Package: freeipa-client Version: 4.9.8-1+b3 Severity: normal Dear Maintainer,
After installing freeipa-client, sssd is configured to activate certain services in /etc/sssd/sssd.conf: ... [sssd] services = nss, pam, ssh, sudo ... but the various sssd-*.socket socket-activated systemd services are enabled by default: # systemctl status sssd-*.socket Loaded: loaded (/lib/systemd/system/sssd-pam.socket; enabled; preset: enabled) Loaded: loaded (/lib/systemd/system/sssd-ssh.socket; enabled; preset: enabled) Loaded: loaded (/lib/systemd/system/sssd-pam-priv.socket; enabled; preset: enabled) Loaded: loaded (/lib/systemd/system/sssd-pam.socket; enabled; preset: enabled) Loaded: loaded (/lib/systemd/system/sssd-nss.socket; enabled; preset: enabled) which leads to errors in the journald log when booting: Dec 13 06:24:23 systemd[1]: Failed to listen on SSSD Sudo Service responder socket. Dec 13 06:24:23 systemd[1]: Failed to listen on SSSD SSH Service responder socket. Dec 13 06:24:23 systemd[1]: Failed to listen on SSSD PAM Service responder private socket. Dec 13 06:24:23 systemd[1]: Failed to listen on SSSD NSS Service responder socket. Dec 13 06:25:14 systemd[1]: Dependency failed for SSSD PAM Service responder socket. each preceded by warnings (which are similar for all services): Dec 13 06:24:23 sssd_check_socket_activated_responders[511]: The sudo responder has been configured to be socket-activated but it's still mentioned in the services' line in /etc/sssd/sssd.conf. Dec 13 06:24:23 sssd_check_socket_activated_responders[511]: Please, consider either adjusting your services' line in /etc/sssd/sssd.conf or disabling the sudo's socket by calling: Dec 13 06:24:23 sssd_check_socket_activated_responders[511]: "systemctl disable sssd-sudo.socket" Our action is to systematically disable these services: # systemctl disable sssd-nss.socket # systemctl disable sssd-pam.socket # systemctl disable sssd-pam-priv.socket # systemctl disable sssd-sudo.socket # systemctl disable sssd-ssh.socket which removes the error messages when booting, without affecting operations. (Tested over many months on bullseye/stable with the freeipa-client from backports) Please note, that on RHEL 8, these 5 socket-activated services are disabled by default. While this issue does not affect operations, it creates unnecessary error notifications by each reboot, which are disturbing for system administrators. My suggestion would be to disable these services when the freeipa- client package is installed. -- System Information: Debian Release: bookworm/sid APT prefers testing APT policy: (500, 'testing') Architecture: amd64 (x86_64) Kernel: Linux 6.0.0-5-amd64 (SMP w/4 CPU threads; PREEMPT) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages freeipa-client depends on: ii bind9-dnsutils [dnsutils] 1:9.18.8-1 ii bind9-utils 1:9.18.8-1 ii certmonger 0.79.16-1+b1 ii curl 7.86.0-2 ii freeipa-common 4.9.8-1 ii krb5-user 1.20.1-1 ii libc6 2.36-6 ii libcom-err2 1.46.6~rc1-1+b1 ii libcurl4 7.86.0-2 ii libini-config5 0.6.2-1 ii libjansson4 2.14-2 ii libk5crypto3 1.20.1-1 ii libkrb5-3 1.20.1-1 ii libldap-2.5-0 2.5.13+dfsg-2+b1 ii libnss-sss 2.8.1-1 ii libnss3-tools 2:3.85-1 ii libpam-sss 2.8.1-1 ii libpopt0 1.19+dfsg-1 ii libsasl2-modules-gssapi-mit 2.1.28+dfsg-10 ii libssl3 3.0.7-1 ii libsss-sudo 2.8.1-1 ii oddjob-mkhomedir 0.34.7-1+b1 ii python3 3.10.6-1 ii python3-dnspython 2.2.1-2 ii python3-gssapi 1.8.2-1 ii python3-ipaclient 4.9.8-1 ii python3-ldap 3.4.3-2+b1 ii python3-sss 2.8.1-1 ii sssd 2.8.1-1 Versions of packages freeipa-client recommends: ii chrony 4.3-1+b1 Versions of packages freeipa-client suggests: pn libpam-krb5 <none> -- no debconf information