| 2024-04-12 11:27:05 |
Martin Pitt |
description |
Joining a FreeIPA domain reconfigures SSH. E.g. it enables GSSAPI authentication in /etc/ssh/sshd_config.d/04-ipa.conf . After that, it tries to restart sshd, but that fails as "sshd.service" is not a thing on Ubuntu:
2024-04-12T03:10:57Z DEBUG args=['/bin/systemctl', 'is-active', 'sshd.service']
2024-04-12T03:10:57Z DEBUG Process finished, return code=4
(in /var/log/ipaclient-install.log)
While that could be changed in freeipa, I'd argue that this is really a bug in Ubuntu's openssh package. Many upstream software, Ansible scripts etc. assume that the service is "sshd.service". In Debian/Ubuntu the primary unit is "ssh.service", but it has an `[Install] Alias=sshd.service`. That works in Debian because there sshd.service *actually* gets enabled by default, and ssh.socket isn't.
But Ubuntu moved to socket activation (which is good!), so that ssh.socket is running by default. But that means that ssh.service never gets "systemctl enable"d, and hence the alias never gets set up:
# systemctl status sshd.service
Unit sshd.service could not be found.
So if ssh.service is already running, it never gets restarted by "ipa-client-install".
It would be really good to make that alias work by default -- if nothing else, just create the symlink manually in the postinst?
freeipa-client 4.10.2-2ubuntu3
openssh-server 1:9.6p1-3ubuntu12
Note: we have tested this functionality in Cockpit on Ubuntu for a long time already. But until very recently we had a workaround to force the creation of that alias:
https://github.com/cockpit-project/bots/commit/3bf1b20f3fa5fe202b9710b3fe78d2133ba03f5d
We dropped it because it broke image builds due to some bugs in openssh's postinst, but it was a bad one anyway: actual users don't have that hack, and it hides bugs like this. |
Joining a FreeIPA domain reconfigures SSH. E.g. it enables GSSAPI authentication in /etc/ssh/sshd_config.d/04-ipa.conf . After that, it tries to restart sshd, but that fails as "sshd.service" is not a thing on Ubuntu:
2024-04-12T03:10:57Z DEBUG args=['/bin/systemctl', 'is-active', 'sshd.service']
2024-04-12T03:10:57Z DEBUG Process finished, return code=4
(in /var/log/ipaclient-install.log)
While that could be changed in freeipa, I'd argue that this is really a bug in Ubuntu's openssh package. Many upstream software, Ansible scripts etc. assume that the service is "sshd.service". In Debian/Ubuntu the primary unit is "ssh.service", but it has an `[Install] Alias=sshd.service`. That works in Debian because there sshd.service *actually* gets enabled by default, and ssh.socket isn't.
But Ubuntu moved to socket activation (which is good!), so that ssh.socket is running by default. But that means that ssh.service never gets "systemctl enable"d, and hence the alias never gets set up:
# systemctl status sshd.service
Unit sshd.service could not be found.
So if ssh.service is already running, it never gets restarted by "ipa-client-install".
It would be really good to make that alias work by default -- if nothing else, just ship the symlink in the .deb, or create the symlink manually in the postinst?
freeipa-client 4.10.2-2ubuntu3
openssh-server 1:9.6p1-3ubuntu12
Note: we have tested this functionality in Cockpit on Ubuntu for a long time already. But until very recently we had a workaround to force the creation of that alias:
https://github.com/cockpit-project/bots/commit/3bf1b20f3fa5fe202b9710b3fe78d2133ba03f5d
We dropped it because it broke image builds due to some bugs in openssh's postinst, but it was a bad one anyway: actual users don't have that hack, and it hides bugs like this. |
|
