SSSD binaries capabilities have changed #2030

Open
alexth4ef9 opened this issue Dec 30, 2024 · 11 comments · Fixed by hhd-dev/rechunk#9
Labels: bug (Something isn't working), upstream

Comments

@alexth4ef9

alexth4ef9 commented Dec 30, 2024

Describe the bug

Followup to #1818

Since 41.20241229 sssd.service fails to start.

Dec 29 23:20:23 <redacted> systemd[1]: Starting sssd.service - System Security Services Daemon...
Dec 29 23:20:23 <redacted> sssd[10805]: [sssd] [sss_ini_open] (0x0100): sss_ini_config_file_open() failed [13]: Permission denied
Dec 29 23:20:23 <redacted> sssd[10805]: [sssd] [sss_ini_read_sssd_conf] (0x0020): sss_ini_open() on '/etc/sssd/sssd.conf' failed [13>
Dec 29 23:20:23 <redacted> sssd[10805]: Can't read config: 'Failed to open main config file'
Dec 29 23:20:23 <redacted> sssd[10805]: Failed to read configuration: 'Failed to open main config file'
Dec 29 23:20:23 <redacted> sssd[10805]: Make sure configuration is readable by the user used to run service and doesn't have public >
Dec 29 23:20:23 <redacted> systemd[1]: sssd.service: Main process exited, code=exited, status=3/NOTIMPLEMENTED
Dec 29 23:20:23 <redacted> systemd[1]: sssd.service: Failed with result 'exit-code'.
Dec 29 23:20:23 <redacted> systemd[1]: Failed to start sssd.service - System Security Services Daemon.
Dec 29 23:22:26 <redacted> systemd[1]: Starting sssd.service - System Security Services Daemon...
Dec 29 23:22:27 <redacted> sssd[12848]: [sssd] [sss_ini_open] (0x0100): sss_ini_config_file_open() failed [13]: Permission denied
Dec 29 23:22:27 <redacted> sssd[12848]: [sssd] [sss_ini_read_sssd_conf] (0x0020): sss_ini_open() on '/etc/sssd/sssd.conf' failed [13>
Dec 29 23:22:27 <redacted> sssd[12848]: Can't read config: 'Failed to open main config file'
Dec 29 23:22:27 <redacted> sssd[12848]: Failed to read configuration: 'Failed to open main config file'
Dec 29 23:22:27 <redacted> sssd[12848]: Make sure configuration is readable by the user used to run service and doesn't have public >
Dec 29 23:22:27 <redacted> systemd[1]: sssd.service: Main process exited, code=exited, status=3/NOTIMPLEMENTED
Dec 29 23:22:27 <redacted> systemd[1]: sssd.service: Failed with result 'exit-code'.
Dec 29 23:22:27 <redacted> systemd[1]: Failed to start sssd.service - System Security Services Daemon.

There is a note about the capabilities changes in release 2.10.1
https://sssd.io/release-notes/sssd-2.10.1.html#

Current capabilities in bazzite:

/usr/libexec/sssd/krb5_child cap_chown,cap_dac_override,cap_setgid,cap_setuid=ep
/usr/libexec/sssd/ldap_child cap_chown,cap_dac_override,cap_setgid,cap_setuid=ep
/usr/libexec/sssd/sssd_pam cap_dac_read_search=p

Kinoite 41.20241230.0

/usr/libexec/sssd/krb5_child cap_dac_read_search,cap_setgid,cap_setuid=p
/usr/libexec/sssd/ldap_child cap_dac_read_search=p
/usr/libexec/sssd/sssd_pam cap_dac_read_search=p

Fedora Workstation 41

rpm -q sssd
sssd-2.10.1-1.fc41.x86_64

getcap /usr/libexec/sssd/*
/usr/libexec/sssd/krb5_child cap_dac_read_search,cap_setgid,cap_setuid=p
/usr/libexec/sssd/ldap_child cap_dac_read_search=p
/usr/libexec/sssd/selinux_child cap_setgid,cap_setuid=p
/usr/libexec/sssd/sssd_pam cap_dac_read_search=p

What did you expect to happen?

sssd.service should start without error

Dec 29 23:34:06 <redacted> systemd[1]: Starting sssd.service - System Security Services Daemon...
Dec 29 23:34:07 <redacted> sssd[10592]: Starting up
Dec 29 23:34:07 <redacted> sssd_be[10628]: Starting up
Dec 29 23:34:07 <redacted> sssd_pac[10651]: Starting up
Dec 29 23:34:07 <redacted> sssd_nss[10649]: Starting up
Dec 29 23:34:07 <redacted> sssd_pam[10650]: Starting up
Dec 29 23:34:07 <redacted> systemd[1]: Started sssd.service - System Security Services Daemon.

Output of rpm-ostree status

ostree-image-signed:docker://ghcr.io/ublue-os/bazzite-nvidia:stable (index: 0)
                   Digest: sha256:be65a1594a397d9aee8c567a06e1125622b20f595b929789a1424442a61b74cf
                  Version: 41.20241216 (2024-12-16T05:07:37Z)
               BaseCommit: bbcb8ebcaa0f2142729643371f7e14790a764f1836c7df5f28771b2335829ff9
                   Commit: 1d312637b80ad5f3ecd978f1489f95912b804e9b334bc2fcaef444a5210ce11b
                           ├─ copr:copr.fedorainfracloud.org:ilyaz:LACT (2024-11-29T09:45:25Z)
                           ├─ copr:copr.fedorainfracloud.org:matte-schwartz:sunshine (2024-08-12T15:47:19Z)
                           ├─ copr:copr.fedorainfracloud.org:rodoma92:kde-cdemu-manager (2024-10-29T12:13:12Z)
                           ├─ copr:copr.fedorainfracloud.org:rodoma92:rmlint (2024-10-29T12:31:09Z)
                           ├─ copr:copr.fedorainfracloud.org:rok:cdemu (2024-10-21T13:15:21Z)
                           ├─ fedora (2024-10-24T13:55:59Z)
                           ├─ updates (2024-12-16T02:12:16Z)
                           └─ updates-archive (2024-12-16T02:54:59Z)
                   Staged: no
                StateRoot: default
          LayeredPackages: adcli btrbk clevis-dracut epson-inkjet-printer-escpr krb5-workstation oddjob-mkhomedir pam_mount
                           samba-winbind-clients sssd-ad
                   Pinned: yes

  ostree-image-signed:docker://ghcr.io/ublue-os/bazzite-nvidia:stable (index: 1)
                   Digest: sha256:96db1b9520cbbdf24f137867b9da4ed6f4351b401be733ca54bfff0d1aa12de1
                  Version: 41.20241229 (2024-12-29T18:34:39Z)
               BaseCommit: cfbae042872fa9b76235e46254b7d367ee6fcf4d8bfb21fbbdc9fc123c24b285
                   Commit: a5c2bd62486d3144c565c7384d5fec59841096b428c624f641667aecd12c7f7c
                           ├─ copr:copr.fedorainfracloud.org:ilyaz:LACT (2024-11-29T09:45:25Z)
                           ├─ copr:copr.fedorainfracloud.org:matte-schwartz:sunshine (2024-08-12T15:47:19Z)
                           ├─ copr:copr.fedorainfracloud.org:rodoma92:kde-cdemu-manager (2024-10-29T12:13:12Z)
                           ├─ copr:copr.fedorainfracloud.org:rodoma92:rmlint (2024-10-29T12:31:09Z)
                           ├─ copr:copr.fedorainfracloud.org:rok:cdemu (2024-10-21T13:15:21Z)
                           ├─ fedora (2024-10-24T13:55:59Z)
                           ├─ updates (2024-12-29T04:10:55Z)
                           └─ updates-archive (2024-12-29T04:33:49Z)
                StateRoot: default
          LayeredPackages: adcli btrbk clevis-dracut epson-inkjet-printer-escpr krb5-workstation oddjob-mkhomedir pam_mount
                           samba-winbind-clients sssd-ad

Hardware

No response

Extra information or context

No response
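As an added example (not code from this issue, from Bazzite or from rechunk): a bash check that compares getcap output for the sssd helper binaries with the capability sets quoted in this thread, the set that worked with sssd-2.10.0 and the set sssd-2.10.1-1.fc41 ships, and reports the drift that leaves sssd.service unable to start. The function names are my own; the expected strings and the sample input are copied from the output posted above.

```bash
#!/usr/bin/env bash
# Added example, not code from this issue or from rechunk: compare the file
# capabilities on the sssd helper binaries with the set a given sssd release
# expects, so drift like the one described above is reported before
# sssd.service fails to start.

# Expected getcap strings, copied from the output quoted in the issue: the
# set that worked with sssd-2.10.0 and the set shipped by sssd-2.10.1-1.fc41.
expected_caps() {  # $1 = sssd version, $2 = binary path
    case "$1 $2" in
        "2.10.0 /usr/libexec/sssd/krb5_child")    echo "cap_chown,cap_dac_override,cap_setgid,cap_setuid=ep" ;;
        "2.10.0 /usr/libexec/sssd/ldap_child")    echo "cap_chown,cap_dac_override,cap_setgid,cap_setuid=ep" ;;
        "2.10.0 /usr/libexec/sssd/sssd_pam")      echo "cap_dac_read_search=p" ;;
        "2.10.1 /usr/libexec/sssd/krb5_child")    echo "cap_dac_read_search,cap_setgid,cap_setuid=p" ;;
        "2.10.1 /usr/libexec/sssd/ldap_child")    echo "cap_dac_read_search=p" ;;
        "2.10.1 /usr/libexec/sssd/selinux_child") echo "cap_setgid,cap_setuid=p" ;;
        "2.10.1 /usr/libexec/sssd/sssd_pam")      echo "cap_dac_read_search=p" ;;
        *) echo "" ;;
    esac
}

# Read "getcap /usr/libexec/sssd/*" output ("<path> <caps>" per line) on stdin,
# print one MISMATCH line per binary whose caps differ from what version $1
# expects, and return the mismatch count (0 means everything matches).
check_sssd_caps() {
    local version="$1" path caps want mismatches=0
    while read -r path caps; do
        [ -n "$path" ] || continue
        want=$(expected_caps "$version" "$path")
        if [ -z "$want" ]; then
            echo "UNKNOWN  $path have=$caps (no expected set recorded)"
        elif [ "$caps" != "$want" ]; then
            echo "MISMATCH $path have=$caps want=$want"
            mismatches=$((mismatches + 1))
        fi
    done
    return "$mismatches"
}

# Sample input constructed from the "Current capabilities in bazzite" lines
# above: a 2.10.1 package that still carries the 2.10.0 capability set.
BAZZITE_GETCAP='/usr/libexec/sssd/krb5_child cap_chown,cap_dac_override,cap_setgid,cap_setuid=ep
/usr/libexec/sssd/ldap_child cap_chown,cap_dac_override,cap_setgid,cap_setuid=ep
/usr/libexec/sssd/sssd_pam cap_dac_read_search=p'

# On a live host use:  getcap /usr/libexec/sssd/* | check_sssd_caps "$(rpm -q --qf '%{VERSION}' sssd)"
printf '%s\n' "$BAZZITE_GETCAP" | check_sssd_caps 2.10.1 \
    || echo "$? sssd binaries carry the wrong capabilities"
```

Run against the sample it reports krb5_child and ldap_child as mismatches and returns 2, while sssd_pam, whose expected string did not change between the two releases, passes.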

@rayrayrayraydog

Thanks for raising this, I had raised #2032 but it seems this is the better write-up of the issue.

@ABotelho23

This appears broken on Bluefin as well, I spent a good hour frustrated trying to figure out what was wrong before a friend of mine sent me here.

@castrojo
Member

Is this the same as the issue you reported in bluefin? https://bugzilla.redhat.com/show_bug.cgi?id=2332433

@ABotelho23

The missing directories? No, it's something else.

I had successful logins using a FreeIPA account once I was able to layer the freeipa-client package. I think it's closer to the missing capabilities of the very original issue: #1818

I haven't had a chance to check them on Bluefin yet. The errors we get back from these packages make it super weird to determine the actual issue. It's just annoying because FreeIPA logins worked for a few days before they broke again lol

@ABotelho23

Fedora 41 definitely released with 2.10.0: https://dl.fedoraproject.org/pub/fedora/linux/releases/41/Everything/x86_64/os/Packages/s/sssd-2.10.0-1.fc41.x86_64.rpm

and was recently updated to 2.10.1 (December 15, 2024): https://dl.fedoraproject.org/pub/fedora/linux/updates/41/Everything/x86_64/Packages/s/sssd-2.10.1-1.fc41.x86_64.rpm

OP's working image:

alex@alexdesktop:/var/home/alex$ podman run -it ghcr.io/ublue-os/bazzite-nvidia@sha256:be65a1594a397d9aee8c567a06e1125622b20f595b929789a1424442a61b74cf /bin/bash
bash-5.2# rpm -qa | grep sssd-client
sssd-client-2.10.0-2.fc41.x86_64

OP's broken image:

alex@alexdesktop:/var/home/alex$ podman run -it ghcr.io/ublue-os/bazzite-nvidia@sha256:96db1b9520cbbdf24f137867b9da4ed6f4351b401be733ca54bfff0d1aa12de1 /bin/bash
bash-5.2# rpm -qa | grep sssd-client
sssd-client-2.10.1-1.fc41.x86_64

I'm not sure how we approach fixing this? Is there any point in the pipeline where we can run setcaps after the rechunking process? I was never able to find an actual changelog for what originally resolved the issue for #1818

@alexth4ef9
Author

#1818 was fixed by hhd-dev/rechunk@b83a6e5
That works for Fedora 41 up to sssd-2.10.0

@ABotelho23

I've opened a PR with some functionality that I hope can fix setting capabilities for SSSD without breaking older versions

hhd-dev/rechunk#9

@ABotelho23

A change has been merged in hhd-dev/rechunk#9 that should hopefully resolve the next image builds. Fingers crossed.

@rayrayrayraydog

A change has been merged in hhd-dev/rechunk#9 that should hopefully resolve the next image builds. Fingers crossed.

Is there a test build with the fix yet?

@tbelway

tbelway commented Jan 6, 2025

A change has been merged in hhd-dev/rechunk#9 that should hopefully resolve the next image builds. Fingers crossed.

Is there a test build with the fix yet?

Doesn't look like it, based on the bazzite releases changelogs.

:edit:

actually, looks like it should have been? Rechunk https://github.com/hhd-dev/rechunk/releases/tag/v1.0.2 should have the changes, and https://github.com/ublue-os/bazzite/releases/tag/41.20250106 shows rechunk is now at latest, but I tested an upgrade and it definitely didn't work... interesting...

:edit:

# SSSD fails to start
Jan 06 10:49:41 bdt.ipa.belway.me systemd[1]: Starting sssd.service - System Security Services Daemon...
Jan 06 10:49:41 bdt.ipa.belway.me sssd[2841]: Starting up
Jan 06 10:49:41 bdt.ipa.belway.me sssd_be[2871]: Starting up
Jan 06 10:49:41 bdt.ipa.belway.me sssd_be[2874]: Starting up
Jan 06 10:49:43 bdt.ipa.belway.me sssd_be[3052]: Starting up
Jan 06 10:49:47 bdt.ipa.belway.me sssd_be[3072]: Starting up
Jan 06 10:49:47 bdt.ipa.belway.me sssd[2841]: Exiting the SSSD. Could not restart critical service [ipa.belway.me].
Jan 06 10:49:47 bdt.ipa.belway.me systemd[1]: sssd.service: Main process exited, code=exited, status=1/FAILURE
Jan 06 10:49:47 bdt.ipa.belway.me systemd[1]: sssd.service: Failed with result 'exit-code'.
Jan 06 10:49:47 bdt.ipa.belway.me systemd[1]: Failed to start sssd.service - System Security Services Daemon.

# Current build
OSTREE_VERSION='41.20250106.0'
BUILD_ID="Stable (F41.20250106)"
BOOTLOADER_NAME="Bazzite Stable (F41.20250106)"

# Capabilities
getcap /usr/libexec/sssd/*
/usr/libexec/sssd/krb5_child cap_chown,cap_dac_override,cap_setgid,cap_setuid=ep
/usr/libexec/sssd/ldap_child cap_chown,cap_dac_override,cap_setgid,cap_setuid=ep
/usr/libexec/sssd/selinux_child cap_setgid,cap_setuid=p
/usr/libexec/sssd/sssd_pam cap_dac_read_search=p

@ABotelho23

My desktop rebooted into ostree-image-signed:docker://ghcr.io/ublue-os/bazzite-gnome:41 version 41.20250106.3 and it was broken for me too.
