
User/group lookup fails after nss and sssd (ldap) is configured

Open rda0 opened this issue 2 years ago • 0 comments

Ansible fails to look up groups when using the file module in the same run, after nss and sssd with id_provider = ldap have been configured, when the group to look up resides in the newly configured external provider (via sss from ldap). Any subsequent run succeeds.

Versions

  • Which version of Ansible are you running?

ansible [core 2.12.1], python version = 3.8.10

  • Is your version of Ansible patched in any way?

No

  • Are you running with any custom modules, or module_utils loaded?

No

  • Have you tried the latest master version from Git?

Yes, bd3cfb42 (HEAD -> stable, tag: v0.3.2, origin/stable)

  • Do you have some idea of what the underlying problem may be? https://mitogen.networkgenomics.com/ansible_detailed.html#common-problems has instructions to help figure out the likely cause and how to gather relevant logs.

Looks like https://mitogen.networkgenomics.com/ansible_detailed.html#process-environment-emulation as it is related to a change in nsswitch.conf

  • Mention your host and target OS and versions

Host: Ubuntu 20.04.3 LTS
Target: Debian GNU/Linux 10 (buster), relevant packages:

ii  libnss3:amd64                     2:3.42.1-1+deb10u5                  amd64        Network Security Service libraries
ii  sssd                              1.16.3-3.2                          amd64        System Security Services Daemon -- metapackage
ii  sssd-ad                           1.16.3-3.2                          amd64        System Security Services Daemon -- Active Directory back end
ii  sssd-ad-common                    1.16.3-3.2                          amd64        System Security Services Daemon -- PAC responder
ii  sssd-common                       1.16.3-3.2                          amd64        System Security Services Daemon -- common files
ii  sssd-dbus                         1.16.3-3.2                          amd64        System Security Services Daemon -- D-Bus responder
ii  sssd-ipa                          1.16.3-3.2                          amd64        System Security Services Daemon -- IPA back end
ii  sssd-krb5                         1.16.3-3.2                          amd64        System Security Services Daemon -- Kerberos back end
ii  sssd-krb5-common                  1.16.3-3.2                          amd64        System Security Services Daemon -- Kerberos helpers
ii  sssd-ldap                         1.16.3-3.2                          amd64        System Security Services Daemon -- LDAP back end
ii  sssd-proxy                        1.16.3-3.2                          amd64        System Security Services Daemon -- proxy back end
ii  sssd-tools                        1.16.3-3.2                          amd64        System Security Services Daemon -- tools
ii  libnss-sss:amd64                  1.16.3-3.2                          amd64        Nss library for the System Security Services Daemon
ii  libsss-certmap0                   1.16.3-3.2                          amd64        Certificate mapping library for SSSD
ii  libsss-idmap0                     1.16.3-3.2                          amd64        ID mapping library for SSSD
ii  libsss-nss-idmap0                 1.16.3-3.2                          amd64        SID based lookups library for SSSD
ii  libsss-simpleifp0                 1.16.3-3.2                          amd64        SSSD D-Bus responder helper library
ii  python-sss                        1.16.3-3.2                          amd64        Python module for the System Security Services Daemon
ii  python3-sss                       1.16.3-3.2                          amd64        Python3 module for the System Security Services Daemon

  • Mention your host and target Python versions

Host: Python 3.8.10
Target: Python 3.7.3
ansible.cfg: interpreter_python = /usr/bin/python3

  • If reporting any kind of problem with Ansible, please include the Ansible version along with output of "ansible-config dump --only-changed".

ANSIBLE_NOCOWS(/home/myuser/git/ansible-isg-phys/ansible.cfg) = True
DEFAULT_FORKS(/home/myuser/git/ansible-isg-phys/ansible.cfg) = 30
DEFAULT_GATHERING(/home/myuser/git/ansible-isg-phys/ansible.cfg) = smart
DEFAULT_NO_TARGET_SYSLOG(/home/myuser/git/ansible-isg-phys/ansible.cfg) = True
DEFAULT_REMOTE_USER(/home/myuser/git/ansible-isg-phys/ansible.cfg) = root
DEFAULT_ROLES_PATH(/home/myuser/git/ansible-isg-phys/ansible.cfg) = ['/home/myuser/git/ansible-isg-phys/roles-shared', '/home/myuser/git/ansible-isg-phys/roles-servers']
DEFAULT_STDOUT_CALLBACK(/home/myuser/git/ansible-isg-phys/ansible.cfg) = yaml
DEFAULT_STRATEGY(env: ANSIBLE_STRATEGY) = mitogen_linear
DEFAULT_STRATEGY_PLUGIN_PATH(env: ANSIBLE_STRATEGY_PLUGINS) = ['/home/myuser/.ansible/mitogen/ansible_mitogen/plugins/strategy']
DEFAULT_TIMEOUT(/home/myuser/git/ansible-isg-phys/ansible.cfg) = 5
INTERPRETER_PYTHON(/home/myuser/git/ansible-isg-phys/ansible.cfg) = /usr/bin/python3
MAX_FILE_SIZE_FOR_DIFF(/home/myuser/git/ansible-isg-phys/ansible.cfg) = 300000
RETRY_FILES_ENABLED(/home/myuser/git/ansible-isg-phys/ansible.cfg) = False
TRANSFORM_INVALID_GROUP_CHARS(/home/myuser/git/ansible-isg-phys/ansible.cfg) = ignore

Detailed description

In the same Ansible run, after configuration of sssd + nss and restarting sssd.service:

sssd config /etc/sssd/sssd.conf:

[sssd]
# debug_level = 8
domains = mydomain
config_file_version = 2
services = ifp,nss

[nss]
# debug_level = 8
filter_groups = root
filter_users = root

[domain/mydomain]
# debug_level = 8
id_provider = ldap
auth_provider = ldap
access_provider = ldap
autofs_provider = ldap
sudo_provider = none

ldap_uri = ldap://myldap
ldap_id_use_start_tls = true
ldap_search_base = mybase
ldap_user_search_base = ou=people,mybase
ldap_group_search_base = ou=groups,mybase
ldap_netgroup_search_base = ou=netgroup,mybase
ldap_referrals = false

nss config /etc/nsswitch.conf:

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: files sss
group: files sss
shadow: files sss
gshadow: files
sudoers: files

hosts: files dns
networks: files
protocols: files
services: files
ethers: files
rpc: files
netgroup: sss

running the following tasks:

# ensure sssd is restarted
- name: flush handlers
  meta: flush_handlers

- name: test group lookup
  file:
    path: "/tmp/ansible_group_test_{{ 1000000|random|hash('sha1') }}"
    state: directory
    owner: root
    group: mygroup
    mode: '0755'
  ignore_errors: True

- name: getent group
  command: getent group mygroup
  ignore_errors: True
  register: sssd_getent_group_mygroup

- name: debug sssd_getent_group_mygroup
  debug:
    msg: "{{ sssd_getent_group_mygroup }}"

- name: test group lookup
  file:
    path: "/tmp/ansible_group_test_{{ 1000000|random|hash('sha1') }}"
    state: directory
    owner: root
    group: mygroup
    mode: '0755'
  ignore_errors: True

- name: id group
  command: id mygroup
  ignore_errors: True
  register: sssd_id_mygroup

- name: debug sssd_id_mygroup
  debug:
    msg: "{{ sssd_id_mygroup }}"

- name: test group lookup
  file:
    path: "/tmp/ansible_group_test_{{ 1000000|random|hash('sha1') }}"
    state: directory
    owner: root
    group: mygroup
    mode: '0755'
  ignore_errors: True

will result in:

RUNNING HANDLER [handlers_common : restart sssd] ***********************************************************************
changed: [phd-test-apache]

TASK [sssd : test group lookup] ****************************************************************************************
fatal: [phd-test-apache]: FAILED! => changed=false
  gid: 0
  group: root
  mode: '0755'
  msg: 'chgrp failed: failed to look up group mygroup'
  owner: root
  path: /tmp/ansible_group_test_ba1a10f18221ac93cc28b8ba35deffbee81481ba
  size: 4096
  state: directory
  uid: 0
...ignoring

TASK [sssd : getent group] *********************************************************************************************
changed: [phd-test-apache]

TASK [sssd : debug sssd_getent_group_mygroup] ******************************************************************************
ok: [phd-test-apache] =>
  msg:
    changed: true
    cmd:
    - getent
    - group
    - mygroup
    delta: '0:00:00.064221'
    end: '2022-01-28 13:31:08.763576'
    failed: false
    msg: ''
    rc: 0
    start: '2022-01-28 13:31:08.699355'
    stderr: ''
    stderr_lines: []
    stdout: mygroup:*:2320:user1,user2,user3
    stdout_lines:
    - mygroup:*:2320:user1,user2,user3

TASK [sssd : test group lookup] ****************************************************************************************
fatal: [phd-test-apache]: FAILED! => changed=false
  gid: 0
  group: root
  mode: '0755'
  msg: 'chgrp failed: failed to look up group mygroup'
  owner: root
  path: /tmp/ansible_group_test_ce8594e37dc49268b87ad6f2d983a16e0cc0d21e
  size: 4096
  state: directory
  uid: 0
...ignoring

TASK [sssd : id group] *************************************************************************************************
changed: [phd-test-apache]

TASK [sssd : debug sssd_id_mygroup] ****************************************************************************************
ok: [phd-test-apache] =>
  msg:
    changed: true
    cmd:
    - id
    - mygroup
    delta: '0:00:00.055586'
    end: '2022-01-28 13:31:09.005013'
    failed: false
    msg: ''
    rc: 0
    start: '2022-01-28 13:31:08.949427'
    stderr: ''
    stderr_lines: []
    stdout: uid=2320(mygroup) gid=2320(mygroup) groups=2320(mygroup)
    stdout_lines:
    - uid=2320(mygroup) gid=2320(mygroup) groups=2320(mygroup)

TASK [sssd : test group lookup] ****************************************************************************************
fatal: [phd-test-apache]: FAILED! => changed=false
  gid: 0
  group: root
  mode: '0755'
  msg: 'chgrp failed: failed to look up group mygroup'
  owner: root
  path: /tmp/ansible_group_test_00f83e3a28a672a4e65a2a794cc5ebfa365b0e84
  size: 4096
  state: directory
  uid: 0
...ignoring

The group/user mygroup is available on the system via nsswitch (sss) > sssd > ldap when using the command module with id mygroup and getent group mygroup, but Ansible is unable to look up the group/user with the file module.

Any subsequent run or disabling Mitogen succeeds.

rda0 Jan 28 '22 15:01
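The failure pattern above (getent and id succeed in fresh processes while the file module fails inside the long-lived Mitogen interpreter) is what you would expect when a process initialised glibc NSS before "sss" was added to nsswitch.conf: glibc before 2.33 reads the service list once per process and only loads the libnss_* backends named at that time. The following diagnostic is an added example, not code from the issue or from Mitogen; it compares the backends nsswitch.conf names for a database with the libnss_* objects actually mapped into a process. Function names and the sample nsswitch.conf and /proc/<pid>/maps lines are constructed.

```python
import re

# Constructed sample inputs: an nsswitch.conf excerpt as the sssd role leaves it,
# and maps lines from a process that initialised NSS before "sss" was configured.
SAMPLE_NSSWITCH = """\
# constructed excerpt of /etc/nsswitch.conf
passwd: files sss
group:  files sss
hosts:  files dns
"""
SAMPLE_MAPS = """\
7f1c0a000000-7f1c0a00b000 r-xp 00000000 fd:01 1234 /lib/x86_64-linux-gnu/libnss_files-2.28.so
7f1c0a200000-7f1c0a300000 r-xp 00000000 fd:01 5678 /usr/lib/x86_64-linux-gnu/libnss3.so
"""

NSSWITCH_LINE = re.compile(r"^\s*([a-z_]+)\s*:\s*(.*)$")
# glibc backends are named libnss_<service>.so.2 or libnss_<service>-<ver>.so;
# Mozilla's libnss3.so (from the dpkg list in the issue) is unrelated and must not match.
NSS_BACKEND = re.compile(r"/libnss_([a-z0-9_]+)[.-]")


def nss_services(nsswitch_text, database):
    """Service names nsswitch.conf lists for `database`, e.g. ['files', 'sss']."""
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0]          # drop comments
        m = NSSWITCH_LINE.match(line)
        if m and m.group(1) == database:
            # ignore action specs such as [NOTFOUND=return]
            return [tok for tok in m.group(2).split() if not tok.startswith("[")]
    return []                                # database not listed at all


def loaded_nss_modules(maps_text):
    """Service names of the libnss_* objects currently mapped into a process."""
    return sorted({m.group(1) for m in NSS_BACKEND.finditer(maps_text)})


def unloaded_services(nsswitch_text, maps_text, database):
    """Configured services the process has NOT loaded: the mismatch behind
    'failed to look up group' inside a long-lived interpreter."""
    loaded = set(loaded_nss_modules(maps_text))
    return [s for s in nss_services(nsswitch_text, database) if s not in loaded]


if __name__ == "__main__":
    import grp
    try:
        grp.getgrnam("root")                 # force NSS initialisation in this process
    except KeyError:
        pass
    with open("/etc/nsswitch.conf") as f, open("/proc/self/maps") as g:
        missing = unloaded_services(f.read(), g.read(), "group")
    print("group backends not loaded in this process:", missing)
```

Run stand-alone on the target it reports which configured group backends the current process never loaded; a non-empty list for a process started before the nsswitch.conf change explains why a lookup that works from getent fails from inside that process.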