Ubuntu
sssd package

  1. Bionic (18.04)
  2. Bug #1723350
  3. Activity log

Activity log for bug #1723350

Date Who What changed Old value New value Message
2017-10-13 08:11:20 Marian Rainer-Harbach bug added bug
2017-10-13 08:11:20 Marian Rainer-Harbach attachment added sssd.conf https://bugs.launchpad.net/bugs/1723350/+attachment/4969606/+files/sssd.conf
2017-10-13 13:01:57 renbag attachment added sssd.conf https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1723350/+attachment/4969945/+files/sssd.conf
2017-10-13 13:02:31 renbag bug added subscriber Renzo Bagnati
2017-10-13 13:08:04 Launchpad Janitor sssd (Ubuntu): status New Confirmed
2017-10-13 21:45:39 Andreas Hasenack sssd (Ubuntu): status Confirmed Triaged
2017-10-13 21:45:46 Andreas Hasenack sssd (Ubuntu): importance Undecided Medium
2017-10-13 21:46:54 Andreas Hasenack bug added subscriber Ubuntu Server Team
2017-10-13 21:46:59 Andreas Hasenack bug added subscriber Andreas Hasenack
2017-12-22 16:18:26 cbvjohn bug added subscriber cbvjohn
2018-03-20 23:07:04 Simon Elmir summary sssd offline on boot, stays offline forever (artful) sssd offline on boot, stays offline forever (artful, bionic)
2018-03-20 23:08:52 Simon Elmir bug added subscriber Simon Elmir
2018-05-07 20:53:31 Andreas Hasenack sssd (Ubuntu): status Triaged Incomplete
2018-05-08 13:41:08 Andreas Hasenack nominated for series Ubuntu Artful
2018-05-08 13:41:08 Andreas Hasenack bug task added sssd (Ubuntu Artful)
2018-05-08 13:41:37 Andreas Hasenack sssd (Ubuntu): status Incomplete Fix Released
2018-05-08 13:41:57 Andreas Hasenack summary sssd offline on boot, stays offline forever (artful, bionic) sssd offline on boot, stays offline forever
2018-05-08 13:42:06 Andreas Hasenack sssd (Ubuntu Artful): status New Triaged
2018-05-08 13:42:11 Andreas Hasenack sssd (Ubuntu Artful): importance Undecided Medium
2018-05-09 10:53:05 renbag attachment added systemd-analyze_logs__artful.tgz https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1723350/+attachment/5136654/+files/systemd-analyze_logs__artful.tgz
2018-05-09 10:54:22 renbag attachment added var_log_sssd__artful.tgz https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1723350/+attachment/5136655/+files/var_log_sssd__artful.tgz
2018-06-10 01:09:38 OliFre bug added subscriber OliFre
2018-06-11 10:09:21 OliFre bug added subscriber Peter Wienemann
2018-07-11 04:27:56 Andrew Conway bug added subscriber Andrew Conway
2018-09-10 19:42:48 Mark Foster bug added subscriber Mark Foster
2018-09-10 22:56:19 Andreas Hasenack nominated for series Ubuntu Bionic
2018-09-10 22:56:19 Andreas Hasenack bug task added sssd (Ubuntu Bionic)
2018-09-10 22:56:28 Andreas Hasenack sssd (Ubuntu Artful): status Triaged Won't Fix
2018-09-18 16:55:47 Launchpad Janitor sssd (Ubuntu Bionic): status New Confirmed
2019-09-13 15:19:02 Orion-cora bug added subscriber Orion-cora
2019-10-04 11:50:26 meskaya bug added subscriber meskaya
2019-11-01 17:18:14 Andreas Hasenack sssd (Ubuntu Bionic): importance Undecided High
2019-11-06 17:33:24 Andreas Hasenack tags server-next
2020-05-11 17:38:31 Andreas Hasenack sssd (Ubuntu Bionic): assignee Andreas Hasenack (ahasenack)
2020-05-11 17:38:34 Andreas Hasenack sssd (Ubuntu Bionic): status Confirmed In Progress
2020-05-12 19:32:36 Andreas Hasenack nominated for series Ubuntu Eoan
2020-05-12 19:32:36 Andreas Hasenack bug task added sssd (Ubuntu Eoan)
2020-05-13 19:15:58 Andreas Hasenack sssd (Ubuntu Eoan): assignee Andreas Hasenack (ahasenack)
2020-05-13 19:16:00 Andreas Hasenack sssd (Ubuntu Eoan): status New In Progress
2020-05-13 21:17:56 Andreas Hasenack description SSSD 1.15.3-2ubuntu1 on 17.10/artful (previous versions on artful were also affected) is offline on boot and seems to stay offline forever (I waited over 20 minutes). sssd_nss.log: (Fri Oct 13 09:49:50 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] ... SSSD immediately returns to normal operation after restarting it or after sending SIGUSR2. A workaround for the problem is creating the file /etc/systemd/system/sssd.service.d/override.conf with contents [Unit] Requires=network-online.target After=network-online.target [Impact] sssd can switch to an offline mode of operation when it cannot reach the authentication or id backend. It uses several methods to assess the situation, and one of them is monitoring the /etc/resolv.conf file for changes. In ubuntu that file is a symlink to /run/systemd/resolve/stub-resolv.conf, but the target doesn't exist at all times during boot. It's expected that symlink to be broken for a while during boot. Turns out that the monitoring that sssd was doing on /etc/resolv.conf didn't take into consideration that what could change was the *target* of the symlink. it completely ignored that fact, and didn't notice when the resolv.conf contents actually changed in this scenario, which resulted in sssd staying in the offline mode when it shouldn't. There are two fixes being pulled in for this SRU: a) fix the monitoring of the target of the /etc/resolv.conf symlink b) change the fallback polling code to keep trying, instead of giving up right away [Test Case] It's recommended to test this in a lxd container, or a vm. Preparation steps: $ sudo apt install sssd-ldap sssd-tools sssd-dbus slapd ldap-utils dnsmasq Become root: $ sudo su - Detect your ip: # export interface=$(ip route | grep default | sed -r 's,^default via .* dev ([a-z0-9]+) .*,\1,') # export ip=$(ip addr show dev $interface | grep "inet [0-9]" | awk '{print $2}' | cut -d / -f 1) Confirm the $ip variable is correct for your case: # echo $ip Create /etc/dnsmasq.d/sssd-test.conf using your real ip: # cat > /etc/dnsmasq.d/sssd-test.conf <<EOF host-record=ldap01.example.com,$ip listen-address=$ip EOF restart dnsmasq # systemctl restart dnsmasq a) inotify test Create /etc/sssd/sssd.conf: # cat > /etc/sssd/sssd.conf <<EOF [sssd] config_file_version = 2 services = nss, pam, ifp domains = LDAP #debug_level = 6 [domain/LDAP] id_provider = ldap ldap_uri = ldap://ldap01.example.com cache_credentials = True ldap_search_base = dc=example,dc=com EOF # chmod 0600 /etc/sssd/sssd.conf # rm /etc/resolv.conf # ln -s /etc/resolv.conf.target /etc/resolv.conf create good resolv.conf: # echo "nameserver $ip" > /etc/resolv.conf.good Confirm /etc/resolv.conf is a broken symlink: # ll /etc/resolv.conf* lrwxrwxrwx 1 root root 23 May 13 20:48 /etc/resolv.conf -> /etc/resolv.conf.target -rw-r--r-- 1 root root 24 May 13 20:48 /etc/resolv.conf.good Start sssd # systemctl restart sssd Repeat the sssctl call until it shows the offline mode persistently: # sssctl domain-status LDAP Online status: Offline Active servers: LDAP: not connected Discovered LDAP servers: - ldap01.example.com "Unbreak" the symlink: # cp /etc/resolv.conf.good /etc/resolv.conf.target Run sssctl again, it should almost immediately switch to online: # sssctl domain-status LDAP Online status: Online Active servers: LDAP: ldap01.example.com Discovered LDAP servers: - ldap01.example.com [Regression Potential] * discussion of how regressions are most likely to manifest as a result of this change. * It is assumed that any SRU candidate patch is well-tested before upload and has a low overall risk of regression, but it's important to make the effort to think about what ''could'' happen in the event of a regression. * This both shows the SRU team that the risks have been considered, and provides guidance to testers in regression-testing the SRU. [Other Info] * Anything else you think is useful to include * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board * and address these questions in advance [Original Description] SSSD 1.15.3-2ubuntu1 on 17.10/artful (previous versions on artful were also affected) is offline on boot and seems to stay offline forever (I waited over 20 minutes). sssd_nss.log: (Fri Oct 13 09:49:50 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] ... SSSD immediately returns to normal operation after restarting it or after sending SIGUSR2. A workaround for the problem is creating the file /etc/systemd/system/sssd.service.d/override.conf with contents [Unit] Requires=network-online.target After=network-online.target
2020-05-13 21:22:38 Andreas Hasenack description [Impact] sssd can switch to an offline mode of operation when it cannot reach the authentication or id backend. It uses several methods to assess the situation, and one of them is monitoring the /etc/resolv.conf file for changes. In ubuntu that file is a symlink to /run/systemd/resolve/stub-resolv.conf, but the target doesn't exist at all times during boot. It's expected that symlink to be broken for a while during boot. Turns out that the monitoring that sssd was doing on /etc/resolv.conf didn't take into consideration that what could change was the *target* of the symlink. it completely ignored that fact, and didn't notice when the resolv.conf contents actually changed in this scenario, which resulted in sssd staying in the offline mode when it shouldn't. There are two fixes being pulled in for this SRU: a) fix the monitoring of the target of the /etc/resolv.conf symlink b) change the fallback polling code to keep trying, instead of giving up right away [Test Case] It's recommended to test this in a lxd container, or a vm. Preparation steps: $ sudo apt install sssd-ldap sssd-tools sssd-dbus slapd ldap-utils dnsmasq Become root: $ sudo su - Detect your ip: # export interface=$(ip route | grep default | sed -r 's,^default via .* dev ([a-z0-9]+) .*,\1,') # export ip=$(ip addr show dev $interface | grep "inet [0-9]" | awk '{print $2}' | cut -d / -f 1) Confirm the $ip variable is correct for your case: # echo $ip Create /etc/dnsmasq.d/sssd-test.conf using your real ip: # cat > /etc/dnsmasq.d/sssd-test.conf <<EOF host-record=ldap01.example.com,$ip listen-address=$ip EOF restart dnsmasq # systemctl restart dnsmasq a) inotify test Create /etc/sssd/sssd.conf: # cat > /etc/sssd/sssd.conf <<EOF [sssd] config_file_version = 2 services = nss, pam, ifp domains = LDAP #debug_level = 6 [domain/LDAP] id_provider = ldap ldap_uri = ldap://ldap01.example.com cache_credentials = True ldap_search_base = dc=example,dc=com EOF # chmod 0600 /etc/sssd/sssd.conf # rm /etc/resolv.conf # ln -s /etc/resolv.conf.target /etc/resolv.conf create good resolv.conf: # echo "nameserver $ip" > /etc/resolv.conf.good Confirm /etc/resolv.conf is a broken symlink: # ll /etc/resolv.conf* lrwxrwxrwx 1 root root 23 May 13 20:48 /etc/resolv.conf -> /etc/resolv.conf.target -rw-r--r-- 1 root root 24 May 13 20:48 /etc/resolv.conf.good Start sssd # systemctl restart sssd Repeat the sssctl call until it shows the offline mode persistently: # sssctl domain-status LDAP Online status: Offline Active servers: LDAP: not connected Discovered LDAP servers: - ldap01.example.com "Unbreak" the symlink: # cp /etc/resolv.conf.good /etc/resolv.conf.target Run sssctl again, it should almost immediately switch to online: # sssctl domain-status LDAP Online status: Online Active servers: LDAP: ldap01.example.com Discovered LDAP servers: - ldap01.example.com [Regression Potential] * discussion of how regressions are most likely to manifest as a result of this change. * It is assumed that any SRU candidate patch is well-tested before upload and has a low overall risk of regression, but it's important to make the effort to think about what ''could'' happen in the event of a regression. * This both shows the SRU team that the risks have been considered, and provides guidance to testers in regression-testing the SRU. [Other Info] * Anything else you think is useful to include * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board * and address these questions in advance [Original Description] SSSD 1.15.3-2ubuntu1 on 17.10/artful (previous versions on artful were also affected) is offline on boot and seems to stay offline forever (I waited over 20 minutes). sssd_nss.log: (Fri Oct 13 09:49:50 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] ... SSSD immediately returns to normal operation after restarting it or after sending SIGUSR2. A workaround for the problem is creating the file /etc/systemd/system/sssd.service.d/override.conf with contents [Unit] Requires=network-online.target After=network-online.target [Impact] sssd can switch to an offline mode of operation when it cannot reach the authentication or id backend. It uses several methods to assess the situation, and one of them is monitoring the /etc/resolv.conf file for changes. In ubuntu that file is a symlink to /run/systemd/resolve/stub-resolv.conf, but the target doesn't exist at all times during boot. It's expected that symlink to be broken for a while during boot. Turns out that the monitoring that sssd was doing on /etc/resolv.conf didn't take into consideration that what could change was the *target* of the symlink. it completely ignored that fact, and didn't notice when the resolv.conf contents actually changed in this scenario, which resulted in sssd staying in the offline mode when it shouldn't. There are two fixes being pulled in for this SRU: a) fix the monitoring of the target of the /etc/resolv.conf symlink b) change the fallback polling code to keep trying, instead of giving up right away [Test Case] It's recommended to test this in a lxd container, or a vm. Preparation steps: $ sudo apt install sssd-ldap sssd-tools sssd-dbus slapd ldap-utils dnsmasq Become root: $ sudo su - Detect your ip: # export interface=$(ip route | grep default | sed -r 's,^default via .* dev ([a-z0-9]+) .*,\1,') # export ip=$(ip addr show dev $interface | grep "inet [0-9]" | awk '{print $2}' | cut -d / -f 1) Confirm the $ip variable is correct for your case: # echo $ip Create /etc/dnsmasq.d/sssd-test.conf using your real ip: # cat > /etc/dnsmasq.d/sssd-test.conf <<EOF host-record=ldap01.example.com,$ip listen-address=$ip EOF restart dnsmasq # systemctl restart dnsmasq a) inotify test Create /etc/sssd/sssd.conf: # cat > /etc/sssd/sssd.conf <<EOF [sssd] config_file_version = 2 services = nss, pam, ifp domains = LDAP #debug_level = 6 [domain/LDAP] id_provider = ldap ldap_uri = ldap://ldap01.example.com cache_credentials = True ldap_search_base = dc=example,dc=com EOF # chmod 0600 /etc/sssd/sssd.conf # rm /etc/resolv.conf # ln -s /etc/resolv.conf.target /etc/resolv.conf create good resolv.conf: # echo "nameserver $ip" > /etc/resolv.conf.good Confirm /etc/resolv.conf is a broken symlink: # ll /etc/resolv.conf* lrwxrwxrwx 1 root root 23 May 13 20:48 /etc/resolv.conf -> /etc/resolv.conf.target -rw-r--r-- 1 root root 24 May 13 20:48 /etc/resolv.conf.good Start sssd # systemctl restart sssd Repeat the sssctl call until it shows the offline mode persistently: # sssctl domain-status LDAP Online status: Offline Active servers: LDAP: not connected Discovered LDAP servers: - ldap01.example.com "Unbreak" the symlink: # cp /etc/resolv.conf.good /etc/resolv.conf.target Run sssctl again, it should almost immediately switch to online: # sssctl domain-status LDAP Online status: Online Active servers: LDAP: ldap01.example.com Discovered LDAP servers: - ldap01.example.com [Regression Potential] TBD [Other Info] Not at this time. [Original Description] SSSD 1.15.3-2ubuntu1 on 17.10/artful (previous versions on artful were also affected) is offline on boot and seems to stay offline forever (I waited over 20 minutes). sssd_nss.log: (Fri Oct 13 09:49:50 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] ... SSSD immediately returns to normal operation after restarting it or after sending SIGUSR2. A workaround for the problem is creating the file /etc/systemd/system/sssd.service.d/override.conf with contents [Unit] Requires=network-online.target After=network-online.target
2020-05-18 14:58:09 Andreas Hasenack description [Impact] sssd can switch to an offline mode of operation when it cannot reach the authentication or id backend. It uses several methods to assess the situation, and one of them is monitoring the /etc/resolv.conf file for changes. In ubuntu that file is a symlink to /run/systemd/resolve/stub-resolv.conf, but the target doesn't exist at all times during boot. It's expected that symlink to be broken for a while during boot. Turns out that the monitoring that sssd was doing on /etc/resolv.conf didn't take into consideration that what could change was the *target* of the symlink. it completely ignored that fact, and didn't notice when the resolv.conf contents actually changed in this scenario, which resulted in sssd staying in the offline mode when it shouldn't. There are two fixes being pulled in for this SRU: a) fix the monitoring of the target of the /etc/resolv.conf symlink b) change the fallback polling code to keep trying, instead of giving up right away [Test Case] It's recommended to test this in a lxd container, or a vm. Preparation steps: $ sudo apt install sssd-ldap sssd-tools sssd-dbus slapd ldap-utils dnsmasq Become root: $ sudo su - Detect your ip: # export interface=$(ip route | grep default | sed -r 's,^default via .* dev ([a-z0-9]+) .*,\1,') # export ip=$(ip addr show dev $interface | grep "inet [0-9]" | awk '{print $2}' | cut -d / -f 1) Confirm the $ip variable is correct for your case: # echo $ip Create /etc/dnsmasq.d/sssd-test.conf using your real ip: # cat > /etc/dnsmasq.d/sssd-test.conf <<EOF host-record=ldap01.example.com,$ip listen-address=$ip EOF restart dnsmasq # systemctl restart dnsmasq a) inotify test Create /etc/sssd/sssd.conf: # cat > /etc/sssd/sssd.conf <<EOF [sssd] config_file_version = 2 services = nss, pam, ifp domains = LDAP #debug_level = 6 [domain/LDAP] id_provider = ldap ldap_uri = ldap://ldap01.example.com cache_credentials = True ldap_search_base = dc=example,dc=com EOF # chmod 0600 /etc/sssd/sssd.conf # rm /etc/resolv.conf # ln -s /etc/resolv.conf.target /etc/resolv.conf create good resolv.conf: # echo "nameserver $ip" > /etc/resolv.conf.good Confirm /etc/resolv.conf is a broken symlink: # ll /etc/resolv.conf* lrwxrwxrwx 1 root root 23 May 13 20:48 /etc/resolv.conf -> /etc/resolv.conf.target -rw-r--r-- 1 root root 24 May 13 20:48 /etc/resolv.conf.good Start sssd # systemctl restart sssd Repeat the sssctl call until it shows the offline mode persistently: # sssctl domain-status LDAP Online status: Offline Active servers: LDAP: not connected Discovered LDAP servers: - ldap01.example.com "Unbreak" the symlink: # cp /etc/resolv.conf.good /etc/resolv.conf.target Run sssctl again, it should almost immediately switch to online: # sssctl domain-status LDAP Online status: Online Active servers: LDAP: ldap01.example.com Discovered LDAP servers: - ldap01.example.com [Regression Potential] TBD [Other Info] Not at this time. [Original Description] SSSD 1.15.3-2ubuntu1 on 17.10/artful (previous versions on artful were also affected) is offline on boot and seems to stay offline forever (I waited over 20 minutes). sssd_nss.log: (Fri Oct 13 09:49:50 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] ... SSSD immediately returns to normal operation after restarting it or after sending SIGUSR2. A workaround for the problem is creating the file /etc/systemd/system/sssd.service.d/override.conf with contents [Unit] Requires=network-online.target After=network-online.target [Impact] sssd can switch to an offline mode of operation when it cannot reach the authentication or id backend. It uses several methods to assess the situation, and one of them is monitoring the /etc/resolv.conf file for changes. In ubuntu that file is a symlink to /run/systemd/resolve/stub-resolv.conf, but the target doesn't exist at all times during boot. It's expected that symlink to be broken for a while during boot. Turns out that the monitoring that sssd was doing on /etc/resolv.conf didn't take into consideration that what could change was the *target* of the symlink. it completely ignored that fact, and didn't notice when the resolv.conf contents actually changed in this scenario, which resulted in sssd staying in the offline mode when it shouldn't. There are two fixes being pulled in for this SRU: a) fix the monitoring of the target of the /etc/resolv.conf symlink b) change the fallback polling code to keep trying, instead of giving up right away [Test Case] It's recommended to test this in a lxd container, or a vm. Preparation steps: $ sudo apt install sssd-ldap sssd-tools sssd-dbus slapd ldap-utils dnsmasq Become root: $ sudo su - Detect your ip: # export interface=$(ip route | grep default | sed -r 's,^default via .