Change of behaviour on 2.9.0 w.r.t. domain definitions #6838

Closed
sergiodj opened this issue Jul 17, 2023 · 5 comments

@sergiodj
Contributor

Hi,

In Debian/Ubuntu, one of gdm3's test cases defines /etc/sssd/sssd.conf as:

[sssd]
enable_files_domain = True
services = pam

[certmap/implicit_files/tester]
matchrule = <SUBJECT>.*Test Organization.*

[pam]
pam_cert_db_path = /tmp/sssd-softhsm2-gdm-certs-tmU4Jz/test-full-chain-CA.pem
pam_cert_verification = $verification_options
pam_cert_auth = True
pam_verbosity = 10
debug_level = 10

Note that there's no domain defined.

This used to work with sssd 2.8.2, but is now failing with sssd 2.9.1:

Jul 17 18:55:35 autopkgtest-lxd-gkskqb systemd[1]: Starting sssd.service - System Security Services Daemon...
Jul 17 18:55:35 autopkgtest-lxd-gkskqb sssd[11743]: SSSD couldn't load the configuration database [1432158246]: No domain is enabled
Jul 17 18:55:35 autopkgtest-lxd-gkskqb systemd[1]: sssd.service: Main process exited, code=exited, status=4/NOPERMISSION
Jul 17 18:55:35 autopkgtest-lxd-gkskqb systemd[1]: sssd.service: Failed with result 'exit-code'.
Jul 17 18:55:35 autopkgtest-lxd-gkskqb systemd[1]: Failed to start sssd.service - System Security Services Daemon.

We believe that commit b38fdc8 might have been responsible for this change in behaviour here. Is this intentional?

Thanks in advance.

@alexey-tikhonov
Member

Hi @sergiodj,

> enable_files_domain = True

This option adds implicit "id_provider=files".

Since 2.9.0 "id_provider=files" is deprecated and its support isn't built by default (see release notes - https://github.com/SSSD/sssd/releases/tag/2.9.0)
Looks like https://salsa.debian.org/sssd-team/sssd/-/blob/debian/2.9.1-1/debian/rules doesn't add --with-files-provider ./configure switch required to enable its support (btw, it also still uses '--disable-files-domain' that doesn't make sense anymore).

If you really want to support (and test) the use case "smart card auth of local users" (as in the quoted sssd.conf) then sssd has to be built --with-files-provider for the time being (by sssd-2.10 #6633 should be completed and the use case should be supported via 'id_provider = proxy').

@sergiodj
Contributor Author

Hey @alexey-tikhonov, thank you very much for the reply.

Gotcha. The files provider seems to have been disabled in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888207, so I'm getting in touch with the Debian maintainer to see what can be done in this case. Thanks again.

@alexey-tikhonov
Member

Hi @sergiodj,

> The files provider seems to have been disabled in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888207, so I'm getting in touch with the Debian maintainer to see what can be done in this case.

I know this might be confusing so I'll try to clarify just in case.

In the past (pre-sssd-2.9), the code that implements 'files provider' (i.e. 'id_provider=files') functionality was built unconditionally.

But there was a ./configure switch --enable/disable-files-domain that was used to change the default value of the enable_files_domain sssd.conf option. This option is merely a "shortcut" to add a domain with "id_provider = files" without an explicit [domain] definition.

sssd-2.8 deprecated this --enable/disable-files-domain ./configure option.
sssd-2.9:

  • removed --enable/disable-files-domain ./configure option (now enable_files_domain defaults to 'false' unconditionally)
  • introduced new ./configure option - --with-files-provider - that is used to conditionally build 'files provider' code (and if it's not built then enable_files_domain can't be used in sssd.conf at all)

The bug you referenced - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888207 - is old and is about --enable/disable-files-domain ./configure option.
Please point Debian maintainer to this explanation.
Also please let me know if it's still unclear (I know it might be).
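
An added example, not part of the original thread and not SSSD code: a pre-upgrade check that applies the 2.9 rules explained above to an sssd.conf and reports when it would end with "No domain is enabled". The function name, its `files_provider_built` parameter and the finding strings are hypothetical; the check assumes a single config file with domains listed only in the `domains` option of `[sssd]`.

```python
import configparser

# Constructed sample: the sssd.conf quoted in the issue, shortened, with the
# temporary certificate path replaced by a placeholder.
SAMPLE_CONF = """
[sssd]
enable_files_domain = True
services = pam

[certmap/implicit_files/tester]
matchrule = <SUBJECT>.*Test Organization.*

[pam]
pam_cert_db_path = /path/to/test-full-chain-CA.pem
pam_cert_auth = True
"""


def check_sssd_conf(text, files_provider_built):
    """Return findings for a config under the 2.9 rules described in the thread.

    files_provider_built (hypothetical parameter): True if this sssd build
    was configured --with-files-provider.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    sssd = cp["sssd"] if cp.has_section("sssd") else {}
    # enable_files_domain defaults to false unconditionally since 2.9.
    implicit = str(sssd.get("enable_files_domain", "false")).strip().lower() == "true"
    domains = [d.strip() for d in sssd.get("domains", "").split(",") if d.strip()]

    findings = []
    if implicit and not files_provider_built:
        findings.append("enable_files_domain set, but files provider is not built")
    # The implicit files domain only counts when the provider code exists.
    usable = 1 if implicit and files_provider_built else 0
    for name in domains:
        provider = cp.get(f"domain/{name}", "id_provider", fallback="").strip().lower()
        if provider == "files" and not files_provider_built:
            findings.append(f"domain/{name}: id_provider=files is not built")
        elif provider:
            usable += 1
    if usable == 0:
        findings.append("No domain is enabled")
    return findings
```
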

@sergiodj
Contributor Author

Thank you very much, @alexey-tikhonov. It's certainly more clear to me now. I proposed a change against the Debian package and now I'm waiting for the maintainer to review.

@sergiodj
Contributor Author

Thanks for the invaluable help, @alexey-tikhonov. I'm closing this bug since it was a downstream problem.
