Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.

Bug 1362494

Summary: sssctl requires ifp to be enabled manually
Product: Red Hat Enterprise Linux 7 Reporter: Thorsten Scherf <tscherf>
Component: sssdAssignee: SSSD Maintainers <sssd-maint>
Status: CLOSED ERRATA QA Contact: Dan Lavu <dlavu>
Severity: high Docs Contact:
Priority: high    
Version: 7.3CC: dlavu, fidencio, grajaiya, jhrozek, lslebodn, michaelv, mkosek, mzidek, pbrezina, sgoveas, tscherf
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: sssd-1.15.0-2.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-01 08:58:07 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Thorsten Scherf 2016-08-02 11:12:53 UTC
Description of problem:

sssctl requires ifp to be added manually to sssd.conf. Even if we add a note to the documentation, customers will file bugs about this.

Here are some proposals how to fix it:

a) enable ifp by default
b) make ifp socket-activated by systemd
c) print a warning on the console saying what needs to be done to make sssctl work

For the GA release I strongly recommend to implement at least c).

Version-Release number of selected component (if applicable):

How reproducible:
# grep services /etc/sssd/sssd.conf
services = nss, sudo, pam, ssh

# sssctl list-domains
Unable to get domains list [3]: Communication error
org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
Check that SSSD is running and the InfoPipe responder is enabled.

# sed -i 's/services = nss, sudo, pam, ssh/services = nss, sudo, pam, ssh, ifp/' /etc/sssd/sssd.conf

# systemctl restart sssd

# grep services /etc/sssd/sssd.conf
services = nss, sudo, pam, ssh, ifp
# sssctl list-domains

Steps to Reproduce:

Actual results:

Expected results:

Additional info:

Comment 1 Pavel Březina 2016-08-04 12:45:31 UTC
The error message already says that the InfoPipe needs to be enabled. What would you like to see more?

"Check that SSSD is running and the InfoPipe responder is enabled."

Comment 2 Thorsten Scherf 2016-08-04 15:27:47 UTC
Something like this:

"Please add the ifp service to the service list in sssd.conf and restart the service afterwards."

Comment 3 Jakub Hrozek 2016-08-10 15:38:18 UTC
Upstream ticket:

Comment 4 Jakub Hrozek 2016-08-10 15:39:09 UTC
Upstream ticket:

Comment 5 Jakub Hrozek 2016-08-10 15:42:14 UTC
I linked this bugzilla to two upstream tickets, one tracks the socket-activation of IFP and targets 7.4. The other tracks the better info message and tracks 7.3.

Comment 6 Lukas Slebodnik 2016-08-18 11:53:22 UTC
* 9b86f8f3c07af6fd3d2b08ff66cf9dcce61e7abf

only #3130 is fixed.

Comment 7 Jakub Hrozek 2016-08-25 11:06:28 UTC
(In reply to Lukas Slebodnik from comment #6)
> master:
> * 9b86f8f3c07af6fd3d2b08ff66cf9dcce61e7abf
> only #3130 is fixed.

Right, that commit is in RHEL as well, but I would prefer to use this bugzilla for the socket-activation.

Comment 8 Lukas Slebodnik 2017-01-23 18:01:38 UTC
* 9222a4fcbeec9d5a6f84aab31a5131f14d4a6430

Comment 15 Dan Lavu 2017-05-16 14:23:43 UTC
Verified against sssd-1.15.2-24.el7.x86_64

[root@auto-hv-01-guest01 ~]# sssctl domain-list

# /etc/sssd/sssd.conf 

domains =
config_file_version = 2
services = nss, pam

--- SNIP ----

Comment 16 errata-xmlrpc 2017-08-01 08:58:07 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.