* dev ([a-z0-9]+) .*,\1,') # export ip=$(ip addr show dev $interface | grep "inet [0-9]" | awk '{print $2}' | cut -d / -f 1) Confirm the $ip variable is correct for your case: # echo $ip Create /etc/dnsmasq.d/sssd-test.conf using your real ip: # cat > /etc/dnsmasq.d/sssd-test.conf <<EOF host-record=ldap01.example.com,$ip listen-address=$ip EOF restart dnsmasq # systemctl restart dnsmasq a) inotify test Create /etc/sssd/sssd.conf: # cat > /etc/sssd/sssd.conf <<EOF [sssd] config_file_version = 2 services = nss, pam, ifp domains = LDAP #debug_level = 6 [domain/LDAP] id_provider = ldap ldap_uri = ldap://ldap01.example.com cache_credentials = True ldap_search_base = dc=example,dc=com EOF # chmod 0600 /etc/sssd/sssd.conf # rm /etc/resolv.conf # ln -s /etc/resolv.conf.target /etc/resolv.conf create good resolv.conf: # echo "nameserver $ip" > /etc/resolv.conf.good Confirm /etc/resolv.conf is a broken symlink: # ll /etc/resolv.conf* lrwxrwxrwx 1 root root 23 May 13 20:48 /etc/resolv.conf -> /etc/resolv.conf.target -rw-r--r-- 1 root root 24 May 13 20:48 /etc/resolv.conf.good Start sssd # systemctl restart sssd Repeat the sssctl call until it shows the offline mode persistently: # sssctl domain-status LDAP Online status: Offline Active servers: LDAP: not connected Discovered LDAP servers: - ldap01.example.com "Unbreak" the symlink: # cp /etc/resolv.conf.good /etc/resolv.conf.target Run sssctl again, it should almost immediately switch to online: # sssctl domain-status LDAP Online status: Online Active servers: LDAP: ldap01.example.com Discovered LDAP servers: - ldap01.example.com b) polling test Repeat the previous test, but with "try_inotify = false" in sssd.conf, like this: # cat > /etc/sssd/sssd.conf <<EOF [sssd] config_file_version = 2 services = nss, pam, ifp domains = LDAP #debug_level = 6 try_inotify = false [domain/LDAP] id_provider = ldap ldap_uri = ldap://ldap01.example.com cache_credentials = True ldap_search_base = dc=example,dc=com EOF After unbreaking the symbolic link, in a few seconds (5s at most), sssctl should show the service as being online, if using the fixed packages. [Regression Potential] TBD [Other Info] Not at this time. [Original Description] SSSD 1.15.3-2ubuntu1 on 17.10/artful (previous versions on artful were also affected) is offline on boot and seems to stay offline forever (I waited over 20 minutes). sssd_nss.log: (Fri Oct 13 09:49:50 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] ... SSSD immediately returns to normal operation after restarting it or after sending SIGUSR2. A workaround for the problem is creating the file /etc/systemd/system/sssd.service.d/override.conf with contents [Unit] Requires=network-online.target After=network-online.target
2020-05-18 17:07:09 Andreas Hasenack description [Impact] sssd can switch to an offline mode of operation when it cannot reach the authentication or id backend. It uses several methods to assess the situation, and one of them is monitoring the /etc/resolv.conf file for changes. In ubuntu that file is a symlink to /run/systemd/resolve/stub-resolv.conf, but the target doesn't exist at all times during boot. It's expected that symlink to be broken for a while during boot. Turns out that the monitoring that sssd was doing on /etc/resolv.conf didn't take into consideration that what could change was the *target* of the symlink. it completely ignored that fact, and didn't notice when the resolv.conf contents actually changed in this scenario, which resulted in sssd staying in the offline mode when it shouldn't. There are two fixes being pulled in for this SRU: a) fix the monitoring of the target of the /etc/resolv.conf symlink b) change the fallback polling code to keep trying, instead of giving up right away [Test Case] It's recommended to test this in a lxd container, or a vm. Preparation steps: $ sudo apt install sssd-ldap sssd-tools sssd-dbus slapd ldap-utils dnsmasq Become root: $ sudo su - Detect your ip: # export interface=$(ip route | grep default | sed -r 's,^default via .* dev ([a-z0-9]+) .*,\1,') # export ip=$(ip addr show dev $interface | grep "inet [0-9]" | awk '{print $2}' | cut -d / -f 1) Confirm the $ip variable is correct for your case: # echo $ip Create /etc/dnsmasq.d/sssd-test.conf using your real ip: # cat > /etc/dnsmasq.d/sssd-test.conf <<EOF host-record=ldap01.example.com,$ip listen-address=$ip EOF restart dnsmasq # systemctl restart dnsmasq a) inotify test Create /etc/sssd/sssd.conf: # cat > /etc/sssd/sssd.conf <<EOF [sssd] config_file_version = 2 services = nss, pam, ifp domains = LDAP #debug_level = 6 [domain/LDAP] id_provider = ldap ldap_uri = ldap://ldap01.example.com cache_credentials = True ldap_search_base = dc=example,dc=com EOF # chmod 0600 /etc/sssd/sssd.conf # rm /etc/resolv.conf # ln -s /etc/resolv.conf.target /etc/resolv.conf create good resolv.conf: # echo "nameserver $ip" > /etc/resolv.conf.good Confirm /etc/resolv.conf is a broken symlink: # ll /etc/resolv.conf* lrwxrwxrwx 1 root root 23 May 13 20:48 /etc/resolv.conf -> /etc/resolv.conf.target -rw-r--r-- 1 root root 24 May 13 20:48 /etc/resolv.conf.good Start sssd # systemctl restart sssd Repeat the sssctl call until it shows the offline mode persistently: # sssctl domain-status LDAP Online status: Offline Active servers: LDAP: not connected Discovered LDAP servers: - ldap01.example.com "Unbreak" the symlink: # cp /etc/resolv.conf.good /etc/resolv.conf.target Run sssctl again, it should almost immediately switch to online: # sssctl domain-status LDAP Online status: Online Active servers: LDAP: ldap01.example.com Discovered LDAP servers: - ldap01.example.com b) polling test Repeat the previous test, but with "try_inotify = false" in sssd.conf, like this: # cat > /etc/sssd/sssd.conf <<EOF [sssd] config_file_version = 2 services = nss, pam, ifp domains = LDAP #debug_level = 6 try_inotify = false [domain/LDAP] id_provider = ldap ldap_uri = ldap://ldap01.example.com cache_credentials = True ldap_search_base = dc=example,dc=com EOF After unbreaking the symbolic link, in a few seconds (5s at most), sssctl should show the service as being online, if using the fixed packages. [Regression Potential] TBD [Other Info] Not at this time. [Original Description] SSSD 1.15.3-2ubuntu1 on 17.10/artful (previous versions on artful were also affected) is offline on boot and seems to stay offline forever (I waited over 20 minutes). sssd_nss.log: (Fri Oct 13 09:49:50 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] ... SSSD immediately returns to normal operation after restarting it or after sending SIGUSR2. A workaround for the problem is creating the file /etc/systemd/system/sssd.service.d/override.conf with contents [Unit] Requires=network-online.target After=network-online.target [Impact] sssd can switch to an offline mode of operation when it cannot reach the authentication or id backend. It uses several methods to assess the situation, and one of them is monitoring the /etc/resolv.conf file for changes. In ubuntu that file is a symlink to /run/systemd/resolve/stub-resolv.conf, but the target doesn't exist at all times during boot. It's expected that symlink to be broken for a while during boot. Turns out that the monitoring that sssd was doing on /etc/resolv.conf didn't take into consideration that what could change was the *target* of the symlink. it completely ignored that fact, and didn't notice when the resolv.conf contents actually changed in this scenario, which resulted in sssd staying in the offline mode when it shouldn't. There are two fixes being pulled in for this SRU: a) fix the monitoring of the target of the /etc/resolv.conf symlink b) change the fallback polling code to keep trying, instead of giving up right away [Test Case] It's recommended to test this in a lxd container, or a vm. Preparation steps: $ sudo apt install sssd-ldap sssd-tools sssd-dbus slapd dnsmasq Become root: $ sudo su - Detect your ip: # export interface=$(ip route | grep default | sed -r 's,^default via .* dev ([a-z0-9]+) .*,\1,') # export ip=$(ip addr show dev $interface | grep "inet [0-9]" | awk '{print $2}' | cut -d / -f 1) Confirm the $ip variable is correct for your case: # echo $ip Create /etc/dnsmasq.d/sssd-test.conf using your real ip: # cat > /etc/dnsmasq.d/sssd-test.conf <<EOF host-record=ldap01.example.com,$ip listen-address=$ip EOF restart dnsmasq # systemctl restart dnsmasq a) inotify test Create /etc/sssd/sssd.conf: # cat > /etc/sssd/sssd.conf <<EOF [sssd] config_file_version = 2 services = nss, pam, ifp domains = LDAP #debug_level = 6 [domain/LDAP] id_provider = ldap ldap_uri = ldap://ldap01.example.com cache_credentials = True ldap_search_base = dc=example,dc=com EOF # chmod 0600 /etc/sssd/sssd.conf # rm /etc/resolv.conf # ln -s /etc/resolv.conf.target /etc/resolv.conf create good resolv.conf: # echo "nameserver $ip" > /etc/resolv.conf.good Confirm /etc/resolv.conf is a broken symlink: # ll /etc/resolv.conf* lrwxrwxrwx 1 root root 23 May 13 20:48 /etc/resolv.conf -> /etc/resolv.conf.target -rw-r--r-- 1 root root 24 May 13 20:48 /etc/resolv.conf.good Start sssd # systemctl restart sssd Repeat the sssctl call until it shows the offline mode persistently: # sssctl domain-status LDAP Online status: Offline Active servers: LDAP: not connected Discovered LDAP servers: - ldap01.example.com "Unbreak" the symlink: # cp /etc/resolv.conf.good /etc/resolv.conf.target Run sssctl again, it should almost immediately switch to online: # sssctl domain-status LDAP Online status: Online Active servers: LDAP: ldap01.example.com Discovered LDAP servers: - ldap01.example.com b) polling test Repeat the previous test, but with "try_inotify = false" in sssd.conf, like this: # cat > /etc/sssd/sssd.conf <<EOF [sssd] config_file_version = 2 services = nss, pam, ifp domains = LDAP #debug_level = 6 try_inotify = false [domain/LDAP] id_provider = ldap ldap_uri = ldap://ldap01.example.com cache_credentials = True ldap_search_base = dc=example,dc=com EOF After unbreaking the symbolic link, in a few seconds (5s at most), sssctl should show the service as being online, if using the fixed packages. [Regression Potential] TBD [Other Info] Not at this time. [Original Description] SSSD 1.15.3-2ubuntu1 on 17.10/artful (previous versions on artful were also affected) is offline on boot and seems to stay offline forever (I waited over 20 minutes). sssd_nss.log: (Fri Oct 13 09:49:50 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] ... SSSD immediately returns to normal operation after restarting it or after sending SIGUSR2. A workaround for the problem is creating the file /etc/systemd/system/sssd.service.d/override.conf with contents [Unit] Requires=network-online.target After=network-online.target
2020-05-18 17:17:54 Andreas Hasenack description [Impact] sssd can switch to an offline mode of operation when it cannot reach the authentication or id backend. It uses several methods to assess the situation, and one of them is monitoring the /etc/resolv.conf file for changes. In ubuntu that file is a symlink to /run/systemd/resolve/stub-resolv.conf, but the target doesn't exist at all times during boot. It's expected that symlink to be broken for a while during boot. Turns out that the monitoring that sssd was doing on /etc/resolv.conf didn't take into consideration that what could change was the *target* of the symlink. it completely ignored that fact, and didn't notice when the resolv.conf contents actually changed in this scenario, which resulted in sssd staying in the offline mode when it shouldn't. There are two fixes being pulled in for this SRU: a) fix the monitoring of the target of the /etc/resolv.conf symlink b) change the fallback polling code to keep trying, instead of giving up right away [Test Case] It's recommended to test this in a lxd container, or a vm. Preparation steps: $ sudo apt install sssd-ldap sssd-tools sssd-dbus slapd dnsmasq Become root: $ sudo su - Detect your ip: # export interface=$(ip route | grep default | sed -r 's,^default via .* dev ([a-z0-9]+) .*,\1,') # export ip=$(ip addr show dev $interface | grep "inet [0-9]" | awk '{print $2}' | cut -d / -f 1) Confirm the $ip variable is correct for your case: # echo $ip Create /etc/dnsmasq.d/sssd-test.conf using your real ip: # cat > /etc/dnsmasq.d/sssd-test.conf <<EOF host-record=ldap01.example.com,$ip listen-address=$ip EOF restart dnsmasq # systemctl restart dnsmasq a) inotify test Create /etc/sssd/sssd.conf: # cat > /etc/sssd/sssd.conf <<EOF [sssd] config_file_version = 2 services = nss, pam, ifp domains = LDAP #debug_level = 6 [domain/LDAP] id_provider = ldap ldap_uri = ldap://ldap01.example.com cache_credentials = True ldap_search_base = dc=example,dc=com EOF # chmod 0600 /etc/sssd/sssd.conf # rm /etc/resolv.conf # ln -s /etc/resolv.conf.target /etc/resolv.conf create good resolv.conf: # echo "nameserver $ip" > /etc/resolv.conf.good Confirm /etc/resolv.conf is a broken symlink: # ll /etc/resolv.conf* lrwxrwxrwx 1 root root 23 May 13 20:48 /etc/resolv.conf -> /etc/resolv.conf.target -rw-r--r-- 1 root root 24 May 13 20:48 /etc/resolv.conf.good Start sssd # systemctl restart sssd Repeat the sssctl call until it shows the offline mode persistently: # sssctl domain-status LDAP Online status: Offline Active servers: LDAP: not connected Discovered LDAP servers: - ldap01.example.com "Unbreak" the symlink: # cp /etc/resolv.conf.good /etc/resolv.conf.target Run sssctl again, it should almost immediately switch to online: # sssctl domain-status LDAP Online status: Online Active servers: LDAP: ldap01.example.com Discovered LDAP servers: - ldap01.example.com b) polling test Repeat the previous test, but with "try_inotify = false" in sssd.conf, like this: # cat > /etc/sssd/sssd.conf <<EOF [sssd] config_file_version = 2 services = nss, pam, ifp domains = LDAP #debug_level = 6 try_inotify = false [domain/LDAP] id_provider = ldap ldap_uri = ldap://ldap01.example.com cache_credentials = True ldap_search_base = dc=example,dc=com EOF After unbreaking the symbolic link, in a few seconds (5s at most), sssctl should show the service as being online, if using the fixed packages. [Regression Potential] TBD [Other Info] Not at this time. [Original Description] SSSD 1.15.3-2ubuntu1 on 17.10/artful (previous versions on artful were also affected) is offline on boot and seems to stay offline forever (I waited over 20 minutes). sssd_nss.log: (Fri Oct 13 09:49:50 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] ... SSSD immediately returns to normal operation after restarting it or after sending SIGUSR2. A workaround for the problem is creating the file /etc/systemd/system/sssd.service.d/override.conf with contents [Unit] Requires=network-online.target After=network-online.target [Impact] sssd can switch to an offline mode of operation when it cannot reach the authentication or id backend. It uses several methods to assess the situation, and one of them is monitoring the /etc/resolv.conf file for changes. In ubuntu that file is a symlink to /run/systemd/resolve/stub-resolv.conf, but the target doesn't exist at all times during boot. It's expected that symlink to be broken for a while during boot. Turns out that the monitoring that sssd was doing on /etc/resolv.conf didn't take into consideration that what could change was the *target* of the symlink. it completely ignored that fact, and didn't notice when the resolv.conf contents actually changed in this scenario, which resulted in sssd staying in the offline mode when it shouldn't. There are two fixes being pulled in for this SRU: a) fix the monitoring of the target of the /etc/resolv.conf symlink b) change the fallback polling code to keep trying, instead of giving up right away [Test Case] It's recommended to test this in a lxd container, or a vm. Preparation steps: $ sudo apt install sssd-ldap sssd-tools sssd-dbus slapd dnsmasq Become root: $ sudo su - Detect your ip: # export interface=$(ip route | grep default | sed -r 's,^default via .* dev ([a-z0-9]+) .*,\1,') # export ip=$(ip addr show dev $interface | grep "inet [0-9]" | awk '{print $2}' | cut -d / -f 1) Confirm the $ip variable is correct for your case: # echo $ip Create /etc/dnsmasq.d/sssd-test.conf using your real ip: # cat > /etc/dnsmasq.d/sssd-test.conf <<EOF host-record=ldap01.example.com,$ip listen-address=$ip EOF restart dnsmasq # systemctl restart dnsmasq a) inotify test Create /etc/sssd/sssd.conf: # cat > /etc/sssd/sssd.conf <<EOF [sssd] config_file_version = 2 services = nss, pam, ifp domains = LDAP debug_level = 6 [domain/LDAP] id_provider = ldap ldap_uri = ldap://ldap01.example.com cache_credentials = True ldap_search_base = dc=example,dc=com EOF # chmod 0600 /etc/sssd/sssd.conf # rm /etc/resolv.conf # ln -s /etc/resolv.conf.target /etc/resolv.conf create good resolv.conf: # echo "nameserver $ip" > /etc/resolv.conf.good Confirm /etc/resolv.conf is a broken symlink: # ll /etc/resolv.conf* lrwxrwxrwx 1 root root 23 May 13 20:48 /etc/resolv.conf -> /etc/resolv.conf.target -rw-r--r-- 1 root root 24 May 13 20:48 /etc/resolv.conf.good Open another terminal/screen and tail the sssd logs with a grep: # tail -f /var/log/sssd/sssd.log | grep resolv Start sssd # systemctl restart sssd Repeat the sssctl call until it shows the offline mode persistently: # sssctl domain-status LDAP Online status: Offline Active servers: LDAP: not connected Discovered LDAP servers: - ldap01.example.com "Unbreak" the symlink: # cp /etc/resolv.conf.good /etc/resolv.conf.target Run sssctl again, it should almost immediately switch to online: # sssctl domain-status LDAP Online status: Online Active servers: LDAP: ldap01.example.com Discovered LDAP servers: - ldap01.example.com b) polling test Repeat the previous test, but with "try_inotify = false" in sssd.conf, like this: # cat > /etc/sssd/sssd.conf <<EOF [sssd] config_file_version = 2 services = nss, pam, ifp domains = LDAP #debug_level = 6 try_inotify = false [domain/LDAP] id_provider = ldap ldap_uri = ldap://ldap01.example.com cache_credentials = True ldap_search_base = dc=example,dc=com EOF After unbreaking the symbolic link, in a few seconds (5s at most), sssctl should show the service as being online, if using the fixed packages. [Regression Potential] TBD [Other Info] Not at this time. [Original Description] SSSD 1.15.3-2ubuntu1 on 17.10/artful (previous versions on artful were also affected) is offline on boot and seems to stay offline forever (I waited over 20 minutes). sssd_nss.log: (Fri Oct 13 09:49:50 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] ... SSSD immediately returns to normal operation after restarting it or after sending SIGUSR2. A workaround for the problem is creating the file /etc/systemd/system/sssd.service.d/override.conf with contents [Unit] Requires=network-online.target After=network-online.target
