I'm trying to determine whether this is a known feature, a dumb user problem with a known workaround, or a problem.
I don't seem to be able to run a systemd service as a user provided by sssd? I joined my Fedora 19 analysis machine to my freeipa domain and configured sssd to allow logins from my AD. The simple access provider lets me in and disallows everyone else. Prior to this conversion, I had been running "ipython notebook" as me-the-local-user, as a systemd unit. All my files have been chowned so that my new domain login plays nice with them.
I can run "ipython notebook" (which is how the service is started) from the command line and it works.
The problem is, systemd is consistently failing with an exit code of 217/USER. I made a local user ('ipython'), and systemd runs perfectly fine. Systemd seems to want its users to exist in /etc/passwd (getent passwd <me> succeeds).
Ordinarily, this is where I'd say "fine, ship it". But my multi TB data files are on an NFS mount, and they're owned by me-the-domain-user. The local 'ipython' account can't manipulate them, and any new files it makes on the NFS mount will be owned by uidNumber 1000, which doesn't belong to any domain user. Note that prior to this, I was manually coordinating UIDs in password files, which is why this worked: same UID as other systems, user in the password file, everything works out.
Is there any way to run a system service as an sssd-provided domain user? For the moment, I guess I'm disabling this systemd service and running the server by hand inside a screen session.
Bryce
This electronic message contains information generated by the USDA solely for the intended recipients. Any unauthorized interception of this message or the use or disclosure of the information it contains may violate the law and subject the violator to civil or criminal penalties. If you believe you have received this message in error, please notify the sender and delete the email immediately.
On 09/10/2014 07:11 PM, Nordgren, Bryce L -FS wrote:
Do I get it right that you are not actually trying to run systemd itself as a user, but to start a service by systemd that will run as an SSSD user? You might have a chicken-and-egg problem, because the user might not be available until SSSD is started and running. So I think the service you are trying to start should be dependent on SSSD and make sure that SSSD is running.
Sorry if I misunderstood what you are trying to do.
Dmitri
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
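The script below is an added example and is not code from this thread or from the SSSD project. It does the three checks a reader of the exchange above would want: it reports whether an account is defined in the local passwd file or only resolves through another NSS source (which is what an SSSD-provided user does, and why the account is unavailable until sssd is up), it writes the drop-in that orders the service after sssd.service as Dmitri suggests, and it recognises the 217/USER status that systemd reports when User= cannot be resolved. The unit name ipython-notebook.service comes from the thread; the drop-in file name 10-sssd.conf, the RUN_DIAG variable and the default user name are assumptions.

```shell
#!/bin/sh
# Added diagnostic for the systemd 217/USER failure discussed in the thread.
# Not part of the original posts; file names and defaults are assumptions.
set -u

# Report where a user account comes from:
#   files  - present in /etc/passwd, so systemd can resolve it at any time
#   remote - resolvable via getent only, i.e. supplied by another NSS source
#            such as SSSD, which must be running before the service starts
#   none   - not resolvable at all; systemd will fail with status 217/USER
user_source() {
    name="$1"
    if awk -F: -v u="$name" '$1 == u { found = 1 } END { exit !found }' /etc/passwd; then
        echo files
    elif getent passwd "$name" >/dev/null 2>&1; then
        echo remote
    else
        echo none
    fi
}

# Write a drop-in that orders the unit after sssd.service and pulls it in.
# $1 is the drop-in directory, normally
# /etc/systemd/system/ipython-notebook.service.d (a temp dir in tests).
# Prints the path of the file it wrote.
write_sssd_dropin() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/10-sssd.conf" <<'EOF'
[Unit]
# User= is resolved by systemd when the service is started, so the NSS
# source that supplies the account has to be up first.
After=sssd.service
Wants=sssd.service
EOF
    echo "$dir/10-sssd.conf"
}

# Return 0 when a status string is systemd's "user lookup failed" code,
# as in "(code=exited, status=217/USER)".
is_user_lookup_failure() {
    case "$1" in
        217|217/USER) return 0 ;;
        *) return 1 ;;
    esac
}

# Tie the checks together for one user and one drop-in directory.
main() {
    user="${1:-bnordgren}"   # assumed default: the account from the thread
    dropin="${2:-/etc/systemd/system/ipython-notebook.service.d}"
    src=$(user_source "$user")
    echo "$user resolves from: $src"
    case "$src" in
        remote)
            echo "Account is not local; ordering the unit after sssd.service:"
            write_sssd_dropin "$dropin"
            echo "now run: systemctl daemon-reload" ;;
        none)
            echo "Account not resolvable; systemd would report status=217/USER" ;;
    esac
}

# Run the diagnostic only when asked, so the functions can also be sourced:
#   RUN_DIAG=1 sh diag.sh bnordgren
if [ "${RUN_DIAG:-0}" = 1 ]; then
    main "$@"
fi
```

The awk check deliberately reads /etc/passwd directly rather than relying on getent's service selector, so the "files" answer does not depend on how nsswitch.conf is ordered; the getent call then covers every other source. Note that the drop-in only addresses the ordering problem Dmitri raised; it does not change systemd's position, reported later in the thread, that system services are expected to run as accounts that resolve without the network.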
Sorry for not getting back to you earlier, I missed your response. Correct: I'm not altering who runs systemd itself, but trying to run my "ipython-notebook" service as my own domain user account.
I can't even get it to work manually, after I've logged in using the account with which I'm trying to run the service. Sorry the following is ellipsized, I can only get to the non-ellipsized parts with journalctl and a pager, but they really don't add value. The important part is code=exited, status=217/USER, which is a systemd code, not an ipython code:
[bnordgren@lugosi ~]$ sudo systemctl start ipython-notebook
[bnordgren@lugosi ~]$ sudo systemctl status ipython-notebook
ipython-notebook.service - IPython notebook service
   Loaded: loaded (/etc/systemd/system/ipython-notebook.service; enabled)
   Active: failed (Result: exit-code) since Mon 2014-09-15 11:45:32 MDT; 7s ago
  Process: 15558 ExecStart=/bin/ipython notebook (code=exited, status=217/USER)

Sep 15 11:45:32 lugosi.usfs-i2.umt.edu systemd[1]: Starting IPython notebook ...
Sep 15 11:45:32 lugosi.usfs-i2.umt.edu systemd[1]: Started IPython notebook s...
Sep 15 11:45:32 lugosi.usfs-i2.umt.edu systemd[1]: ipython-notebook.service: ...
Sep 15 11:45:32 lugosi.usfs-i2.umt.edu systemd[1]: Unit ipython-notebook.serv...

[bnordgren@lugosi ~]$ sudo cat /etc/systemd/system/ipython-notebook.service
[Unit]
Description=IPython notebook service
After=syslog.target network.target

[Service]
Type=simple
User=bnordgren
ExecStart=/bin/ipython notebook
KillMode=process
Environment=PYTHONPATH=/home/bnordgren/src/pylsce

[Install]
WantedBy=multi-user.target

[bnordgren@lugosi ~]$ getent passwd bnordgren
bnordgren:*:10001:10000:Nordgren, Bryce L -FS:/home/bnordgren:/bin/bash

[bnordgren@lugosi ~]$ /bin/ipython notebook
[NotebookApp] Using existing profile dir: u'/home/bnordgren/.ipython/profile_default'
[NotebookApp] Serving notebooks from /home/bnordgren/notebooks
[NotebookApp] The IPython Notebook is running at: http://[all ip addresses on your system]:8888/ipython/
[NotebookApp] Use Control-C to stop this server and shut down all kernels.
On 09/15/2014 01:53 PM, Nordgren, Bryce L -FS wrote:
I am not sure this is the best list for this question. Maybe you should ask the systemd guys.
Helpful soul on freeipa list pointed me to https://bugzilla.redhat.com/show_bug.cgi?id=915912#c19
Summarized as: Running a service as a domain user will not be supported by systemd as system users must be available without the network.
Solving this (one way or another) will be part of https://fedorahosted.org/freeipa/ticket/4544. Whether there needs to be an sssd ticket or not probably depends on the strategy selected to solve this problem.
Bryce
On 09/15/2014 01:53 PM, Nordgren, Bryce L -FS wrote:
I just attempted to reproduce this issue on Fedora 21 Alpha with:

systemd-215-14.fc21.x86_64
sssd-1.12.1-1.fc21.x86_64
Everything worked exactly as expected. I suspect there was a bug in either systemd or SSSD in Fedora 19 that has been subsequently addressed.
sssd-users@lists.fedorahosted.org