On (09/01/17 09:43), Simo Sorce wrote:
>On Mon, 2017-01-09 at 13:35 +0100, Jakub Hrozek wrote:
>> On Mon, Jan 09, 2017 at 01:25:48PM +0100, Pavel Březina wrote:
>> > On 01/08/2017 09:44 PM, Fabiano Fidêncio wrote:
>> > > People,
>> > >
>> > > Recently I've faced some issues when testing the socket-activation
>> > > work running as sssd-user, which will force me to take a different
>> > > path for a few things and I really would like to know your opinion on
>> > > those things.
>> > >
>> > > So, currently, this is what the nss.service looks like:
>> > >
>> > > [Unit]
>> > > Description=SSSD NSS Service responder
>> > > Documentation=man:sssd.conf(5)
>> > > After=sssd.service
>> > > BindsTo=sssd.service
>> > >
>> > > [Install]
>> > > Also=sssd-nss.socket
>> > >
>> > > [Service]
>> > > ExecStartPre=-/bin/chown @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_nss.log
>> > > ExecStart=@libexecdir@/sssd/sssd_nss --debug-to-files
>> > > --unprivileged-start
>> > > Restart=on-failure
>> > > User=@SSSD_USER@
>> > > Group=@SSSD_USER@
>> > > PermissionsStartOnly=true
>> > >
>> > > As you probably noticed, I've been using systemd's machinery to change
>> > > the debug files' owner and to start the responder by the proper user
>> > > (sssd or root). Well, it doesn't work as well as expected, as systemd
>> > > ends up calling initgroups(sssd, ...) in order to start any service
>> > > using the "sssd" user and this call is done _before_ starting the NSS
>> > > responder, which will hang for the "default client timeout" (300s).
>> > >
>> > > Okay, we have to change it and here is where I need your help!
>> >
>> > The simplest solution would be to disable socket activation for the NSS
>> > responder. Socket activation is supposed to be used for responders that are
>> > seldom used.
>>
>> I also wonder if this was the easiest. Just enable the service as well
>> in the RPM..
>
>Once we start handling local users (and we want to do that by default)
>we'll have to always run as root anyway, so what's the point of dealing
>with changing the user?
>
Could you say the reason why we *have to* run as root?
LS
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org