2020-05-18 17:19:46 Andreas Hasenack description [Impact] sssd can switch to an offline mode of operation when it cannot reach the authentication or id backend. It uses several methods to assess the situation, and one of them is monitoring the /etc/resolv.conf file for changes. In ubuntu that file is a symlink to /run/systemd/resolve/stub-resolv.conf, but the target doesn't exist at all times during boot. It's expected that symlink to be broken for a while during boot. Turns out that the monitoring that sssd was doing on /etc/resolv.conf didn't take into consideration that what could change was the *target* of the symlink. it completely ignored that fact, and didn't notice when the resolv.conf contents actually changed in this scenario, which resulted in sssd staying in the offline mode when it shouldn't. There are two fixes being pulled in for this SRU: a) fix the monitoring of the target of the /etc/resolv.conf symlink b) change the fallback polling code to keep trying, instead of giving up right away [Test Case] It's recommended to test this in a lxd container, or a vm. Preparation steps: $ sudo apt install sssd-ldap sssd-tools sssd-dbus slapd dnsmasq Become root: $ sudo su - Detect your ip: # export interface=$(ip route | grep default | sed -r 's,^default via .* dev ([a-z0-9]+) .*,\1,') # export ip=$(ip addr show dev $interface | grep "inet [0-9]" | awk '{print $2}' | cut -d / -f 1) Confirm the $ip variable is correct for your case: # echo $ip Create /etc/dnsmasq.d/sssd-test.conf using your real ip: # cat > /etc/dnsmasq.d/sssd-test.conf <<EOF host-record=ldap01.example.com,$ip listen-address=$ip EOF restart dnsmasq # systemctl restart dnsmasq a) inotify test Create /etc/sssd/sssd.conf: # cat > /etc/sssd/sssd.conf <<EOF [sssd] config_file_version = 2 services = nss, pam, ifp domains = LDAP debug_level = 6 [domain/LDAP] id_provider = ldap ldap_uri = ldap://ldap01.example.com cache_credentials = True ldap_search_base = dc=example,dc=com EOF # chmod 0600 /etc/sssd/sssd.conf # rm /etc/resolv.conf # ln -s /etc/resolv.conf.target /etc/resolv.conf create good resolv.conf: # echo "nameserver $ip" > /etc/resolv.conf.good Confirm /etc/resolv.conf is a broken symlink: # ll /etc/resolv.conf* lrwxrwxrwx 1 root root 23 May 13 20:48 /etc/resolv.conf -> /etc/resolv.conf.target -rw-r--r-- 1 root root 24 May 13 20:48 /etc/resolv.conf.good Open another terminal/screen and tail the sssd logs with a grep: # tail -f /var/log/sssd/sssd.log | grep resolv Start sssd # systemctl restart sssd Repeat the sssctl call until it shows the offline mode persistently: # sssctl domain-status LDAP Online status: Offline Active servers: LDAP: not connected Discovered LDAP servers: - ldap01.example.com "Unbreak" the symlink: # cp /etc/resolv.conf.good /etc/resolv.conf.target Run sssctl again, it should almost immediately switch to online: # sssctl domain-status LDAP Online status: Online Active servers: LDAP: ldap01.example.com Discovered LDAP servers: - ldap01.example.com b) polling test Repeat the previous test, but with "try_inotify = false" in sssd.conf, like this: # cat > /etc/sssd/sssd.conf <<EOF [sssd] config_file_version = 2 services = nss, pam, ifp domains = LDAP #debug_level = 6 try_inotify = false [domain/LDAP] id_provider = ldap ldap_uri = ldap://ldap01.example.com cache_credentials = True ldap_search_base = dc=example,dc=com EOF After unbreaking the symbolic link, in a few seconds (5s at most), sssctl should show the service as being online, if using the fixed packages. [Regression Potential] TBD [Other Info] Not at this time. [Original Description] SSSD 1.15.3-2ubuntu1 on 17.10/artful (previous versions on artful were also affected) is offline on boot and seems to stay offline forever (I waited over 20 minutes). sssd_nss.log: (Fri Oct 13 09:49:50 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] ... SSSD immediately returns to normal operation after restarting it or after sending SIGUSR2. A workaround for the problem is creating the file /etc/systemd/system/sssd.service.d/override.conf with contents [Unit] Requires=network-online.target After=network-online.target [Impact] sssd can switch to an offline mode of operation when it cannot reach the authentication or id backend. It uses several methods to assess the situation, and one of them is monitoring the /etc/resolv.conf file for changes. In ubuntu that file is a symlink to /run/systemd/resolve/stub-resolv.conf, but the target doesn't exist at all times during boot. It's expected that symlink to be broken for a while during boot. Turns out that the monitoring that sssd was doing on /etc/resolv.conf didn't take into consideration that what could change was the *target* of the symlink. it completely ignored that fact, and didn't notice when the resolv.conf contents actually changed in this scenario, which resulted in sssd staying in the offline mode when it shouldn't. There are two fixes being pulled in for this SRU: a) fix the monitoring of the target of the /etc/resolv.conf symlink b) change the fallback polling code to keep trying, instead of giving up right away [Test Case] It's recommended to test this in a lxd container, or a vm. Preparation steps: $ sudo apt install sssd-ldap sssd-tools sssd-dbus slapd dnsmasq Become root: $ sudo su - Detect your ip: # export interface=$(ip route | grep default | sed -r 's,^default via .* dev ([a-z0-9]+) .*,\1,') # export ip=$(ip addr show dev $interface | grep "inet [0-9]" | awk '{print $2}' | cut -d / -f 1) Confirm the $ip variable is correct for your case: # echo $ip Create /etc/dnsmasq.d/sssd-test.conf using your real ip: # cat > /etc/dnsmasq.d/sssd-test.conf <<EOF host-record=ldap01.example.com,$ip listen-address=$ip EOF restart dnsmasq # systemctl restart dnsmasq a) inotify test Create /etc/sssd/sssd.conf: # cat > /etc/sssd/sssd.conf <<EOF [sssd] config_file_version = 2 services = nss, pam, ifp domains = LDAP debug_level = 6 [domain/LDAP] id_provider = ldap ldap_uri = ldap://ldap01.example.com cache_credentials = True ldap_search_base = dc=example,dc=com EOF # chmod 0600 /etc/sssd/sssd.conf # rm /etc/resolv.conf # ln -s /etc/resolv.conf.target /etc/resolv.conf create good resolv.conf: # echo "nameserver $ip" > /etc/resolv.conf.good Confirm /etc/resolv.conf is a broken symlink: # ll /etc/resolv.conf* lrwxrwxrwx 1 root root 23 May 13 20:48 /etc/resolv.conf -> /etc/resolv.conf.target -rw-r--r-- 1 root root 24 May 13 20:48 /etc/resolv.conf.good Open another terminal/screen and tail the sssd logs with a grep: # tail -f /var/log/sssd/sssd.log | grep resolv Start sssd # systemctl restart sssd Repeat the sssctl call until it shows the offline mode persistently: # sssctl domain-status LDAP Online status: Offline Active servers: LDAP: not connected Discovered LDAP servers: - ldap01.example.com "Unbreak" the symlink: # cp /etc/resolv.conf.good /etc/resolv.conf.target Run sssctl again, it should almost immediately switch to online: # sssctl domain-status LDAP Online status: Online Active servers: LDAP: ldap01.example.com Discovered LDAP servers: - ldap01.example.com For the above steps, the log file being tailed will show this for the startup of sssd: (Mon May 18 17:17:06 2020) [sssd] [_snotify_create] (0x0400): Added a watch for /etc/resolv.conf.target with inotify flags 0x8D88 internal flags 0x1 using function resolv_conf_inotify_cb after delay 1.0 And this for when the symlink is fixed: (Mon May 18 17:18:06 2020) [sssd] [process_dir_event] (0x0400): received notification for watched file [resolv.conf.target] under /etc b) polling test Repeat the previous test, but with "try_inotify = false" in sssd.conf, like this: # cat > /etc/sssd/sssd.conf <<EOF [sssd] config_file_version = 2 services = nss, pam, ifp domains = LDAP #debug_level = 6 try_inotify = false [domain/LDAP] id_provider = ldap ldap_uri = ldap://ldap01.example.com cache_credentials = True ldap_search_base = dc=example,dc=com EOF After unbreaking the symbolic link, in a few seconds (5s at most), sssctl should show the service as being online, if using the fixed packages. [Regression Potential] TBD [Other Info] Not at this time. [Original Description] SSSD 1.15.3-2ubuntu1 on 17.10/artful (previous versions on artful were also affected) is offline on boot and seems to stay offline forever (I waited over 20 minutes). sssd_nss.log: (Fri Oct 13 09:49:50 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] ... SSSD immediately returns to normal operation after restarting it or after sending SIGUSR2. A workaround for the problem is creating the file /etc/systemd/system/sssd.service.d/override.conf with contents [Unit] Requires=network-online.target After=network-online.target
2020-05-18 17:21:10 Andreas Hasenack description [Impact] sssd can switch to an offline mode of operation when it cannot reach the authentication or id backend. It uses several methods to assess the situation, and one of them is monitoring the /etc/resolv.conf file for changes. In ubuntu that file is a symlink to /run/systemd/resolve/stub-resolv.conf, but the target doesn't exist at all times during boot. It's expected that symlink to be broken for a while during boot. Turns out that the monitoring that sssd was doing on /etc/resolv.conf didn't take into consideration that what could change was the *target* of the symlink. it completely ignored that fact, and didn't notice when the resolv.conf contents actually changed in this scenario, which resulted in sssd staying in the offline mode when it shouldn't. There are two fixes being pulled in for this SRU: a) fix the monitoring of the target of the /etc/resolv.conf symlink b) change the fallback polling code to keep trying, instead of giving up right away [Test Case] It's recommended to test this in a lxd container, or a vm. Preparation steps: $ sudo apt install sssd-ldap sssd-tools sssd-dbus slapd dnsmasq Become root: $ sudo su - Detect your ip: # export interface=$(ip route | grep default | sed -r 's,^default via .* dev ([a-z0-9]+) .*,\1,') # export ip=$(ip addr show dev $interface | grep "inet [0-9]" | awk '{print $2}' | cut -d / -f 1) Confirm the $ip variable is correct for your case: # echo $ip Create /etc/dnsmasq.d/sssd-test.conf using your real ip: # cat > /etc/dnsmasq.d/sssd-test.conf <<EOF host-record=ldap01.example.com,$ip listen-address=$ip EOF restart dnsmasq # systemctl restart dnsmasq a) inotify test Create /etc/sssd/sssd.conf: # cat > /etc/sssd/sssd.conf <<EOF [sssd] config_file_version = 2 services = nss, pam, ifp domains = LDAP debug_level = 6 [domain/LDAP] id_provider = ldap ldap_uri = ldap://ldap01.example.com cache_credentials = True ldap_search_base = dc=example,dc=com EOF # chmod 0600 /etc/sssd/sssd.conf # rm /etc/resolv.conf # ln -s /etc/resolv.conf.target /etc/resolv.conf create good resolv.conf: # echo "nameserver $ip" > /etc/resolv.conf.good Confirm /etc/resolv.conf is a broken symlink: # ll /etc/resolv.conf* lrwxrwxrwx 1 root root 23 May 13 20:48 /etc/resolv.conf -> /etc/resolv.conf.target -rw-r--r-- 1 root root 24 May 13 20:48 /etc/resolv.conf.good Open another terminal/screen and tail the sssd logs with a grep: # tail -f /var/log/sssd/sssd.log | grep resolv Start sssd # systemctl restart sssd Repeat the sssctl call until it shows the offline mode persistently: # sssctl domain-status LDAP Online status: Offline Active servers: LDAP: not connected Discovered LDAP servers: - ldap01.example.com "Unbreak" the symlink: # cp /etc/resolv.conf.good /etc/resolv.conf.target Run sssctl again, it should almost immediately switch to online: # sssctl domain-status LDAP Online status: Online Active servers: LDAP: ldap01.example.com Discovered LDAP servers: - ldap01.example.com For the above steps, the log file being tailed will show this for the startup of sssd: (Mon May 18 17:17:06 2020) [sssd] [_snotify_create] (0x0400): Added a watch for /etc/resolv.conf.target with inotify flags 0x8D88 internal flags 0x1 using function resolv_conf_inotify_cb after delay 1.0 And this for when the symlink is fixed: (Mon May 18 17:18:06 2020) [sssd] [process_dir_event] (0x0400): received notification for watched file [resolv.conf.target] under /etc b) polling test Repeat the previous test, but with "try_inotify = false" in sssd.conf, like this: # cat > /etc/sssd/sssd.conf <<EOF [sssd] config_file_version = 2 services = nss, pam, ifp domains = LDAP #debug_level = 6 try_inotify = false [domain/LDAP] id_provider = ldap ldap_uri = ldap://ldap01.example.com cache_credentials = True ldap_search_base = dc=example,dc=com EOF After unbreaking the symbolic link, in a few seconds (5s at most), sssctl should show the service as being online, if using the fixed packages. [Regression Potential] TBD [Other Info] Not at this time. [Original Description] SSSD 1.15.3-2ubuntu1 on 17.10/artful (previous versions on artful were also affected) is offline on boot and seems to stay offline forever (I waited over 20 minutes). sssd_nss.log: (Fri Oct 13 09:49:50 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] ... SSSD immediately returns to normal operation after restarting it or after sending SIGUSR2. A workaround for the problem is creating the file /etc/systemd/system/sssd.service.d/override.conf with contents [Unit] Requires=network-online.target After=network-online.target [Impact] sssd can switch to an offline mode of operation when it cannot reach the authentication or id backend. It uses several methods to assess the situation, and one of them is monitoring the /etc/resolv.conf file for changes. In ubuntu that file is a symlink to /run/systemd/resolve/stub-resolv.conf, but the target doesn't exist at all times during boot. It's expected that symlink to be broken for a while during boot. Turns out that the monitoring that sssd was doing on /etc/resolv.conf didn't take into consideration that what could change was the *target* of the symlink. it completely ignored that fact, and didn't notice when the resolv.conf contents actually changed in this scenario, which resulted in sssd staying in the offline mode when it shouldn't. There are two fixes being pulled in for this SRU: a) fix the monitoring of the target of the /etc/resolv.conf symlink b) change the fallback polling code to keep trying, instead of giving up right away [Test Case] It's recommended to test this in a lxd container, or a vm. Preparation steps: $ sudo apt update && sudo apt dist-upgrade $ sudo apt install sssd-ldap sssd-tools sssd-dbus slapd dnsmasq Become root: $ sudo su - Detect your ip: # export interface=$(ip route | grep default | sed -r 's,^default via .* dev ([a-z0-9]+) .*,\1,') # export ip=$(ip addr show dev $interface | grep "inet [0-9]" | awk '{print $2}' | cut -d / -f 1) Confirm the $ip variable is correct for your case: # echo $ip Create /etc/dnsmasq.d/sssd-test.conf using your real ip: # cat > /etc/dnsmasq.d/sssd-test.conf <<EOF host-record=ldap01.example.com,$ip listen-address=$ip EOF restart dnsmasq # systemctl restart dnsmasq a) inotify test Create /etc/sssd/sssd.conf: # cat > /etc/sssd/sssd.conf <<EOF [sssd] config_file_version = 2 services = nss, pam, ifp domains = LDAP debug_level = 6 [domain/LDAP] id_provider = ldap ldap_uri = ldap://ldap01.example.com cache_credentials = True ldap_search_base = dc=example,dc=com EOF # chmod 0600 /etc/sssd/sssd.conf # rm /etc/resolv.conf # ln -s /etc/resolv.conf.target /etc/resolv.conf create good resolv.conf: # echo "nameserver $ip" > /etc/resolv.conf.good Confirm /etc/resolv.conf is a broken symlink: # ll /etc/resolv.conf* lrwxrwxrwx 1 root root 23 May 13 20:48 /etc/resolv.conf -> /etc/resolv.conf.target -rw-r--r-- 1 root root 24 May 13 20:48 /etc/resolv.conf.good Open another terminal/screen and tail the sssd logs with a grep: # tail -f /var/log/sssd/sssd.log | grep resolv Start sssd # systemctl restart sssd Repeat the sssctl call until it shows the offline mode persistently: # sssctl domain-status LDAP Online status: Offline Active servers: LDAP: not connected Discovered LDAP servers: - ldap01.example.com "Unbreak" the symlink: # cp /etc/resolv.conf.good /etc/resolv.conf.target Run sssctl again, it should almost immediately switch to online: # sssctl domain-status LDAP Online status: Online Active servers: LDAP: ldap01.example.com Discovered LDAP servers: - ldap01.example.com For the above steps, the log file being tailed will show this for the startup of sssd: (Mon May 18 17:17:06 2020) [sssd] [_snotify_create] (0x0400): Added a watch for /etc/resolv.conf.target with inotify flags 0x8D88 internal flags 0x1 using function resolv_conf_inotify_cb after delay 1.0 And this for when the symlink is fixed: (Mon May 18 17:18:06 2020) [sssd] [process_dir_event] (0x0400): received notification for watched file [resolv.conf.target] under /etc b) polling test Repeat the previous test, but with "try_inotify = false" in sssd.conf, like this: # cat > /etc/sssd/sssd.conf <<EOF [sssd] config_file_version = 2 services = nss, pam, ifp domains = LDAP #debug_level = 6 try_inotify = false [domain/LDAP] id_provider = ldap ldap_uri = ldap://ldap01.example.com cache_credentials = True ldap_search_base = dc=example,dc=com EOF After unbreaking the symbolic link, in a few seconds (5s at most), sssctl should show the service as being online, if using the fixed packages. [Regression Potential] TBD [Other Info] Not at this time. [Original Description] SSSD 1.15.3-2ubuntu1 on 17.10/artful (previous versions on artful were also affected) is offline on boot and seems to stay offline forever (I waited over 20 minutes). sssd_nss.log: (Fri Oct 13 09:49:50 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] ... SSSD immediately returns to normal operation after restarting it or after sending SIGUSR2. A workaround for the problem is creating the file /etc/systemd/system/sssd.service.d/override.conf with contents [Unit] Requires=network-online.target After=network-online.target
