[Freeipa-users] cron reports "ORPHAN (no passwd entry)" for the @reboot jobs

Lukas Slebodnik lslebodn at redhat.com
Tue May 3 08:21:46 UTC 2016 

On (03/05/16 07:35), Harald Dunkel wrote:
>Hi Lukas,
>
>On 05/02/16 17:59, Lukas Slebodnik wrote:
>> Could you provide output of "systemctl cat sssd.service"?
>> In my case, it should be started before nss-user-lookup.target
>> 
>>     # /usr/lib/systemd/system/sssd.service
>>     [Unit]
>>     Description=System Security Services Daemon
>>     # SSSD must be running before we permit user sessions
>>     Before=systemd-user-sessions.service nss-user-lookup.target
>>     Wants=nss-user-lookup.target
>> 
>>     [Service]
>>     EnvironmentFile=-/etc/sysconfig/sssd
>>     ExecStart=/usr/sbin/sssd -D -f
>>     # These two should be used with traditional UNIX forking daemons
>>     # consult systemd.service(5) for more details
>>     Type=forking
>>     PIDFile=/var/run/sssd.pid
>> 
>>     [Install]
>>     WantedBy=multi-user.target
>
>I got
>
>	# /lib/systemd/system/sssd.service
>	[Unit]
>	Description=System Security Services Daemon
>	# SSSD must be running before we permit user sessions
>	Before=systemd-user-sessions.service nss-user-lookup.target
>	Wants=nss-user-lookup.target
>
>	[Service]
>	EnvironmentFile=-/etc/sysconfig/sssd
>	ExecStart=/usr/sbin/sssd -D -f
>	# These two should be used with traditional UNIX forking daemons
>	# consult systemd.service(5) for more details
>	Type=forking
>	PIDFile=/var/run/sssd.pid
>
>	[Install]
>	WantedBy=multi-user.target
>
>Except for the first comment line diff doesn't show a
>difference.
>
>Maybe there is a misunderstanding: IMHO its not sufficient to start
>sssd before systemd-user-sessions.service and nss-user-lookup.target.
>sssd and all its internal sssd_something services must have
>completed their initialization (including the user database) before
>these services can be started.
>
>Here is the output of "ps -ef", created by the "@reboot" crontab
>entry:
>
>UID         PID   PPID  C STIME TTY          TIME CMD
>root          1      0  0 14:27 ?        00:00:00 /sbin/init
>root         23      1  0 14:27 ?        00:00:00 /lib/systemd/systemd-journald
>root        159      1  0 14:28 ?        00:00:00 dhclient -v -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases eth0
>daemon      193      1  0 14:28 ?        00:00:00 /usr/sbin/atd -f
>root        194      1  0 14:28 ?        00:00:00 /usr/sbin/cron -f
>root        195      1  0 14:28 ?        00:00:00 /usr/sbin/ModemManager
>root        198      1  0 14:28 ?        00:00:00 /usr/sbin/inetd -i
>root        199      1  0 14:28 ?        00:00:00 /usr/sbin/sshd -D
>root        200      1  0 14:28 ?        00:00:00 lldpd: monitor
>root        201      1  0 14:28 ?        00:00:00 /usr/sbin/sssd -D -f
>message+    206      1  0 14:28 ?        00:00:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
>lp          218      1  0 14:28 ?        00:00:00 /usr/sbin/lpd -s
>root        220      1  0 14:28 ?        00:00:00 /usr/sbin/ntpd -p /var/run/ntpd.pid -c /var/lib/ntp/ntp.conf.dhcp -u 112:121
>root        226      1  0 14:28 ?        00:00:00 /usr/sbin/certmonger -S -p /var/run/certmonger.pid -n
>root        227      1  0 14:28 ?        00:00:00 /usr/sbin/rsyslogd -n
>_lldpd      229    200  0 14:28 ?        00:00:00 lldpd: no neighbor
>root        262      1  0 14:28 ?        00:00:00 /usr/lib/policykit-1/polkitd --no-debug
>root        263    194  0 14:28 ?        00:00:00 /usr/sbin/CRON -f
>zabbix      271      1  0 14:28 ?        00:00:00 /usr/sbin/zabbix_agentd
