10.2-2ubuntu3 openssh-server 1:9.6p1-3ubuntu12 Note: we have tested this functionality in Cockpit on Ubuntu for a long time already. But until very recently we had a workaround to force the creation of that alias: https://github.com/cockpit-project/bots/commit/3bf1b20f3fa5fe202b9710b3fe78d2133ba03f5d We dropped it because it broke image builds due to some bugs in openssh's postinst, but it was a bad one anyway: actual users don't have that hack, and it hides bugs like this. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/2061055/+subscriptions ___ Mailing list: https://launchpad.net/~freeipa Post to : freeipa@lists.launchpad.net Unsubscribe : https://launchpad.net/~freeipa More help : https://help.launchpad.net/ListHelp
[Freeipa] [Bug 2061055] Re: Joining IPA domain does not restart ssh -- 'sshd.service' alias is not set up by default
Yeah, I could live with that -- but TBH I still consider this mostly a bug in openssh. querying the status of sshd.service really should work. Arch, RHEL, Fedora, OpenSUSE etc. all call this sshd.service. -- You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu. https://bugs.launchpad.net/bugs/2061055 Title: Joining IPA domain does not restart ssh -- 'sshd.service' alias is not set up by default Status in freeipa package in Ubuntu: New Status in openssh package in Ubuntu: New Bug description: Joining a FreeIPA domain reconfigures SSH. E.g. it enables GSSAPI authentication in /etc/ssh/sshd_config.d/04-ipa.conf . After that, it tries to restart sshd, but that fails as "sshd.service" is not a thing on Ubuntu: 2024-04-12T03:10:57Z DEBUG args=['/bin/systemctl', 'is-active', 'sshd.service'] 2024-04-12T03:10:57Z DEBUG Process finished, return code=4 (in /var/log/ipaclient-install.log) While that could be changed in freeipa, I'd argue that this is really a bug in Ubuntu's openssh package. Many upstream software, Ansible scripts etc. assume that the service is "sshd.service". In Debian/Ubuntu the primary unit is "ssh.service", but it has an `[Install] Alias=sshd.service`. That works in Debian because there sshd.service *actually* gets enabled by default, and ssh.socket isn't. But Ubuntu moved to socket activation (which is good!), so that ssh.socket is running by default. But that means that ssh.service never gets "systemctl enable"d, and hence the alias never gets set up: # systemctl status sshd.service Unit sshd.service could not be found. So if ssh.service is already running, it never gets restarted by "ipa- client-install". It would be really good to make that alias work by default -- if nothing else, just ship the symlink in the .deb, or create the symlink manually in the postinst? freeipa-client 4.10.2-2ubuntu3 openssh-server 1:9.6p1-3ubuntu12 Note: we have tested this functionality in Cockpit on Ubuntu for a long time already. But until very recently we had a workaround to force the creation of that alias: https://github.com/cockpit-project/bots/commit/3bf1b20f3fa5fe202b9710b3fe78d2133ba03f5d We dropped it because it broke image builds due to some bugs in openssh's postinst, but it was a bad one anyway: actual users don't have that hack, and it hides bugs like this. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/2061055/+subscriptions ___ Mailing list: https://launchpad.net/~freeipa Post to : freeipa@lists.launchpad.net Unsubscribe : https://launchpad.net/~freeipa More help : https://help.launchpad.net/ListHelp
[Freeipa] [Bug 2061055] Re: Joining IPA domain does not restart ssh -- 'sshd.service' alias is not set up by default
oh, I'm blind... so adding the mapping for both should be alright then -- You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu. https://bugs.launchpad.net/bugs/2061055 Title: Joining IPA domain does not restart ssh -- 'sshd.service' alias is not set up by default Status in freeipa package in Ubuntu: New Status in openssh package in Ubuntu: New Bug description: Joining a FreeIPA domain reconfigures SSH. E.g. it enables GSSAPI authentication in /etc/ssh/sshd_config.d/04-ipa.conf . After that, it tries to restart sshd, but that fails as "sshd.service" is not a thing on Ubuntu: 2024-04-12T03:10:57Z DEBUG args=['/bin/systemctl', 'is-active', 'sshd.service'] 2024-04-12T03:10:57Z DEBUG Process finished, return code=4 (in /var/log/ipaclient-install.log) While that could be changed in freeipa, I'd argue that this is really a bug in Ubuntu's openssh package. Many upstream software, Ansible scripts etc. assume that the service is "sshd.service". In Debian/Ubuntu the primary unit is "ssh.service", but it has an `[Install] Alias=sshd.service`. That works in Debian because there sshd.service *actually* gets enabled by default, and ssh.socket isn't. But Ubuntu moved to socket activation (which is good!), so that ssh.socket is running by default. But that means that ssh.service never gets "systemctl enable"d, and hence the alias never gets set up: # systemctl status sshd.service Unit sshd.service could not be found. So if ssh.service is already running, it never gets restarted by "ipa- client-install". It would be really good to make that alias work by default -- if nothing else, just ship the symlink in the .deb, or create the symlink manually in the postinst? freeipa-client 4.10.2-2ubuntu3 openssh-server 1:9.6p1-3ubuntu12 Note: we have tested this functionality in Cockpit on Ubuntu for a long time already. But until very recently we had a workaround to force the creation of that alias: https://github.com/cockpit-project/bots/commit/3bf1b20f3fa5fe202b9710b3fe78d2133ba03f5d We dropped it because it broke image builds due to some bugs in openssh's postinst, but it was a bad one anyway: actual users don't have that hack, and it hides bugs like this. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/2061055/+subscriptions ___ Mailing list: https://launchpad.net/~freeipa Post to : freeipa@lists.launchpad.net Unsubscribe : https://launchpad.net/~freeipa More help : https://help.launchpad.net/ListHelp
