** Description changed:
While reviewing the PR[1] that merged this, I came across some upgrade
- errors in the logs that disappeared after at runtime, to they seem like
+ errors in the logs that disappeared later at runtime, so they seem like
specific upgrade issues. We should take a look and understand what is
going on before the resolute beta:
-
a) permission denied on upgrade, TO CHECK LATER (bugfix for post-FF)
==> /var/log/sssd/sssd_nss.log <==
(2026-02-18 18:05:53): [nss] [sss_mc_destroy_file] (0x0020): Failed to open
old memory cache file /var/lib/sss/mc/group: 13 (Permission denied)
- * ... skipping repetitive backtrace ...
+ * ... skipping repetitive backtrace ...
(2026-02-18 18:05:53): [nss] [sss_mc_destroy_file] (0x0020): Failed to open
old memory cache file /var/lib/sss/mc/initgroups: 13 (Permission denied)
- * ... skipping repetitive backtrace ...
+ * ... skipping repetitive backtrace ...
(2026-02-18 18:05:53): [nss] [sss_mc_destroy_file] (0x0020): Failed to open
old memory cache file /var/lib/sss/mc/sid: 13 (Permission denied)
- * ... skipping repetitive backtrace ...
+ * ... skipping repetitive backtrace ...
I'm seeing the above in the logs during a package upgrade from resolute to
the ppa builds.
I'm not immediately sure why there is this permission denied, because the
perms seem fine. The sssd user can navigate that path and read that file. I'm
thinking perhaps it's a race between chmod/chown and the new daemon starting.
This was with a configuration using kerberos for auth, and ldap for user
info (the ldap-user-group-krb5-auth test specifically: I let it run on a
vm, and then logged in and upgraded the packages).
The user is still working, so it looks like it was just something
transient so far, but we should investigate more carefully.
This is not a blocker for this PR.
-
b) another upgrade permission, with a backtrace:
==> /var/log/sssd/sssd_nss.log <==
(2026-02-18 18:05:53): [nss] [sss_mc_destroy_file] (0x0020): Failed to open
old memory cache file /var/lib/sss/mc/passwd: 13 (Permission denied)
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING
BACKTRACE:
- * [nss] [ldb] (0x0400): server_sort:Unable to register control with
rootdse!
- * (2026-02-18 18:05:53): [nss] [server_setup] (0x0400): CONFDB:
/var/lib/sss/db/config.ldb
- * (2026-02-18 18:05:53): [nss] [confdb_init_domain_provider_and_enum]
(0x0400): No enumeration for [LDAP]
- * (2026-02-18 18:05:53): [nss] [confdb_init_domain_pwd_expire] (0x1000):
pwd_expiration_warning is -1
- * (2026-02-18 18:05:53): [nss] [sss_get_etc_shells] (0x0400): Found shell
/bin/sh in /etc/shells
- * (2026-02-18 18:05:53): [nss] [sss_get_etc_shells] (0x0400): Found shell
/usr/bin/sh in /etc/shells
- * (2026-02-18 18:05:53): [nss] [sss_get_etc_shells] (0x0400): Found shell
/bin/bash in /etc/shells
- * (2026-02-18 18:05:53): [nss] [sss_get_etc_shells] (0x0400): Found shell
/usr/bin/bash in /etc/shells
- * (2026-02-18 18:05:53): [nss] [sss_get_etc_shells] (0x0400): Found shell
/bin/rbash in /etc/shells
- * (2026-02-18 18:05:53): [nss] [sss_get_etc_shells] (0x0400): Found shell
/usr/bin/rbash in /etc/shells
- * (2026-02-18 18:05:53): [nss] [sss_get_etc_shells] (0x0400): Found shell
/usr/bin/dash in /etc/shells
- * (2026-02-18 18:05:53): [nss] [sss_get_etc_shells] (0x0400): Found shell
/usr/bin/screen in /etc/shells
- * (2026-02-18 18:05:53): [nss] [sss_get_etc_shells] (0x0400): Found shell
/usr/bin/tmux in /etc/shells
- * (2026-02-18 18:05:53): [nss] [sss_names_init_from_args] (0x0100): Using
re [^((?P<name>.+)@(?P<domain>[^@]+)|(?P<name>[^@]+))$].