>zabbix      274    271  0 14:28 ?        00:00:00 /usr/sbin/zabbix_agentd: collector [idle 1 sec]
>zabbix      275    271  0 14:28 ?        00:00:00 /usr/sbin/zabbix_agentd: listener #1 [waiting for connection]
>zabbix      276    271  0 14:28 ?        00:00:00 /usr/sbin/zabbix_agentd: listener #2 [waiting for connection]
>zabbix      277    271  0 14:28 ?        00:00:00 /usr/sbin/zabbix_agentd: listener #3 [waiting for connection]
>zabbix      278    271  0 14:28 ?        00:00:00 /usr/sbin/zabbix_agentd: active checks #1 [idle 1 sec]
>root        492    226  0 14:28 ?        00:00:00 /usr/lib/x86_64-linux-gnu/certmonger/ipa-submit
>root        502    226  0 14:28 ?        00:00:00 /usr/lib/x86_64-linux-gnu/certmonger/ipa-submit
>Debian-+    504      1  0 14:28 ?        00:00:00 /usr/sbin/exim4 -bd -q30m
>root        505    226  0 14:28 ?        00:00:00 /usr/lib/x86_64-linux-gnu/certmonger/ipa-submit
>root        506    226  0 14:28 ?        00:00:00 /usr/lib/x86_64-linux-gnu/certmonger/ipa-submit
>root        507    226  0 14:28 ?        00:00:00 /usr/lib/x86_64-linux-gnu/certmonger/ipa-submit
>root        508    226  0 14:28 ?        00:00:00 /usr/lib/x86_64-linux-gnu/certmonger/ipa-submit
>root        509    226  0 14:28 ?        00:00:00 /usr/lib/x86_64-linux-gnu/certmonger/certmaster-submit
>root        510    263  0 14:28 ?        00:00:00 /bin/sh -c ( ps -ef; ls -al /home ) >/var/tmp/ls.log
>root        511    510  0 14:28 ?        00:00:00 /bin/sh -c ( ps -ef; ls -al /home ) >/var/tmp/ls.log
>root        512    201  0 14:28 ?        00:00:00 /usr/sbin/sssd -D -f
>root        515    226  0 14:28 ?        00:00:00 /usr/lib/x86_64-linux-gnu/certmonger/certmaster-submit
>root        516    511  0 14:28 ?        00:00:00 ps -ef
>root        517    226  0 14:28 ?        00:00:00 /usr/lib/x86_64-linux-gnu/certmonger/certmaster-submit
>root        518    226  0 14:28 ?        00:00:00 /usr/lib/x86_64-linux-gnu/certmonger/certmaster-submit
>root        519    512  0 14:28 ?        00:00:00 /usr/sbin/sssd -D -f
>root        520    226  0 14:28 ?        00:00:00 /usr/lib/x86_64-linux-gnu/certmonger/certmaster-submit
>root        521    226  0 14:28 ?        00:00:00 /usr/lib/x86_64-linux-gnu/certmonger/certmaster-submit
>
>Please note that the sssd_* jobs are missing, and yet the
>cron service has been started to run this cron job.
>
But that's not a problem of sssd. It bug in cron service file.
If cron relies on user lookup then it shoudl not be started before
nss-user-lookup.target.

Fedora has correct service file for crond.

    sh$ systemctl cat crond.service
    # /usr/lib/systemd/system/crond.service
    [Unit]
    Description=Command Scheduler
    After=auditd.service nss-user-lookup.target systemd-user-sessions.service
    time-sync.target ypbind.service

    [Service]
    EnvironmentFile=/etc/sysconfig/crond
    ExecStart=/usr/sbin/crond -n $CRONDARGS
    ExecReload=/bin/kill -HUP $MAINPID
    KillMode=process

    [Install]
    WantedBy=multi-user.target

Debian has quite minimal version
    sh$ systemctl cat cron.service
    # /lib/systemd/system/cron.service
    [Unit]
    Description=Regular background program processing daemon
    Documentation=man:cron(8)

    [Service]
    EnvironmentFile=-/etc/default/cron
    ExecStart=/usr/sbin/cron -f $EXTRA_OPTS
    IgnoreSIGPIPE=false
    KillMode=process

    [Install]
    WantedBy=multi-user.target

You can create your custom version in
/etc/systemd/system/cron.service
but do not forget to call "systemctl daemon-reload"

LS

More information about the Freeipa-users mailing list