sssd and the sudo alerts

So… I kept getting a message like this every. single. time. I. used. sudo.

Subject: *** SECURITY information for ***
Message: : Oct 19 14:17:50 : yaleman : problem with defaults entries ; TTY=pts/0 ; PWD=/home/yaleman ; USER=root ;

Doing some searching, it turns out it’s some issue with local accounts and an interaction between sudo and sssd where defaults aren’t being presented to sssd from FreeIPA/LDAP. It’s more a warning than a bug, but it’s freaking annoying.

My original fix was to just create the file with the fixed lines in it, as mentioned in this discussion about the issue - the useful fix isn’t the accepted one, it’s this one lower down. That didn’t seem to work, because I got a weird I/O error… I even tried copying the “default” config and running it as-is (or editing it):

$ sudo cp /usr/lib/x86_64-linux-gnu/sssd/conf/sssd.conf /etc/sssd/
$ sudo systemctl start sssd
Job for sssd.service failed because the control process exited with error code.
See "systemctl status sssd.service" and "journalctl -xe" for details.
$ sudo systemctl status sssd.service
● sssd.service - System Security Services Daemon
   Loaded: loaded (/lib/systemd/system/sssd.service; disabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Sat 2019-10-19 14:05:52 AEST; 8s ago
  Process: 9032 ExecStart=/usr/sbin/sssd -i ${DEBUG_LOGGER} (code=exited, status=4)
 Main PID: 9032 (code=exited, status=4)

Oct 19 14:05:51 server systemd[1]: Starting System Security Services Daemon...
Oct 19 14:05:52 server sssd[9032]: Cannot read config file /etc/sssd/sssd.conf. Please check that the file is accessib>
Oct 19 14:05:52 server systemd[1]: sssd.service: Main process exited, code=exited, status=4/NOPERMISSION
Oct 19 14:05:52 server systemd[1]: sssd.service: Failed with result 'exit-code'.
Oct 19 14:05:52 server systemd[1]: Failed to start System Security Services Daemon.

That’s weird, I can’t read the file, as root, because it’s not accessible? Lemme run this manually with logging cranked up a bit…

$ sudo sssd -i --debug-level 6 -c /etc/sssd/sssd.conf
(Sat Oct 19 14:08:26:432251 2019) [sssd] [check_file] (0x0400): lstat for [/var/run/nscd/socket] failed: [2][No such file or directory].
(Sat Oct 19 14:08:26:432388 2019) [sssd] [check_file] (0x0400): lstat for [/var/run/] failed: [2][No such file or directory].
(Sat Oct 19 14:08:26:659686 2019) [sssd] [ldb] (0x0400): server_sort:Unable to register control with rootdse!
(Sat Oct 19 14:08:26:660341 2019) [sssd] [confdb_ldif_from_ini_file] (0x0020): Permission check on config file failed.
(Sat Oct 19 14:08:26:660400 2019) [sssd] [confdb_init_db] (0x0020): Cannot convert INI to LDIF [1]: [Operation not permitted]
(Sat Oct 19 14:08:26:660472 2019) [sssd] [confdb_setup] (0x0010): ConfDB initialization has failed [1]: Operation not permitted
(Sat Oct 19 14:08:26:660567 2019) [sssd] [load_configuration] (0x0010): Unable to setup ConfDB [1]: Operation not permitted
(Sat Oct 19 14:08:26:660612 2019) [sssd] [main] (0x0020): Cannot read config file /etc/sssd/sssd.conf. Please check that the file is accessible only by the owner and owned by root.root.


$ sudo chown root. /etc/sssd/sssd.conf
$ sudo chmod 0600 /etc/sssd/sssd.conf
$ sudo systemctl start sssd


Dear systemd - why would you truncate a log file instead of wrapping the output?

Config file

This is how it currently stands, with some replacements for a little bit of security 😆

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain =
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname =
chpass_provider = ipa
ipa_server = _srv_,
ldap_tls_cacert = /etc/ipa/ca.crt

services = nss, sudo, pam, ssh
domains =

homedir_substring = /home


#sssd #sudo #freeipa #errors #fixes #linux #howto