SSSD Socket Errors after Upgrade to 5.2

After the upgrade from UCS 5.0 to 5.2 I get these socket errors on all nodes:

UNIT                 LOAD   ACTIVE SUB    DESCRIPTION                              
● sssd-nss.socket      loaded failed failed SSSD NSS Service responder socket
● sssd-pam-priv.socket loaded failed failed SSSD PAM Service responder private socket
● sssd-pam.socket      loaded failed failed SSSD PAM Service responder socket

But I guess this can be ignored? Would it be best to disable the sockets altogether with systemctl?

I have noticed the same error on my side. Based on this bug description from Ubuntu it is not fatal, because the services are socket activated.

The processes still run on a server on which the services are not started.

root         796  0.0  0.4  95064 24540 ?        Ss   09:52   0:00 /usr/sbin/sssd -i --logger=files
root         984  0.0  0.5 106360 33376 ?        S    09:52   0:00  \_ /usr/libexec/sssd/sssd_be --domain intra.edvnet-uk.com --uid 0 --gid 0 --logger=files
root         985  0.0  0.5 105872 32828 ?        S    09:52   0:00  \_ /usr/libexec/sssd/sssd_be --domain nonposixldap --uid 0 --gid 0 --logger=files
root        1108  0.0  0.7 128224 47348 ?        S    09:52   0:00  \_ /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
root        1109  0.0  0.4  94488 25664 ?        S    09:52   0:00  \_ /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files
root       26495  0.0  0.0   6704  2304 pts/0    S+   12:02   0:00  |   |   \_ grep --color=auto sssd

I have made the recommended change in my Univention template. As a result, I no longer have any failed services after starting.

--- /etc/univention/templates/files/etc/sssd/sssd.conf.bak      2025-06-09 12:00:14.612000000 +0200
+++ /etc/univention/templates/files/etc/sssd/sssd.conf  2025-06-09 11:55:42.792000000 +0200
@@ -16,7 +16,7 @@

 print('[sssd]')
 print('config_file_version = 2')
-print('services = nss, pam')
+print('#services = nss, pam')
 print('domains = %s, nonposixldap' % domainname)
 if os.path.exists('/var/www/ucsCA.crl'):
     print('certificate_verification = no_ocsp,soft_crl,crl_file=/var/www/ucsCA.crl')
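
Review bot: the added `print('#services = nss, pam')` line leaves the old setting behind as a commented-out line in the generated sssd.conf with nothing saying why it was disabled; either drop the print entirely or emit a comment line stating that the nss and pam responders are left to socket activation. The change also sits in the file under /etc/univention/templates/files/, which a later reply in this thread says triggers a template warning in the system diagnostics, so the drop-in under /etc/sssd/conf.d/ shown there is the less intrusive place for it.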

1 Like

The stupid thing is that there is then a template warning in the system diagnostics.

The better way, I think, is to only create this file:

cat <<EOF > /etc/sssd/conf.d/sssd_noservices.conf
# See
#    man sssd.conf
#    man sssd-ldap
#    man sssd-ldap-attributes
#
[sssd]
services =
EOF

[EDIT]
The file system rights have to be set:

chmod 600 /etc/sssd/conf.d/sssd_noservices.conf

With this the Univention template is unchanged and the option services is empty. Result: No failed services at startup.

2 Likes
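
A check for the drop-in approach above, as an added example that is not part of the original posts or of UCS/SSSD: it merges `sssd.conf` with the `conf.d` snippets and reports which socket-activated responders are still named in `services`. It assumes the socket units fail when the same responder is also listed in `services`, and that SSSD skips snippets that are not mode 600; the function names and the temp-dir sample files are constructed for illustration.

```python
import configparser, os, stat, tempfile

SOCKET_RESPONDERS = {"nss", "pam"}  # responders whose .socket units failed in the thread

def effective_services(main_conf, conf_d):
    """Return (services, skipped): merged [sssd] services, and snippets skipped for bad mode."""
    files, skipped = [main_conf], []
    if os.path.isdir(conf_d):
        for name in sorted(os.listdir(conf_d)):
            if name.startswith(".") or not name.endswith(".conf"):
                continue  # sssd.conf(5): only non-hidden *.conf snippets are read
            path = os.path.join(conf_d, name)
            if stat.S_IMODE(os.stat(path).st_mode) != 0o600:
                skipped.append(path)  # assumption: SSSD skips snippets that are not 0600
                continue
            files.append(path)
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read(files)  # later files override earlier ones
    raw = cp.get("sssd", "services", fallback="")
    return {s.strip() for s in raw.split(",") if s.strip()}, skipped

def conflicts(main_conf, conf_d):
    """Responders both started via 'services' and socket-activated, plus skipped snippets."""
    services, skipped = effective_services(main_conf, conf_d)
    return sorted(services & SOCKET_RESPONDERS), skipped

def demo():
    """Constructed files in a temp dir: no snippet, snippet at 0644, snippet at 0600."""
    out = []
    with tempfile.TemporaryDirectory() as d:
        main, conf_d = os.path.join(d, "sssd.conf"), os.path.join(d, "conf.d")
        os.mkdir(conf_d)
        with open(main, "w") as f:
            f.write("[sssd]\nconfig_file_version = 2\nservices = nss, pam\n")
        out.append(conflicts(main, conf_d)[0])
        snippet = os.path.join(conf_d, "sssd_noservices.conf")
        with open(snippet, "w") as f:
            f.write("[sssd]\nservices =\n")
        for mode in (0o644, 0o600):
            os.chmod(snippet, mode)
            out.append(conflicts(main, conf_d)[0])
    return out

if __name__ == "__main__":
    print(demo())
```

On a real host, `conflicts("/etc/sssd/sssd.conf", "/etc/sssd/conf.d")` should return an empty first element once the drop-in is in place with the right mode.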

Nice :) That is working fine! Thx