2020-05-18 17:36:51 Andreas Hasenack description [Impact] sssd can switch to an offline mode of operation when it cannot reach the authentication or id backend. It uses several methods to assess the situation, and one of them is monitoring the /etc/resolv.conf file for changes. In ubuntu that file is a symlink to /run/systemd/resolve/stub-resolv.conf, but the target doesn't exist at all times during boot. It's expected that symlink to be broken for a while during boot. Turns out that the monitoring that sssd was doing on /etc/resolv.conf didn't take into consideration that what could change was the *target* of the symlink. it completely ignored that fact, and didn't notice when the resolv.conf contents actually changed in this scenario, which resulted in sssd staying in the offline mode when it shouldn't. There are two fixes being pulled in for this SRU: a) fix the monitoring of the target of the /etc/resolv.conf symlink b) change the fallback polling code to keep trying, instead of giving up right away [Test Case] It's recommended to test this in a lxd container, or a vm. Preparation steps: $ sudo apt update && sudo apt dist-upgrade $ sudo apt install sssd-ldap sssd-tools sssd-dbus slapd dnsmasq Become root: $ sudo su - Detect your ip: # export interface=$(ip route | grep default | sed -r 's,^default via .* dev ([a-z0-9]+) .*,\1,') # export ip=$(ip addr show dev $interface | grep "inet [0-9]" | awk '{print $2}' | cut -d / -f 1) Confirm the $ip variable is correct for your case: # echo $ip Create /etc/dnsmasq.d/sssd-test.conf using your real ip: # cat > /etc/dnsmasq.d/sssd-test.conf <<EOF host-record=ldap01.example.com,$ip listen-address=$ip EOF restart dnsmasq # systemctl restart dnsmasq a) inotify test Create /etc/sssd/sssd.conf: # cat > /etc/sssd/sssd.conf <<EOF [sssd] config_file_version = 2 services = nss, pam, ifp domains = LDAP debug_level = 6 [domain/LDAP] id_provider = ldap ldap_uri = ldap://ldap01.example.com cache_credentials = True ldap_search_base = dc=example,dc=com EOF # chmod 0600 /etc/sssd/sssd.conf # rm /etc/resolv.conf # ln -s /etc/resolv.conf.target /etc/resolv.conf create good resolv.conf: # echo "nameserver $ip" > /etc/resolv.conf.good Confirm /etc/resolv.conf is a broken symlink: # ll /etc/resolv.conf* lrwxrwxrwx 1 root root 23 May 13 20:48 /etc/resolv.conf -> /etc/resolv.conf.target -rw-r--r-- 1 root root 24 May 13 20:48 /etc/resolv.conf.good Open another terminal/screen and tail the sssd logs with a grep: # tail -f /var/log/sssd/sssd.log | grep resolv Start sssd # systemctl restart sssd Repeat the sssctl call until it shows the offline mode persistently: # sssctl domain-status LDAP Online status: Offline Active servers: LDAP: not connected Discovered LDAP servers: - ldap01.example.com "Unbreak" the symlink: # cp /etc/resolv.conf.good /etc/resolv.conf.target Run sssctl again, it should almost immediately switch to online: # sssctl domain-status LDAP Online status: Online Active servers: LDAP: ldap01.example.com Discovered LDAP servers: - ldap01.example.com For the above steps, the log file being tailed will show this for the startup of sssd: (Mon May 18 17:17:06 2020) [sssd] [_snotify_create] (0x0400): Added a watch for /etc/resolv.conf.target with inotify flags 0x8D88 internal flags 0x1 using function resolv_conf_inotify_cb after delay 1.0 And this for when the symlink is fixed: (Mon May 18 17:18:06 2020) [sssd] [process_dir_event] (0x0400): received notification for watched file [resolv.conf.target] under /etc b) polling test Repeat the previous test, but with "try_inotify = false" in sssd.conf, like this: # cat > /etc/sssd/sssd.conf <<EOF [sssd] config_file_version = 2 services = nss, pam, ifp domains = LDAP #debug_level = 6 try_inotify = false [domain/LDAP] id_provider = ldap ldap_uri = ldap://ldap01.example.com cache_credentials = True ldap_search_base = dc=example,dc=com EOF After unbreaking the symbolic link, in a few seconds (5s at most), sssctl should show the service as being online, if using the fixed packages. [Regression Potential] TBD [Other Info] Not at this time. [Original Description] SSSD 1.15.3-2ubuntu1 on 17.10/artful (previous versions on artful were also affected) is offline on boot and seems to stay offline forever (I waited over 20 minutes). sssd_nss.log: (Fri Oct 13 09:49:50 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] ... SSSD immediately returns to normal operation after restarting it or after sending SIGUSR2. A workaround for the problem is creating the file /etc/systemd/system/sssd.service.d/override.conf with contents [Unit] Requires=network-online.target After=network-online.target [Impact] sssd can switch to an offline mode of operation when it cannot reach the authentication or id backend. It uses several methods to assess the situation, and one of them is monitoring the /etc/resolv.conf file for changes. In ubuntu that file is a symlink to /run/systemd/resolve/stub-resolv.conf, but the target doesn't exist at all times during boot. It's expected that symlink to be broken for a while during boot. Turns out that the monitoring that sssd was doing on /etc/resolv.conf didn't take into consideration that what could change was the *target* of the symlink. it completely ignored that fact, and didn't notice when the resolv.conf contents actually changed in this scenario, which resulted in sssd staying in the offline mode when it shouldn't. There are two fixes being pulled in for this SRU: a) fix the monitoring of the target of the /etc/resolv.conf symlink b) change the fallback polling code to keep trying, instead of giving up right away [Test Case] It's recommended to test this in a lxd container, or a vm. Preparation steps: $ sudo apt update && sudo apt dist-upgrade $ sudo apt install sssd-ldap sssd-tools sssd-dbus slapd dnsmasq Become root: $ sudo su - Detect your ip: # export interface=$(ip route | grep default | sed -r 's,^default via .* dev ([a-z0-9]+) .*,\1,') # export ip=$(ip addr show dev $interface | grep "inet [0-9]" | awk '{print $2}' | cut -d / -f 1) Confirm the $ip variable is correct for your case: # echo $ip Create /etc/dnsmasq.d/sssd-test.conf using your real ip: # cat > /etc/dnsmasq.d/sssd-test.conf <<EOF host-record=ldap01.example.com,$ip listen-address=$ip EOF restart dnsmasq # systemctl restart dnsmasq a) inotify test Create /etc/sssd/sssd.conf: # cat > /etc/sssd/sssd.conf <<EOF [sssd] config_file_version = 2 services = nss, pam, ifp domains = LDAP debug_level = 6 [domain/LDAP] id_provider = ldap ldap_uri = ldap://ldap01.example.com cache_credentials = True ldap_search_base = dc=example,dc=com EOF # chmod 0600 /etc/sssd/sssd.conf # rm /etc/resolv.conf # ln -s /etc/resolv.conf.target /etc/resolv.conf create good resolv.conf: # echo "nameserver $ip" > /etc/resolv.conf.good Confirm /etc/resolv.conf is a broken symlink: # ll /etc/resolv.conf* lrwxrwxrwx 1 root root 23 May 13 20:48 /etc/resolv.conf -> /etc/resolv.conf.target -rw-r--r-- 1 root root 24 May 13 20:48 /etc/resolv.conf.good Open another terminal/screen and tail the sssd logs with a grep: # tail -f /var/log/sssd/sssd.log | grep resolv Start sssd # systemctl restart sssd The tail output from that other terminal should say sssd is monitoring /etc/resolv.conf (that's the broken symlink): (Mon May 18 17:32:34 2020) [sssd] [_snotify_create] (0x0400): Added a watch for /etc/resolv.conf with inotify flags 0x8D88 internal flags 0x1 using function resolv_conf_inotify_cb after delay 1.0 Repeat this sssctl call until it shows the offline mode persistently: # sssctl domain-status LDAP Online status: Offline Active servers: LDAP: not connected Discovered LDAP servers: - ldap01.example.com "Unbreak" the symlink: # cp /etc/resolv.conf.good /etc/resolv.conf.target The log should now say: (Mon May 18 17:33:30 2020) [sssd] [process_dir_event] (0x0400): Not interested in resolv.conf.target This shows that sssd didn't pick up that resolv.conf changed, via the target of the symlink. Run sssctl again, and the online status will remain offline. With the fixed packages, the sssd startup log will say: (Mon May 18 17:17:06 2020) [sssd] [_snotify_create] (0x0400): Added a watch for /etc/resolv.conf.target with inotify flags 0x8D88 internal flags 0x1 using function resolv_conf_inotify_cb after delay 1.0 Showing that it's monitoring the symlink target. And after fixing the broken symlink, it will say: (Mon May 18 17:18:06 2020) [sssd] [process_dir_event] (0x0400): received notification for watched file [resolv.conf.target] under /etc Run sssctl again, it should almost immediately switch to online: # sssctl domain-status LDAP Online status: Online Active servers: LDAP: ldap01.example.com Discovered LDAP servers: - ldap01.example.com b) polling test Repeat the previous test, but with "try_inotify = false" in sssd.conf, like this: # cat > /etc/sssd/sssd.conf <<EOF [sssd] config_file_version = 2 services = nss, pam, ifp domains = LDAP #debug_level = 6 try_inotify = false [domain/LDAP] id_provider = ldap ldap_uri = ldap://ldap01.example.com cache_credentials = True ldap_search_base = dc=example,dc=com EOF After unbreaking the symbolic link, in a few seconds (5s at most), sssctl should show the service as being online, if using the fixed packages. [Regression Potential] TBD [Other Info] Not at this time. [Original Description] SSSD 1.15.3-2ubuntu1 on 17.10/artful (previous versions on artful were also affected) is offline on boot and seems to stay offline forever (I waited over 20 minutes). sssd_nss.log: (Fri Oct 13 09:49:50 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] ... SSSD immediately returns to normal operation after restarting it or after sending SIGUSR2. A workaround for the problem is creating the file /etc/systemd/system/sssd.service.d/override.conf with contents [Unit] Requires=network-online.target After=network-online.target
2020-05-18 17:49:48 Andreas Hasenack description [Impact] sssd can switch to an offline mode of operation when it cannot reach the authentication or id backend. It uses several methods to assess the situation, and one of them is monitoring the /etc/resolv.conf file for changes. In ubuntu that file is a symlink to /run/systemd/resolve/stub-resolv.conf, but the target doesn't exist at all times during boot. It's expected that symlink to be broken for a while during boot. Turns out that the monitoring that sssd was doing on /etc/resolv.conf didn't take into consideration that what could change was the *target* of the symlink. it completely ignored that fact, and didn't notice when the resolv.conf contents actually changed in this scenario, which resulted in sssd staying in the offline mode when it shouldn't. There are two fixes being pulled in for this SRU: a) fix the monitoring of the target of the /etc/resolv.conf symlink b) change the fallback polling code to keep trying, instead of giving up right away [Test Case] It's recommended to test this in a lxd container, or a vm. Preparation steps: $ sudo apt update && sudo apt dist-upgrade $ sudo apt install sssd-ldap sssd-tools sssd-dbus slapd dnsmasq Become root: $ sudo su - Detect your ip: # export interface=$(ip route | grep default | sed -r 's,^default via .* dev ([a-z0-9]+) .*,\1,') # export ip=$(ip addr show dev $interface | grep "inet [0-9]" | awk '{print $2}' | cut -d / -f 1) Confirm the $ip variable is correct for your case: # echo $ip Create /etc/dnsmasq.d/sssd-test.conf using your real ip: # cat > /etc/dnsmasq.d/sssd-test.conf <<EOF host-record=ldap01.example.com,$ip listen-address=$ip EOF restart dnsmasq # systemctl restart dnsmasq a) inotify test Create /etc/sssd/sssd.conf: # cat > /etc/sssd/sssd.conf <<EOF [sssd] config_file_version = 2 services = nss, pam, ifp domains = LDAP debug_level = 6 [domain/LDAP] id_provider = ldap ldap_uri = ldap://ldap01.example.com cache_credentials = True ldap_search_base = dc=example,dc=com EOF # chmod 0600 /etc/sssd/sssd.conf # rm /etc/resolv.conf # ln -s /etc/resolv.conf.target /etc/resolv.conf create good resolv.conf: # echo "nameserver $ip" > /etc/resolv.conf.good Confirm /etc/resolv.conf is a broken symlink: # ll /etc/resolv.conf* lrwxrwxrwx 1 root root 23 May 13 20:48 /etc/resolv.conf -> /etc/resolv.conf.target -rw-r--r-- 1 root root 24 May 13 20:48 /etc/resolv.conf.good Open another terminal/screen and tail the sssd logs with a grep: # tail -f /var/log/sssd/sssd.log | grep resolv Start sssd # systemctl restart sssd The tail output from that other terminal should say sssd is monitoring /etc/resolv.conf (that's the broken symlink): (Mon May 18 17:32:34 2020) [sssd] [_snotify_create] (0x0400): Added a watch for /etc/resolv.conf with inotify flags 0x8D88 internal flags 0x1 using function resolv_conf_inotify_cb after delay 1.0 Repeat this sssctl call until it shows the offline mode persistently: # sssctl domain-status LDAP Online status: Offline Active servers: LDAP: not connected Discovered LDAP servers: - ldap01.example.com "Unbreak" the symlink: # cp /etc/resolv.conf.good /etc/resolv.conf.target The log should now say: (Mon May 18 17:33:30 2020) [sssd] [process_dir_event] (0x0400): Not interested in resolv.conf.target This shows that sssd didn't pick up that resolv.conf changed, via the target of the symlink. Run sssctl again, and the online status will remain offline. With the fixed packages, the sssd startup log will say: (Mon May 18 17:17:06 2020) [sssd] [_snotify_create] (0x0400): Added a watch for /etc/resolv.conf.target with inotify flags 0x8D88 internal flags 0x1 using function resolv_conf_inotify_cb after delay 1.0 Showing that it's monitoring the symlink target. And after fixing the broken symlink, it will say: (Mon May 18 17:18:06 2020) [sssd] [process_dir_event] (0x0400): received notification for watched file [resolv.conf.target] under /etc Run sssctl again, it should almost immediately switch to online: # sssctl domain-status LDAP Online status: Online Active servers: LDAP: ldap01.example.com Discovered LDAP servers: - ldap01.example.com b) polling test Repeat the previous test, but with "try_inotify = false" in sssd.conf, like this: # cat > /etc/sssd/sssd.conf <<EOF [sssd] config_file_version = 2 services = nss, pam, ifp domains = LDAP #debug_level = 6 try_inotify = false [domain/LDAP] id_provider = ldap ldap_uri = ldap://ldap01.example.com cache_credentials = True ldap_search_base = dc=example,dc=com EOF After unbreaking the symbolic link, in a few seconds (5s at most), sssctl should show the service as being online, if using the fixed packages. [Regression Potential] TBD [Other Info] Not at this time. [Original Description] SSSD 1.15.3-2ubuntu1 on 17.10/artful (previous versions on artful were also affected) is offline on boot and seems to stay offline forever (I waited over 20 minutes). sssd_nss.log: (Fri Oct 13 09:49:50 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] ... SSSD immediately returns to normal operation after restarting it or after sending SIGUSR2. A workaround for the problem is creating the file /etc/systemd/system/sssd.service.d/override.conf with contents [Unit] Requires=network-online.target After=network-online.target [Impact] sssd can switch to an offline mode of operation when it cannot reach the authentication or id backend. It uses several methods to assess the situation, and one of them is monitoring the /etc/resolv.conf file for changes. In ubuntu that file is a symlink to /run/systemd/resolve/stub-resolv.conf, but the target doesn't exist at all times during boot. It's expected that symlink to be broken for a while during boot. Turns out that the monitoring that sssd was doing on /etc/resolv.conf didn't take into consideration that what could change was the *target* of the symlink. it completely ignored that fact, and didn't notice when the resolv.conf contents actually changed in this scenario, which resulted in sssd staying in the offline mode when it shouldn't. There are two fixes being pulled in for this SRU: a) fix the monitoring of the target of the /etc/resolv.conf symlink b) change the fallback polling code to keep trying, instead of giving up right away [Test Case] It's recommended to test this in a lxd container, or a vm. Preparation steps. When prompted for an openldap/slapd password, chose any password you want. It won't be needed again: $ sudo apt update && sudo apt dist-upgrade $ sudo apt install sssd-ldap sssd-tools sssd-dbus slapd dnsmasq Become root: $ sudo su - Detect your ip: # export interface=$(ip route | grep default | sed -r 's,^default via .* dev ([a-z0-9]+) .*,\1,') # export ip=$(ip addr show dev $interface | grep "inet [0-9]" | awk '{print $2}' | cut -d / -f 1) Confirm the $ip variable is correct for your case: # echo $ip Create /etc/dnsmasq.d/sssd-test.conf using your real ip: # cat > /etc/dnsmasq.d/sssd-test.conf <<EOF host-record=ldap01.example.com,$ip listen-address=$ip EOF restart dnsmasq # systemctl restart dnsmasq a) inotify test Create /etc/sssd/sssd.conf: # cat > /etc/sssd/sssd.conf <<EOF [sssd] config_file_version = 2 services = nss, pam, ifp domains = LDAP debug_level = 6 [domain/LDAP] id_provider = ldap ldap_uri = ldap://ldap01.example.com cache_credentials = True ldap_search_base = dc=example,dc=com EOF # chmod 0600 /etc/sssd/sssd.conf # rm /etc/resolv.conf # ln -s /etc/resolv.conf.target /etc/resolv.conf create good resolv.conf: # echo "nameserver $ip" > /etc/resolv.conf.good Confirm /etc/resolv.conf is a broken symlink: # ll /etc/resolv.conf* lrwxrwxrwx 1 root root 23 May 13 20:48 /etc/resolv.conf -> /etc/resolv.conf.target -rw-r--r-- 1 root root 24 May 13 20:48 /etc/resolv.conf.good Open another terminal/screen and tail the sssd logs with a grep: # tail -f /var/log/sssd/sssd.log | grep resolv Start sssd # systemctl restart sssd The tail output from that other terminal should say sssd is monitoring /etc/resolv.conf (that's the broken symlink): (Mon May 18 17:32:34 2020) [sssd] [_snotify_create] (0x0400): Added a watch for /etc/resolv.conf with inotify flags 0x8D88 internal flags 0x1 using function resolv_conf_inotify_cb after delay 1.0 Repeat this sssctl call until it shows the offline mode persistently: # sssctl domain-status LDAP Online status: Offline Active servers: LDAP: not connected Discovered LDAP servers: - ldap01.example.com "Unbreak" the symlink: # cp /etc/resolv.conf.good /etc/resolv.conf.target The log should now say: (Mon May 18 17:33:30 2020) [sssd] [process_dir_event] (0x0400): Not interested in resolv.conf.target This shows that sssd didn't pick up that resolv.conf changed, via the target of the symlink. Run sssctl again, and the online status will remain offline. With the fixed packages, the sssd startup log will say: (Mon May 18 17:17:06 2020) [sssd] [_snotify_create] (0x0400): Added a watch for /etc/resolv.conf.target with inotify flags 0x8D88 internal flags 0x1 using function resolv_conf_inotify_cb after delay 1.0 Showing that it's monitoring the symlink target. And after fixing the broken symlink, it will say: (Mon May 18 17:18:06 2020) [sssd] [process_dir_event] (0x0400): received notification for watched file [resolv.conf.target] under /etc Run sssctl again, it should almost immediately switch to online: # sssctl domain-status LDAP Online status: Online Active servers: LDAP: ldap01.example.com Discovered LDAP servers: - ldap01.example.com b) polling test Repeat the previous test, but with "try_inotify = false" in sssd.conf, like this: # cat > /etc/sssd/sssd.conf <<EOF [sssd] config_file_version = 2 services = nss, pam, ifp domains = LDAP #debug_level = 6 try_inotify = false [domain/LDAP] id_provider = ldap ldap_uri = ldap://ldap01.example.com cache_credentials = True ldap_search_base = dc=example,dc=com EOF After unbreaking the symbolic link, in a few seconds (5s at most), sssctl should show the service as being online, if using the fixed packages. [Regression Potential] TBD [Other Info] Not at this time. [Original Description] SSSD 1.15.3-2ubuntu1 on 17.10/artful (previous versions on artful were also affected) is offline on boot and seems to stay offline forever (I waited over 20 minutes). sssd_nss.log: (Fri Oct 13 09:49:50 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] ... SSSD immediately returns to normal operation after restarting it or after sending SIGUSR2. A workaround for the problem is creating the file /etc/systemd/system/sssd.service.d/override.conf with contents [Unit] Requires=network-online.target After=network-online.target
