Hi folks,
sssd 1.16.3-1 (rebuilt for Debian 9), systemd
At boot time sssd_nss fails to initialize. systemctl status sssd shows
root@srvl061:~# systemctl status sssd
* sssd.service - System Security Services Daemon
   Loaded: loaded (/lib/systemd/system/sssd.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2018-11-22 11:57:30 CET; 46s ago
 Main PID: 1312 (sssd)
    Tasks: 5 (limit: 7372)
   CGroup: /system.slice/sssd.service
           |-1312 /usr/sbin/sssd -i --logger=files
           |-1345 /usr/lib/x86_64-linux-gnu/sssd/sssd_be --domain example.com --uid 0 --gid 0 --logger=files
           |-1533 /usr/lib/x86_64-linux-gnu/sssd/sssd_nss --uid 0 --gid 0 --logger=files
           |-1534 /usr/lib/x86_64-linux-gnu/sssd/sssd_pam --uid 0 --gid 0 --logger=files
           `-1535 /usr/lib/x86_64-linux-gnu/sssd/sssd_pac --uid 0 --gid 0 --logger=files

Nov 22 11:57:25 srvl061.ac.example.com systemd[1]: Starting System Security Services Daemon...
Nov 22 11:57:25 srvl061.ac.example.com sssd[1312]: Starting up
Nov 22 11:57:25 srvl061.ac.example.com sssd[be[1345]: Starting up
Nov 22 11:57:30 srvl061.ac.example.com sssd[1533]: Starting up
Nov 22 11:57:30 srvl061.ac.example.com sssd[1534]: Starting up
Nov 22 11:57:30 srvl061.ac.example.com sssd[1535]: Starting up
Nov 22 11:57:30 srvl061.ac.example.com systemd[1]: Started System Security Services Daemon.
Nov 22 11:57:45 srvl061.ac.example.com sssd[be[1345]: Backend is offline
Apparently this is a problem of resolvconf generating /etc/resolv.conf at boot time. If I replace it by a static file, then the problem is gone.
Question is, how can I tell systemd to wait for resolv.conf? Is there some timeout in the backend I could adjust? Does it wait for the network at all?
Every helpful comment is highly appreciated
Regards Harri
On Thu, Nov 22, 2018 at 12:15:45PM +0100, Harald Dunkel wrote:
> Apparently this is a problem of resolvconf generating /etc/resolv.conf at boot time. If I replace it by a static file, then the problem is gone.
> Question is, how can I tell systemd to wait for resolv.conf? Is there some timeout in the backend I could adjust? Does it wait for the network at all?
> Every helpful comment is highly appreciated
Does https://stackoverflow.com/questions/32873571/debian-systemd-service-starts-b...
As an alternative it looks like systemd has something similar to resolvconf https://github.com/systemd/systemd/issues/7202 maybe this is something which works for you?
As another alternative you can add an ExecStartPre script to sssd.service which waits until /etc/resolv.conf exists.
HTH
bye, Sumit
> Regards Harri
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
Hi
see https://unix.stackexchange.com/questions/210604/how-to-write-a-systemd-servi... maybe that solves it.
On 22.11.18 at 12:32, Sumit Bose wrote:
> Does https://stackoverflow.com/questions/32873571/debian-systemd-service-starts-b...
> As an alternative it looks like systemd has something similar to resolvconf https://github.com/systemd/systemd/issues/7202 maybe this is something which works for you?
> As another alternative you can add an ExecStartPre script to sssd.service which waits until /etc/resolv.conf exists.
> HTH
> bye, Sumit
Hi,
On 11/22/18 1:28 PM, Siegfried Eichhorn wrote:
> Hi
> see https://unix.stackexchange.com/questions/210604/how-to-write-a-systemd-servi... maybe that solves it.
I am not sure if waiting for the interface solves the problem. It should wait for DNS to succeed, shouldn't it?
Obviously I forgot to add the backend log file. Here are the important parts, AFAICT:
:
(Thu Nov 22 11:57:31 2018) [sssd[be[example.com]]] [sdap_id_setup_tasks] (0x0400): Setting up cleanup task for example.com
(Thu Nov 22 11:57:31 2018) [sssd[be[example.com]]] [be_fo_set_srv_lookup_plugin] (0x0400): Trying to set SRV lookup plugin to DNS
(Thu Nov 22 11:57:31 2018) [sssd[be[example.com]]] [be_fo_set_srv_lookup_plugin] (0x0400): SRV lookup plugin is now DNS
(Thu Nov 22 11:57:31 2018) [sssd[be[example.com]]] [sysdb_get_certmap] (0x0400): No certificate maps found.
(Thu Nov 22 11:57:31 2018) [sssd[be[example.com]]] [dp_copy_options_ex] (0x0400): Option ipa_domain has value example.com
(Thu Nov 22 11:57:31 2018) [sssd[be[example.com]]] [dp_copy_options_ex] (0x0400): Option ipa_server has value _srv_, ipa0.example.com
(Thu Nov 22 11:57:31 2018) [sssd[be[example.com]]] [dp_copy_options_ex] (0x0400): Option ipa_backup_server has no value
(Thu Nov 22 11:57:31 2018) [sssd[be[example.com]]] [dp_copy_options_ex] (0x0400): Option ipa_hostname has value srvl061.ac.example.com
:
:
(Thu Nov 22 11:57:31 2018) [sssd[be[example.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Thu Nov 22 11:57:31 2018) [sssd[be[example.com]]] [resolve_srv_send] (0x0200): The status of SRV lookup is neutral
(Thu Nov 22 11:57:31 2018) [sssd[be[example.com]]] [resolv_discover_srv_next_domain] (0x0400): SRV resolution of service 'ldap'. Will use DNS discovery domain 'example.com'
(Thu Nov 22 11:57:31 2018) [sssd[be[example.com]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp.example.com'
(Thu Nov 22 11:57:31 2018) [sssd[be[example.com]]] [request_watch_destructor] (0x0400): Deleting request watch
(Thu Nov 22 11:57:31 2018) [sssd[be[example.com]]] [resolv_discover_srv_done] (0x0040): SRV query failed [11]: Could not contact DNS servers
(Thu Nov 22 11:57:31 2018) [sssd[be[example.com]]] [fo_set_port_status] (0x0100): Marking port 0 of server '(no name)' as 'not working'
(Thu Nov 22 11:57:31 2018) [sssd[be[example.com]]] [resolve_srv_done] (0x0040): Unable to resolve SRV [1432158237]: SRV lookup error
(Thu Nov 22 11:57:31 2018) [sssd[be[example.com]]] [set_srv_data_status] (0x0100): Marking SRV lookup of service 'IPA' as 'not resolved'
(Thu Nov 22 11:57:31 2018) [sssd[be[example.com]]] [be_resolve_server_process] (0x0080): Couldn't resolve server (SRV lookup meta-server), resolver returned [1432158237]: SRV lookup error
(Thu Nov 22 11:57:31 2018) [sssd[be[example.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Thu Nov 22 11:57:31 2018) [sssd[be[example.com]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'ipa0.example.com' in files
(Thu Nov 22 11:57:31 2018) [sssd[be[example.com]]] [set_server_common_status] (0x0100): Marking server 'ipa0.example.com' as 'resolving name'
(Thu Nov 22 11:57:31 2018) [sssd[be[example.com]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of 'ipa0.example.com' in files
(Thu Nov 22 11:57:31 2018) [sssd[be[example.com]]] [resolv_gethostbyname_next] (0x0200): No more address families to retry
(Thu Nov 22 11:57:31 2018) [sssd[be[example.com]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'ipa0.example.com' in DNS
(Thu Nov 22 11:57:31 2018) [sssd[be[example.com]]] [request_watch_destructor] (0x0400): Deleting request watch
(Thu Nov 22 11:57:31 2018) [sssd[be[example.com]]] [resolv_gethostbyname_done] (0x0040): querying hosts database failed [5]: Input/output error
(Thu Nov 22 11:57:31 2018) [sssd[be[example.com]]] [fo_resolve_service_done] (0x0020): Failed to resolve server 'ipa0.example.com': Could not contact DNS servers
(Thu Nov 22 11:57:31 2018) [sssd[be[example.com]]] [set_server_common_status] (0x0100): Marking server 'ipa0.example.com' as 'not working'
(Thu Nov 22 11:57:31 2018) [sssd[be[example.com]]] [be_resolve_server_process] (0x0080): Couldn't resolve server (ipa0.example.com), resolver returned [5]: Input/output error
The easiest workaround seems to be to add ipa0.example.com to /etc/hosts. There is no problem with sysvinit, so changing init might be an option, too.
I would prefer if the backend waits for DNS a little bit longer, of course. Surely systemctl status sssd should not say "running", while the backend is dead.
Regards Harri
On 11/22/18 2:23 PM, Harald Dunkel wrote:
> I am not sure if waiting for the interface solves the problem. It should wait for DNS to succeed, shouldn't it? [..] I would prefer if the backend waits for DNS a little bit longer, of course.
Hmm, from my understanding the backend should be available after DNS resolving works again.
Does the backend stay dead after /etc/resolv.conf being corrected?
> Surely systemctl status sssd should not say "running", while the backend is dead.
Not sure about that. The NSS and PAM responders serve cached data from the local DB even in the case all backends are marked dead. Of course this does not help you if there's no cached data available yet.
Ciao, Michael.
Hi Michael,
On 11/22/18 2:55 PM, Michael Ströder wrote:
> On 11/22/18 2:23 PM, Harald Dunkel wrote:
>> I am not sure if waiting for the interface solves the problem. It should wait for DNS to succeed, shouldn't it? [..] I would prefer if the backend waits for DNS a little bit longer, of course.
> Hmm, from my understanding the backend should be available after DNS resolving works again.
> Does the backend stay dead after /etc/resolv.conf being corrected?
Yes. I have to restart sssd to make it work. If I don't, then sssd_nss complains
:
(Thu Nov 22 10:24:00 2018) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
(Thu Nov 22 10:24:00 2018) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
(Thu Nov 22 10:24:00 2018) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
:
(Thu Nov 22 10:51:06 2018) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
(Thu Nov 22 10:51:06 2018) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
(Thu Nov 22 10:52:01 2018) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
(Thu Nov 22 10:52:01 2018) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
:
>> Surely systemctl status sssd should not say "running", while the backend is dead.
> Not sure about that. The NSS and PAM responders serve cached data from the local DB even in the case all backends are marked dead. Of course this does not help you if there's no cached data available yet.
I understand that the local database is an important part of sssd, but it should be possible to separate accessing the network services from providing cached data.
IMHO the startup procedure should not say "success", hiding the problem until the cached data expires.
Not to mention that there was no cached data in my case, because sssd never ran before.
Regards Harri
On 11/23/18 11:03 AM, Harald Dunkel wrote:
> On 11/22/18 2:55 PM, Michael Ströder wrote:
>> On 11/22/18 2:23 PM, Harald Dunkel wrote:
>>> I am not sure if waiting for the interface solves the problem. It should wait for DNS to succeed, shouldn't it? [..] I would prefer if the backend waits for DNS a little bit longer, of course.
>> Does the backend stay dead after /etc/resolv.conf being corrected?
> Yes. I have to restart sssd to make it work. If I don't, then sssd_nss complains
Hmm, AFAIK sssd aims at providing NSS/PAM services also on laptops where the DNS config might change every now and then. Therefore I'd consider this to be a bug anyway.
>>> Surely systemctl status sssd should not say "running", while the backend is dead.
>> Not sure about that. The NSS and PAM responders serve cached data from the local DB even in the case all backends are marked dead. Of course this does not help you if there's no cached data available yet.
> I understand that the local database is an important part of sssd, but it should be possible to separate accessing the network services from providing cached data.
Disclaimer: I'm not involved in sssd development.
It's a single process started by systemd. Your wish would require much work distinguishing various cases of failure during startup. Therefore I'd argue that fixing the reconnection bug is better than putting effort into this.
Ciao, Michael.
Hi,
I've just read your complaints about not-working sssd. A solution for your problem could be to edit sssd.service and add an "After=.." directive in the [Unit] section to delay sssd.
Best regards
sssd-users@lists.fedorahosted.org
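
One way to build the ExecStartPre gate suggested in the thread, extended to wait until the IPA server name actually resolves rather than only until /etc/resolv.conf exists (an added example, not code from the thread or from sssd). The script path, the drop-in file name and the 30-second timeout are assumptions; ipa0.example.com is the server name from the posted backend log.

```sh
#!/bin/sh
# Added example, not from the thread. Assumed install path (hypothetical):
# /usr/local/sbin/wait-for-dns, wired in through a drop-in such as
# /etc/systemd/system/sssd.service.d/wait-dns.conf containing
#   [Service]
#   ExecStartPre=/usr/local/sbin/wait-for-dns ipa0.example.com 30

# True when FILE holds at least one "nameserver <addr>" line.
has_nameserver() {
    [ -r "$1" ] &&
        grep -Eq '^[[:space:]]*nameserver[[:space:]]+[^[:space:]]+' "$1"
}

# True when NAME resolves through NSS (a fresh process re-reads resolv.conf).
resolves() {
    getent hosts "$1" >/dev/null 2>&1
}

# wait_for_dns NAME TIMEOUT [RESOLV_CONF]
# Polls once per second; returns 0 as soon as RESOLV_CONF lists a nameserver
# and NAME resolves, 1 if TIMEOUT seconds pass first.
wait_for_dns() {
    name=$1 timeout=$2 conf=${3:-/etc/resolv.conf} waited=0
    while :; do
        if has_nameserver "$conf" && resolves "$name"; then
            return 0
        fi
        [ "$waited" -ge "$timeout" ] && return 1
        sleep 1
        waited=$((waited + 1))
    done
}

# Act as a command only under the install name, so the file can be sourced.
case "${0##*/}" in
wait-for-dns)
    [ "$#" -ge 2 ] || { echo "usage: $0 NAME TIMEOUT [RESOLV_CONF]" >&2; exit 2; }
    if ! wait_for_dns "$@"; then
        echo "wait-for-dns: $1 still unresolvable after ${2}s" >&2
        exit 1   # non-zero fails the unit instead of starting sssd offline
    fi
    ;;
esac
```

Keep the timeout below the unit's TimeoutStartSec, which also covers ExecStartPre. Writing `ExecStartPre=-/usr/local/sbin/wait-for-dns ...` makes systemd ignore a timeout and start sssd anyway, which suits hosts that should fall back to cached data.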