SSSD broken on stable 41.20241230.1 #2032

Closed
rayrayrayraydog opened this issue Dec 30, 2024 · 2 comments
Labels
bug Something isn't working

Comments

@rayrayrayraydog

Describe the bug

We have had a regression between 41.20241216 and 41.20241230.1 w.r.t. SSSD, similar to Issue 1818 but not EXACTLY the same this time.

SSSD once again fails to start:

root@bazzite:~# systemctl status sssd
× sssd.service - System Security Services Daemon
     Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; preset: enabled)
    Drop-In: /usr/lib/systemd/system/service.d
             └─10-timeout-abort.conf, 50-keep-warm.conf
     Active: failed (Result: exit-code) since Mon 2024-12-30 13:26:53 EST; 6min ago
 Invocation: 205bfdef18344c6aac6f47c7eb176ee3
    Process: 1936 ExecStartPre=/bin/chown -f -R root:sssd /etc/sssd (code=exited, status=0/SUCCESS)
    Process: 1938 ExecStartPre=/bin/chmod -f -R g+r /etc/sssd (code=exited, status=0/SUCCESS)
    Process: 1940 ExecStartPre=/bin/sh -c /bin/chown -f sssd:sssd /var/lib/sss/db/*.ldb (code=exited, status=0/SUCCESS)
    Process: 1942 ExecStartPre=/bin/chown -f -R sssd:sssd /var/lib/sss/gpo_cache (code=exited, status=0/SUCCESS)
    Process: 1944 ExecStartPre=/bin/sh -c /bin/chown -f sssd:sssd /var/log/sssd/*.log (code=exited, status=1/FAILURE)
    Process: 1946 ExecStart=/usr/sbin/sssd -i ${DEBUG_LOGGER} (code=exited, status=1/FAILURE)
   Main PID: 1946 (code=exited, status=1/FAILURE)
   Mem peak: 11.7M
        CPU: 203ms

Dec 30 13:26:47 bazzite sssd_be[1949]: Starting up
Dec 30 13:26:47 bazzite sssd[1950]: exec_child_ex command: [/usr/libexec/sssd/ldap_child]  /usr/libexec/sssd/ldap_child --dumpable=1 --debug-microseconds=0 --debug-timestamps=1 --debug-f>
Dec 30 13:26:49 bazzite sssd_be[1951]: Starting up
Dec 30 13:26:49 bazzite sssd[1952]: exec_child_ex command: [/usr/libexec/sssd/ldap_child]  /usr/libexec/sssd/ldap_child --dumpable=1 --debug-microseconds=0 --debug-timestamps=1 --debug-f>
Dec 30 13:26:53 bazzite sssd_be[1953]: Starting up
Dec 30 13:26:53 bazzite sssd[1954]: exec_child_ex command: [/usr/libexec/sssd/ldap_child]  /usr/libexec/sssd/ldap_child --dumpable=1 --debug-microseconds=0 --debug-timestamps=1 --debug-f>
Dec 30 13:26:53 bazzite sssd[1946]: Exiting the SSSD. Could not restart critical service [<my cool domain name>].
Dec 30 13:26:53 bazzite systemd[1]: sssd.service: Main process exited, code=exited, status=1/FAILURE
Dec 30 13:26:53 bazzite systemd[1]: sssd.service: Failed with result 'exit-code'.
Dec 30 13:26:53 bazzite systemd[1]: Failed to start sssd.service - System Security Services Daemon.

The permissions on /etc/sssd and /etc/sssd/sssd.conf are incorrect, though this can be manually fixed. And the capabilities on the file /usr/libexec/sssd/selinux_child are no longer correct.

BEFORE UPGRADE:

root@bazzite:~# rpm-ostree status
State: idle
Deployments:
● ostree-image-signed:docker://ghcr.io/ublue-os/bazzite:stable-41.20241216
                   Digest: sha256:777e4de18ea2dd200e214723a0832cefe01cf10cb9830b05665b95f88ab8760d
                  Version: 41.20241216 (2024-12-16T05:02:15Z)
          LayeredPackages: adcli htop krb5-workstation libguestfs-tools libvirt libvirt-daemon-config-network libvirt-daemon-kvm oddjob oddjob-mkhomedir
                           plasma-workspace-x11 pugixml qemu-kvm sssd terminator virt-install virt-manager virt-top virt-viewer

  ostree-image-signed:docker://ghcr.io/ublue-os/bazzite:testing
                   Digest: sha256:302906934a6b1304ac1eb2e49dc83a8360785efa5c9e45bb7a97b1b0b93db52a
                  Version: testing-41.20241112.2 (2024-11-13T02:10:50Z)
          LayeredPackages: adcli htop krb5-workstation libguestfs-tools libvirt libvirt-daemon-config-network libvirt-daemon-kvm oddjob oddjob-mkhomedir
                           plasma-workspace-x11 pugixml qemu-kvm sssd terminator virt-install virt-manager virt-top virt-viewer
root@bazzite:~# ll /etc/ | grep sssd
drwxr-x---. 1 sssd sssd       36 Dec 30 12:57 sssd
root@bazzite:~# ll /etc/sssd/
total 4
drwxr-x---. 1 sssd sssd   0 Dec 30 12:54 conf.d
drwxr-x---. 1 sssd sssd   0 Dec 30 12:54 pki
-rw-------. 1 sssd sssd 500 Oct 30 13:50 sssd.conf
root@bazzite:~# getcap /usr/libexec/sssd/*
/usr/libexec/sssd/krb5_child cap_chown,cap_dac_override,cap_setgid,cap_setuid=ep
/usr/libexec/sssd/ldap_child cap_chown,cap_dac_override,cap_setgid,cap_setuid=ep
/usr/libexec/sssd/selinux_child cap_chown,cap_dac_override,cap_setgid,cap_setuid=ep
/usr/libexec/sssd/sssd_pam cap_dac_read_search=p

AFTER UPGRADE:

root@bazzite:~# rpm-ostree status
State: idle
Deployments:
● ostree-image-signed:docker://ghcr.io/ublue-os/bazzite:stable-41.20241230.1
                   Digest: sha256:808e6104d259f0ec7a56b7179792c14299be05084438263c82f5575d15b1aafb
                  Version: 41.20241230.1 (2024-12-30T06:45:20Z)
          LayeredPackages: adcli htop krb5-workstation libguestfs-tools libvirt-daemon-kvm oddjob oddjob-mkhomedir plasma-workspace-x11 pugixml qemu-kvm sssd terminator virt-install
                           virt-manager virt-top virt-viewer

  ostree-image-signed:docker://ghcr.io/ublue-os/bazzite:stable-41.20241216
                   Digest: sha256:777e4de18ea2dd200e214723a0832cefe01cf10cb9830b05665b95f88ab8760d
                  Version: 41.20241216 (2024-12-16T05:02:15Z)
          LayeredPackages: adcli htop krb5-workstation libguestfs-tools libvirt libvirt-daemon-config-network libvirt-daemon-kvm oddjob oddjob-mkhomedir plasma-workspace-x11 pugixml
                           qemu-kvm sssd terminator virt-install virt-manager virt-top virt-viewer
root@bazzite:~# ll /etc/ | grep sssd
drwxr-x---. 1 root sssd       36 Dec 30 13:23 sssd
root@bazzite:~# ll /etc/sssd/
total 4
drwxr-x---. 1 root sssd   0 Dec 30 13:22 conf.d
drwxr-x---. 1 root sssd   0 Dec 30 13:22 pki
-rw-r-----. 1 root sssd 500 Oct 30 13:50 sssd.conf
root@bazzite:~# getcap /usr/libexec/sssd/*
/usr/libexec/sssd/krb5_child cap_chown,cap_dac_override,cap_setgid,cap_setuid=ep
/usr/libexec/sssd/ldap_child cap_chown,cap_dac_override,cap_setgid,cap_setuid=ep
/usr/libexec/sssd/selinux_child cap_setgid,cap_setuid=p
/usr/libexec/sssd/sssd_pam cap_dac_read_search=p

I think the root of the issue is likely just the capabilities on /usr/libexec/sssd/selinux_child, since the service chowns the folders and files in /etc/sssd at start-up.

What did you expect to happen?

The SSSD service should start and run after updating to the latest build of bazzite, 41.20241230.1.

Output of rpm-ostree status

root@bazzite:~# rpm-ostree status
State: idle
Deployments:
● ostree-image-signed:docker://ghcr.io/ublue-os/bazzite:stable-41.20241230.1
                   Digest: sha256:808e6104d259f0ec7a56b7179792c14299be05084438263c82f5575d15b1aafb
                  Version: 41.20241230.1 (2024-12-30T06:45:20Z)
          LayeredPackages: adcli htop krb5-workstation libguestfs-tools libvirt-daemon-kvm oddjob oddjob-mkhomedir plasma-workspace-x11 pugixml qemu-kvm sssd terminator virt-install
                           virt-manager virt-top virt-viewer

  ostree-image-signed:docker://ghcr.io/ublue-os/bazzite:stable-41.20241216
                   Digest: sha256:777e4de18ea2dd200e214723a0832cefe01cf10cb9830b05665b95f88ab8760d
                  Version: 41.20241216 (2024-12-16T05:02:15Z)
          LayeredPackages: adcli htop krb5-workstation libguestfs-tools libvirt libvirt-daemon-config-network libvirt-daemon-kvm oddjob oddjob-mkhomedir plasma-workspace-x11 pugixml
                           qemu-kvm sssd terminator virt-install virt-manager virt-top virt-viewer

Hardware

root@bazzite:~# cat /sys/devices/virtual/dmi/id/product_name
Standard PC (Q35 + ICH9, 2009)

I've recreated the issue in a VM.

Extra information or context

No response
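
The before/after `getcap` comparison in the report above can be automated. The following is an added example, not part of the original issue or of the Bazzite project; the helper name `cap_drift` and the variable names are assumptions, and the two listings are copied from the output quoted in the issue.

```shell
#!/bin/sh
# Added example: report file-capability drift between two `getcap` listings.
# BEFORE/AFTER are the listings quoted in the issue (41.20241216 vs 41.20241230.1).
BEFORE='/usr/libexec/sssd/krb5_child cap_chown,cap_dac_override,cap_setgid,cap_setuid=ep
/usr/libexec/sssd/ldap_child cap_chown,cap_dac_override,cap_setgid,cap_setuid=ep
/usr/libexec/sssd/selinux_child cap_chown,cap_dac_override,cap_setgid,cap_setuid=ep
/usr/libexec/sssd/sssd_pam cap_dac_read_search=p'

AFTER='/usr/libexec/sssd/krb5_child cap_chown,cap_dac_override,cap_setgid,cap_setuid=ep
/usr/libexec/sssd/ldap_child cap_chown,cap_dac_override,cap_setgid,cap_setuid=ep
/usr/libexec/sssd/selinux_child cap_setgid,cap_setuid=p
/usr/libexec/sssd/sssd_pam cap_dac_read_search=p'

# cap_drift BASELINE CURRENT   (hypothetical helper)
# Prints "path: baseline -> current" for every path whose capability string
# changed, "-> (none)" when a path lost its capabilities or is absent from
# CURRENT, and "(none) ->" when it appears only in CURRENT.
# Expects the "path caps" line format shown above; paths with spaces are not handled.
cap_drift() {
    { printf '%s\n' "$1"; printf '%s\n' '--'; printf '%s\n' "$2"; } | awk '
        $0 == "--" { second = 1; next }      # separator between the two listings
        NF < 2     { next }                  # skip blank or malformed lines
        !second    { base[$1] = $NF; next }  # first listing: baseline
                   { cur[$1]  = $NF }        # second listing: current state
        END {
            for (p in base) {
                now = (p in cur) ? cur[p] : "(none)"
                if (now != base[p]) printf "%s: %s -> %s\n", p, base[p], now
            }
            for (p in cur)
                if (!(p in base)) printf "%s: (none) -> %s\n", p, cur[p]
        }' | sort
}

# With the issue data this reports only selinux_child.
cap_drift "$BEFORE" "$AFTER"

# On a live system (baseline.txt is a hypothetical saved listing):
#   cap_drift "$(cat baseline.txt)" "$(getcap /usr/libexec/sssd/*)"
```
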

@dosubot dosubot bot added the bug Something isn't working label Dec 30, 2024
@rayrayrayraydog
Author

Closing as another user created an almost identical ticket with better info

@rayrayrayraydog
Author

See #2030 instead
