Verified working:

Setup:
# lxc launch ubuntu-daily:xenial tester && lxc exec tester bash

Failure Case:
# apt update && apt dist-upgrade -y && apt install -y sssd
# echo "[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
[pam]
reconnection_retries = 3
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = europe.example.com,asia.example.com
[domain/europe.example.com]
#With this as false, a simple "getent passwd" for testing won't work. You must do getent passwd u...@domain.com
enumerate = false
cache_credentials = true
id_provider = ldap
access_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldaps://dc1.europe.example.com,ldaps://dc2.europe.example.com
ldap_search_base = dc=europe,dc=example,dc=com
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
#This parameter requires that the DC present a completely validated certificate chain. If you're testing or don't care, use 'allow' or 'never'.
#Note that 'allow' and 'never' stop enforcing certificate validation, so a spoofed DC could capture the bind credentials below; keep 'demand' outside throwaway test setups.
ldap_tls_reqcert = demand
krb5_realm = EUROPE.EXAMPLE.COM
dns_discovery_domain = EUROPE.EXAMPLE.COM
ldap_schema = rfc2307bis
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
ldap_user_search_base = dc=europe,dc=example,dc=com
ldap_group_search_base = dc=europe,dc=example,dc=com
ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_fullname = displayName
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
ldap_group_name = sAMAccountName
#Bind credentials (stored here in clear text, so keep sssd.conf readable by root only)
ldap_default_bind_dn = cn=europe-ldap-reader,cn=Users,dc=europe,dc=example,dc=com
ldap_default_authtok = secret
[domain/asia.example.com]
#With this as false, a simple "getent passwd" for testing won't work. You must do getent passwd u...@domain.com
enumerate = false
cache_credentials = true
id_provider = ldap
access_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldaps://dc1.asia.example.com,ldaps://dc2.asia.example.com
ldap_search_base = dc=asia,dc=example,dc=com
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
#This parameter requires that the DC present a completely validated certificate chain. If you're testing or don't care, use 'allow' or 'never'.
#Note that 'allow' and 'never' stop enforcing certificate validation, so a spoofed DC could capture the bind credentials below; keep 'demand' outside throwaway test setups.
ldap_tls_reqcert = demand
krb5_realm = ASIA.EXAMPLE.COM
dns_discovery_domain = ASIA.EXAMPLE.COM
ldap_schema = rfc2307bis
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
ldap_user_search_base = dc=asia,dc=example,dc=com
ldap_group_search_base = dc=asia,dc=example,dc=com
ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_fullname = displayName
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
ldap_group_name = sAMAccountName
#Bind credentials (stored here in clear text, so keep sssd.conf readable by root only)
ldap_default_bind_dn = cn=asia-ldap-reader,cn=Users,dc=asia,dc=example,dc=com
ldap_default_authtok = secret" >/etc/sssd/sssd.conf
# chmod 600 /etc/sssd/sssd.conf
# service sssd start
# pkill -KILL -F /var/run/sssd.pid
# service sssd start
Job for sssd.service failed because the control process exited with error code. See "systemctl status sssd.service" and "journalctl -xe" for details.
# journalctl -xe
...
Oct 30 10:25:46 xtest sssd[7110]: SSSD is already running

Upgrade to Proposed and Retry:
# echo "deb http://archive.ubuntu.com/ubuntu xenial-proposed main restricted universe multiverse" >>/etc/apt/sources.list
# apt update && apt dist-upgrade -y
# service sssd start
# systemctl status sssd
● sssd.service - System Security Services Daemon
   Loaded: loaded (/lib/systemd/system/sssd.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2018-11-16 10:32:23 UTC; 21s ago
 Main PID: 5584 (sssd)
    Tasks: 5
   Memory: 35.4M
      CPU: 88ms
   CGroup: /system.slice/sssd.service
           ├─5584 /usr/sbin/sssd -i -f
           ├─5585 /usr/lib/x86_64-linux-gnu/sssd/sssd_be --domain europe.example.com --uid 0 --gid 0 --debug-to-files
           ├─5586 /usr/lib/x86_64-linux-gnu/sssd/sssd_be --domain asia.example.com --uid 0 --gid 0 --debug-to-files
           ├─5587 /usr/lib/x86_64-linux-gnu/sssd/sssd_nss --uid 0 --gid 0 --debug-to-files
           └─5588 /usr/lib/x86_64-linux-gnu/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files

Nov 16 10:32:23 tester systemd[1]: Starting System Security Services Daemon...
Nov 16 10:32:23 tester sssd[5584]: Starting up
Nov 16 10:32:23 tester sssd[be[5586]: Starting up
Nov 16 10:32:23 tester sssd[be[5585]: Starting up
Nov 16 10:32:23 tester sssd[5587]: Starting up
Nov 16 10:32:23 tester sssd[5588]: Starting up
Nov 16 10:32:23 tester systemd[1]: Started System Security Services Daemon.

** Tags removed: verification-needed verification-needed-xenial
** Tags added: verification-done verification-done-xenial

https://bugs.launchpad.net/bugs/1777860
Title: Sssd doesn't clean up PIDfile after crash