[Freeipa] [Bug 2061055] Re: Joining IPA domain does not restart ssh -- 'sshd.service' alias is not set up by default
Timo: It doesn't fail on Debian. See the "That works in Debian because.." in the description (TL/DR: Debian doesn't enable ssh.socket, but ssh.service, which sets up the symlink) ** Description changed: Joining a FreeIPA domain reconfigures SSH. E.g. it enables GSSAPI authentication in /etc/ssh/sshd_config.d/04-ipa.conf . After that, it tries to restart sshd, but that fails as "sshd.service" is not a thing on Ubuntu: 2024-04-12T03:10:57Z DEBUG args=['/bin/systemctl', 'is-active', 'sshd.service'] 2024-04-12T03:10:57Z DEBUG Process finished, return code=4 (in /var/log/ipaclient-install.log) While that could be changed in freeipa, I'd argue that this is really a bug in Ubuntu's openssh package. Many upstream software, Ansible scripts etc. assume that the service is "sshd.service". In Debian/Ubuntu the primary unit is "ssh.service", but it has an `[Install] Alias=sshd.service`. That works in Debian because there sshd.service *actually* gets enabled by default, and ssh.socket isn't. But Ubuntu moved to socket activation (which is good!), so that ssh.socket is running by default. But that means that ssh.service never gets "systemctl enable"d, and hence the alias never gets set up: # systemctl status sshd.service Unit sshd.service could not be found. So if ssh.service is already running, it never gets restarted by "ipa- client-install". It would be really good to make that alias work by default -- if nothing - else, just create the symlink manually in the postinst? + else, just ship the symlink in the .deb, or create the symlink manually + in the postinst? freeipa-client 4.10.2-2ubuntu3 openssh-server 1:9.6p1-3ubuntu12 - Note: we have tested this functionality in Cockpit on Ubuntu for a long time already. But until very recently we had a workaround to force the creation of that alias: https://github.com/cockpit-project/bots/commit/3bf1b20f3fa5fe202b9710b3fe78d2133ba03f5d We dropped it because it broke image builds due to some bugs in openssh's postinst, but it was a bad one anyway: actual users don't have that hack, and it hides bugs like this. -- You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu. https://bugs.launchpad.net/bugs/2061055 Title: Joining IPA domain does not restart ssh -- 'sshd.service' alias is not set up by default Status in freeipa package in Ubuntu: New Status in openssh package in Ubuntu: New Bug description: Joining a FreeIPA domain reconfigures SSH. E.g. it enables GSSAPI authentication in /etc/ssh/sshd_config.d/04-ipa.conf . After that, it tries to restart sshd, but that fails as "sshd.service" is not a thing on Ubuntu: 2024-04-12T03:10:57Z DEBUG args=['/bin/systemctl', 'is-active', 'sshd.service'] 2024-04-12T03:10:57Z DEBUG Process finished, return code=4 (in /var/log/ipaclient-install.log) While that could be changed in freeipa, I'd argue that this is really a bug in Ubuntu's openssh package. Many upstream software, Ansible scripts etc. assume that the service is "sshd.service". In Debian/Ubuntu the primary unit is "ssh.service", but it has an `[Install] Alias=sshd.service`. That works in Debian because there sshd.service *actually* gets enabled by default, and ssh.socket isn't. But Ubuntu moved to socket activation (which is good!), so that ssh.socket is running by default. But that means that ssh.service never gets "systemctl enable"d, and hence the alias never gets set up: # systemctl status sshd.service Unit sshd.service could not be found. So if ssh.service is already running, it never gets restarted by "ipa- client-install". It would be really good to make that alias work by default -- if nothing else, just ship the symlink in the .deb, or create the symlink manually in the postinst? freeipa-client 4.10.2-2ubuntu3 openssh-server 1:9.6p1-3ubuntu12 Note: we have tested this functionality in Cockpit on Ubuntu for a long time already. But until very recently we had a workaround to force the creation of that alias: https://github.com/cockpit-project/bots/commit/3bf1b20f3fa5fe202b9710b3fe78d2133ba03f5d We dropped it because it broke image builds due to some bugs in openssh's postinst, but it was a bad one anyway: actual users don't have that hack, and it hides bugs like this. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/2061055/+subscriptions ___ Mailing list: https://launchpad.net/~freeipa Post to : freeipa@lists.launchpad.net Unsubscribe : https://launchpad.net/~freeipa More help : https://help.launchpad.net/ListHelp
