realmd generates wrong 'services' section in sssd.conf during joining to AD

Bug #1880157 reported by Michael Andreev
This bug affects 8 people
Affects            Status     Importance  Assigned to  Milestone
realmd (Ubuntu)    Confirmed  Low         Unassigned
  Jammy            Confirmed  Low         Unassigned
  Kinetic          Won't Fix  Low         Unassigned

Bug Description

After joining AD (`realm join DOMAIN`) on Ubuntu 20.04, `sssd-nss.socket` and `sssd-pam-priv.socket` fail to start with the following errors:

* sssd-nss.socket:
Misconfiguration found for the nss responder.
The nss responder has been configured to be socket-activated but it's still mentioned in the services' line in /etc/sssd/sssd.conf.
Please, consider either adjusting your services' line in /etc/sssd/sssd.conf or disabling the nss's socket by calling:
"systemctl disable sssd-nss.socket"

* sssd-pam-priv.socket
Misconfiguration found for the pam responder.
The pam responder has been configured to be socket-activated but it's still mentioned in the services' line in /etc/sssd/sssd.conf.
Please, consider either adjusting your services' line in /etc/sssd/sssd.conf or disabling the pam's socket by calling:
"systemctl disable sssd-pam.socket"

If I comment out the following line in the `/etc/sssd/sssd.conf` file:
`services = nss, pam`
then the sockets above start successfully.

This issue occurs in Ubuntu 20.04:

> lsb_release -rd
Description: Ubuntu 20.04 LTS
Release: 20.04

Package versions:

> apt-cache policy realmd sssd
realmd:
  Installed: 0.16.3-3
  Candidate: 0.16.3-3
  Version table:
 *** 0.16.3-3 500
        500 http://ru.archive.ubuntu.com/ubuntu focal/universe amd64 Packages
        100 /var/lib/dpkg/status
sssd:
  Installed: 2.2.3-3
  Candidate: 2.2.3-3
  Version table:
 *** 2.2.3-3 500
        500 http://ru.archive.ubuntu.com/ubuntu focal/main amd64 Packages
        100 /var/lib/dpkg/status

Expected to happen:
`sssd-nss.socket` and `sssd-pam-priv.socket` start successfully.

Happens instead:
`sssd-nss.socket` and `sssd-pam-priv.socket` fail to start.

Steps to reproduce:
1. Ubuntu 20.04 clean install
2. `sudo apt install realmd sssd sssd-tools libnss-sss libpam-sss adcli samba-common-bin`
3. `sudo realm join DOMAIN.NAME`

Tags: focal

tags: added: focal
Revision history for this message
Robie Basak (racb) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better.

Based on https://ubuntu.com/server/docs/service-sssd it shouldn't be doing that, so I'll add this to our backlog. Andreas, you might know what's going on straight away. Could you please take a look?

Changed in realmd (Ubuntu):
importance: Undecided → High
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Yeah, the services don't need to be specified anymore since they are all socket activated. I didn't think that was a fatal error, though. Even with those errors in the logs, sssd was still working.

I can check this out in more detail when I'm back from holidays.

no longer affects: realmd (Ubuntu Focal)
no longer affects: realmd (Ubuntu Groovy)
Changed in realmd (Ubuntu):
status: New → Triaged
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

This is not a fatal error, as the non-socket-activated instances of the service start up. It's incorrect though, as the sssd package defaults to socket-activated and realmd should be in sync with that.

Example right after joining the domain:
    579 ? Ss 0:00 /usr/sbin/sssd -i --logger=files
    580 ? S 0:00 \_ /usr/libexec/sssd/sssd_be --domain ad1.example.com --uid 0 --gid 0 --logger=files
    581 ? S 0:00 \_ /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
    582 ? S 0:00 \_ /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files
    618 ? Ss 0:00 /usr/libexec/sssd/sssd_sudo --socket-activated

We see that nss and pam started in their non-socket-activated modes, because they are specified in sssd.conf, whereas sudo, which is NOT specified in sssd.conf, started as socket-activated.

I'm downgrading the severity, but it's still worth fixing.

Changed in realmd (Ubuntu):
importance: High → Low
Changed in realmd (Ubuntu):
assignee: nobody → Andreas Hasenack (ahasenack)
status: Triaged → In Progress
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package realmd - 0.16.3-3ubuntu1

---------------
realmd (0.16.3-3ubuntu1) groovy; urgency=medium

  * d/p/0001-LDAP-don-t-close-LDAP-socket-twice.patch: don't close LDAP
    socket twice.
  * d/p/0001-Fix-man-page-reference-in-systemd-service-file.patch: the
    manpage is realm(8), not realmd(8)
  * d/p/0001-Use-current-idmap-options-for-smb.conf.patch: use the
    idmap options in smb.conf for modern versions of samba (LP: #1894153)
  * d/p/0001-Find-NetBIOS-name-in-keytab-while-leaving.patch: find
    NetBIOS name in keytab while leaving the domain (LP: #1894340)
  * d/p/0001-Fix-issues-found-by-Coverity.patch: fix issues found by
    Coverity
  * d/p/0002-Change-qualified-names-default-for-IPA.patch: change
    qualified names default for IPA
  * d/p/0003-discover-try-to-get-domain-name-from-hostname.patch: if
    there is no domain name returned by DHCP check if the hostname
    contains a domain part and use this to discover a realm.
  * d/p/0001-IPA-do-not-call-sssd-enable-logins.patch: IPA: do not call
    sssd-enable-logins
  * d/p/0001-Set-NEWEST-flag-when-resolving-packages-with-Package.patch:
    install the latest version of a package when resolving packages with
    PackageKit
  * d/p/0001-doc-make-sure-cross-reference-ids-are-predictable.patch: make
    sure cross-reference ids are predictable
  * d/p/0002-tools-remove-duplicated-va_start.patch: remove duplicated
    va_start()
  * d/p/0003-service-remove-dead-code.patch: remove unused code
  * d/p/0004-service-check-return-value-of-fcntl.patch: check return
    value of fcntl()
  * d/p/0005-service-avoid-dereference-of-a-null-pointer.patch: avoid
    dereference of a null pointer
  * d/p/0006-service-avoid-dereferencing-a-NULL-pointer.patch: avoid
    dereferencing a NULL pointer
  * d/p/0001-Add-missing-xsl-file-to-Makefile.am.patch: add missing xsl
    file to Makefile.am
  * d/p/0002-configure-do-not-inherit-DISTRO-from-the-environment.patch:
    do not inherit DISTRO from the environment
  * d/p/0003-doc-extend-user-principal-section.patch: doc: extend
    user-principal section
  * d/p/0004-doc-fix-discover-name-only.patch: doc: fix discover
    name-only parameter
  * d/p/0005-doc-add-see-also-to-man-pages.patch: doc: add see also to
    man pages
  * d/p/0006-doc-extend-description-of-config-handling.patch: doc: extend
    description of config handling
  * d/p/0007-service-use-kerberos-method-secrets-and-keytab.patch: when
    using Samba with Winbind, set "kerberos method" to "secrets and keytab"
  * d/p/install-libnss-winbind.patch: install libnss-winbind when needed
    (LP: #1894150)
  * d/p/dont-add-services-line.patch: in Ubuntu and Debian, the sssd_*
    services are socket activated and don't need a "services" line in
    sssd.conf (LP: #1880157)
  * d/p/0004-service-use-additional-dns-hostnames-with-net-ads-jo.patch:
    when using samba to join a domain, and the client is from a different
    domain, also set "additional dns hostnames"
  * d/p/0002-Use-startTLS-with-FreeIPA.patch: attempt StartTLS first
    when talking to FreeIPA
  * d/p/0003-service-use-net-ads-join-with-k-for-user-join-as-wel.patch:
    when joining using samba, ...


Changed in realmd (Ubuntu):
status: In Progress → Fix Released
Revision history for this message
Ed McDonagh (ed-mcdonagh) wrote :

This bug is labelled as Fix Released, but the same thing happens with 22.04.1 with the following packages:

$ apt-cache policy realmd sssd
realmd:
  Installed: 0.17.0-1ubuntu2
  Candidate: 0.17.0-1ubuntu2
  Version table:
 *** 0.17.0-1ubuntu2 500
        500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages
        100 /var/lib/dpkg/status
sssd:
  Installed: 2.6.3-1ubuntu3.1
  Candidate: 2.6.3-1ubuntu3.1
  Version table:
 *** 2.6.3-1ubuntu3.1 500
        500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     2.6.3-1ubuntu3 500
        500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages

I get the same errors in journalctl, and by commenting the same line everything works nicely.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Confirmed, just tried on a fresh jammy 22.04 and the services line is back to sssd.conf :/

ubuntu@j-sssd:~$ sudo realm join -v internal.example.fake
 * Resolving: _ldap._tcp.internal.example.fake
 * Performing LDAP DSE lookup on: 10.0.16.5
 * Successfully discovered: internal.example.fake
Password for Administrator:
 * Unconditionally checking packages
 * Resolving required packages
 * Installing necessary packages: sssd-tools
 * LANG=C /usr/sbin/adcli join --verbose --domain internal.example.fake --domain-realm INTERNAL.EXAMPLE.FAKE --domain-controller 10.0.16.5 --login-type user --login-user Administrator --stdin-password
 * Using domain name: internal.example.fake
 * Calculated computer account name from fqdn: J-SSSD
 * Using domain realm: internal.example.fake
 * Sending NetLogon ping to domain controller: 10.0.16.5
 * Received NetLogon info from: WIN-KRIET1E5ELO.internal.example.fake
 * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-8AgvFI/krb5.d/adcli-krb5-conf-NZrUEM
 * Authenticated as user: <email address hidden>
 * Using GSS-SPNEGO for SASL bind
 * Looked up short domain name: INTEXAMPLE
 * Looked up domain SID: S-1-5-21-3924544305-522449517-3196740370
 * Using fully qualified name: j-sssd
 * Using domain name: internal.example.fake
 * Using computer account name: J-SSSD
 * Using domain realm: internal.example.fake
 * Calculated computer account name from fqdn: J-SSSD
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * A computer account for J-SSSD$ does not exist
 * Found well known computer container at: CN=Computers,DC=internal,DC=example,DC=fake
 * Calculated computer account: CN=J-SSSD,CN=Computers,DC=internal,DC=example,DC=fake
 * Encryption type [3] not permitted.
 * Encryption type [1] not permitted.
 * Created computer account: CN=J-SSSD,CN=Computers,DC=internal,DC=example,DC=fake
 * Sending NetLogon ping to domain controller: 10.0.16.5
 * Received NetLogon info from: WIN-KRIET1E5ELO.internal.example.fake
 * Set computer password
 * Retrieved kvno '2' for computer account in directory: CN=J-SSSD,CN=Computers,DC=internal,DC=example,DC=fake
 * Checking RestrictedKrbHost/J-SSSD
 * Added RestrictedKrbHost/J-SSSD
 * Checking host/J-SSSD
 * Added host/J-SSSD
 * Discovered which keytab salt to use
 * Added the entries to the keytab: J-SSSD$@INTERNAL.EXAMPLE.FAKE: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: <email address hidden>: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: <email address hidden>: FILE:/etc/krb5.keytab
 * /usr/sbin/update-rc.d sssd enable
 * /usr/sbin/service sssd restart
 * Successfully enrolled machine in realm

ubuntu@j-sssd:~$ sudo -i
root@j-sssd:~# cat /etc/sssd/sssd.conf

[sssd]
domains = internal.example.fake
config_file_version = 2
services = nss, pam

(...)

Changed in realmd (Ubuntu Kinetic):
status: Fix Released → Confirmed
Changed in realmd (Ubuntu Jammy):
status: New → Confirmed
Changed in realmd (Ubuntu Kinetic):
assignee: Andreas Hasenack (ahasenack) → nobody
Changed in realmd (Ubuntu Jammy):
importance: Undecided → Low
Revision history for this message
Another David (anotherdavid) wrote :

This bug affects the Amazon WorkSpaces Ubuntu Pro images too.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Kinetic is EOL.

Changed in realmd (Ubuntu Kinetic):
status: Confirmed → Won't Fix
Revision history for this message
Thibault dB (t-deb-als) wrote :

Is there a workaround for this bug for jammy? Should we just comment out the "services" line in /etc/sssd/sssd.conf?

Revision history for this message
Lucas Kanashiro (lucaskanashiro) wrote :

Hi Thibault,

Yes, removing the "services" line from sssd.conf should fix this problem. Because the workaround is straightforward, the severity of this bug is Low.
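
The check and the workaround discussed in this thread, as an added example that is not code from the bug report or from the realmd/sssd projects: a POSIX shell script that lists the responders named on the `[sssd]` "services" line, intersects them with the responders the Ubuntu sssd package starts from systemd socket units (an assumed list: nss, pam, sudo, ssh, autofs, pac), writes a copy of the file with that line commented out, and classifies running responders from `ps ax` output by the `--socket-activated` flag Andreas pointed at. The sssd.conf and the process list are constructed from what the thread shows; the domain section is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the bug report nor from realmd or sssd.
# Assumptions: sssd.conf keeps its "services" line in the [sssd] section, and
# the responders below are the ones the Ubuntu sssd package ships with
# sssd-<name>.socket units, so listing them in "services" trips the
# "configured to be socket-activated" check quoted in the report.
SOCKET_RESPONDERS="nss pam sudo ssh autofs pac"

# Print the responders named on the [sssd] "services =" line of $1, one per line.
sssd_services() {
    awk '
        /^[[:space:]]*\[/ { in_sssd = ($0 ~ /^[[:space:]]*\[sssd\][[:space:]]*$/) }
        in_sssd && /^[[:space:]]*services[[:space:]]*=/ {
            sub(/^[^=]*=/, "")
            gsub(/,/, " ")
            n = split($0, parts, " ")
            for (i = 1; i <= n; i++) print parts[i]
        }' "$1"
}

# Print the responders that are both listed in "services" and socket-activated:
# exactly the ones whose sssd-<name>.socket will refuse to start.
sssd_conflicts() {
    for svc in $(sssd_services "$1"); do
        for sock in $SOCKET_RESPONDERS; do
            if [ "$svc" = "$sock" ]; then echo "$svc"; fi
        done
    done
}

# Write $1 to $2 with the [sssd] "services" line commented out (the
# workaround from this thread); every other line is copied unchanged.
sssd_fix_services() {
    awk '
        /^[[:space:]]*\[/ { in_sssd = ($0 ~ /^[[:space:]]*\[sssd\][[:space:]]*$/) }
        in_sssd && /^[[:space:]]*services[[:space:]]*=/ { print "# " $0; next }
        { print }' "$1" > "$2"
}

# Classify sssd responders from "ps ax" style lines on stdin: a responder
# forked by the sssd monitor has no --socket-activated flag, a socket-activated
# one does. sssd_be (the backend) is not a responder and is skipped.
sssd_responder_modes() {
    awk '
        match($0, /sssd_(nss|pam|sudo|ssh|autofs|pac)/) {
            name = substr($0, RSTART + 5, RLENGTH - 5)
            mode = ($0 ~ /--socket-activated/) ? "socket" : "monitor"
            print name " " mode
        }'
}

# Constructed sample input: the [sssd] section realmd wrote on jammy (from the
# thread) plus a placeholder domain section, and the process list from the thread.
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
[sssd]
domains = internal.example.fake
config_file_version = 2
services = nss, pam

[domain/internal.example.fake]
id_provider = ad
EOF

SAMPLE_PS="$(mktemp)"
cat > "$SAMPLE_PS" <<'EOF'
    579 ? Ss 0:00 /usr/sbin/sssd -i --logger=files
    580 ? S 0:00 \_ /usr/libexec/sssd/sssd_be --domain ad1.example.com --uid 0 --gid 0 --logger=files
    581 ? S 0:00 \_ /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
    582 ? S 0:00 \_ /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files
    618 ? Ss 0:00 /usr/libexec/sssd/sssd_sudo --socket-activated
EOF

FIXED_CONF="$(mktemp)"
sssd_fix_services "$SAMPLE_CONF" "$FIXED_CONF"

echo "services line lists : $(sssd_services "$SAMPLE_CONF" | tr '\n' ' ')"
echo "conflicts before fix: $(sssd_conflicts "$SAMPLE_CONF" | tr '\n' ' ')"
echo "conflicts after fix : '$(sssd_conflicts "$FIXED_CONF" | tr '\n' ' ')'"
echo "responder modes     :"; sssd_responder_modes < "$SAMPLE_PS"

# On a joined host, run as root, the same functions drive the workaround.
# sssd expects its config root-owned with mode 0600, hence install(1):
#   sssd_fix_services /etc/sssd/sssd.conf /etc/sssd/sssd.conf.new &&
#     install -o root -g root -m 0600 /etc/sssd/sssd.conf.new /etc/sssd/sssd.conf &&
#     systemctl restart sssd && ps ax | sssd_responder_modes
```

After the restart, `ps ax | sssd_responder_modes` should report every responder as `socket` (or not at all until its first client connects), and `systemctl status sssd-nss.socket sssd-pam-priv.socket` should no longer show the misconfiguration message.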

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Unless something changed since comment #3, this is not a fatal error, but worth fixing, hence the severity is "low".

Kokoro Natsume (kokkoro)
information type: Public → Public Security