I've changed my sssd config to use `/etc/sssd/conf.d` instead of putting all in `/etc/sssd/sssd.conf`. When upgrading this morning to the latest FreeIPA, I got an error:
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. Unexpected error - see /var/log/ipaupgrade.log for details: NoDomainError: linuxa.teluqtest.net The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
I think I traced the problem to the SSSDConfig python module: ``` def sssd_update(): sssdconfig = SSSDConfig.SSSDConfig() sssdconfig.import_config() # upgrade domain domain = sssdconfig.get_domain(str(api.env.domain)) [...] ``` https://github.com/freeipa/freeipa/blob/563f20e2a4dd63e6abdec1da65a2c0f95a49...
To fix the problem, I copied the content of `/etc/sssd/conf.d/*` to `/etc/sssd/sssd.conf` and successfully run the `ipa-server-upgrade` command.
But now, I’m not sure where I should report this… Should I report to FreeIPA? https://pagure.io/freeipa/issues Or should I report this upstream to SSSDConfig? I cannot find where that would be…
But my use case might be too niche to get a fix on this… I use puppet to configure my servers, and the `sssd` module I use only supports adding configs to `conf.d` directory, instead of directly in `sssd.conf`… https://github.com/simp/pupmod-simp-sssd Maybe I should use another module that support adding config in `sssd.conf`?
What are your thoughts on this? Thanks
Patrick Brideau via FreeIPA-users wrote:
I've changed my sssd config to use `/etc/sssd/conf.d` instead of putting all in `/etc/sssd/sssd.conf`. When upgrading this morning to the latest FreeIPA, I got an error:
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. Unexpected error - see /var/log/ipaupgrade.log for details: NoDomainError: linuxa.teluqtest.net The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
I think I traced the problem to the SSSDConfig python module:
def sssd_update(): sssdconfig = SSSDConfig.SSSDConfig() sssdconfig.import_config() # upgrade domain domain = sssdconfig.get_domain(str(api.env.domain)) [...]https://github.com/freeipa/freeipa/blob/563f20e2a4dd63e6abdec1da65a2c0f95a49...
To fix the problem, I copied the content of `/etc/sssd/conf.d/*` to `/etc/sssd/sssd.conf` and successfully run the `ipa-server-upgrade` command.
But now, I’m not sure where I should report this… Should I report to FreeIPA? https://pagure.io/freeipa/issues Or should I report this upstream to SSSDConfig? I cannot find where that would be…
But my use case might be too niche to get a fix on this… I use puppet to configure my servers, and the `sssd` module I use only supports adding configs to `conf.d` directory, instead of directly in `sssd.conf`… https://github.com/simp/pupmod-simp-sssd Maybe I should use another module that support adding config in `sssd.conf`?
What are your thoughts on this? Thanks
SSSD provides the SSSDConfig python interface so you'd want to file any bug there.
Using snippets is a documented use-case so I don't think you're wrong for using them.
rob
In my process of opening the bug in the SSSD github, I dug deeper and found it is actually the expected behavior from the module:
When called without argument, the function `sssdconfig.import_config()` import only the `sssd.conf` https://github.com/SSSD/sssd/blob/6958eecde6cd4f7c5b614677c218ea12e2fac53a/s...
```python if not configfile: #TODO: get this from a global setting configfile = '@sysconfdir@/sssd/sssd.conf' ```
I’m not sure if it would then be the responsibility of FreeIPA to import config in the `conf.d` directory, instead of relying on the default config to load entire config? If you don’t think so, I would be glad to open a bug report on the SSSD side. Otherwise, maybe I should open with FreeIPA? Thanks for your input Rob.
Patrick Brideau via FreeIPA-users wrote:
In my process of opening the bug in the SSSD github, I dug deeper and found it is actually the expected behavior from the module:
When called without argument, the function `sssdconfig.import_config()` import only the `sssd.conf` https://github.com/SSSD/sssd/blob/6958eecde6cd4f7c5b614677c218ea12e2fac53a/s...
if not configfile: #TODO: get this from a global setting configfile = '@sysconfdir@/sssd/sssd.conf'I’m not sure if it would then be the responsibility of FreeIPA to import config in the `conf.d` directory, instead of relying on the default config to load entire config? If you don’t think so, I would be glad to open a bug report on the SSSD side. Otherwise, maybe I should open with FreeIPA? Thanks for your input Rob.
I'm not sure what the answer is. I guess I'd have expected the python class to pull in all of its configuration in the same way that the main binary does. I'll ping the SSSD guys to see what's going on.
rob
rob
On Пан, 29 вер 2025, Rob Crittenden via FreeIPA-users wrote:
Patrick Brideau via FreeIPA-users wrote:
In my process of opening the bug in the SSSD github, I dug deeper and found it is actually the expected behavior from the module:
When called without argument, the function `sssdconfig.import_config()` import only the `sssd.conf` https://github.com/SSSD/sssd/blob/6958eecde6cd4f7c5b614677c218ea12e2fac53a/s...
if not configfile: #TODO: get this from a global setting configfile = '@sysconfdir@/sssd/sssd.conf'I’m not sure if it would then be the responsibility of FreeIPA to import config in the `conf.d` directory, instead of relying on the default config to load entire config? If you don’t think so, I would be glad to open a bug report on the SSSD side. Otherwise, maybe I should open with FreeIPA? Thanks for your input Rob.
I'm not sure what the answer is. I guess I'd have expected the python class to pull in all of its configuration in the same way that the main binary does. I'll ping the SSSD guys to see what's going on.
I agree. The semantics should have been all the time 'read existing SSSD configuration', not 'read main sssd.conf'. SSSDConfig class logic predates creating snippets without the main sssd.conf, but that is not an excuse. So it is a bug that just needs a fix, in my opinion.
Alexander Bokovoy wrote:
On Пан, 29 вер 2025, Rob Crittenden via FreeIPA-users wrote:
Patrick Brideau via FreeIPA-users wrote:
In my process of opening the bug in the SSSD github, I dug deeper and found it is actually the expected behavior from the module:
When called without argument, the function `sssdconfig.import_config()` import only the `sssd.conf` https://github.com/SSSD/sssd/blob/6958eecde6cd4f7c5b614677c218ea12e2fac53a/s...
if not configfile: #TODO: get this from a global setting configfile = '@sysconfdir@/sssd/sssd.conf'I’m not sure if it would then be the responsibility of FreeIPA to import config in the `conf.d` directory, instead of relying on the default config to load entire config? If you don’t think so, I would be glad to open a bug report on the SSSD side. Otherwise, maybe I should open with FreeIPA? Thanks for your input Rob.
I'm not sure what the answer is. I guess I'd have expected the python class to pull in all of its configuration in the same way that the main binary does. I'll ping the SSSD guys to see what's going on.
I agree. The semantics should have been all the time 'read existing SSSD configuration', not 'read main sssd.conf'. SSSDConfig class logic predates creating snippets without the main sssd.conf, but that is not an excuse. So it is a bug that just needs a fix, in my opinion.
The SSSD acknowledges this is a missing feature so you can go ahead and open an upstream issue there.
rob
Thanks for your inputs.
I opened an issue: https://github.com/SSSD/sssd/issues/8121
freeipa-users@lists.fedorahosted.org
-
Alexander Bokovoy -
Patrick Brideau -
Rob Crittenden