Public bug reported:
Hello,
We've unfortunately discovered that if SSSD fails to start on boot, you
can be stuck in an infinite service restart loop, preventing full boot up.
I believe this is due to differences in the service unit file between
the minimalist unit provided by Canonical and the upstream which seems
to be able to defang the problem due to settings for
StartLimitIntervalSec and StartLimitBurst being present which allow the
service to fail with some finality and then allow the system to continue
to boot.
In our particular case, we had someone accidentally delete quite a few
/etc/krb5.keytab files which will break SSSD-AD, but any service failure
ought to apply the same way.
I've worked around this in Ubuntu by adding an sssd-override.conf file
to systemd and this has proven to resolve the issue.
My own override.conf file also adds ConditionPathExists entries for
sssd.conf and krb5.keytab but that's overkill, and only the sssd.conf
ConditionPathExists would apply to a base non-kerberos, non-AD SSSD
installation, so disregard that part.
sssd-override.conf:
```
# {{ ansible_managed }}
# This drop-in makes sssd failures non-fatal for boot and prevents fast restart loops.
# Lines explained:
# [Unit]/FailureAction=none -> Don't take global actions (reboot/poweroff) if sssd fails.
# [Unit]/ConditionPathExists=... -> Only start sssd if it's configured.
# [Unit]/StartLimitIntervalSec=5min, StartLimitBurst=2 -> Stop retrying after 2 starts within 5 minutes.
# [Service]/Restart=on-failure -> Retry only on abnormal failure (not on clean stops).
# [Service]/RestartSec=10s -> Back off between retries; avoids hammering LDAP/DNS.
# [Service]/TimeoutStartSec=30s -> Fail fast if startup hangs; prevents boot stalls.
#
# 2025-09-09 - Kodiak Firesmith <[email protected]>
[Unit]
FailureAction=none
ConditionPathExists=/etc/sssd/sssd.conf
ConditionPathExists=/etc/krb5.keytab
StartLimitIntervalSec=5min
StartLimitBurst=2
[Service]
Restart=on-failure
RestartSec=10s
TimeoutStartSec=30s
```
** Affects: sssd (Ubuntu)
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/2122722
Title:
SSSD downstream systemd service unit causes a boot loop in certain
circumstances
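The start-limit settings discussed in the report only stop a restart loop if enough start attempts fit inside the limit window. The following check is an added example, not part of the original report or of SSSD. It models systemd's start rate limit for a unit that fails after a fixed time; `BASE` is a constructed unit (not Ubuntu's shipped sssd.service), and the function names are hypothetical.

```python
import re

# systemd's built-in defaults, used when neither unit nor drop-in sets the key.
DEFAULTS = {"Restart": "no", "RestartSec": "100ms",
            "StartLimitIntervalSec": "10s", "StartLimitBurst": "5"}
UNITS = {"": 1.0, "s": 1.0, "sec": 1.0, "ms": 0.001, "min": 60.0, "m": 60.0, "h": 3600.0}

# Constructed unit that restarts but sets no start limit (not Ubuntu's shipped unit).
BASE = "[Service]\nRestart=on-failure\nRestartSec=10s\n"
# The start-limit lines from the drop-in quoted in the report.
DROPIN = "[Unit]\nStartLimitIntervalSec=5min\nStartLimitBurst=2\n"

def seconds(span):
    """Convert a simple systemd time span ("10s", "5min", "30") to seconds."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)\s*([a-z]*)", span.strip())
    if not m or m.group(2) not in UNITS:
        raise ValueError(f"unsupported time span: {span!r}")
    return float(m.group(1)) * UNITS[m.group(2)]

def settings(*texts):
    """Merge unit text and drop-ins in order; later assignments win."""
    merged = dict(DEFAULTS)
    for text in texts:
        for line in text.splitlines():
            line = line.strip()
            if "=" in line and not line.startswith(("#", ";", "[")):
                key, value = line.split("=", 1)
                if key.strip() in DEFAULTS:
                    merged[key.strip()] = value.strip()
    return merged

def gives_up(cfg, seconds_to_fail):
    """True if the start limit eventually stops the automatic restarts."""
    if cfg["Restart"] == "no":
        return True
    interval = seconds(cfg["StartLimitIntervalSec"])
    burst = int(cfg["StartLimitBurst"])
    if interval == 0:  # an interval of 0 disables rate limiting entirely
        return False
    cycle = seconds_to_fail + seconds(cfg["RestartSec"])
    # Start number burst+1 occurs burst*cycle after the window opened;
    # it is refused only if that still falls inside the window.
    return burst * cycle <= interval

if __name__ == "__main__":
    for name, cfg in (("base only", settings(BASE)), ("with drop-in", settings(BASE, DROPIN))):
        print(name, "-> gives up:", gives_up(cfg, seconds_to_fail=1))
```

With a 10 s `RestartSec` and the default 10 s window, only one start ever lands in each window, so the default burst of 5 is never reached; the report's 5 min window with a burst of 2 is reached on the third attempt.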