- * (2026-02-18 18:05:53): [nss] [sss_fqnames_init] (0x0100): Using fq
format [%1$s@%2$s].
- * (2026-02-18 18:05:53): [nss] [sysdb_domain_init_internal] (0x0200): DB
File for LDAP: /var/lib/sss/db/cache_LDAP.ldb
- * (2026-02-18 18:05:53): [nss] [sysdb_domain_init_internal] (0x0200):
Timestamp file for LDAP: /var/lib/sss/db/timestamps_LDAP.ldb
- * (2026-02-18 18:05:53): [nss] [sysdb_ldb_connect] (0x4000): No ldb module
path set in env
- * (2026-02-18 18:05:53): [nss] [ldb] (0x0400): asq: Unable to register
control with rootdse!
- * (2026-02-18 18:05:53): [nss] [sysdb_ldb_connect] (0x4000): No ldb module
path set in env
- * (2026-02-18 18:05:53): [nss] [sss_names_init_from_args] (0x0100): Using
re
[^(((?P<domain>[^\\]+)\\(?P<name>.+))|((?P<name>.+)@(?P<domain>[^@]+))|((?P<name>[^@\\]+)))$].
- * (2026-02-18 18:05:53): [nss] [sss_fqnames_init] (0x0100): Using fq
format [%1$s@%2$s].
- * (2026-02-18 18:05:53): [nss] [sss_process_init] (0x0400): Responder
initialization complete (explicitly configured)
- * (2026-02-18 18:05:53): [nss] [sss_ncache_set_str] (0x0400): Adding
[NCE/USER/LDAP/root@ldap] to negative cache permanently
- * (2026-02-18 18:05:53): [nss] [sss_ncache_set_str] (0x0400): Adding
[NCE/GROUP/LDAP/root@ldap] to negative cache permanently
- * (2026-02-18 18:05:53): [nss] [sss_ncache_set_str] (0x0400): Adding
[NCE/UID/0] to negative cache permanently
- * (2026-02-18 18:05:53): [nss] [sss_ncache_set_str] (0x0400): Adding
[NCE/GID/0] to negative cache permanently
- * (2026-02-18 18:05:53): [nss] [sss_mc_destroy_file] (0x0020): Failed to
open old memory cache file /var/lib/sss/mc/passwd: 13 (Permission denied)
+ * [nss] [ldb] (0x0400): server_sort:Unable to register control with
rootdse!
+ * (2026-02-18 18:05:53): [nss] [server_setup] (0x0400): CONFDB:
/var/lib/sss/db/config.ldb
+ * (2026-02-18 18:05:53): [nss] [confdb_init_domain_provider_and_enum]
(0x0400): No enumeration for [LDAP]
+ * (2026-02-18 18:05:53): [nss] [confdb_init_domain_pwd_expire] (0x1000):
pwd_expiration_warning is -1
+ * (2026-02-18 18:05:53): [nss] [sss_get_etc_shells] (0x0400): Found shell
/bin/sh in /etc/shells
+ * (2026-02-18 18:05:53): [nss] [sss_get_etc_shells] (0x0400): Found shell
/usr/bin/sh in /etc/shells
+ * (2026-02-18 18:05:53): [nss] [sss_get_etc_shells] (0x0400): Found shell
/bin/bash in /etc/shells
+ * (2026-02-18 18:05:53): [nss] [sss_get_etc_shells] (0x0400): Found shell
/usr/bin/bash in /etc/shells
+ * (2026-02-18 18:05:53): [nss] [sss_get_etc_shells] (0x0400): Found shell
/bin/rbash in /etc/shells
+ * (2026-02-18 18:05:53): [nss] [sss_get_etc_shells] (0x0400): Found shell
/usr/bin/rbash in /etc/shells
+ * (2026-02-18 18:05:53): [nss] [sss_get_etc_shells] (0x0400): Found shell
/usr/bin/dash in /etc/shells
+ * (2026-02-18 18:05:53): [nss] [sss_get_etc_shells] (0x0400): Found shell
/usr/bin/screen in /etc/shells
+ * (2026-02-18 18:05:53): [nss] [sss_get_etc_shells] (0x0400): Found shell
/usr/bin/tmux in /etc/shells
+ * (2026-02-18 18:05:53): [nss] [sss_names_init_from_args] (0x0100): Using
re [^((?P<name>.+)@(?P<domain>[^@]+)|(?P<name>[^@]+))$].
