ansible-freeipa
[ipaclient] Misconfiguration found for the * responder | Failed to listen on SSSD * Service responder socket | status=17
Hello,
we have the problem that after installing the FreeIPA client via the Ansible Role we see the following errors on the server for all sssd-*.socket units. The SSSD service is running as expected.
Although I see these messages, everything works as expected. I can log in to the system normally and become root.
Is there something I missed in the configuration options? Or is that a general problem in the Ansible role ipaclient?
Operating System: Ubuntu 20.04.4 LTS
ipaclient.yaml
ipaclient_domain: REDACTED.tld
ipaclient_realm: REDACTED.tld
ipaclient_ntp_pool: REDACTED.tld
ipaclient_servers: ipa.REDACTED.tld
ipaclient_mkhomedir: yes
ipaclient_allow_repair: no
ipaadmin_principal: admin
ipaadmin_password: "REDACTED"
● sssd.service - System Security Services Daemon
Loaded: loaded (/lib/systemd/system/sssd.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2022-06-17 08:09:35 UTC; 9min ago
Main PID: 713 (sssd)
Tasks: 7 (limit: 19105)
Memory: 54.9M
CGroup: /system.slice/sssd.service
├─ 713 /usr/sbin/sssd -i --logger=files
├─ 936 /usr/libexec/sssd/sssd_be --domain shared.nx2.dev --uid 0 --gid 0 --logger=files
├─1091 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
├─1092 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files
├─1093 /usr/libexec/sssd/sssd_ssh --uid 0 --gid 0 --logger=files
├─1094 /usr/libexec/sssd/sssd_sudo --uid 0 --gid 0 --logger=files
└─1095 /usr/libexec/sssd/sssd_pac --uid 0 --gid 0 --logger=files
Jun 17 08:09:35 REDACTED sssd_nss[1091]: Starting up
Jun 17 08:09:35 REDACTED sssd_pam[1092]: Starting up
Jun 17 08:09:35 REDACTED sssd_pac[1095]: Starting up
Jun 17 08:09:35 REDACTED sssd_ssh[1093]: Starting up
Jun 17 08:09:35 REDACTED sssd_sudo[1094]: Starting up
Jun 17 08:09:35 REDACTED systemd[1]: Started System Security Services Daemon.
Jun 17 08:09:35 REDACTED sssd_be[936]: GSSAPI client step 1
Jun 17 08:09:35 REDACTED sssd_be[936]: GSSAPI client step 1
Jun 17 08:09:35 REDACTED sssd_be[936]: GSSAPI client step 1
Jun 17 08:09:35 REDACTED sssd_be[936]: GSSAPI client step 2
● sssd-ssh.socket - SSSD SSH Service responder socket
Loaded: loaded (/lib/systemd/system/sssd-ssh.socket; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Fri 2022-06-17 08:09:35 UTC; 5min ago
Triggers: ● sssd-ssh.service
Docs: man:sssd.conf(5)
Listen: /var/lib/sss/pipes/ssh (Stream)
Process: 1300 ExecStartPre=/usr/libexec/sssd/sssd_check_socket_activated_responders -r ssh (code=exited, status=17)
Jun 17 08:09:35 REDACTED systemd[1]: Starting SSSD SSH Service responder socket.
Jun 17 08:09:35 REDACTED sssd_check_socket_activated_responders[1300]: (Fri Jun 17 08:09:35:342734 2022) [sssd] [main] (0x0010): Misconfiguration found for the ssh responder.
Jun 17 08:09:35 REDACTED sssd_check_socket_activated_responders[1300]: The ssh responder has been configured to be socket-activated but it's still mentioned in the services' line in /etc/sssd/sssd.conf.
Jun 17 08:09:35 REDACTED sssd_check_socket_activated_responders[1300]: Please, consider either adjusting your services' line in /etc/sssd/sssd.conf or disabling the ssh's socket by calling:
Jun 17 08:09:35 REDACTED sssd_check_socket_activated_responders[1300]: "systemctl disable sssd-ssh.socket"
Jun 17 08:09:35 REDACTED systemd[1]: sssd-ssh.socket: Control process exited, code=exited, status=17/n/a
Jun 17 08:09:35 REDACTED systemd[1]: sssd-ssh.socket: Failed with result 'exit-code'.
Jun 17 08:09:35 REDACTED systemd[1]: Failed to listen on SSSD SSH Service responder socket.
● sssd-sudo.socket - SSSD Sudo Service responder socket
Loaded: loaded (/lib/systemd/system/sssd-sudo.socket; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Fri 2022-06-17 08:09:35 UTC; 7min ago
Triggers: ● sssd-sudo.service
Docs: man:sssd.conf(5)
Listen: /var/lib/sss/pipes/sudo (Stream)
Process: 1306 ExecStartPre=/usr/libexec/sssd/sssd_check_socket_activated_responders -r sudo (code=exited, status=17)
Jun 17 08:09:35 REDACTED systemd[1]: Starting SSSD Sudo Service responder socket.
Jun 17 08:09:35 REDACTED sssd_check_socket_activated_responders[1306]: (Fri Jun 17 08:09:35:351237 2022) [sssd] [main] (0x0010): Misconfiguration found for the sudo responder.
Jun 17 08:09:35 REDACTED sssd_check_socket_activated_responders[1306]: The sudo responder has been configured to be socket-activated but it's still mentioned in the services' line in /etc/sssd/sssd.conf.
Jun 17 08:09:35 REDACTED sssd_check_socket_activated_responders[1306]: Please, consider either adjusting your services' line in /etc/sssd/sssd.conf or disabling the sudo's socket by calling:
Jun 17 08:09:35 REDACTED sssd_check_socket_activated_responders[1306]: "systemctl disable sssd-sudo.socket"
Jun 17 08:09:35 REDACTED systemd[1]: sssd-sudo.socket: Control process exited, code=exited, status=17/n/a
Jun 17 08:09:35 REDACTED systemd[1]: sssd-sudo.socket: Failed with result 'exit-code'.
Jun 17 08:09:35 REDACTED systemd[1]: Failed to listen on SSSD Sudo Service responder socket.
Thanks for the help. :)
There is a workaround: if you comment out the line with the services, then they all start too.
[sssd]
#services = nss, pam, ssh, sudo
https://bugs.launchpad.net/ubuntu/+source/realmd/+bug/1880157
Both FreeIPA client code and ansible-freeipa client code do explicitly configure services in sssd.conf when asked to configure SSSD. This behavior is not conditionalized per distribution. Debian/Ubuntu chose to default to socket activation instead of what SSSD upstream is using (and what Fedora and others default to).
To solve this problem, the client code in FreeIPA needs to be turned to use per-platform tasks and then Debian platform needs to drop services in the configuration to be able to work properly. I think this is something that Debian/Ubuntu maintainers need to take care of, if this platform intentionally differentiates their setup.
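The conflict reported in the logs above can be checked for directly. The following is an added example, not part of the thread and not SSSD or ansible-freeipa code; the function names, the sample sssd.conf and the list of enabled sockets are constructed for illustration.

```shell
#!/bin/sh
# Added example: find SSSD responders that are listed on the [sssd] "services"
# line while their socket unit is also enabled (the status=17 condition).

# Print responders named on the active services line of [sssd], one per line.
# A commented-out line ("#services = ...") is ignored.
listed_responders() {
    awk '
        /^[ \t]*\[/ { in_sssd = ($0 ~ /^[ \t]*\[sssd\][ \t]*$/); next }
        in_sssd && /^[ \t]*services[ \t]*=/ {
            sub(/^[^=]*=/, "")
            n = split($0, parts, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", parts[i])
                if (parts[i] != "") print parts[i]
            }
        }
    ' "$1"
}

# $1 = path to sssd.conf, $2 = space-separated names of enabled socket units.
# On a live host the second argument could be built from the output of
# `systemctl list-unit-files 'sssd-*.socket' --state=enabled`.
conflicting_responders() {
    for r in $(listed_responders "$1"); do
        case " $2 " in
            *" sssd-$r.socket "*) printf '%s\n' "$r" ;;
        esac
    done
}

# Constructed sample input: a services line like the one in the thread
# and a made-up set of enabled socket units.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
[sssd]
services = nss, pam, ssh, sudo
domains = example.test

[domain/example.test]
id_provider = ipa
EOF
ENABLED_SOCKETS="sssd-ssh.socket sssd-sudo.socket sssd-pac.socket"

conflicting_responders "$SAMPLE_CONF" "$ENABLED_SOCKETS"
```

Each responder it prints needs one of the two fixes named in the log message: remove it from the services line, or disable its socket unit.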