On 01/08/2017 09:44 PM, Fabiano Fidêncio wrote:
People,

Recently I've faced some issues when testing the socket-activation work
running as sssd-user, which will force me to take a different path for a
few things, and I really would like to know your opinion on those things.

So, currently, this is what the nss.service looks like:

[Unit]
Description=SSSD NSS Service responder
Documentation=man:sssd.conf(5)
After=sssd.service
BindsTo=sssd.service

[Install]
Also=sssd-nss.socket

[Service]
ExecStartPre=-/bin/chown @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_nss.log
ExecStart=@libexecdir@/sssd/sssd_nss --debug-to-files --unprivileged-start
Restart=on-failure
User=@SSSD_USER@
Group=@SSSD_USER@
PermissionsStartOnly=true

As you probably noticed, I've been using systemd's machinery to change
the debug files' owner and to start the responder as the proper user
(sssd or root). Well, it doesn't work as well as expected, as systemd
ends up calling initgroups(sssd, ...) in order to start any service
using the "sssd" user, and this call is done _before_ starting the NSS
responder, which will hang for the "default client timeout" (300s).

Okay, we have to change it and here is where I need your help!

The simplest solution would be to disable socket activation for the NSS responder. Socket activation is supposed to be used for responders that are seldom used.
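The hang described above is a circular dependency: systemd holds the listening socket for the NSS responder, resolves User=sssd via initgroups() before exec, and that lookup goes through the sss NSS module to the very socket whose responder has not been started yet. The connect() succeeds (the connection just sits in the listen backlog), so the client blocks until its timeout instead of failing fast. The following simulation is an added example, not sssd or systemd code; the UNIX socket, the toy responder protocol and the shortened 0.5 s timeout (standing in for the 300 s default client timeout) are constructed for illustration. It contrasts the socket-activated case with the case the reply proposes, where the responder is already running when the lookup happens.

```python
"""Simulation of the sssd_nss socket-activation deadlock.

Constructed example: a "systemd" that owns the listening socket and
resolves the service user over it before the responder exists, versus
a responder that is already running when the lookup is made.
"""
import os
import socket
import tempfile
import threading

# Stands in for sssd's 300 s default client timeout (assumed value).
CLIENT_TIMEOUT = 0.5


def responder_loop(listener, stop):
    """Toy NSS responder: answers each query with a fixed group list."""
    listener.settimeout(0.1)  # poll so the loop can observe `stop`
    while not stop.is_set():
        try:
            conn, _ = listener.accept()
        except socket.timeout:
            continue
        with conn:
            name = conn.recv(256).decode()
            conn.sendall(f"{name}:sssd\n".encode())


def initgroups_via_socket(path):
    """What systemd's initgroups() ends up doing through the sss NSS module:
    connect to the responder socket and wait for the group list.
    Returns the reply, or None if the client timeout expires."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as c:
        c.settimeout(CLIENT_TIMEOUT)
        c.connect(path)          # succeeds: the connection queues in the backlog
        c.sendall(b"sssd")
        try:
            return c.recv(256).decode().strip()
        except socket.timeout:
            return None


def start_service(socket_activated):
    """Model of starting a responder with User=sssd.

    socket_activated=True : systemd holds the socket, resolves the user,
                            and would exec the responder only afterwards.
    socket_activated=False: the responder is already listening (e.g.
                            started by the sssd monitor) when the lookup runs.
    Returns ("ok", groups) or ("hung", None).
    """
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "nss")
    listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    listener.bind(path)
    listener.listen(5)
    stop = threading.Event()
    responder = None
    try:
        if not socket_activated:
            responder = threading.Thread(
                target=responder_loop, args=(listener, stop), daemon=True)
            responder.start()
        # systemd resolves User= before exec: this is the initgroups() call.
        groups = initgroups_via_socket(path)
        if groups is None:
            # In the socket-activated case nobody ever accepts the connection,
            # because the responder would only be exec'd after this returns.
            return ("hung", None)
        return ("ok", groups)
    finally:
        stop.set()
        if responder is not None:
            responder.join()
        listener.close()
        os.unlink(path)
        os.rmdir(workdir)


if __name__ == "__main__":
    print("socket-activated:", start_service(socket_activated=True))
    print("already running: ", start_service(socket_activated=False))
```

Running it shows the socket-activated path returning ("hung", None) only after the client timeout, while the path with an already-running responder returns the group list immediately; the difference is exactly the ordering of the user lookup relative to the responder's startup, not anything about the lookup itself.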

_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org