On Mon, Jan 09, 2017 at 01:25:48PM +0100, Pavel Březina wrote:
> On 01/08/2017 09:44 PM, Fabiano Fidêncio wrote:
> > People,
> >
> > Recently I've faced some issues when testing the socket-activation
> > working running as sssd-user, which will force me to take a different
> > path for a few things and I really would like to know your opinion on
> > those things.
> >
> > So, currently, this is what the nss.service looks like:
> >
> > [Unit]
> > Description=SSSD NSS Service responder
> > Documentation=man:sssd.conf(5)
> > After=sssd.service
> > BindsTo=sssd.service
> >
> > [Install]
> > Also=sssd-nss.socket
> >
> > [Service]
> > ExecStartPre=-/bin/chown @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_nss.log
> > ExecStart=@libexecdir@/sssd/sssd_nss --debug-to-files --unprivileged-start
> > Restart=on-failure
> > User=@SSSD_USER@
> > Group=@SSSD_USER@
> > PermissionsStartOnly=true
> >
> > As you probably noticed, I've been using systemd's machinery to change
> > the debug files' owner and to start the responder by the proper user
> > (sssd or root). Well, it doesn't work that well as expected as systemd
> > ends up calling initgroups(sssd, ...) in order to start any service
> > using "sssd" user and this call is done _before_ starting the NSS
> > responder, which will hang for the "default client timeout" (300s).
> >
> > Okay, we have to change it and here is where I need your help!
>
> The simplest solution would be to disable socket activation for NSS
> responder. Socket activation is supposed to be used for responders that are
> seldom used.

I also wonder if this was the easiest. Just enable the service as well in the RPM..