5:18 a.m.
I do have a sytemd service unit that uses an IPA used. However, upon
reboot it seems that that particular IPA user is not available upon
start of that particular systemd service.
Using "After=sssd.service" is not sufficient.
What would you recommend in this case?
(I am looking for a reliable systemd solution and do not want to rely on
a script checking for a particular user with getent for example)
Cheers,
Ronald
9:28 a.m.
New subject: Ensure that IPA user can be resolved upon SystemD-Unit start
Ronald Wimmer via FreeIPA-users wrote:
I do have a sytemd service unit that uses an IPA used. However, upon
reboot it seems that that particular IPA user is not available upon
start of that particular systemd service.
Using "After=sssd.service" is not sufficient.
What would you recommend in this case?
(I am looking for a reliable systemd solution and do not want to rely on
a script checking for a particular user with getent for example)
You may want to cross-post to the sssd-users list.
I'd try nss-user-lookup.target instead. According to systemd.special(7):
nss-user-lookup.target
A target that should be used as synchronization point for all regular
UNIX user/group name service lookups. Note that this is independent of
host/network name lookups for which nss-lookup.target should be used.
All services for which the availability of the full user/group database
is essential should be ordered after this target, but not pull it in.
All services which provide parts of the user/group database should be
ordered before this target, and pull it in. Note that this unit is only
relevant for regular users and groups — system users and groups are
required to be resolvable during earliest boot already, and hence do not
need any special ordering against this target.
rob
10:19 a.m.
New subject: Ensure that IPA user can be resolved upon SystemD-Unit start
On 12.01.23 16:28, Rob Crittenden wrote:
Ronald Wimmer via FreeIPA-users wrote:
> I do have a sytemd service unit that uses an IPA used. However, upon
> reboot it seems that that particular IPA user is not available upon
> start of that particular systemd service.
>
> Using "After=sssd.service" is not sufficient.
>
> What would you recommend in this case?
> (I am looking for a reliable systemd solution and do not want to rely on
> a script checking for a particular user with getent for example)
You may want to cross-post to the sssd-users list.
I'd try nss-user-lookup.target instead. According to systemd.special(7):
nss-user-lookup.target
A target that should be used as synchronization point for all regular
UNIX user/group name service lookups. Note that this is independent of
host/network name lookups for which nss-lookup.target should be used.
All services for which the availability of the full user/group database
is essential should be ordered after this target, but not pull it in.
All services which provide parts of the user/group database should be
ordered before this target, and pull it in. Note that this unit is only
relevant for regular users and groups — system users and groups are
required to be resolvable during earliest boot already, and hence do not
need any special ordering against this target.
Thanks for your input Rob! Unfortunately, nss-lookup.target also seems
not to be sufficient. I've asked in the SSSD mailing list:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
Cheers,
Ronald
2:56 a.m.
New subject: Ensure that IPA user can be resolved upon SystemD-Unit start
On 12.01.23 17:19, Ronald Wimmer via FreeIPA-users wrote:
On 12.01.23 16:28, Rob Crittenden wrote:
> Ronald Wimmer via FreeIPA-users wrote:
>> I do have a sytemd service unit that uses an IPA used. However, upon
>> reboot it seems that that particular IPA user is not available upon
>> start of that particular systemd service.
>>
>> Using "After=sssd.service" is not sufficient.
>>
>> What would you recommend in this case?
>> (I am looking for a reliable systemd solution and do not want to rely on
>> a script checking for a particular user with getent for example)
>
> You may want to cross-post to the sssd-users list.
>
> I'd try nss-user-lookup.target instead. According to systemd.special(7):
>
> nss-user-lookup.target
>
> A target that should be used as synchronization point for all regular
> UNIX user/group name service lookups. Note that this is independent of
> host/network name lookups for which nss-lookup.target should be used.
> All services for which the availability of the full user/group database
> is essential should be ordered after this target, but not pull it in.
> All services which provide parts of the user/group database should be
> ordered before this target, and pull it in. Note that this unit is only
> relevant for regular users and groups — system users and groups are
> required to be resolvable during earliest boot already, and hence do not
> need any special ordering against this target.
Thanks for your input Rob! Unfortunately, nss-lookup.target also seems
not to be sufficient. I've asked in the SSSD mailing list:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
This is another topic I need to bump as there was no response in the
SSSD users mailing list. Maybe Pavel can give some input here?
Cheers,
Ron
434
days inactive
470
days old
freeipa-users@lists.fedorahosted.org
3 comments
2 participants
participants (2)
-
Rob Crittenden -
Ronald Wimmer