After converting a system to sssd with an IPA backend, we found that cron was not recognizing our users. It appears (based on using lsof to see what .so files are open) that cron is reading nsswitch.conf at startup, and doesn’t notice the change when sssd setup adds sss to the user map in nsswitch.conf. Restarting cron fixes it, but we’ve now got another Ubuntu-specific hack in our Ansible setup script.
On Mon, Aug 26, 2019 at 01:37:43PM +0000, Charles Hedrick wrote:
> After converting a system to sssd with an IPA backend, we found that cron was not recognizing our users. It appears (based on using lsof to see what .so files are open) that cron is reading nsswitch.conf at startup, and doesn’t notice the change when sssd setup adds sss to the user map in nsswitch.conf. Restarting cron fixes it, but we’ve now got another Ubuntu-specific hack in our Ansible setup script.
This is not specific to RHEL or Ubuntu, this is how libc behaves.
Fedora/RHEL includes 'sss' in nsswitch.conf by default precisely for this reason.
Cute. I wondered why the problem didn’t happen on Centos. That explains it, but wasn’t at all the explanation I was expecting.
On Aug 26, 2019, at 9:41 AM, Jakub Hrozek <jhrozek@redhat.com> wrote:
> Fedora/RHEL includes 'sss' in nsswitch.conf by default precisely for this reason.
btw I think it would be prudent for Ubuntu to include 'sss' by default as well. There's very little downside to it even if sssd is not running (if the answer is not found in nss_files or if all databases are to be consulted, nss_sss tries to open a socket towards sssd, fails) and RHEL has been doing that since RHEL-7 at least, IIRC even since some later RHEL-6 releases.
btw here is a RHEL bug (open since 2004..) that asks for libc to implement auto-reloading: https://bugzilla.redhat.com/show_bug.cgi?id=132608 unfortunately it doesn't link to the glibc upstream bugzilla. But I completely trust the glibc developers that this is non-trivial.
On Thu, Aug 29, 2019 at 01:43:07PM +0000, Charles Hedrick wrote:
> Cute. I wondered why the problem didn’t happen on Centos. That explains it, but wasn’t at all the explanation I was expecting.
> On Aug 26, 2019, at 9:41 AM, Jakub Hrozek <jhrozek@redhat.com> wrote:
>> Fedora/RHEL includes 'sss' in nsswitch.conf by default precisely for this reason.
sssd-users@lists.fedorahosted.org
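One way to find which other long-running daemons need the same restart that cron did, as an added example that is not part of the original thread: it lists processes that started before `/etc/nsswitch.conf` was last modified. It assumes a Linux `/proc`; the function names are hypothetical, and the result is a list of restart candidates, not confirmed failures.

```python
import os
import re

def passwd_uses_sss(nsswitch_text, database="passwd"):
    """True if `sss` is a source for the database in nsswitch.conf text."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0]
        name, sep, sources = line.partition(":")
        if sep and name.strip() == database:
            # Drop action items such as [NOTFOUND=return] before splitting.
            return "sss" in re.sub(r"\[[^\]]*\]", " ", sources).split()
    return False

def started_before_change(proc_root="/proc", nsswitch="/etc/nsswitch.conf", hz=None):
    """Return [(pid, comm)] for processes older than nsswitch.conf's mtime."""
    hz = hz or os.sysconf("SC_CLK_TCK")
    changed = os.stat(nsswitch).st_mtime
    with open(os.path.join(proc_root, "stat")) as f:
        btime = next(int(l.split()[1]) for l in f if l.startswith("btime "))
    stale = []
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        try:
            with open(os.path.join(proc_root, pid, "stat")) as f:
                data = f.read()
        except OSError:
            continue  # process exited while we were scanning
        # comm may contain spaces or parentheses, so split on the last ')'.
        comm = data[data.index("(") + 1:data.rindex(")")]
        fields = data[data.rindex(")") + 2:].split()
        started = btime + int(fields[19]) / hz  # field 22: starttime in ticks
        if started < changed:
            stale.append((int(pid), comm))
    return sorted(stale)

if __name__ == "__main__":
    with open("/etc/nsswitch.conf") as f:
        if passwd_uses_sss(f.read()):
            for pid, comm in started_before_change():
                print(f"{pid}\t{comm}\tstarted before nsswitch.conf changed")
```

Run it after the sssd setup step; the daemons it prints are the ones to restart alongside cron.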