+ * (2026-02-18 18:05:53): [nss] [sss_fqnames_init] (0x0100): Using fq
format [%1$s@%2$s].
+ * (2026-02-18 18:05:53): [nss] [sysdb_domain_init_internal] (0x0200): DB
File for LDAP: /var/lib/sss/db/cache_LDAP.ldb
+ * (2026-02-18 18:05:53): [nss] [sysdb_domain_init_internal] (0x0200):
Timestamp file for LDAP: /var/lib/sss/db/timestamps_LDAP.ldb
+ * (2026-02-18 18:05:53): [nss] [sysdb_ldb_connect] (0x4000): No ldb module
path set in env
+ * (2026-02-18 18:05:53): [nss] [ldb] (0x0400): asq: Unable to register
control with rootdse!
+ * (2026-02-18 18:05:53): [nss] [sysdb_ldb_connect] (0x4000): No ldb module
path set in env
+ * (2026-02-18 18:05:53): [nss] [sss_names_init_from_args] (0x0100): Using
re
[^(((?P<domain>[^\\]+)\\(?P<name>.+))|((?P<name>.+)@(?P<domain>[^@]+))|((?P<name>[^@\\]+)))$].
+ * (2026-02-18 18:05:53): [nss] [sss_fqnames_init] (0x0100): Using fq
format [%1$s@%2$s].
+ * (2026-02-18 18:05:53): [nss] [sss_process_init] (0x0400): Responder
initialization complete (explicitly configured)
+ * (2026-02-18 18:05:53): [nss] [sss_ncache_set_str] (0x0400): Adding
[NCE/USER/LDAP/root@ldap] to negative cache permanently
+ * (2026-02-18 18:05:53): [nss] [sss_ncache_set_str] (0x0400): Adding
[NCE/GROUP/LDAP/root@ldap] to negative cache permanently
+ * (2026-02-18 18:05:53): [nss] [sss_ncache_set_str] (0x0400): Adding
[NCE/UID/0] to negative cache permanently
+ * (2026-02-18 18:05:53): [nss] [sss_ncache_set_str] (0x0400): Adding
[NCE/GID/0] to negative cache permanently
+ * (2026-02-18 18:05:53): [nss] [sss_mc_destroy_file] (0x0020): Failed to
open old memory cache file /var/lib/sss/mc/passwd: 13 (Permission denied)
********************** BACKTRACE DUMP ENDS HERE
*********************************
Same as previous comment. Not a blocker for this PR.
-
c) huge backtrace in pam, too large to paste here. So just the first and last
parts:
==> /var/log/sssd/sssd_pam.log <==
(2026-02-18 18:05:53): [pam] [orderly_shutdown] (0x3f7c0): SIGTERM: killing
children
(2026-02-18 18:05:53): [pam] [orderly_shutdown] (0x3f7c0): Shutting down
(status = 0)
(2026-02-18 18:05:53): [pam] [cleanup_preauth_indicator] (0x0040): Failed to
remove preauth indicator file [/var/lib/sss/pubconf/pam_preauth_available] 13
[Permission denied].
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING
BACKTRACE:
- * [pam] [ldb] (0x0400): server_sort:Unable to register control with
rootdse!
- * (2026-02-18 18:01:38): [pam] [server_setup] (0x0400): CONFDB:
/var/lib/sss/db/config.ldb
+ * [pam] [ldb] (0x0400): server_sort:Unable to register control with
rootdse!
+ * (2026-02-18 18:01:38): [pam] [server_setup] (0x0400): CONFDB:
/var/lib/sss/db/config.ldb
...