2020-05-18 18:06:27 Andreas Hasenack description [Impact] sssd can switch to an offline mode of operation when it cannot reach the authentication or id backend. It uses several methods to assess the situation, and one of them is monitoring the /etc/resolv.conf file for changes. In ubuntu that file is a symlink to /run/systemd/resolve/stub-resolv.conf, but the target doesn't exist at all times during boot. It's expected that symlink to be broken for a while during boot. Turns out that the monitoring that sssd was doing on /etc/resolv.conf didn't take into consideration that what could change was the *target* of the symlink. it completely ignored that fact, and didn't notice when the resolv.conf contents actually changed in this scenario, which resulted in sssd staying in the offline mode when it shouldn't. There are two fixes being pulled in for this SRU: a) fix the monitoring of the target of the /etc/resolv.conf symlink b) change the fallback polling code to keep trying, instead of giving up right away [Test Case] It's recommended to test this in a lxd container, or a vm. Preparation steps. When prompted for an openldap/slapd password, chose any password you want. It won't be needed again: $ sudo apt update && sudo apt dist-upgrade $ sudo apt install sssd-ldap sssd-tools sssd-dbus slapd dnsmasq Become root: $ sudo su - Detect your ip: # export interface=$(ip route | grep default | sed -r 's,^default via .* dev ([a-z0-9]+) .*,\1,') # export ip=$(ip addr show dev $interface | grep "inet [0-9]" | awk '{print $2}' | cut -d / -f 1) Confirm the $ip variable is correct for your case: # echo $ip Create /etc/dnsmasq.d/sssd-test.conf using your real ip: # cat > /etc/dnsmasq.d/sssd-test.conf <<EOF host-record=ldap01.example.com,$ip listen-address=$ip EOF restart dnsmasq # systemctl restart dnsmasq a) inotify test Create /etc/sssd/sssd.conf: # cat > /etc/sssd/sssd.conf <<EOF [sssd] config_file_version = 2 services = nss, pam, ifp domains = LDAP debug_level = 6 [domain/LDAP] id_provider = ldap ldap_uri = ldap://ldap01.example.com cache_credentials = True ldap_search_base = dc=example,dc=com EOF # chmod 0600 /etc/sssd/sssd.conf # rm /etc/resolv.conf # ln -s /etc/resolv.conf.target /etc/resolv.conf create good resolv.conf: # echo "nameserver $ip" > /etc/resolv.conf.good Confirm /etc/resolv.conf is a broken symlink: # ll /etc/resolv.conf* lrwxrwxrwx 1 root root 23 May 13 20:48 /etc/resolv.conf -> /etc/resolv.conf.target -rw-r--r-- 1 root root 24 May 13 20:48 /etc/resolv.conf.good Open another terminal/screen and tail the sssd logs with a grep: # tail -f /var/log/sssd/sssd.log | grep resolv Start sssd # systemctl restart sssd The tail output from that other terminal should say sssd is monitoring /etc/resolv.conf (that's the broken symlink): (Mon May 18 17:32:34 2020) [sssd] [_snotify_create] (0x0400): Added a watch for /etc/resolv.conf with inotify flags 0x8D88 internal flags 0x1 using function resolv_conf_inotify_cb after delay 1.0 Repeat this sssctl call until it shows the offline mode persistently: # sssctl domain-status LDAP Online status: Offline Active servers: LDAP: not connected Discovered LDAP servers: - ldap01.example.com "Unbreak" the symlink: # cp /etc/resolv.conf.good /etc/resolv.conf.target The log should now say: (Mon May 18 17:33:30 2020) [sssd] [process_dir_event] (0x0400): Not interested in resolv.conf.target This shows that sssd didn't pick up that resolv.conf changed, via the target of the symlink. Run sssctl again, and the online status will remain offline. With the fixed packages, the sssd startup log will say: (Mon May 18 17:17:06 2020) [sssd] [_snotify_create] (0x0400): Added a watch for /etc/resolv.conf.target with inotify flags 0x8D88 internal flags 0x1 using function resolv_conf_inotify_cb after delay 1.0 Showing that it's monitoring the symlink target. And after fixing the broken symlink, it will say: (Mon May 18 17:18:06 2020) [sssd] [process_dir_event] (0x0400): received notification for watched file [resolv.conf.target] under /etc Run sssctl again, it should almost immediately switch to online: # sssctl domain-status LDAP Online status: Online Active servers: LDAP: ldap01.example.com Discovered LDAP servers: - ldap01.example.com b) polling test Repeat the previous test, but with "try_inotify = false" in sssd.conf, like this: # cat > /etc/sssd/sssd.conf <<EOF [sssd] config_file_version = 2 services = nss, pam, ifp domains = LDAP #debug_level = 6 try_inotify = false [domain/LDAP] id_provider = ldap ldap_uri = ldap://ldap01.example.com cache_credentials = True ldap_search_base = dc=example,dc=com EOF After unbreaking the symbolic link, in a few seconds (5s at most), sssctl should show the service as being online, if using the fixed packages. [Regression Potential] TBD [Other Info] Not at this time. [Original Description] SSSD 1.15.3-2ubuntu1 on 17.10/artful (previous versions on artful were also affected) is offline on boot and seems to stay offline forever (I waited over 20 minutes). sssd_nss.log: (Fri Oct 13 09:49:50 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] ... SSSD immediately returns to normal operation after restarting it or after sending SIGUSR2. A workaround for the problem is creating the file /etc/systemd/system/sssd.service.d/override.conf with contents [Unit] Requires=network-online.target After=network-online.target [Impact] sssd can switch to an offline mode of operation when it cannot reach the authentication or id backend. It uses several methods to assess the situation, and one of them is monitoring the /etc/resolv.conf file for changes. In ubuntu that file is a symlink to /run/systemd/resolve/stub-resolv.conf, but the target doesn't exist at all times during boot. It's expected that symlink to be broken for a while during boot. Turns out that the monitoring that sssd was doing on /etc/resolv.conf didn't take into consideration that what could change was the *target* of the symlink. it completely ignored that fact, and didn't notice when the resolv.conf contents actually changed in this scenario, which resulted in sssd staying in the offline mode when it shouldn't. There are two fixes being pulled in for this SRU: a) fix the monitoring of the target of the /etc/resolv.conf symlink b) change the fallback polling code to keep trying, instead of giving up right away [Test Case] It's recommended to test this in a lxd container, or a vm. Preparation steps. When prompted for an openldap/slapd password, chose any password you want. It won't be needed again: $ sudo apt update && sudo apt dist-upgrade $ sudo apt install sssd-ldap sssd-tools sssd-dbus slapd dnsmasq Become root: $ sudo su - Detect your ip: # export interface=$(ip route | grep default | sed -r 's,^default via .* dev ([a-z0-9]+) .*,\1,') # export ip=$(ip addr show dev $interface | grep "inet [0-9]" | awk '{print $2}' | cut -d / -f 1) Confirm the $ip variable is correct for your case: # echo $ip Create /etc/dnsmasq.d/sssd-test.conf using your real ip: # cat > /etc/dnsmasq.d/sssd-test.conf <<EOF host-record=ldap01.example.com,$ip listen-address=$ip EOF restart dnsmasq # systemctl restart dnsmasq a) inotify test Create /etc/sssd/sssd.conf: # cat > /etc/sssd/sssd.conf <<EOF [sssd] config_file_version = 2 services = nss, pam, ifp domains = LDAP debug_level = 6 [domain/LDAP] id_provider = ldap ldap_uri = ldap://ldap01.example.com cache_credentials = True ldap_search_base = dc=example,dc=com EOF # chmod 0600 /etc/sssd/sssd.conf # rm /etc/resolv.conf # ln -s /etc/resolv.conf.target /etc/resolv.conf create good resolv.conf: # echo "nameserver $ip" > /etc/resolv.conf.good Confirm /etc/resolv.conf is a broken symlink: # ll /etc/resolv.conf* lrwxrwxrwx 1 root root 23 May 13 20:48 /etc/resolv.conf -> /etc/resolv.conf.target -rw-r--r-- 1 root root 24 May 13 20:48 /etc/resolv.conf.good Open another terminal/screen and tail the sssd logs with a grep: # tail -f /var/log/sssd/sssd.log | grep -i resolv Start sssd # systemctl restart sssd The tail output from that other terminal should say sssd is monitoring /etc/resolv.conf (that's the broken symlink): (Mon May 18 17:32:34 2020) [sssd] [_snotify_create] (0x0400): Added a watch for /etc/resolv.conf with inotify flags 0x8D88 internal flags 0x1 using function resolv_conf_inotify_cb after delay 1.0 Repeat this sssctl call until it shows the offline mode persistently: # sssctl domain-status LDAP Online status: Offline Active servers: LDAP: not connected Discovered LDAP servers: - ldap01.example.com "Unbreak" the symlink: # cp /etc/resolv.conf.good /etc/resolv.conf.target The log should now say: (Mon May 18 17:33:30 2020) [sssd] [process_dir_event] (0x0400): Not interested in resolv.conf.target This shows that sssd didn't pick up that resolv.conf changed, via the target of the symlink. Run sssctl again, and the online status will remain offline. With the fixed packages, the sssd startup log will say: (Mon May 18 17:17:06 2020) [sssd] [_snotify_create] (0x0400): Added a watch for /etc/resolv.conf.target with inotify flags 0x8D88 internal flags 0x1 using function resolv_conf_inotify_cb after delay 1.0 Showing that it's monitoring the symlink target. And after fixing the broken symlink, it will say: (Mon May 18 17:18:06 2020) [sssd] [process_dir_event] (0x0400): received notification for watched file [resolv.conf.target] under /etc Run sssctl again, it should almost immediately switch to online: # sssctl domain-status LDAP Online status: Online Active servers: LDAP: ldap01.example.com Discovered LDAP servers: - ldap01.example.com b) polling test Repeat the previous test, but with "try_inotify = false" in sssd.conf, like this: # cat > /etc/sssd/sssd.conf <<EOF [sssd] config_file_version = 2 services = nss, pam, ifp domains = LDAP debug_level = 6 try_inotify = false [domain/LDAP] id_provider = ldap ldap_uri = ldap://ldap01.example.com cache_credentials = True ldap_search_base = dc=example,dc=com EOF Upon startup, the sssd log will show: (Mon May 18 17:57:04 2020) [sssd] [monitor_config_file_fallback] (0x0080): file [/etc/resolv.conf] is missing. Will not update online status based on watching the file Note how it says it will not watch it for updates. With the fixed package, the log will show this instead: (Mon May 18 18:02:56 2020) [sssd] [monitor_config_file_fallback] (0x0020): file [/etc/resolv.conf] is missing. Will try again later. Notice how it says it will try again, and multiple times if you keep watching it (once every 10s). "Unbreak" the symlink: # cp /etc/resolv.conf.good /etc/resolv.conf.target And the log output will eventually show this: (Mon May 18 18:04:06 2020) [sssd] [monitor_config_file_fallback] (0x0020): file [/etc/resolv.conf] is missing. Will try again later. (Mon May 18 18:04:17 2020) [sssd] [signal_res_init] (0x0040): Reloading Resolv.conf. And sssctl will show the now online status: # sssctl domain-status LDAP Online status: Online Active servers: LDAP: ldap01.example.com Discovered LDAP servers: - ldap01.example.com [Regression Potential] TBD [Other Info] Not at this time. [Original Description] SSSD 1.15.3-2ubuntu1 on 17.10/artful (previous versions on artful were also affected) is offline on boot and seems to stay offline forever (I waited over 20 minutes). sssd_nss.log: (Fri Oct 13 09:49:50 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] ... SSSD immediately returns to normal operation after restarting it or after sending SIGUSR2. A workaround for the problem is creating the file /etc/systemd/system/sssd.service.d/override.conf with contents [Unit] Requires=network-online.target After=network-online.target
2020-05-18 18:13:48 Andreas Hasenack description [Impact] sssd can switch to an offline mode of operation when it cannot reach the authentication or id backend. It uses several methods to assess the situation, and one of them is monitoring the /etc/resolv.conf file for changes. In ubuntu that file is a symlink to /run/systemd/resolve/stub-resolv.conf, but the target doesn't exist at all times during boot. It's expected that symlink to be broken for a while during boot. Turns out that the monitoring that sssd was doing on /etc/resolv.conf didn't take into consideration that what could change was the *target* of the symlink. it completely ignored that fact, and didn't notice when the resolv.conf contents actually changed in this scenario, which resulted in sssd staying in the offline mode when it shouldn't. There are two fixes being pulled in for this SRU: a) fix the monitoring of the target of the /etc/resolv.conf symlink b) change the fallback polling code to keep trying, instead of giving up right away [Test Case] It's recommended to test this in a lxd container, or a vm. Preparation steps. When prompted for an openldap/slapd password, chose any password you want. It won't be needed again: $ sudo apt update && sudo apt dist-upgrade $ sudo apt install sssd-ldap sssd-tools sssd-dbus slapd dnsmasq Become root: $ sudo su - Detect your ip: # export interface=$(ip route | grep default | sed -r 's,^default via .* dev ([a-z0-9]+) .*,\1,') # export ip=$(ip addr show dev $interface | grep "inet [0-9]" | awk '{print $2}' | cut -d / -f 1) Confirm the $ip variable is correct for your case: # echo $ip Create /etc/dnsmasq.d/sssd-test.conf using your real ip: # cat > /etc/dnsmasq.d/sssd-test.conf <<EOF host-record=ldap01.example.com,$ip listen-address=$ip EOF restart dnsmasq # systemctl restart dnsmasq a) inotify test Create /etc/sssd/sssd.conf: # cat > /etc/sssd/sssd.conf <<EOF [sssd] config_file_version = 2 services = nss, pam, ifp domains = LDAP debug_level = 6 [domain/LDAP] id_provider = ldap ldap_uri = ldap://ldap01.example.com cache_credentials = True ldap_search_base = dc=example,dc=com EOF # chmod 0600 /etc/sssd/sssd.conf # rm /etc/resolv.conf # ln -s /etc/resolv.conf.target /etc/resolv.conf create good resolv.conf: # echo "nameserver $ip" > /etc/resolv.conf.good Confirm /etc/resolv.conf is a broken symlink: # ll /etc/resolv.conf* lrwxrwxrwx 1 root root 23 May 13 20:48 /etc/resolv.conf -> /etc/resolv.conf.target -rw-r--r-- 1 root root 24 May 13 20:48 /etc/resolv.conf.good Open another terminal/screen and tail the sssd logs with a grep: # tail -f /var/log/sssd/sssd.log | grep -i resolv Start sssd # systemctl restart sssd The tail output from that other terminal should say sssd is monitoring /etc/resolv.conf (that's the broken symlink): (Mon May 18 17:32:34 2020) [sssd] [_snotify_create] (0x0400): Added a watch for /etc/resolv.conf with inotify flags 0x8D88 internal flags 0x1 using function resolv_conf_inotify_cb after delay 1.0 Repeat this sssctl call until it shows the offline mode persistently: # sssctl domain-status LDAP Online status: Offline Active servers: LDAP: not connected Discovered LDAP servers: - ldap01.example.com "Unbreak" the symlink: # cp /etc/resolv.conf.good /etc/resolv.conf.target The log should now say: (Mon May 18 17:33:30 2020) [sssd] [process_dir_event] (0x0400): Not interested in resolv.conf.target This shows that sssd didn't pick up that resolv.conf changed, via the target of the symlink. Run sssctl again, and the online status will remain offline. With the fixed packages, the sssd startup log will say: (Mon May 18 17:17:06 2020) [sssd] [_snotify_create] (0x0400): Added a watch for /etc/resolv.conf.target with inotify flags 0x8D88 internal flags 0x1 using function resolv_conf_inotify_cb after delay 1.0 Showing that it's monitoring the symlink target. And after fixing the broken symlink, it will say: (Mon May 18 17:18:06 2020) [sssd] [process_dir_event] (0x0400): received notification for watched file [resolv.conf.target] under /etc Run sssctl again, it should almost immediately switch to online: # sssctl domain-status LDAP Online status: Online Active servers: LDAP: ldap01.example.com Discovered LDAP servers: - ldap01.example.com b) polling test Repeat the previous test, but with "try_inotify = false" in sssd.conf, like this: # cat > /etc/sssd/sssd.conf <<EOF [sssd] config_file_version = 2 services = nss, pam, ifp domains = LDAP debug_level = 6 try_inotify = false [domain/LDAP] id_provider = ldap ldap_uri = ldap://ldap01.example.com cache_credentials = True ldap_search_base = dc=example,dc=com EOF Upon startup, the sssd log will show: (Mon May 18 17:57:04 2020) [sssd] [monitor_config_file_fallback] (0x0080): file [/etc/resolv.conf] is missing. Will not update online status based on watching the file Note how it says it will not watch it for updates. With the fixed package, the log will show this instead: (Mon May 18 18:02:56 2020) [sssd] [monitor_config_file_fallback] (0x0020): file [/etc/resolv.conf] is missing. Will try again later. Notice how it says it will try again, and multiple times if you keep watching it (once every 10s). "Unbreak" the symlink: # cp /etc/resolv.conf.good /etc/resolv.conf.target And the log output will eventually show this: (Mon May 18 18:04:06 2020) [sssd] [monitor_config_file_fallback] (0x0020): file [/etc/resolv.conf] is missing. Will try again later. (Mon May 18 18:04:17 2020) [sssd] [signal_res_init] (0x0040): Reloading Resolv.conf. And sssctl will show the now online status: # sssctl domain-status LDAP Online status: Online Active servers: LDAP: ldap01.example.com Discovered LDAP servers: - ldap01.example.com [Regression Potential] TBD [Other Info] Not at this time. [Original Description] SSSD 1.15.3-2ubuntu1 on 17.10/artful (previous versions on artful were also affected) is offline on boot and seems to stay offline forever (I waited over 20 minutes). sssd_nss.log: (Fri Oct 13 09:49:50 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] ... SSSD immediately returns to normal operation after restarting it or after sending SIGUSR2. A workaround for the problem is creating the file /etc/systemd/system/sssd.service.d/override.conf with contents [Unit] Requires=network-online.target After=network-online.target [Impact] sssd can switch to an offline mode of operation when it cannot reach the authentication or id backend. It uses several methods to assess the situation, and one of them is monitoring the /etc/resolv.conf file for changes. In ubuntu that file is a symlink to /run/systemd/resolve/stub-resolv.conf, but the target doesn't exist at all times during boot. It's expected that symlink to be broken for a while during boot. Turns out that the monitoring that sssd was doing on /etc/resolv.conf didn't take into consideration that what could change was the *target* of the symlink. it completely ignored that fact, and didn't notice when the resolv.conf contents actually changed in this scenario, which resulted in sssd staying in the offline mode when it shouldn't. There are two fixes being pulled in for this SRU: a) fix the monitoring of the target of the /etc/resolv.conf symlink b) change the fallback polling code to keep trying, instead of giving up right away [Test Case] It's recommended to test this in a lxd container, or a vm. Preparation steps. When prompted for an openldap/slapd password, chose any password you want. It won't be needed again: $ sudo apt update && sudo apt dist-upgrade $ sudo apt install sssd-ldap sssd-tools sssd-dbus slapd dnsmasq Become root: $ sudo su - Detect your ip: # export interface=$(ip route | grep default | sed -r 's,^default via .* dev ([a-z0-9]+) .