KCM in non systemd computers? #5574
Comments
Did you try to add 'kcm' to sssd.conf::services list?
No, I haven't tried anything yet as I figure it will break if I don't address the lack of socket activation.
I guess I can start sssd_kcm as a normal openrc service at boot but is that enough?
@pbrezina, do you remember if we support running
I just tested to start sssd_kcm and sssd_secrets to see what happened, started just fine. However, after a few mins of inactivity
Why do you need
Try setting
Oh, I just saw that there was one. Good to know I can skip that one then :)
I did in sssd.conf:
Seems to work, I do think an option to sssd_kcm would be cleaner, sssd.conf should not be adjusted for this I think. When should sssd_kcm be started (if a service)? As early as possible, just before or after sssd?
Q: sssd (without KCM) can renew tickets it has created itself (pam_sss) I think.
Why socket activation? Is it just an optimization or is there some function behind it?
So I have started kcm as a service and seem to be working well and change krb5.conf: default_ccache_name = KCM:
I am stumped, why don't I grep the KCM cache?
After rebooting I got a KCM: cache, no idea why not restarting sssd/sssd-kcm worked
Now I think the remaining Q is, when should sssd-kcm service start (early as possible, just before or after sssd)?
sudo does not work as before:
What is missing?
Could not sssd start sssd_kcm, just like sssd does with sssd_be, sssd_nss, sssd_pam etc?
Did you try this?
How? Doesn't that require some code in sssd?
This does not work 100%. There are cases when kcm terminates on its own, not sure when. All in all, KCM does not seem ready yet, there are a few bugs here that are must have.
@justin-stephenson, probably you could help here answering some of the questions.
@joakim-tjernlund What distribution do you run that doesn't have systemd? What sssd version do you run? In general, sssd-kcm was intended to be socket activated. Other ways of starting it may be possible but we don't officially support them nor test them. At least, starting sssd_kcm manually works since I use it from time to time to debug it. Second option is to add it to services line in sssd.conf. The process is socket activated since it usually does not need to run all the time. Termination can be avoided by setting responder_idle_timeout = 0 as Alexey already suggested. If that does not work correctly, we need to see some logs.
Yes, sssd-kcm can run without other sssd processes. It is its own systemd service (sssd-kcm.service) that you can start, but we don't officially support it without systemd.
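Added example, not part of the thread and not SSSD project code: a shell check for the two settings discussed above (`responder_idle_timeout = 0` and `default_ccache_name = KCM:`) when sssd_kcm runs as an always-on service rather than socket activated. The function names, the `[kcm]` section placement and the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not SSSD project code): audit the settings this thread relies
# on when sssd_kcm runs as an always-on service instead of socket activated.

# ini_get FILE SECTION KEY: print the last value of KEY inside [SECTION].
ini_get() {
    awk -v sect="[$2]" -v key="$3" '
        /^[ \t]*[#;]/ { next }                               # comment line
        /^[ \t]*\[/   { gsub(/[ \t]/, ""); cur = $0; next }  # section header
        cur == sect {
            eq = index($0, "=")
            if (!eq) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }
    ' "$1"
}

# kcm_service_audit SSSD_CONF KRB5_CONF: print findings, return 0 if none.
# Assumption: responder_idle_timeout is read from the [kcm] section.
# Limitation: files pulled in by krb5.conf include/includedir are not followed.
kcm_service_audit() {
    rc=0
    timeout=$(ini_get "$1" kcm responder_idle_timeout)
    if [ "$timeout" != "0" ]; then
        echo "sssd.conf [kcm]: responder_idle_timeout='${timeout:-unset}', responder may exit when idle"
        rc=1
    fi
    ccache=$(ini_get "$2" libdefaults default_ccache_name)
    case "$ccache" in
        KCM:*) ;;
        *) echo "krb5.conf [libdefaults]: default_ccache_name='${ccache:-unset}', not KCM:"
           rc=1 ;;
    esac
    return "$rc"
}

# Usage (paths are the common defaults, adjust for your distribution):
#   kcm_service_audit /etc/sssd/sssd.conf /etc/krb5.conf
```

Without socket activation nothing restarts the responder on the next client connection, so a non-zero result here is worth resolving before relying on `KCM:` caches.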
I guess you need to set KRB5CCNAME to "KCM:$uid" and let sudo.conf keep this env var (which you probably already do).
Gentoo, it has systemd but systemd bugs for us whenever we try it. Seems like there are some rough corners left in systemd in a corporate setting. We run sssd master ATM
Tried responder_idle_timeout = 0 but it does not work fully, I think kdestroy on the last ticket makes KCM terminate. Socket activation is still debated if it adds value or not, I wish you would support both. If I am to support non socket activation by myself it is really too much, digging into sssd codebase is a big investment and you would probably reject any patches as it is not supported.
I'm not aware of such logic in the code, can you provide logs?
We support both with systemd - you can just run 'systemctl enable --now sssd-kcm.service' (and setting responder_idle_timeout). So the question is if you want to get rid of socket activation or systemd as whole. If you want to get rid of systemd completely, that is something we don't officially support for kcm.
Been trying for 24 hours now to get logs but the problem has not shown itself :(
Not systemd, we use elogind as replacement so that is fine. I was not aware you supported KCM as a service too in systemd, good. Is that something you test on a regular basis too? The one request I have is that one should not have to edit sssd.conf to switch between socket activation/service. Imagine you had to set socket_activation = true in sssd.conf before you could start that part.
Unfortunately,
Dear Contributor/User, Recognizing the importance of addressing enhancements, bugs, and issues for the SSSD project's quality and reliability, we also need to consider our long-term goals and resource constraints. After thoughtful consideration, regrettably, we are unable to address this request at this time. To avoid any misconception, we're closing it; however, we encourage continued collaboration and contributions from anyone interested. We apologize for any inconvenience and appreciate your understanding of our resource limitations. While you're welcome to open a new issue (or reopen this one), immediate attention may not be guaranteed due to competing priorities. Thank you once again for sharing your feedback. We look forward to ongoing collaboration to deliver the best possible solutions, supporting in any way we can. Best regards,
As I understand it, KCM is socket activated in systemd. Non systemd users may not have socket activated services.
Is it possible to use KCM in such systems as well?