[Freeipa] [Bug 2061055] Re: Joining IPA domain does not restart ssh -- 'sshd.service' alias is not set up by default
this should fail also on Debian, right? -- You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu. https://bugs.launchpad.net/bugs/2061055 Title: Joining IPA domain does not restart ssh -- 'sshd.service' alias is not set up by default Status in freeipa package in Ubuntu: New Status in openssh package in Ubuntu: New Bug description: Joining a FreeIPA domain reconfigures SSH. E.g. it enables GSSAPI authentication in /etc/ssh/sshd_config.d/04-ipa.conf . After that, it tries to restart sshd, but that fails as "sshd.service" is not a thing on Ubuntu: 2024-04-12T03:10:57Z DEBUG args=['/bin/systemctl', 'is-active', 'sshd.service'] 2024-04-12T03:10:57Z DEBUG Process finished, return code=4 (in /var/log/ipaclient-install.log) While that could be changed in freeipa, I'd argue that this is really a bug in Ubuntu's openssh package. Many upstream software, Ansible scripts etc. assume that the service is "sshd.service". In Debian/Ubuntu the primary unit is "ssh.service", but it has an `[Install] Alias=sshd.service`. That works in Debian because there sshd.service *actually* gets enabled by default, and ssh.socket isn't. But Ubuntu moved to socket activation (which is good!), so that ssh.socket is running by default. But that means that ssh.service never gets "systemctl enable"d, and hence the alias never gets set up: # systemctl status sshd.service Unit sshd.service could not be found. So if ssh.service is already running, it never gets restarted by "ipa- client-install". It would be really good to make that alias work by default -- if nothing else, just create the symlink manually in the postinst? freeipa-client 4.10.2-2ubuntu3 openssh-server 1:9.6p1-3ubuntu12 Note: we have tested this functionality in Cockpit on Ubuntu for a long time already. But until very recently we had a workaround to force the creation of that alias: https://github.com/cockpit-project/bots/commit/3bf1b20f3fa5fe202b9710b3fe78d2133ba03f5d We dropped it because it broke image builds due to some bugs in openssh's postinst, but it was a bad one anyway: actual users don't have that hack, and it hides bugs like this. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/2061055/+subscriptions ___ Mailing list: https://launchpad.net/~freeipa Post to : freeipa@lists.launchpad.net Unsubscribe : https://launchpad.net/~freeipa More help : https://help.launchpad.net/ListHelp
[Freeipa] [Bug 2061055] Re: Joining IPA domain does not restart ssh -- 'sshd.service' alias is not set up by default
well, there is a way to map service names from the default ones to what the platform has, so I'll add a mapping sshd->ssh. -- You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu. https://bugs.launchpad.net/bugs/2061055 Title: Joining IPA domain does not restart ssh -- 'sshd.service' alias is not set up by default Status in freeipa package in Ubuntu: New Status in openssh package in Ubuntu: New Bug description: Joining a FreeIPA domain reconfigures SSH. E.g. it enables GSSAPI authentication in /etc/ssh/sshd_config.d/04-ipa.conf . After that, it tries to restart sshd, but that fails as "sshd.service" is not a thing on Ubuntu: 2024-04-12T03:10:57Z DEBUG args=['/bin/systemctl', 'is-active', 'sshd.service'] 2024-04-12T03:10:57Z DEBUG Process finished, return code=4 (in /var/log/ipaclient-install.log) While that could be changed in freeipa, I'd argue that this is really a bug in Ubuntu's openssh package. Many upstream software, Ansible scripts etc. assume that the service is "sshd.service". In Debian/Ubuntu the primary unit is "ssh.service", but it has an `[Install] Alias=sshd.service`. That works in Debian because there sshd.service *actually* gets enabled by default, and ssh.socket isn't. But Ubuntu moved to socket activation (which is good!), so that ssh.socket is running by default. But that means that ssh.service never gets "systemctl enable"d, and hence the alias never gets set up: # systemctl status sshd.service Unit sshd.service could not be found. So if ssh.service is already running, it never gets restarted by "ipa- client-install". It would be really good to make that alias work by default -- if nothing else, just create the symlink manually in the postinst? freeipa-client 4.10.2-2ubuntu3 openssh-server 1:9.6p1-3ubuntu12 Note: we have tested this functionality in Cockpit on Ubuntu for a long time already. But until very recently we had a workaround to force the creation of that alias: https://github.com/cockpit-project/bots/commit/3bf1b20f3fa5fe202b9710b3fe78d2133ba03f5d We dropped it because it broke image builds due to some bugs in openssh's postinst, but it was a bad one anyway: actual users don't have that hack, and it hides bugs like this. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/2061055/+subscriptions ___ Mailing list: https://launchpad.net/~freeipa Post to : freeipa@lists.launchpad.net Unsubscribe : https://launchpad.net/~freeipa More help : https://help.launchpad.net/ListHelp