*,\1,') # export ip=$(ip addr show dev $interface | grep "inet [0-9]" | awk '{print $2}' | cut -d / -f 1) Confirm the $ip variable is correct for your case: # echo $ip Create /etc/dnsmasq.d/sssd-test.conf using your real ip: # cat > /etc/dnsmasq.d/sssd-test.conf <<EOF host-record=ldap01.example.com,$ip listen-address=$ip EOF restart dnsmasq # systemctl restart dnsmasq a) inotify test Create /etc/sssd/sssd.conf: # cat > /etc/sssd/sssd.conf <<EOF [sssd] config_file_version = 2 services = nss, pam, ifp domains = LDAP debug_level = 6 [domain/LDAP] id_provider = ldap ldap_uri = ldap://ldap01.example.com cache_credentials = True ldap_search_base = dc=example,dc=com EOF # chmod 0600 /etc/sssd/sssd.conf # rm /etc/resolv.conf # ln -s /etc/resolv.conf.target /etc/resolv.conf create good resolv.conf: # echo "nameserver $ip" > /etc/resolv.conf.good Confirm /etc/resolv.conf is a broken symlink: # ll /etc/resolv.conf* lrwxrwxrwx 1 root root 23 May 13 20:48 /etc/resolv.conf -> /etc/resolv.conf.target -rw-r--r-- 1 root root 24 May 13 20:48 /etc/resolv.conf.good Open another terminal/screen and tail the sssd logs with a grep: # tail -f /var/log/sssd/sssd.log | grep -i resolv Start sssd # systemctl restart sssd The tail output from that other terminal should say sssd is monitoring /etc/resolv.conf (that's the broken symlink): (Mon May 18 17:32:34 2020) [sssd] [_snotify_create] (0x0400): Added a watch for /etc/resolv.conf with inotify flags 0x8D88 internal flags 0x1 using function resolv_conf_inotify_cb after delay 1.0 Repeat this sssctl call until it shows the offline mode persistently: # sssctl domain-status LDAP Online status: Offline Active servers: LDAP: not connected Discovered LDAP servers: - ldap01.example.com "Unbreak" the symlink: # cp /etc/resolv.conf.good /etc/resolv.conf.target The log should now say: (Mon May 18 17:33:30 2020) [sssd] [process_dir_event] (0x0400): Not interested in resolv.conf.target This shows that sssd didn't pick up that resolv.conf changed, via the target of the symlink. Run sssctl again, and the online status will remain offline. With the fixed packages, the sssd startup log will say: (Mon May 18 17:17:06 2020) [sssd] [_snotify_create] (0x0400): Added a watch for /etc/resolv.conf.target with inotify flags 0x8D88 internal flags 0x1 using function resolv_conf_inotify_cb after delay 1.0 Showing that it's monitoring the symlink target. And after fixing the broken symlink, it will say: (Mon May 18 17:18:06 2020) [sssd] [process_dir_event] (0x0400): received notification for watched file [resolv.conf.target] under /etc Run sssctl again, it should almost immediately switch to online: # sssctl domain-status LDAP Online status: Online Active servers: LDAP: ldap01.example.com Discovered LDAP servers: - ldap01.example.com b) polling test Repeat the previous test, but with "try_inotify = false" in sssd.conf, like this: # cat > /etc/sssd/sssd.conf <<EOF [sssd] config_file_version = 2 services = nss, pam, ifp domains = LDAP debug_level = 6 try_inotify = false [domain/LDAP] id_provider = ldap ldap_uri = ldap://ldap01.example.com cache_credentials = True ldap_search_base = dc=example,dc=com EOF Then follow the other steps of test case (a). Upon startup, the sssd log will show: (Mon May 18 17:57:04 2020) [sssd] [monitor_config_file_fallback] (0x0080): file [/etc/resolv.conf] is missing. Will not update online status based on watching the file Note how it says it will not watch it for updates. With the fixed package, the log will show this instead: (Mon May 18 18:02:56 2020) [sssd] [monitor_config_file_fallback] (0x0020): file [/etc/resolv.conf] is missing. Will try again later. Notice how it says it will try again, and multiple times if you keep watching it (once every 10s). "Unbreak" the symlink: # cp /etc/resolv.conf.good /etc/resolv.conf.target And the log output will eventually show this: (Mon May 18 18:04:06 2020) [sssd] [monitor_config_file_fallback] (0x0020): file [/etc/resolv.conf] is missing. Will try again later. (Mon May 18 18:04:17 2020) [sssd] [signal_res_init] (0x0040): Reloading Resolv.conf. And sssctl will show the now online status: # sssctl domain-status LDAP Online status: Online Active servers: LDAP: ldap01.example.com Discovered LDAP servers: - ldap01.example.com [Regression Potential] TBD [Other Info] Not at this time. [Original Description] SSSD 1.15.3-2ubuntu1 on 17.10/artful (previous versions on artful were also affected) is offline on boot and seems to stay offline forever (I waited over 20 minutes). sssd_nss.log: (Fri Oct 13 09:49:50 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] ... SSSD immediately returns to normal operation after restarting it or after sending SIGUSR2. A workaround for the problem is creating the file /etc/systemd/system/sssd.service.d/override.conf with contents [Unit] Requires=network-online.target After=network-online.target
2020-05-18 18:34:02 Launchpad Janitor merge proposal linked https://code.launchpad.net/~ahasenack/ubuntu/+source/sssd/+git/sssd/+merge/384137
2020-05-18 18:36:49 Launchpad Janitor merge proposal linked https://code.launchpad.net/~ahasenack/ubuntu/+source/sssd/+git/sssd/+merge/384138
2020-05-18 18:39:51 Andreas Hasenack sssd (Ubuntu Eoan): importance Undecided High
2020-05-18 18:46:35 Andreas Hasenack description [Impact] sssd can switch to an offline mode of operation when it cannot reach the authentication or id backend. It uses several methods to assess the situation, and one of them is monitoring the /etc/resolv.conf file for changes. In ubuntu that file is a symlink to /run/systemd/resolve/stub-resolv.conf, but the target doesn't exist at all times during boot. It's expected that symlink to be broken for a while during boot. Turns out that the monitoring that sssd was doing on /etc/resolv.conf didn't take into consideration that what could change was the *target* of the symlink. it completely ignored that fact, and didn't notice when the resolv.conf contents actually changed in this scenario, which resulted in sssd staying in the offline mode when it shouldn't. There are two fixes being pulled in for this SRU: a) fix the monitoring of the target of the /etc/resolv.conf symlink b) change the fallback polling code to keep trying, instead of giving up right away [Test Case] It's recommended to test this in a lxd container, or a vm. Preparation steps. When prompted for an openldap/slapd password, chose any password you want. It won't be needed again: $ sudo apt update && sudo apt dist-upgrade $ sudo apt install sssd-ldap sssd-tools sssd-dbus slapd dnsmasq Become root: $ sudo su - Detect your ip: # export interface=$(ip route | grep default | sed -r 's,^default via .* dev ([a-z0-9]+) .*,\1,') # export ip=$(ip addr show dev $interface | grep "inet [0-9]" | awk '{print $2}' | cut -d / -f 1) Confirm the $ip variable is correct for your case: # echo $ip Create /etc/dnsmasq.d/sssd-test.conf using your real ip: # cat > /etc/dnsmasq.d/sssd-test.conf <<EOF host-record=ldap01.example.com,$ip listen-address=$ip EOF restart dnsmasq # systemctl restart dnsmasq a) inotify test Create /etc/sssd/sssd.conf: # cat > /etc/sssd/sssd.conf <<EOF [sssd] config_file_version = 2 services = nss, pam, ifp domains = LDAP debug_level = 6 [domain/LDAP] id_provider = ldap ldap_uri = ldap://ldap01.example.com cache_credentials = True ldap_search_base = dc=example,dc=com EOF # chmod 0600 /etc/sssd/sssd.conf # rm /etc/resolv.conf # ln -s /etc/resolv.conf.target /etc/resolv.conf create good resolv.conf: # echo "nameserver $ip" > /etc/resolv.conf.good Confirm /etc/resolv.conf is a broken symlink: # ll /etc/resolv.conf* lrwxrwxrwx 1 root root 23 May 13 20:48 /etc/resolv.conf -> /etc/resolv.conf.target -rw-r--r-- 1 root root 24 May 13 20:48 /etc/resolv.conf.good Open another terminal/screen and tail the sssd logs with a grep: # tail -f /var/log/sssd/sssd.log | grep -i resolv Start sssd # systemctl restart sssd The tail output from that other terminal should say sssd is monitoring /etc/resolv.conf (that's the broken symlink): (Mon May 18 17:32:34 2020) [sssd] [_snotify_create] (0x0400): Added a watch for /etc/resolv.conf with inotify flags 0x8D88 internal flags 0x1 using function resolv_conf_inotify_cb after delay 1.0 Repeat this sssctl call until it shows the offline mode persistently: # sssctl domain-status LDAP Online status: Offline Active servers: LDAP: not connected Discovered LDAP servers: - ldap01.example.com "Unbreak" the symlink: # cp /etc/resolv.conf.good /etc/resolv.conf.target The log should now say: (Mon May 18 17:33:30 2020) [sssd] [process_dir_event] (0x0400): Not interested in resolv.conf.target This shows that sssd didn't pick up that resolv.conf changed, via the target of the symlink. Run sssctl again, and the online status will remain offline. With the fixed packages, the sssd startup log will say: (Mon May 18 17:17:06 2020) [sssd] [_snotify_create] (0x0400): Added a watch for /etc/resolv.conf.target with inotify flags 0x8D88 internal flags 0x1 using function resolv_conf_inotify_cb after delay 1.0 Showing that it's monitoring the symlink target. And after fixing the broken symlink, it will say: (Mon May 18 17:18:06 2020) [sssd] [process_dir_event] (0x0400): received notification for watched file [resolv.conf.target] under /etc Run sssctl again, it should almost immediately switch to online: # sssctl domain-status LDAP Online status: Online Active servers: LDAP: ldap01.example.com Discovered LDAP servers: - ldap01.example.com b) polling test Repeat the previous test, but with "try_inotify = false" in sssd.conf, like this: # cat > /etc/sssd/sssd.conf <<EOF [sssd] config_file_version = 2 services = nss, pam, ifp domains = LDAP debug_level = 6 try_inotify = false [domain/LDAP] id_provider = ldap ldap_uri = ldap://ldap01.example.com cache_credentials = True ldap_search_base = dc=example,dc=com EOF Then follow the other steps of test case (a). Upon startup, the sssd log will show: (Mon May 18 17:57:04 2020) [sssd] [monitor_config_file_fallback] (0x0080): file [/etc/resolv.conf] is missing. Will not update online status based on watching the file Note how it says it will not watch it for updates. With the fixed package, the log will show this instead: (Mon May 18 18:02:56 2020) [sssd] [monitor_config_file_fallback] (0x0020): file [/etc/resolv.conf] is missing. Will try again later. Notice how it says it will try again, and multiple times if you keep watching it (once every 10s). "Unbreak" the symlink: # cp /etc/resolv.conf.good /etc/resolv.conf.target And the log output will eventually show this: (Mon May 18 18:04:06 2020) [sssd] [monitor_config_file_fallback] (0x0020): file [/etc/resolv.conf] is missing. Will try again later. (Mon May 18 18:04:17 2020) [sssd] [signal_res_init] (0x0040): Reloading Resolv.conf. And sssctl will show the now online status: # sssctl domain-status LDAP Online status: Online Active servers: LDAP: ldap01.example.com Discovered LDAP servers: - ldap01.example.com [Regression Potential] TBD [Other Info] Not at this time. [Original Description] SSSD 1.15.3-2ubuntu1 on 17.10/artful (previous versions on artful were also affected) is offline on boot and seems to stay offline forever (I waited over 20 minutes). sssd_nss.log: (Fri Oct 13 09:49:50 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] ... SSSD immediately returns to normal operation after restarting it or after sending SIGUSR2. A workaround for the problem is creating the file /etc/systemd/system/sssd.service.d/override.conf with contents [Unit] Requires=network-online.target After=network-online.target [Impact] sssd can switch to an offline mode of operation when it cannot reach the authentication or id backend. It uses several methods to assess the situation, and one of them is monitoring the /etc/resolv.conf file for changes. In ubuntu that file is a symlink to /run/systemd/resolve/stub-resolv.conf, but the target doesn't exist at all times during boot. It's expected that symlink to be broken for a while during boot. Turns out that the monitoring that sssd was doing on /etc/resolv.conf didn't take into consideration that what could change was the *target* of the symlink. it completely ignored that fact, and didn't notice when the resolv.conf contents actually changed in this scenario, which resulted in sssd staying in the offline mode when it shouldn't. There are two fixes being pulled in for this SRU: a) fix the monitoring of the target of the /etc/resolv.conf symlink b) change the fallback polling code to keep trying, instead of giving up right away [Test Case] It's recommended to test this in a lxd container, or a vm. Preparation steps. When prompted for an openldap/slapd password, chose any password you want. It won't be needed again: $ sudo apt update && sudo apt dist-upgrade $ sudo apt install sssd-ldap sssd-tools sssd-dbus slapd dnsmasq Become root: $ sudo su - Detect your ip: # export interface=$(ip route | grep default | sed -r 's,^default via .* dev ([a-z0-9]+) .*,\1,') # export ip=$(ip addr show dev $interface | grep "inet [0-9]" | awk '{print $2}' | cut -d / -f 1) Confirm the $ip variable is correct for your case: # echo $ip Create /etc/dnsmasq.d/sssd-test.conf using your real ip: # cat > /etc/dnsmasq.d/sssd-test.conf <<EOF host-record=ldap01.example.com,$ip listen-address=$ip EOF restart dnsmasq # systemctl restart dnsmasq a) inotify test Create /etc/sssd/sssd.conf: # cat > /etc/sssd/sssd.conf <<EOF [sssd] config_file_version = 2 services = nss, pam, ifp domains = LDAP debug_level = 6 [domain/LDAP] id_provider = ldap ldap_uri = ldap://ldap01.example.com cache_credentials = True ldap_search_base = dc=example,dc=com EOF # chmod 0600 /etc/sssd/sssd.conf # rm /etc/resolv.conf # ln -s /etc/resolv.conf.target /etc/resolv.conf create good resolv.conf: # echo "nameserver $ip" > /etc/resolv.conf.good Confirm /etc/resolv.conf is a broken symlink: # ll /etc/resolv.conf* lrwxrwxrwx 1 root root 23 May 13 20:48 /etc/resolv.conf -> /etc/resolv.conf.target -rw-r--r-- 1 root root 24 May 13 20:48 /etc/resolv.conf.good Open another terminal/screen and tail the sssd logs with a grep: # tail -f /var/log/sssd/sssd.log | grep -i resolv Start sssd # systemctl restart sssd The tail output from that other terminal should say sssd is monitoring /etc/resolv.conf (that's the broken symlink): (Mon May 18 17:32:34 2020) [sssd] [_snotify_create] (0x0400): Added a watch for /etc/resolv.conf with inotify flags 0x8D88 internal flags 0x1 using function resolv_conf_inotify_cb after delay 1.0 Repeat this sssctl call until it shows the offline mode persistently: # sssctl domain-status LDAP Online status: Offline Active servers: LDAP: not connected Discovered LDAP servers: - ldap01.example.com "Unbreak" the symlink: # cp /etc/resolv.conf.good /etc/resolv.conf.target The log should now say: (Mon May 18 17:33:30 2020) [sssd] [process_dir_event] (0x0400): Not interested in resolv.conf.target This shows that sssd didn't pick up that resolv.conf changed, via the target of the symlink. Run sssctl again, and the online status will remain offline. With the fixed packages, the sssd startup log will say: (Mon May 18 17:17:06 2020) [sssd] [_snotify_create] (0x0400): Added a watch for /etc/resolv.conf.target with inotify flags 0x8D88 internal flags 0x1 using function resolv_conf_inotify_cb after delay 1.0 Showing that it's monitoring the symlink target. And after fixing the broken symlink, it will say: (Mon May 18 17:18:06 2020) [sssd] [process_dir_event] (0x0400): received notification for watched file [resolv.conf.target] under /etc Run sssctl again, it should almost immediately switch to online: # sssctl domain-status LDAP Online status: Online Active servers: LDAP: ldap01.example.com Discovered LDAP servers: - ldap01.example.com b) polling test Repeat the previous test, but with "try_inotify = false" in sssd.conf, like this: # cat > /etc/sssd/sssd.conf <<EOF [sssd] config_file_version = 2 services = nss, pam, ifp domains = LDAP debug_level = 6 try_inotify = false [domain/LDAP] id_provider = ldap ldap_uri = ldap://ldap01.example.com cache_credentials = True ldap_search_base = dc=example,dc=com EOF Then follow the other steps of test case (a). Upon startup, the sssd log will show: (Mon May 18 17:57:04 2020) [sssd] [monitor_config_file_fallback] (0x0080): file [/etc/resolv.conf] is missing. Will not update online status based on watching the file Note how it says it will not watch it for updates. With the fixed package, the log will show this instead: (Mon May 18 18:02:56 2020) [sssd] [monitor_config_file_fallback] (0x0020): file [/etc/resolv.conf] is missing. Will try again later. Notice how it says it will try again, and multiple times if you keep watching it (once every 10s). "Unbreak" the symlink: # cp /etc/resolv.conf.good /etc/resolv.conf.target And the log output will eventually show this: (Mon May 18 18:04:06 2020) [sssd] [monitor_config_file_fallback] (0x0020): file [/etc/resolv.conf] is missing. Will try again later. (Mon May 18 18:04:17 2020) [sssd] [signal_res_init] (0x0040): Reloading Resolv.conf. And sssctl will show the now online status: # sssctl domain-status LDAP Online status: Online Active servers: LDAP: ldap01.example.com Discovered LDAP servers: - ldap01.example.com [Regression Potential] Breaking sssd can mean preventing logins of network remote users on a system, but should still allow local users (and root) to login. Another possible source of regressions, but not related to the code changes in this update, if there are pre-existing incorrect changes to sssd.conf, they might prevent the service from restarting when this update is applied. [Other Info] Not at this time. [Original Description] SSSD 1.15.3-2ubuntu1 on 17.10/artful (previous versions on artful were also affected) is offline on boot and seems to stay offline forever (I waited over 20 minutes). sssd_nss.log: (Fri Oct 13 09:49:50 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] ... SSSD immediately returns to normal operation after restarting it or after sending SIGUSR2. A workaround for the problem is creating the file /etc/systemd/system/sssd.service.d/override.conf with contents [Unit] Requires=network-online.target After=network-online.target
2020-05-18 19:51:43 Mark Foster (ExtraHop) removed subscriber Mark Foster (ExtraHop)
2020-05-28 18:59:03 Leif M bug added subscriber Leif M
