On (15/11/19 05:23), Lawrence Kearney wrote:
>SSSD team,
>Just checking in on this post. Any thoughts why the socket based responders
>would be crashing? Is there any additional info I could provide that would
>be useful?
>
>Thank you as always!
>
sssd on rhel7 has hardcoded unprivileged user "sssd" for responders.
And mixing privileged sssd and unprivileged users is not a good idea.
sh# rpm -q sssd-common
sssd-common-1.16.4-21.el7_7.1.x86_64
sh# systemctl cat sssd-pam.service
# /usr/lib/systemd/system/sssd-pam.service
[Unit]
Description=SSSD PAM Service responder
Documentation=man:sssd.conf(5)
After=sssd.service
BindsTo=sssd.service
RefuseManualStart=true
[Install]
Also=sssd-pam.socket sssd-pam-priv.socket
[Service]
Environment=DEBUG_LOGGER=--logger=files
EnvironmentFile=-/etc/sysconfig/sssd
ExecStartPre=-/bin/chown sssd:sssd /var/log/sssd/sssd_pam.log
                         ^^^^^^^^^
                         here
ExecStart=/usr/libexec/sssd/sssd_pam ${DEBUG_LOGGER} --socket-activated
Restart=on-failure
User=sssd
Group=sssd
^^^^^
and here
PermissionsStartOnly=true

It works well when sssd is running fully in unprivileged mode:
"user = sssd" in the "sssd" section of sssd.conf.

The other option would be to override the service files for the responder in
/etc/systemd/system.

But I would like to ask: why do you want to use socket-activated responders on
rhel7?

LS
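
One way to check for the mix described in the message above, as an added example (not part of the original message and not SSSD's own tooling): the script compares the `user` option in the `[sssd]` section of sssd.conf with the `User=` line of a responder unit. The sssd.conf samples are constructed, the function names are hypothetical, and an unset `user` or `User=` is assumed to mean root.

```shell
#!/bin/sh
# Added example: does the account sssd runs as match a responder unit's User=?

# Print "user" from the [sssd] section of sssd.conf text; root (assumed default) when unset.
sssd_conf_user() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*\[/ { in_sssd = ($0 ~ /^[ \t]*\[sssd\][ \t]*$/); next }
        in_sssd && /^[ \t]*user[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); u = $0
        }
        END { print (u == "" ? "root" : u) }'
}

# Print User= from the [Service] section of unit text; root when unset.
unit_user() {
    printf '%s\n' "$1" | awk '
        /^\[/ { in_service = ($0 == "[Service]"); next }
        in_service && /^User=/ { sub(/^User=/, ""); u = $0 }
        END { print (u == "" ? "root" : u) }'
}

# Return 0 when both run as the same account, 1 on the privileged/unprivileged mix.
check_responder() {
    conf_user=$(sssd_conf_user "$1")
    svc_user=$(unit_user "$2")
    if [ "$conf_user" = "$svc_user" ]; then
        echo "OK: sssd and responder both run as $conf_user"
        return 0
    fi
    echo "MISMATCH: sssd runs as $conf_user, responder unit has User=$svc_user"
    return 1
}

# Constructed sssd.conf samples; only the [sssd] section matters here.
CONF_PRIVILEGED='[sssd]
domains = example.test
# user = sssd'
CONF_UNPRIVILEGED='[sssd]
domains = example.test
user = sssd'
# [Service] lines taken from the unit quoted in the message.
UNIT_PAM='[Service]
ExecStart=/usr/libexec/sssd/sssd_pam ${DEBUG_LOGGER} --socket-activated
User=sssd
Group=sssd'

check_responder "$CONF_PRIVILEGED" "$UNIT_PAM" || true
check_responder "$CONF_UNPRIVILEGED" "$UNIT_PAM"
```

On a real host the two arguments would be the contents of /etc/sssd/sssd.conf and the output of `systemctl cat sssd-pam.service`.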