Public bug reported:

While reviewing the PR[1] that merged this, I came across some upgrade errors in the logs that disappeared afterwards at runtime, so they seem like specific upgrade issues. We should take a look and understand what is going on before the resolute beta:

a) permission denied on upgrade, TO CHECK LATER (bugfix for post-FF)

==> /var/log/sssd/sssd_nss.log <==
(2026-02-18 18:05:53): [nss] [sss_mc_destroy_file] (0x0020): Failed to open old memory cache file /var/lib/sss/mc/group: 13 (Permission denied)
* ... skipping repetitive backtrace ...
(2026-02-18 18:05:53): [nss] [sss_mc_destroy_file] (0x0020): Failed to open old memory cache file /var/lib/sss/mc/initgroups: 13 (Permission denied)
* ... skipping repetitive backtrace ...
(2026-02-18 18:05:53): [nss] [sss_mc_destroy_file] (0x0020): Failed to open old memory cache file /var/lib/sss/mc/sid: 13 (Permission denied)
* ... skipping repetitive backtrace ...

I'm seeing the above in the logs during a package upgrade from resolute to the ppa builds. I'm not immediately sure why there is this permission denied, because the perms seem fine. The sssd user can navigate that path and read that file. I'm thinking perhaps it's a race between chmod/chown and the new daemon starting.

This was with a configuration using kerberos for auth, and ldap for user info (the ldap-user-group-krb5-auth test specifically: I let it run on a vm, and then logged in and upgraded the packages).

The user is still working, so it looks like it was just something transient so far, but we should investigate more carefully. This is not a blocker for this PR.

b) another upgrade permission, with a backtrace:

==> /var/log/sssd/sssd_nss.log <==
(2026-02-18 18:05:53): [nss] [sss_mc_destroy_file] (0x0020): Failed to open old memory cache file /var/lib/sss/mc/passwd: 13 (Permission denied)
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
* [nss] [ldb] (0x0400): server_sort:Unable to register control with rootdse!
* (2026-02-18 18:05:53): [nss] [server_setup] (0x0400): CONFDB: /var/lib/sss/db/config.ldb
* (2026-02-18 18:05:53): [nss] [confdb_init_domain_provider_and_enum] (0x0400): No enumeration for [LDAP]
* (2026-02-18 18:05:53): [nss] [confdb_init_domain_pwd_expire] (0x1000): pwd_expiration_warning is -1
* (2026-02-18 18:05:53): [nss] [sss_get_etc_shells] (0x0400): Found shell /bin/sh in /etc/shells
* (2026-02-18 18:05:53): [nss] [sss_get_etc_shells] (0x0400): Found shell /usr/bin/sh in /etc/shells
* (2026-02-18 18:05:53): [nss] [sss_get_etc_shells] (0x0400): Found shell /bin/bash in /etc/shells
* (2026-02-18 18:05:53): [nss] [sss_get_etc_shells] (0x0400): Found shell /usr/bin/bash in /etc/shells
* (2026-02-18 18:05:53): [nss] [sss_get_etc_shells] (0x0400): Found shell /bin/rbash in /etc/shells
* (2026-02-18 18:05:53): [nss] [sss_get_etc_shells] (0x0400): Found shell /usr/bin/rbash in /etc/shells
* (2026-02-18 18:05:53): [nss] [sss_get_etc_shells] (0x0400): Found shell /usr/bin/dash in /etc/shells
* (2026-02-18 18:05:53): [nss] [sss_get_etc_shells] (0x0400): Found shell /usr/bin/screen in /etc/shells
* (2026-02-18 18:05:53): [nss] [sss_get_etc_shells] (0x0400): Found shell /usr/bin/tmux in /etc/shells
* (2026-02-18 18:05:53): [nss] [sss_names_init_from_args] (0x0100): Using re [^((?P<name>.+)@(?P<domain>[^@]+)|(?P<name>[^@]+))$].
* (2026-02-18 18:05:53): [nss] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
* (2026-02-18 18:05:53): [nss] [sysdb_domain_init_internal] (0x0200): DB File for LDAP: /var/lib/sss/db/cache_LDAP.ldb
* (2026-02-18 18:05:53): [nss] [sysdb_domain_init_internal] (0x0200): Timestamp file for LDAP: /var/lib/sss/db/timestamps_LDAP.ldb
* (2026-02-18 18:05:53): [nss] [sysdb_ldb_connect] (0x4000): No ldb module path set in env
* (2026-02-18 18:05:53): [nss] [ldb] (0x0400): asq: Unable to register control with rootdse!
* (2026-02-18 18:05:53): [nss] [sysdb_ldb_connect] (0x4000): No ldb module path set in env
* (2026-02-18 18:05:53): [nss] [sss_names_init_from_args] (0x0100): Using re [^(((?P<domain>[^\\]+)\\(?P<name>.+))|((?P<name>.+)@(?P<domain>[^@]+))|((?P<name>[^@\\]+)))$].
* (2026-02-18 18:05:53): [nss] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
* (2026-02-18 18:05:53): [nss] [sss_process_init] (0x0400): Responder initialization complete (explicitly configured)
* (2026-02-18 18:05:53): [nss] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/LDAP/root@ldap] to negative cache permanently
* (2026-02-18 18:05:53): [nss] [sss_ncache_set_str] (0x0400): Adding [NCE/GROUP/LDAP/root@ldap] to negative cache permanently
* (2026-02-18 18:05:53): [nss] [sss_ncache_set_str] (0x0400): Adding [NCE/UID/0] to negative cache permanently
* (2026-02-18 18:05:53): [nss] [sss_ncache_set_str] (0x0400): Adding [NCE/GID/0] to negative cache permanently
* (2026-02-18 18:05:53): [nss] [sss_mc_destroy_file] (0x0020): Failed to open old memory cache file /var/lib/sss/mc/passwd: 13 (Permission denied)
********************** BACKTRACE DUMP ENDS HERE *********************************

Same as previous comment. Not a blocker for this PR.

c) huge backtrace in pam, too large to paste here. So just the first and last parts:

==> /var/log/sssd/sssd_pam.log <==
(2026-02-18 18:05:53): [pam] [orderly_shutdown] (0x3f7c0): SIGTERM: killing children
(2026-02-18 18:05:53): [pam] [orderly_shutdown] (0x3f7c0): Shutting down (status = 0)
(2026-02-18 18:05:53): [pam] [cleanup_preauth_indicator] (0x0040): Failed to remove preauth indicator file [/var/lib/sss/pubconf/pam_preauth_available] 13 [Permission denied].
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
* [pam] [ldb] (0x0400): server_sort:Unable to register control with rootdse!
* (2026-02-18 18:01:38): [pam] [server_setup] (0x0400): CONFDB: /var/lib/sss/db/config.ldb
...
* (2026-02-18 18:02:06): [pam] [sss_ncache_set_str] (0x0400): [CID#4] Adding [NCE/USER/LDAP/ubuntu@ldap] to negative cache
* (2026-02-18 18:02:06): [pam] [cache_req_global_ncache_add] (0x2000): [CID#4] CR #10: This request type does not support global negative cache
* (2026-02-18 18:02:06): [pam] [cache_req_process_result] (0x0400): [CID#4] CR #10: Finished: Not found
* (2026-02-18 18:02:06): [pam] [pam_reply] (0x4000): [CID#4] pam_reply initially called with result [10]: User not known to the underlying authentication module. this result might be changed during processing
* (2026-02-18 18:02:06): [pam] [pam_reply] (0x0400): [CID#4] Local auth policy allowed: smartcard [False], passkey [False]
* (2026-02-18 18:02:06): [pam] [pam_reply] (0x0200): [CID#4] blen: 8
* (2026-02-18 18:02:06): [pam] [pam_reply] (0x0200): [CID#4] Returning [10]: User not known to the underlying authentication module to the client
* (2026-02-18 18:02:36): [pam] [setup_client_idle_timer] (0x4000): Idle timer re-set for client [0x60199edd7b30][17]
* (2026-02-18 18:03:06): [pam] [setup_client_idle_timer] (0x4000): Idle timer re-set for client [0x60199edd7b30][17]
* (2026-02-18 18:03:36): [pam] [client_idle_handler] (0x2000): Terminating idle client [0x60199edd7b30][17]
* (2026-02-18 18:03:36): [pam] [client_close_fn] (0x2000): Terminated client [0x60199edd7b30][17]
* (2026-02-18 18:05:53): [pam] [sss_responder_ctx_destructor] (0x0400): Responder is being shut down
* (2026-02-18 18:05:53): [pam] [cleanup_preauth_indicator] (0x0040): Failed to remove preauth indicator file [/var/lib/sss/pubconf/pam_preauth_available] 13 [Permission denied].
********************** BACKTRACE DUMP ENDS HERE *********************************

Also not a blocker for this PR.

1. https://code.launchpad.net/~jj/ubuntu/+source/sssd/+git/sssd/+merge/500565

** Affects: sssd (Ubuntu)
   Importance: Undecided
   Status: New

https://bugs.launchpad.net/bugs/2142140

Title: rootless sssd upgrade issues
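
A triage helper for the log excerpts in the report above, added here as an example (it is not part of the original report or of sssd): it parses sssd debug records, picks out errno 13 failures in both message styles that appear in the excerpts, and separates records logged live from copies replayed inside a backtrace dump. The function names are illustrative; the sample records are copied from the report.

```python
import re

# Records copied from the report above, one per line as sssd writes them.
SAMPLE = """\
(2026-02-18 18:05:53): [nss] [sss_mc_destroy_file] (0x0020): Failed to open old memory cache file /var/lib/sss/mc/group: 13 (Permission denied)
* ... skipping repetitive backtrace ...
(2026-02-18 18:05:53): [nss] [sss_mc_destroy_file] (0x0020): Failed to open old memory cache file /var/lib/sss/mc/passwd: 13 (Permission denied)
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
* (2026-02-18 18:05:53): [nss] [sss_process_init] (0x0400): Responder initialization complete (explicitly configured)
* (2026-02-18 18:05:53): [nss] [sss_mc_destroy_file] (0x0020): Failed to open old memory cache file /var/lib/sss/mc/passwd: 13 (Permission denied)
********************** BACKTRACE DUMP ENDS HERE *********************************
(2026-02-18 18:05:53): [pam] [orderly_shutdown] (0x3f7c0): Shutting down (status = 0)
(2026-02-18 18:05:53): [pam] [cleanup_preauth_indicator] (0x0040): Failed to remove preauth indicator file [/var/lib/sss/pubconf/pam_preauth_available] 13 [Permission denied].
"""

# A leading "* " marks a record replayed inside a backtrace dump.
RECORD = re.compile(
    r"^(?P<replay>\s*\*\s*)?"
    r"\((?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\): "
    r"\[(?P<comp>\w+)\] \[(?P<func>\w+)\] \((?P<level>0x[0-9a-f]+)\): (?P<msg>.*)$"
)
# errno 13 in both styles seen above: "path: 13 (...)" and "[path] 13 [...]".
EACCES = re.compile(r"(?P<path>/[^\s\]:]+)[\]:]? 13 [\[(]Permission denied[\])]")

def permission_denials(text):
    """Map (timestamp, responder, function, path) -> live vs replayed counts."""
    found = {}
    for line in text.splitlines():
        rec = RECORD.match(line)
        if rec is None:
            continue  # banners and "skipping repetitive backtrace" markers
        hit = EACCES.search(rec["msg"])
        if hit is None:
            continue
        key = (rec["ts"], rec["comp"], rec["func"], hit["path"])
        counts = found.setdefault(key, {"logged": 0, "replayed": 0})
        counts["replayed" if rec["replay"] else "logged"] += 1
    return found

def paths_by_component(denials):
    """Group the affected paths by responder ([nss], [pam], ...)."""
    grouped = {}
    for (_ts, comp, _func, path) in denials:
        grouped.setdefault(comp, []).append(path)
    return grouped

if __name__ == "__main__":
    for key, counts in permission_denials(SAMPLE).items():
        print(*key, counts)
```

Counting replayed copies separately keeps a failure that is echoed at the end of its own backtrace from being reported twice.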