2020-05-29 14:31:57 Andreas Hasenack description [Impact] sssd can switch to an offline mode of operation when it cannot reach the authentication or id backend. It uses several methods to assess the situation, and one of them is monitoring the /etc/resolv.conf file for changes. In ubuntu that file is a symlink to /run/systemd/resolve/stub-resolv.conf, but the target doesn't exist at all times during boot. It's expected that symlink to be broken for a while during boot. Turns out that the monitoring that sssd was doing on /etc/resolv.conf didn't take into consideration that what could change was the *target* of the symlink. it completely ignored that fact, and didn't notice when the resolv.conf contents actually changed in this scenario, which resulted in sssd staying in the offline mode when it shouldn't. There are two fixes being pulled in for this SRU: a) fix the monitoring of the target of the /etc/resolv.conf symlink b) change the fallback polling code to keep trying, instead of giving up right away [Test Case] It's recommended to test this in a lxd container, or a vm. Preparation steps. When prompted for an openldap/slapd password, chose any password you want. It won't be needed again: $ sudo apt update && sudo apt dist-upgrade $ sudo apt install sssd-ldap sssd-tools sssd-dbus slapd dnsmasq Become root: $ sudo su - Detect your ip: # export interface=$(ip route | grep default | sed -r 's,^default via .* dev ([a-z0-9]+) .*,\1,') # export ip=$(ip addr show dev $interface | grep "inet [0-9]" | awk '{print $2}' | cut -d / -f 1) Confirm the $ip variable is correct for your case: # echo $ip Create /etc/dnsmasq.d/sssd-test.conf using your real ip: # cat > /etc/dnsmasq.d/sssd-test.conf <<EOF host-record=ldap01.example.com,$ip listen-address=$ip EOF restart dnsmasq # systemctl restart dnsmasq a) inotify test Create /etc/sssd/sssd.conf: # cat > /etc/sssd/sssd.conf <<EOF [sssd] config_file_version = 2 services = nss, pam, ifp domains = LDAP debug_level = 6 [domain/LDAP] id_provider = ldap ldap_uri = ldap://ldap01.example.com cache_credentials = True ldap_search_base = dc=example,dc=com EOF # chmod 0600 /etc/sssd/sssd.conf # rm /etc/resolv.conf # ln -s /etc/resolv.conf.target /etc/resolv.conf create good resolv.conf: # echo "nameserver $ip" > /etc/resolv.conf.good Confirm /etc/resolv.conf is a broken symlink: # ll /etc/resolv.conf* lrwxrwxrwx 1 root root 23 May 13 20:48 /etc/resolv.conf -> /etc/resolv.conf.target -rw-r--r-- 1 root root 24 May 13 20:48 /etc/resolv.conf.good Open another terminal/screen and tail the sssd logs with a grep: # tail -f /var/log/sssd/sssd.log | grep -i resolv Start sssd # systemctl restart sssd The tail output from that other terminal should say sssd is monitoring /etc/resolv.conf (that's the broken symlink): (Mon May 18 17:32:34 2020) [sssd] [_snotify_create] (0x0400): Added a watch for /etc/resolv.conf with inotify flags 0x8D88 internal flags 0x1 using function resolv_conf_inotify_cb after delay 1.0 Repeat this sssctl call until it shows the offline mode persistently: # sssctl domain-status LDAP Online status: Offline Active servers: LDAP: not connected Discovered LDAP servers: - ldap01.example.com "Unbreak" the symlink: # cp /etc/resolv.conf.good /etc/resolv.conf.target The log should now say: (Mon May 18 17:33:30 2020) [sssd] [process_dir_event] (0x0400): Not interested in resolv.conf.target This shows that sssd didn't pick up that resolv.conf changed, via the target of the symlink. Run sssctl again, and the online status will remain offline. With the fixed packages, the sssd startup log will say: (Mon May 18 17:17:06 2020) [sssd] [_snotify_create] (0x0400): Added a watch for /etc/resolv.conf.target with inotify flags 0x8D88 internal flags 0x1 using function resolv_conf_inotify_cb after delay 1.0 Showing that it's monitoring the symlink target. And after fixing the broken symlink, it will say: (Mon May 18 17:18:06 2020) [sssd] [process_dir_event] (0x0400): received notification for watched file [resolv.conf.target] under /etc Run sssctl again, it should almost immediately switch to online: # sssctl domain-status LDAP Online status: Online Active servers: LDAP: ldap01.example.com Discovered LDAP servers: - ldap01.example.com b) polling test Repeat the previous test, but with "try_inotify = false" in sssd.conf, like this: # cat > /etc/sssd/sssd.conf <<EOF [sssd] config_file_version = 2 services = nss, pam, ifp domains = LDAP debug_level = 6 try_inotify = false [domain/LDAP] id_provider = ldap ldap_uri = ldap://ldap01.example.com cache_credentials = True ldap_search_base = dc=example,dc=com EOF Then follow the other steps of test case (a). Upon startup, the sssd log will show: (Mon May 18 17:57:04 2020) [sssd] [monitor_config_file_fallback] (0x0080): file [/etc/resolv.conf] is missing. Will not update online status based on watching the file Note how it says it will not watch it for updates. With the fixed package, the log will show this instead: (Mon May 18 18:02:56 2020) [sssd] [monitor_config_file_fallback] (0x0020): file [/etc/resolv.conf] is missing. Will try again later. Notice how it says it will try again, and multiple times if you keep watching it (once every 10s). "Unbreak" the symlink: # cp /etc/resolv.conf.good /etc/resolv.conf.target And the log output will eventually show this: (Mon May 18 18:04:06 2020) [sssd] [monitor_config_file_fallback] (0x0020): file [/etc/resolv.conf] is missing. Will try again later. (Mon May 18 18:04:17 2020) [sssd] [signal_res_init] (0x0040): Reloading Resolv.conf. And sssctl will show the now online status: # sssctl domain-status LDAP Online status: Online Active servers: LDAP: ldap01.example.com Discovered LDAP servers: - ldap01.example.com [Regression Potential] Breaking sssd can mean preventing logins of network remote users on a system, but should still allow local users (and root) to login. Another possible source of regressions, but not related to the code changes in this update, if there are pre-existing incorrect changes to sssd.conf, they might prevent the service from restarting when this update is applied. [Other Info] Not at this time. [Original Description] SSSD 1.15.3-2ubuntu1 on 17.10/artful (previous versions on artful were also affected) is offline on boot and seems to stay offline forever (I waited over 20 minutes). sssd_nss.log: (Fri Oct 13 09:49:50 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] ... SSSD immediately returns to normal operation after restarting it or after sending SIGUSR2. A workaround for the problem is creating the file /etc/systemd/system/sssd.service.d/override.conf with contents [Unit] Requires=network-online.target After=network-online.target [Impact] sssd can switch to an offline mode of operation when it cannot reach the authentication or id backend. It uses several methods to assess the situation, and one of them is monitoring the /etc/resolv.conf file for changes. In ubuntu that file is a symlink to /run/systemd/resolve/stub-resolv.conf, but the target doesn't exist at all times during boot. It's expected that symlink to be broken for a while during boot. Turns out that the monitoring that sssd was doing on /etc/resolv.conf didn't take into consideration that what could change was the *target* of the symlink. it completely ignored that fact, and didn't notice when the resolv.conf contents actually changed in this scenario, which resulted in sssd staying in the offline mode when it shouldn't. There are two fixes being pulled in for this SRU: a) fix the monitoring of the target of the /etc/resolv.conf symlink b) change the fallback polling code to keep trying, instead of giving up right away [Test Case] It's recommended to test this in a lxd container, or a vm. Preparation steps. When prompted for an openldap/slapd password, chose any password you want. It won't be needed again: $ sudo apt update && sudo apt dist-upgrade $ sudo apt install sssd-ldap sssd-tools sssd-dbus slapd dnsmasq Become root: $ sudo su - Detect your ip: # export interface=$(ip route | grep default | sed -r 's,^default via .* dev ([a-z0-9]+) .*,\1,') # export ip=$(ip addr show dev $interface | grep "inet [0-9]" | awk '{print $2}' | cut -d / -f 1) Confirm the $ip variable is correct for your case: # echo $ip Create /etc/dnsmasq.d/sssd-test.conf using your real ip: # cat > /etc/dnsmasq.d/sssd-test.conf <<EOF host-record=ldap01.example.com,$ip listen-address=$ip EOF restart dnsmasq # systemctl restart dnsmasq a) inotify test Create /etc/sssd/sssd.conf: # cat > /etc/sssd/sssd.conf <<EOF [sssd] config_file_version = 2 services = nss, pam, ifp domains = LDAP debug_level = 6 [domain/LDAP] id_provider = ldap ldap_uri = ldap://ldap01.example.com cache_credentials = True ldap_search_base = dc=example,dc=com EOF # chmod 0600 /etc/sssd/sssd.conf # rm /etc/resolv.conf # ln -s /etc/resolv.conf.target /etc/resolv.conf create good resolv.conf: # echo "nameserver $ip" > /etc/resolv.conf.good Confirm /etc/resolv.conf is a broken symlink: # ll /etc/resolv.conf* lrwxrwxrwx 1 root root 23 May 13 20:48 /etc/resolv.conf -> /etc/resolv.conf.target -rw-r--r-- 1 root root 24 May 13 20:48 /etc/resolv.conf.good Open another terminal/screen and tail the sssd logs with a grep: # tail -F /var/log/sssd/sssd.log | grep -i resolv Start sssd # systemctl restart sssd The tail output from that other terminal should say sssd is monitoring /etc/resolv.conf (that's the broken symlink): (Mon May 18 17:32:34 2020) [sssd] [_snotify_create] (0x0400): Added a watch for /etc/resolv.conf with inotify flags 0x8D88 internal flags 0x1 using function resolv_conf_inotify_cb after delay 1.0 Repeat this sssctl call until it shows the offline mode persistently: # sssctl domain-status LDAP Online status: Offline Active servers: LDAP: not connected Discovered LDAP servers: - ldap01.example.com "Unbreak" the symlink: # cp /etc/resolv.conf.good /etc/resolv.conf.target The log should now say: (Mon May 18 17:33:30 2020) [sssd] [process_dir_event] (0x0400): Not interested in resolv.conf.target This shows that sssd didn't pick up that resolv.conf changed, via the target of the symlink. Run sssctl again, and the online status will remain offline. With the fixed packages, the sssd startup log will say: (Mon May 18 17:17:06 2020) [sssd] [_snotify_create] (0x0400): Added a watch for /etc/resolv.conf.target with inotify flags 0x8D88 internal flags 0x1 using function resolv_conf_inotify_cb after delay 1.0 Showing that it's monitoring the symlink target. And after fixing the broken symlink, it will say: (Mon May 18 17:18:06 2020) [sssd] [process_dir_event] (0x0400): received notification for watched file [resolv.conf.target] under /etc Run sssctl again, it should almost immediately switch to online: # sssctl domain-status LDAP Online status: Online Active servers: LDAP: ldap01.example.com Discovered LDAP servers: - ldap01.example.com b) polling test Repeat the previous test, but with "try_inotify = false" in sssd.conf, like this: # cat > /etc/sssd/sssd.conf <<EOF [sssd] config_file_version = 2 services = nss, pam, ifp domains = LDAP debug_level = 6 try_inotify = false [domain/LDAP] id_provider = ldap ldap_uri = ldap://ldap01.example.com cache_credentials = True ldap_search_base = dc=example,dc=com EOF Then follow the other steps of test case (a). Upon startup, the sssd log will show: (Mon May 18 17:57:04 2020) [sssd] [monitor_config_file_fallback] (0x0080): file [/etc/resolv.conf] is missing. Will not update online status based on watching the file Note how it says it will not watch it for updates. With the fixed package, the log will show this instead: (Mon May 18 18:02:56 2020) [sssd] [monitor_config_file_fallback] (0x0020): file [/etc/resolv.conf] is missing. Will try again later. Notice how it says it will try again, and multiple times if you keep watching it (once every 10s). "Unbreak" the symlink: # cp /etc/resolv.conf.good /etc/resolv.conf.target And the log output will eventually show this: (Mon May 18 18:04:06 2020) [sssd] [monitor_config_file_fallback] (0x0020): file [/etc/resolv.conf] is missing. Will try again later. (Mon May 18 18:04:17 2020) [sssd] [signal_res_init] (0x0040): Reloading Resolv.conf. And sssctl will show the now online status: # sssctl domain-status LDAP Online status: Online Active servers: LDAP: ldap01.example.com Discovered LDAP servers: - ldap01.example.com [Regression Potential] Breaking sssd can mean preventing logins of network remote users on a system, but should still allow local users (and root) to login. Another possible source of regressions, but not related to the code changes in this update, if there are pre-existing incorrect changes to sssd.conf, they might prevent the service from restarting when this update is applied. [Other Info] Not at this time. [Original Description] SSSD 1.15.3-2ubuntu1 on 17.10/artful (previous versions on artful were also affected) is offline on boot and seems to stay offline forever (I waited over 20 minutes). sssd_nss.log: (Fri Oct 13 09:49:50 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] ... SSSD immediately returns to normal operation after restarting it or after sending SIGUSR2. A workaround for the problem is creating the file /etc/systemd/system/sssd.service.d/override.conf with contents [Unit] Requires=network-online.target After=network-online.target
2020-05-29 15:15:34 Robie Basak sssd (Ubuntu Eoan): status In Progress Fix Committed
2020-05-29 15:15:36 Robie Basak bug added subscriber Ubuntu Stable Release Updates Team
2020-05-29 15:15:37 Robie Basak bug added subscriber SRU Verification
2020-05-29 15:15:42 Robie Basak tags server-next server-next verification-needed verification-needed-eoan
2020-05-29 15:15:58 Robie Basak sssd (Ubuntu Bionic): status In Progress Fix Committed
2020-05-29 15:16:04 Robie Basak tags server-next verification-needed verification-needed-eoan server-next verification-needed verification-needed-bionic verification-needed-eoan
2020-06-02 14:23:12 Andreas Hasenack description [Impact] sssd can switch to an offline mode of operation when it cannot reach the authentication or id backend. It uses several methods to assess the situation, and one of them is monitoring the /etc/resolv.conf file for changes. In ubuntu that file is a symlink to /run/systemd/resolve/stub-resolv.conf, but the target doesn't exist at all times during boot. It's expected that symlink to be broken for a while during boot. Turns out that the monitoring that sssd was doing on /etc/resolv.conf didn't take into consideration that what could change was the *target* of the symlink. it completely ignored that fact, and didn't notice when the resolv.conf contents actually changed in this scenario, which resulted in sssd staying in the offline mode when it shouldn't. There are two fixes being pulled in for this SRU: a) fix the monitoring of the target of the /etc/resolv.conf symlink b) change the fallback polling code to keep trying, instead of giving up right away [Test Case] It's recommended to test this in a lxd container, or a vm. Preparation steps. When prompted for an openldap/slapd password, chose any password you want. It won't be needed again: $ sudo apt update && sudo apt dist-upgrade $ sudo apt install sssd-ldap sssd-tools sssd-dbus slapd dnsmasq Become root: $ sudo su - Detect your ip: # export interface=$(ip route | grep default | sed -r 's,^default via .* dev ([a-z0-9]+) .*,\1,') # export ip=$(ip addr show dev $interface | grep "inet [0-9]" | awk '{print $2}' | cut -d / -f 1) Confirm the $ip variable is correct for your case: # echo $ip Create /etc/dnsmasq.d/sssd-test.conf using your real ip: # cat > /etc/dnsmasq.d/sssd-test.conf <<EOF host-record=ldap01.example.com,$ip listen-address=$ip EOF restart dnsmasq # systemctl restart dnsmasq a) inotify test Create /etc/sssd/sssd.conf: # cat > /etc/sssd/sssd.conf <<EOF [sssd] config_file_version = 2 services = nss, pam, ifp domains = LDAP debug_level = 6 [domain/LDAP] id_provider = ldap ldap_uri = ldap://ldap01.example.com cache_credentials = True ldap_search_base = dc=example,dc=com EOF # chmod 0600 /etc/sssd/sssd.conf # rm /etc/resolv.conf # ln -s /etc/resolv.conf.target /etc/resolv.conf create good resolv.conf: # echo "nameserver $ip" > /etc/resolv.conf.good Confirm /etc/resolv.conf is a broken symlink: # ll /etc/resolv.conf* lrwxrwxrwx 1 root root 23 May 13 20:48 /etc/resolv.conf -> /etc/resolv.conf.target -rw-r--r-- 1 root root 24 May 13 20:48 /etc/resolv.conf.good Open another terminal/screen and tail the sssd logs with a grep: # tail -F /var/log/sssd/sssd.log | grep -i resolv Start sssd # systemctl restart sssd The tail output from that other terminal should say sssd is monitoring /etc/resolv.conf (that's the broken symlink): (Mon May 18 17:32:34 2020) [sssd] [_snotify_create] (0x0400): Added a watch for /etc/resolv.conf with inotify flags 0x8D88 internal flags 0x1 using function resolv_conf_inotify_cb after delay 1.0 Repeat this sssctl call until it shows the offline mode persistently: # sssctl domain-status LDAP Online status: Offline Active servers: LDAP: not connected Discovered LDAP servers: - ldap01.example.com "Unbreak" the symlink: # cp /etc/resolv.conf.good /etc/resolv.conf.target The log should now say: (Mon May 18 17:33:30 2020) [sssd] [process_dir_event] (0x0400): Not interested in resolv.conf.target This shows that sssd didn't pick up that resolv.conf changed, via the target of the symlink. Run sssctl again, and the online status will remain offline. With the fixed packages, the sssd startup log will say: (Mon May 18 17:17:06 2020) [sssd] [_snotify_create] (0x0400): Added a watch for /etc/resolv.conf.target with inotify flags 0x8D88 internal flags 0x1 using function resolv_conf_inotify_cb after delay 1.0 Showing that it's monitoring the symlink target. And after fixing the broken symlink, it will say: (Mon May 18 17:18:06 2020) [sssd] [process_dir_event] (0x0400): received notification for watched file [resolv.conf.target] under /etc Run sssctl again, it should almost immediately switch to online: # sssctl domain-status LDAP Online status: Online Active servers: LDAP: ldap01.example.com Discovered LDAP servers: - ldap01.example.com b) polling test Repeat the previous test, but with "try_inotify = false" in sssd.conf, like this: # cat > /etc/sssd/sssd.conf <<EOF [sssd] config_file_version = 2 services = nss, pam, ifp domains = LDAP debug_level = 6 try_inotify = false [domain/LDAP] id_provider = ldap ldap_uri = ldap://ldap01.example.com cache_credentials = True ldap_search_base = dc=example,dc=com EOF Then follow the other steps of test case (a). Upon startup, the sssd log will show: (Mon May 18 17:57:04 2020) [sssd] [monitor_config_file_fallback] (0x0080): file [/etc/resolv.conf] is missing. Will not update online status based on watching the file Note how it says it will not watch it for updates. With the fixed package, the log will show this instead: (Mon May 18 18:02:56 2020) [sssd] [monitor_config_file_fallback] (0x0020): file [/etc/resolv.conf] is missing. Will try again later. Notice how it says it will try again, and multiple times if you keep watching it (once every 10s). "Unbreak" the symlink: # cp /etc/resolv.conf.good /etc/resolv.conf.target And the log output will eventually show this: (Mon May 18 18:04:06 2020) [sssd] [monitor_config_file_fallback] (0x0020): file [/etc/resolv.conf] is missing. Will try again later. (Mon May 18 18:04:17 2020) [sssd] [signal_res_init] (0x0040): Reloading Resolv.conf. And sssctl will show the now online status: # sssctl domain-status LDAP Online status: Online Active servers: LDAP: ldap01.example.com Discovered LDAP servers: - ldap01.example.com [Regression Potential] Breaking sssd can mean preventing logins of network remote users on a system, but should still allow local users (and root) to login. Another possible source of regressions, but not related to the code changes in this update, if there are pre-existing incorrect changes to sssd.conf, they might prevent the service from restarting when this update is applied. [Other Info] Not at this time. [Original Description] SSSD 1.15.3-2ubuntu1 on 17.10/artful (previous versions on artful were also affected) is offline on boot and seems to stay offline forever (I waited over 20 minutes). sssd_nss.log: (Fri Oct 13 09:49:50 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] ... SSSD immediately returns to normal operation after restarting it or after sending SIGUSR2. A workaround for the problem is creating the file /etc/systemd/system/sssd.service.d/override.conf with contents [Unit] Requires=network-online.target After=network-online.target [Impact] sssd can switch to an offline mode of operation when it cannot reach the authentication or id backend. It uses several methods to assess the situation, and one of them is monitoring the /etc/resolv.conf file for changes. In ubuntu that file is a symlink to /run/systemd/resolve/stub-resolv.conf, but the target doesn't exist at all times during boot. It's expected that symlink to be broken for a while during boot. Turns out that the monitoring that sssd was doing on /etc/resolv.conf didn't take into consideration that what could change was the *target* of the symlink. it completely ignored that fact, and didn't notice when the resolv.conf contents actually changed in this scenario, which resulted in sssd staying in the offline mode when it shouldn't. There are two fixes being pulled in for this SRU: a) fix the monitoring of the target of the /etc/resolv.conf symlink b) change the fallback polling code to keep trying, instead of giving up right away [Test Case] It's recommended to test this in a lxd container, or a vm. Preparation steps. When prompted for an openldap/slapd password, chose any password you want. It won't be needed again: $ sudo apt update && sudo apt dist-upgrade $ sudo apt install sssd-ldap sssd-tools sssd-dbus slapd dnsmasq Become root: $ sudo su - Detect your ip: # export interface=$(ip route | grep default | sed -r 's,^default via .