- * (2026-02-18 18:02:06): [pam] [sss_ncache_set_str] (0x0400): [CID#4]
Adding [NCE/USER/LDAP/ubuntu@ldap] to negative cache
- * (2026-02-18 18:02:06): [pam] [cache_req_global_ncache_add] (0x2000):
[CID#4] CR #10: This request type does not support global negative cache
- * (2026-02-18 18:02:06): [pam] [cache_req_process_result] (0x0400):
[CID#4] CR #10: Finished: Not found
- * (2026-02-18 18:02:06): [pam] [pam_reply] (0x4000): [CID#4] pam_reply
initially called with result [10]: User not known to the underlying
authentication module. this result might be changed during processing
- * (2026-02-18 18:02:06): [pam] [pam_reply] (0x0400): [CID#4] Local auth
policy allowed: smartcard [False], passkey [False]
- * (2026-02-18 18:02:06): [pam] [pam_reply] (0x0200): [CID#4] blen: 8
- * (2026-02-18 18:02:06): [pam] [pam_reply] (0x0200): [CID#4] Returning
[10]: User not known to the underlying authentication module to the client
- * (2026-02-18 18:02:36): [pam] [setup_client_idle_timer] (0x4000): Idle
timer re-set for client [0x60199edd7b30][17]
- * (2026-02-18 18:03:06): [pam] [setup_client_idle_timer] (0x4000): Idle
timer re-set for client [0x60199edd7b30][17]
- * (2026-02-18 18:03:36): [pam] [client_idle_handler] (0x2000): Terminating
idle client [0x60199edd7b30][17]
- * (2026-02-18 18:03:36): [pam] [client_close_fn] (0x2000): Terminated
client [0x60199edd7b30][17]
- * (2026-02-18 18:05:53): [pam] [sss_responder_ctx_destructor] (0x0400):
Responder is being shut down
- * (2026-02-18 18:05:53): [pam] [cleanup_preauth_indicator] (0x0040):
Failed to remove preauth indicator file
[/var/lib/sss/pubconf/pam_preauth_available] 13 [Permission denied].
+ * (2026-02-18 18:02:06): [pam] [sss_ncache_set_str] (0x0400): [CID#4]
Adding [NCE/USER/LDAP/ubuntu@ldap] to negative cache
+ * (2026-02-18 18:02:06): [pam] [cache_req_global_ncache_add] (0x2000):
[CID#4] CR #10: This request type does not support global negative cache
+ * (2026-02-18 18:02:06): [pam] [cache_req_process_result] (0x0400):
[CID#4] CR #10: Finished: Not found
+ * (2026-02-18 18:02:06): [pam] [pam_reply] (0x4000): [CID#4] pam_reply
initially called with result [10]: User not known to the underlying
authentication module. this result might be changed during processing
+ * (2026-02-18 18:02:06): [pam] [pam_reply] (0x0400): [CID#4] Local auth
policy allowed: smartcard [False], passkey [False]
+ * (2026-02-18 18:02:06): [pam] [pam_reply] (0x0200): [CID#4] blen: 8
+ * (2026-02-18 18:02:06): [pam] [pam_reply] (0x0200): [CID#4] Returning
[10]: User not known to the underlying authentication module to the client
+ * (2026-02-18 18:02:36): [pam] [setup_client_idle_timer] (0x4000): Idle
timer re-set for client [0x60199edd7b30][17]
+ * (2026-02-18 18:03:06): [pam] [setup_client_idle_timer] (0x4000): Idle
timer re-set for client [0x60199edd7b30][17]
+ * (2026-02-18 18:03:36): [pam] [client_idle_handler] (0x2000): Terminating
idle client [0x60199edd7b30][17]
+ * (2026-02-18 18:03:36): [pam] [client_close_fn] (0x2000): Terminated
client [0x60199edd7b30][17]
+ * (2026-02-18 18:05:53): [pam] [sss_responder_ctx_destructor] (0x0400):
Responder is being shut down
+ * (2026-02-18 18:05:53): [pam] [cleanup_preauth_indicator] (0x0040):
Failed to remove preauth indicator file
[/var/lib/sss/pubconf/pam_preauth_available] 13 [Permission denied].
********************** BACKTRACE DUMP ENDS HERE
*********************************
Also not a blocker for this PR.
-
-
1.
https://code.launchpad.net/~jj/ubuntu/+source/sssd/+git/sssd/+merge/500565
** Tags added: server-todo
** Changed in: sssd (Ubuntu)
Importance: Undecided => High
** Changed in: sssd (Ubuntu)
Status: New => Triaged
--
https://bugs.launchpad.net/bugs/2142140
Title:
rootless sssd upgrade issues