sssd and the sudo alerts

So… I kept getting a message like this every. single. time. I. used. sudo.

Subject: *** SECURITY information for server.domain.example.com ***
Message: server.domain.example.com : Oct 19 14:17:50 : yaleman : problem with defaults entries ; TTY=pts/0 ; PWD=/home/yaleman ; USER=root ;

After some searching, it turns out it's an issue with local accounts: an interaction between sudo and sssd where the sudo defaults aren't being provided to sssd from FreeIPA/LDAP. It's more a warning than a bug, but it's freaking annoying.

My original fix was to just create the file with the fixed lines in it, as mentioned in this superuser.com discussion about the issue - the useful fix isn’t the accepted one, it’s this one lower down. That didn’t seem to work, because I got a weird I/O error… I even tried copying the “default” config and running it as-is (or editing it):

$ sudo cp /usr/lib/x86_64-linux-gnu/sssd/conf/sssd.conf /etc/sssd/
$ sudo systemctl start sssd
Job for sssd.service failed because the control process exited with error code.
See "systemctl status sssd.service" and "journalctl -xe" for details.
$ sudo systemctl status sssd.service
● sssd.service - System Security Services Daemon
   Loaded: loaded (/lib/systemd/system/sssd.service; disabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Sat 2019-10-19 14:05:52 AEST; 8s ago
  Process: 9032 ExecStart=/usr/sbin/sssd -i ${DEBUG_LOGGER} (code=exited, status=4)
 Main PID: 9032 (code=exited, status=4)

Oct 19 14:05:51 server systemd[1]: Starting System Security Services Daemon...
Oct 19 14:05:52 server sssd[9032]: Cannot read config file /etc/sssd/sssd.conf. Please check that the file is accessib>
Oct 19 14:05:52 server systemd[1]: sssd.service: Main process exited, code=exited, status=4/NOPERMISSION
Oct 19 14:05:52 server systemd[1]: sssd.service: Failed with result 'exit-code'.
Oct 19 14:05:52 server systemd[1]: Failed to start System Security Services Daemon.

That’s weird, I can’t read the file, as root, because it’s not accessible? Lemme run this manually with logging cranked up a bit…

$ sudo sssd -i --debug-level 6 -c /etc/sssd/sssd.conf
(Sat Oct 19 14:08:26:432251 2019) [sssd] [check_file] (0x0400): lstat for [/var/run/nscd/socket] failed: [2][No such file or directory].
(Sat Oct 19 14:08:26:432388 2019) [sssd] [check_file] (0x0400): lstat for [/var/run/sssd.pid] failed: [2][No such file or directory].
(Sat Oct 19 14:08:26:659686 2019) [sssd] [ldb] (0x0400): server_sort:Unable to register control with rootdse!
(Sat Oct 19 14:08:26:660341 2019) [sssd] [confdb_ldif_from_ini_file] (0x0020): Permission check on config file failed.
(Sat Oct 19 14:08:26:660400 2019) [sssd] [confdb_init_db] (0x0020): Cannot convert INI to LDIF [1]: [Operation not permitted]
(Sat Oct 19 14:08:26:660472 2019) [sssd] [confdb_setup] (0x0010): ConfDB initialization has failed [1]: Operation not permitted
(Sat Oct 19 14:08:26:660567 2019) [sssd] [load_configuration] (0x0010): Unable to setup ConfDB [1]: Operation not permitted
(Sat Oct 19 14:08:26:660612 2019) [sssd] [main] (0x0020): Cannot read config file /etc/sssd/sssd.conf. Please check that the file is accessible only by the owner and owned by root.root.

Oh.

$ sudo chown root. /etc/sssd/sssd.conf
$ sudo chmod 0600 /etc/sssd/sssd.conf
$ sudo systemctl start sssd

Win!
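Since the real cause was the ownership and mode of the config file, here is a small check script that catches that before sssd does. This is an added example, not something from the original post or from the sssd project; it assumes GNU coreutils `stat -c` (Linux) and mirrors the chown/chmod fix above in a `fix_sssd_conf` helper that needs root.

```shell
#!/bin/sh
# Added example: verify that sssd.conf meets the condition sssd's own error
# message states ("accessible only by the owner and owned by root.root").
# Assumes GNU coreutils (stat -c), as on a Debian/Ubuntu host.
#
# Usage: . ./check_sssd_conf.sh; check_sssd_conf /etc/sssd/sssd.conf

# check_sssd_conf [path]
#   returns 0 if owner/mode are acceptable, 1 if wrong, 2 if the file is missing
check_sssd_conf() {
    conf="${1:-/etc/sssd/sssd.conf}"
    if [ ! -f "$conf" ]; then
        echo "$conf: no such file" >&2
        return 2
    fi
    # numeric uid, numeric gid and octal permission bits, e.g. "0 0 644"
    fields=$(stat -c '%u %g %a' "$conf") || return 2
    set -- $fields
    uid=$1 gid=$2 mode=$3
    rc=0
    if [ "$uid" != 0 ] || [ "$gid" != 0 ]; then
        echo "$conf: owned by uid=$uid gid=$gid, expected root:root (chown root:root $conf)" >&2
        rc=1
    fi
    # Owner must have some access and group/other must have none:
    # the octal mode has to look like 600, 400, 700 ... i.e. [1-7]00.
    case "$mode" in
        [1-7]00) ;;
        *) echo "$conf: mode $mode, expected 0600 (chmod 0600 $conf)" >&2
           rc=1 ;;
    esac
    return $rc
}

# fix_sssd_conf [path]
#   applies the same fix as the chown/chmod commands in the post, then re-checks;
#   must be run as root
fix_sssd_conf() {
    conf="${1:-/etc/sssd/sssd.conf}"
    chown root:root "$conf" && chmod 0600 "$conf" && check_sssd_conf "$conf"
}
```

The check reports every problem it finds rather than stopping at the first, so a file that is both group-readable and owned by the wrong user gets both messages. Run it from a config-management post-task or a cron job and you get a non-zero exit before the next `systemctl start sssd` fails with the truncated "Cannot read config file" line.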

Dear systemd - why would you truncate a log file instead of wrapping the output?

Config file

This is how it currently stands, with some replacements for a little bit of security 😆

[domain/domain.example.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = domain.example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = server.domain.example.com
chpass_provider = ipa
ipa_server = _srv_, ipa.domain.example.com
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, sudo, pam, ssh
domains = domain.example.com

[nss]
homedir_substring = /home

#sssd #sudo #freeipa #errors #fixes #linux #howto