* dev ([a-z0-9]+) .*,\1,') # export ip=$(ip addr show dev $interface | grep "inet [0-9]" | awk '{print $2}' | cut -d / -f 1) Confirm the $ip variable is correct for your case: # echo $ip Create /etc/dnsmasq.d/sssd-test.conf using your real ip: # cat > /etc/dnsmasq.d/sssd-test.conf <<EOF host-record=ldap01.example.com,$ip listen-address=$ip interface=$interface except-interface=lo bind-interface EOF restart dnsmasq # systemctl restart dnsmasq a) inotify test Create /etc/sssd/sssd.conf: # cat > /etc/sssd/sssd.conf <<EOF [sssd] config_file_version = 2 services = nss, pam, ifp domains = LDAP debug_level = 6 [domain/LDAP] id_provider = ldap ldap_uri = ldap://ldap01.example.com cache_credentials = True ldap_search_base = dc=example,dc=com EOF # chmod 0600 /etc/sssd/sssd.conf # rm /etc/resolv.conf # ln -s /etc/resolv.conf.target /etc/resolv.conf create good resolv.conf: # echo "nameserver $ip" > /etc/resolv.conf.good Confirm /etc/resolv.conf is a broken symlink: # ll /etc/resolv.conf* lrwxrwxrwx 1 root root 23 May 13 20:48 /etc/resolv.conf -> /etc/resolv.conf.target -rw-r--r-- 1 root root 24 May 13 20:48 /etc/resolv.conf.good Open another terminal/screen and tail the sssd logs with a grep: # tail -F /var/log/sssd/sssd.log | grep -i resolv Start sssd # systemctl restart sssd The tail output from that other terminal should say sssd is monitoring /etc/resolv.conf (that's the broken symlink): (Mon May 18 17:32:34 2020) [sssd] [_snotify_create] (0x0400): Added a watch for /etc/resolv.conf with inotify flags 0x8D88 internal flags 0x1 using function resolv_conf_inotify_cb after delay 1.0 Repeat this sssctl call until it shows the offline mode persistently: # sssctl domain-status LDAP Online status: Offline Active servers: LDAP: not connected Discovered LDAP servers: - ldap01.example.com "Unbreak" the symlink: # cp /etc/resolv.conf.good /etc/resolv.conf.target The log should now say: (Mon May 18 17:33:30 2020) [sssd] [process_dir_event] (0x0400): Not interested in resolv.conf.target This shows that sssd didn't pick up that resolv.conf changed, via the target of the symlink. Run sssctl again, and the online status will remain offline. With the fixed packages, the sssd startup log will say: (Mon May 18 17:17:06 2020) [sssd] [_snotify_create] (0x0400): Added a watch for /etc/resolv.conf.target with inotify flags 0x8D88 internal flags 0x1 using function resolv_conf_inotify_cb after delay 1.0 Showing that it's monitoring the symlink target. And after fixing the broken symlink, it will say: (Mon May 18 17:18:06 2020) [sssd] [process_dir_event] (0x0400): received notification for watched file [resolv.conf.target] under /etc Run sssctl again, it should almost immediately switch to online: # sssctl domain-status LDAP Online status: Online Active servers: LDAP: ldap01.example.com Discovered LDAP servers: - ldap01.example.com b) polling test Repeat the previous test, but with "try_inotify = false" in sssd.conf, like this: # cat > /etc/sssd/sssd.conf <<EOF [sssd] config_file_version = 2 services = nss, pam, ifp domains = LDAP debug_level = 6 try_inotify = false [domain/LDAP] id_provider = ldap ldap_uri = ldap://ldap01.example.com cache_credentials = True ldap_search_base = dc=example,dc=com EOF Then follow the other steps of test case (a). Upon startup, the sssd log will show: (Mon May 18 17:57:04 2020) [sssd] [monitor_config_file_fallback] (0x0080): file [/etc/resolv.conf] is missing. Will not update online status based on watching the file Note how it says it will not watch it for updates. With the fixed package, the log will show this instead: (Mon May 18 18:02:56 2020) [sssd] [monitor_config_file_fallback] (0x0020): file [/etc/resolv.conf] is missing. Will try again later. Notice how it says it will try again, and multiple times if you keep watching it (once every 10s). "Unbreak" the symlink: # cp /etc/resolv.conf.good /etc/resolv.conf.target And the log output will eventually show this: (Mon May 18 18:04:06 2020) [sssd] [monitor_config_file_fallback] (0x0020): file [/etc/resolv.conf] is missing. Will try again later. (Mon May 18 18:04:17 2020) [sssd] [signal_res_init] (0x0040): Reloading Resolv.conf. And sssctl will show the now online status: # sssctl domain-status LDAP Online status: Online Active servers: LDAP: ldap01.example.com Discovered LDAP servers: - ldap01.example.com [Regression Potential] Breaking sssd can mean preventing logins of network remote users on a system, but should still allow local users (and root) to login. Another possible source of regressions, but not related to the code changes in this update, if there are pre-existing incorrect changes to sssd.conf, they might prevent the service from restarting when this update is applied. [Other Info] Not at this time. [Original Description] SSSD 1.15.3-2ubuntu1 on 17.10/artful (previous versions on artful were also affected) is offline on boot and seems to stay offline forever (I waited over 20 minutes). sssd_nss.log: (Fri Oct 13 09:49:50 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] ... SSSD immediately returns to normal operation after restarting it or after sending SIGUSR2. A workaround for the problem is creating the file /etc/systemd/system/sssd.service.d/override.conf with contents [Unit] Requires=network-online.target After=network-online.target
2020-06-02 14:24:17 Andreas Hasenack tags server-next verification-needed verification-needed-bionic verification-needed-eoan server-next verification-done-eoan verification-needed verification-needed-bionic
2020-06-02 14:38:09 Andreas Hasenack description [Impact] sssd can switch to an offline mode of operation when it cannot reach the authentication or id backend. It uses several methods to assess the situation, and one of them is monitoring the /etc/resolv.conf file for changes. In ubuntu that file is a symlink to /run/systemd/resolve/stub-resolv.conf, but the target doesn't exist at all times during boot. It's expected that symlink to be broken for a while during boot. Turns out that the monitoring that sssd was doing on /etc/resolv.conf didn't take into consideration that what could change was the *target* of the symlink. it completely ignored that fact, and didn't notice when the resolv.conf contents actually changed in this scenario, which resulted in sssd staying in the offline mode when it shouldn't. There are two fixes being pulled in for this SRU: a) fix the monitoring of the target of the /etc/resolv.conf symlink b) change the fallback polling code to keep trying, instead of giving up right away [Test Case] It's recommended to test this in a lxd container, or a vm. Preparation steps. When prompted for an openldap/slapd password, chose any password you want. It won't be needed again: $ sudo apt update && sudo apt dist-upgrade $ sudo apt install sssd-ldap sssd-tools sssd-dbus slapd dnsmasq Become root: $ sudo su - Detect your ip: # export interface=$(ip route | grep default | sed -r 's,^default via .* dev ([a-z0-9]+) .*,\1,') # export ip=$(ip addr show dev $interface | grep "inet [0-9]" | awk '{print $2}' | cut -d / -f 1) Confirm the $ip variable is correct for your case: # echo $ip Create /etc/dnsmasq.d/sssd-test.conf using your real ip: # cat > /etc/dnsmasq.d/sssd-test.conf <<EOF host-record=ldap01.example.com,$ip listen-address=$ip interface=$interface except-interface=lo bind-interface EOF restart dnsmasq # systemctl restart dnsmasq a) inotify test Create /etc/sssd/sssd.conf: # cat > /etc/sssd/sssd.conf <<EOF [sssd] config_file_version = 2 services = nss, pam, ifp domains = LDAP debug_level = 6 [domain/LDAP] id_provider = ldap ldap_uri = ldap://ldap01.example.com cache_credentials = True ldap_search_base = dc=example,dc=com EOF # chmod 0600 /etc/sssd/sssd.conf # rm /etc/resolv.conf # ln -s /etc/resolv.conf.target /etc/resolv.conf create good resolv.conf: # echo "nameserver $ip" > /etc/resolv.conf.good Confirm /etc/resolv.conf is a broken symlink: # ll /etc/resolv.conf* lrwxrwxrwx 1 root root 23 May 13 20:48 /etc/resolv.conf -> /etc/resolv.conf.target -rw-r--r-- 1 root root 24 May 13 20:48 /etc/resolv.conf.good Open another terminal/screen and tail the sssd logs with a grep: # tail -F /var/log/sssd/sssd.log | grep -i resolv Start sssd # systemctl restart sssd The tail output from that other terminal should say sssd is monitoring /etc/resolv.conf (that's the broken symlink): (Mon May 18 17:32:34 2020) [sssd] [_snotify_create] (0x0400): Added a watch for /etc/resolv.conf with inotify flags 0x8D88 internal flags 0x1 using function resolv_conf_inotify_cb after delay 1.0 Repeat this sssctl call until it shows the offline mode persistently: # sssctl domain-status LDAP Online status: Offline Active servers: LDAP: not connected Discovered LDAP servers: - ldap01.example.com "Unbreak" the symlink: # cp /etc/resolv.conf.good /etc/resolv.conf.target The log should now say: (Mon May 18 17:33:30 2020) [sssd] [process_dir_event] (0x0400): Not interested in resolv.conf.target This shows that sssd didn't pick up that resolv.conf changed, via the target of the symlink. Run sssctl again, and the online status will remain offline. With the fixed packages, the sssd startup log will say: (Mon May 18 17:17:06 2020) [sssd] [_snotify_create] (0x0400): Added a watch for /etc/resolv.conf.target with inotify flags 0x8D88 internal flags 0x1 using function resolv_conf_inotify_cb after delay 1.0 Showing that it's monitoring the symlink target. And after fixing the broken symlink, it will say: (Mon May 18 17:18:06 2020) [sssd] [process_dir_event] (0x0400): received notification for watched file [resolv.conf.target] under /etc Run sssctl again, it should almost immediately switch to online: # sssctl domain-status LDAP Online status: Online Active servers: LDAP: ldap01.example.com Discovered LDAP servers: - ldap01.example.com b) polling test Repeat the previous test, but with "try_inotify = false" in sssd.conf, like this: # cat > /etc/sssd/sssd.conf <<EOF [sssd] config_file_version = 2 services = nss, pam, ifp domains = LDAP debug_level = 6 try_inotify = false [domain/LDAP] id_provider = ldap ldap_uri = ldap://ldap01.example.com cache_credentials = True ldap_search_base = dc=example,dc=com EOF Then follow the other steps of test case (a). Upon startup, the sssd log will show: (Mon May 18 17:57:04 2020) [sssd] [monitor_config_file_fallback] (0x0080): file [/etc/resolv.conf] is missing. Will not update online status based on watching the file Note how it says it will not watch it for updates. With the fixed package, the log will show this instead: (Mon May 18 18:02:56 2020) [sssd] [monitor_config_file_fallback] (0x0020): file [/etc/resolv.conf] is missing. Will try again later. Notice how it says it will try again, and multiple times if you keep watching it (once every 10s). "Unbreak" the symlink: # cp /etc/resolv.conf.good /etc/resolv.conf.target And the log output will eventually show this: (Mon May 18 18:04:06 2020) [sssd] [monitor_config_file_fallback] (0x0020): file [/etc/resolv.conf] is missing. Will try again later. (Mon May 18 18:04:17 2020) [sssd] [signal_res_init] (0x0040): Reloading Resolv.conf. And sssctl will show the now online status: # sssctl domain-status LDAP Online status: Online Active servers: LDAP: ldap01.example.com Discovered LDAP servers: - ldap01.example.com [Regression Potential] Breaking sssd can mean preventing logins of network remote users on a system, but should still allow local users (and root) to login. Another possible source of regressions, but not related to the code changes in this update, if there are pre-existing incorrect changes to sssd.conf, they might prevent the service from restarting when this update is applied. [Other Info] Not at this time. [Original Description] SSSD 1.15.3-2ubuntu1 on 17.10/artful (previous versions on artful were also affected) is offline on boot and seems to stay offline forever (I waited over 20 minutes). sssd_nss.log: (Fri Oct 13 09:49:50 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] ... SSSD immediately returns to normal operation after restarting it or after sending SIGUSR2. A workaround for the problem is creating the file /etc/systemd/system/sssd.service.d/override.conf with contents [Unit] Requires=network-online.target After=network-online.target [Impact] sssd can switch to an offline mode of operation when it cannot reach the authentication or id backend. It uses several methods to assess the situation, and one of them is monitoring the /etc/resolv.conf file for changes. In ubuntu that file is a symlink to /run/systemd/resolve/stub-resolv.conf, but the target doesn't exist at all times during boot. It's expected that symlink to be broken for a while during boot. Turns out that the monitoring that sssd was doing on /etc/resolv.conf didn't take into consideration that what could change was the *target* of the symlink. it completely ignored that fact, and didn't notice when the resolv.conf contents actually changed in this scenario, which resulted in sssd staying in the offline mode when it shouldn't. There are two fixes being pulled in for this SRU: a) fix the monitoring of the target of the /etc/resolv.conf symlink b) change the fallback polling code to keep trying, instead of giving up right away [Test Case] It's recommended to test this in a lxd container, or a vm. Preparation steps. When prompted for an openldap/slapd password, chose any password you want. It won't be needed again: $ sudo apt update && sudo apt dist-upgrade $ sudo apt install sssd-ldap sssd-tools sssd-dbus slapd dnsmasq Become root: $ sudo su - Detect your ip: # export interface=$(ip route | grep default | sed -r 's,^default via .* dev ([a-z0-9]+) .*,\1,') # export ip=$(ip addr show dev $interface | grep "inet [0-9]" | awk '{print $2}' | cut -d / -f 1) Confirm the $ip variable is correct for your case: # echo $ip Create /etc/dnsmasq.d/sssd-test.conf using your real ip: # cat > /etc/dnsmasq.d/sssd-test.conf <<EOF host-record=ldap01.example.com,$ip listen-address=$ip interface=$interface except-interface=lo bind-interfaces EOF restart dnsmasq # systemctl restart dnsmasq a) inotify test Create /etc/sssd/sssd.conf: # cat > /etc/sssd/sssd.conf <<EOF [sssd] config_file_version = 2 services = nss, pam, ifp domains = LDAP debug_level = 6 [domain/LDAP] id_provider = ldap ldap_uri = ldap://ldap01.example.com cache_credentials = True ldap_search_base = dc=example,dc=com EOF # chmod 0600 /etc/sssd/sssd.conf # rm /etc/resolv.conf # ln -s /etc/resolv.conf.target /etc/resolv.conf create good resolv.conf: # echo "nameserver $ip" > /etc/resolv.conf.good Confirm /etc/resolv.conf is a broken symlink: # ll /etc/resolv.conf* lrwxrwxrwx 1 root root 23 May 13 20:48 /etc/resolv.conf -> /etc/resolv.conf.target -rw-r--r-- 1 root root 24 May 13 20:48 /etc/resolv.conf.good Open another terminal/screen and tail the sssd logs with a grep: # tail -F /var/log/sssd/sssd.log | grep -i resolv Start sssd # systemctl restart sssd The tail output from that other terminal should say sssd is monitoring /etc/resolv.conf (that's the broken symlink): (Mon May 18 17:32:34 2020) [sssd] [_snotify_create] (0x0400): Added a watch for /etc/resolv.conf with inotify flags 0x8D88 internal flags 0x1 using function resolv_conf_inotify_cb after delay 1.0 Repeat this sssctl call until it shows the offline mode persistently: # sssctl domain-status LDAP Online status: Offline Active servers: LDAP: not connected Discovered LDAP servers: - ldap01.example.com "Unbreak" the symlink: # cp /etc/resolv.conf.good /etc/resolv.conf.target The log should now say: (Mon May 18 17:33:30 2020) [sssd] [process_dir_event] (0x0400): Not interested in resolv.conf.target This shows that sssd didn't pick up that resolv.conf changed, via the target of the symlink. Run sssctl again, and the online status will remain offline. With the fixed packages, the sssd startup log will say: (Mon May 18 17:17:06 2020) [sssd] [_snotify_create] (0x0400): Added a watch for /etc/resolv.conf.target with inotify flags 0x8D88 internal flags 0x1 using function resolv_conf_inotify_cb after delay 1.0 Showing that it's monitoring the symlink target. And after fixing the broken symlink, it will say: (Mon May 18 17:18:06 2020) [sssd] [process_dir_event] (0x0400): received notification for watched file [resolv.conf.target] under /etc Run sssctl again, it should almost immediately switch to online: # sssctl domain-status LDAP Online status: Online Active servers: LDAP: ldap01.example.com Discovered LDAP servers: - ldap01.example.com b) polling test Repeat the previous test, but with "try_inotify = false" in sssd.conf, like this: # cat > /etc/sssd/sssd.conf <<EOF [sssd] config_file_version = 2 services = nss, pam, ifp domains = LDAP debug_level = 6 try_inotify = false [domain/LDAP] id_provider = ldap ldap_uri = ldap://ldap01.example.com cache_credentials = True ldap_search_base = dc=example,dc=com EOF Then follow the other steps of test case (a). Upon startup, the sssd log will show: (Mon May 18 17:57:04 2020) [sssd] [monitor_config_file_fallback] (0x0080): file [/etc/resolv.conf] is missing. Will not update online status based on watching the file Note how it says it will not watch it for updates. With the fixed package, the log will show this instead: (Mon May 18 18:02:56 2020) [sssd] [monitor_config_file_fallback] (0x0020): file [/etc/resolv.conf] is missing. Will try again later. Notice how it says it will try again, and multiple times if you keep watching it (once every 10s). "Unbreak" the symlink: # cp /etc/resolv.conf.good /etc/resolv.conf.target And the log output will eventually show this: (Mon May 18 18:04:06 2020) [sssd] [monitor_config_file_fallback] (0x0020): file [/etc/resolv.conf] is missing. Will try again later. (Mon May 18 18:04:17 2020) [sssd] [signal_res_init] (0x0040): Reloading Resolv.conf. And sssctl will show the now online status: # sssctl domain-status LDAP Online status: Online Active servers: LDAP: ldap01.example.com Discovered LDAP servers: - ldap01.example.com [Regression Potential] Breaking sssd can mean preventing logins of network remote users on a system, but should still allow local users (and root) to login. Another possible source of regressions, but not related to the code changes in this update, if there are pre-existing incorrect changes to sssd.conf, they might prevent the service from restarting when this update is applied. [Other Info] Not at this time. [Original Description] SSSD 1.15.3-2ubuntu1 on 17.10/artful (previous versions on artful were also affected) is offline on boot and seems to stay offline forever (I waited over 20 minutes). sssd_nss.log: (Fri Oct 13 09:49:50 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] (Fri Oct 13 09:49:51 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline] ... SSSD immediately returns to normal operation after restarting it or after sending SIGUSR2. A workaround for the problem is creating the file /etc/systemd/system/sssd.service.d/override.conf with contents [Unit] Requires=network-online.target After=network-online.target
2020-06-02 14:47:09 Andreas Hasenack tags server-next verification-done-eoan verification-needed verification-needed-bionic server-next verification-done-bionic verification-done-eoan verification-needed
2020-06-09 13:01:36 Robie Basak removed subscriber Ubuntu Stable Release Updates Team
2020-06-09 13:01:35 Launchpad Janitor sssd (Ubuntu Eoan): status Fix Committed Fix Released
2020-06-09 13:01:53 Launchpad Janitor sssd (Ubuntu Bionic): status Fix Committed Fix Released