On Wed, Mar 16, 2022 at 6:04 AM Alexey Tikhonov wrote:
> How would you use SSSD without any domain configured?
I have a host on which I kinit against principals in Kerberos realms
for which the host is not joined and has no other sssd services
running, and I use KCM as the Kerberos credentials
On (15/03/22 18:45), Brian J. Murrell wrote:
>I am getting some SELinux AVC alerts for a given process in a given domain
>that seems to want to be able to read files in /var/lib/sss/.
>
>strace(1)ing the (unprivileged) process it seems to want to do the following:
>
>4024612 openat(AT_FDCWD,
On Wed, Mar 16, 2022 at 11:39 AM Brian J. Murrell wrote:
> > Hi,
>
> Hi.
>
> > What OS is running on your system?
>
> EL8.5
>
Did you tune any default selinux policies?
>
>
> > What is the output of `cat /etc/nsswitch.conf | grep passwd` on your
> > system?
>
> passwd: sss files systemd
>
> Hi,
Hi.
> What OS is running on your system?
EL8.5
> What is the output of `cat /etc/nsswitch.conf | grep passwd` on your
> system?
passwd: sss files systemd
> Do you use SSSD on purpose?
Yes. I use FreeIPA here.
So it's not at all surprising to see these /var/lib/sss accesses. I
Hi,
On Wed, Mar 16, 2022 at 5:17 AM James Ralston wrote:
> For recent versions of sssd, the monitor (the sssd.service) won’t even
> start unless at least one domain is configured.
>
> As sssd.conf(5) notes, all sssd services can be socket-activated when
> needed. There is no need to list any