SSSD / sssd

A daemon to manage identity, authentication and authorization for centrally-managed systems.
https://sssd.io
GNU General Public License v3.0

sssd-2.9.5 fails to run when built against samba-4.21.0 instead of ldb-2.9.1 #7572

Closed tgurr closed 2 months ago

tgurr commented 2 months ago

samba 4.21.0 was built with --private-libraries='!ldb' as mentioned in the upstream release notes (https://www.samba.org/samba/history/samba-4.21.0.html). Building sssd-2.9.5 against that samba also works without any issue, but at runtime the systemd service fails to start. When reverting back to the standalone ldb-2.9.1 and rebuilding sssd against that instead, things start to work again.

I couldn't find anything obvious in the logs, and there are some red herrings with various other warnings, but they're the same so I guess they're unrelated to my problem here.

The only obvious difference is:

ldb-2.9.1: (2024-09-05 17:25:02): [sssd] [sysdb_cache_connect_helper] (0x0020): sysdb_ldb_connect failed.
samba-4.21.0: (2024-09-05 17:11:56): [sssd] [sysdb_ldb_reconnect] (0x0020): sysdb_ldb_connect failed.

However, as I also get them with ldb-2.9.1 it may be one of said red herrings.

working (ldb-2.9.1/sssd-2.9.5) sssd.log:

[...]
   *  [sssd] [confdb_expand_app_domains] (0x2000): DOMAIN is not an app domain
   *  [sssd] [confdb_init_domain_pwd_expire] (0x1000): pwd_expiration_warning is -1
   *  [sssd] [server_setup] (0x0080): Failed setting process group: Operation not permitted[1]. We might leak processes in case of failure
   *  [sssd] [become_user] (0x0200): Trying to become user [0][0].
   *  [sssd] [become_user] (0x0200): Already user [0].
   *  [sssd] [ldb] (0x0400): server_sort:Unable to register control with rootdse!
   *  (2024-09-05 17:25:02): [sssd] [server_setup] (0x0400): CONFDB: /var/lib/sss/db/config.ldb
   *  (2024-09-05 17:25:02): [sssd] [confdb_init_domain_pwd_expire] (0x1000): pwd_expiration_warning is -1
   *  (2024-09-05 17:25:02): [sssd] [sysdb_ldb_connect] (0x4000): No ldb module path set in env
   *  (2024-09-05 17:25:02): [sssd] [sss_names_init_from_args] (0x0100): Using re [^((?P<name>.+)@(?P<domain>[^@]+)|(?P<name>[^@]+))$].
   *  (2024-09-05 17:25:02): [sssd] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
   *  (2024-09-05 17:25:02): [sssd] [sysdb_domain_init_internal] (0x0200): DB File for DOMAIN: /var/lib/sss/db/cache_DOMAIN.ldb
   *  (2024-09-05 17:25:02): [sssd] [sysdb_domain_init_internal] (0x0200): Timestamp file for DOMAIN: /var/lib/sss/db/timestamps_DOMAIN.ldb
   *  (2024-09-05 17:25:02): [sssd] [sysdb_ldb_connect] (0x4000): No ldb module path set in env
   *  (2024-09-05 17:25:02): [sssd] [ldb] (0x0010): WARNING: Module [memberof] not found - do you need to set LDB_MODULES_PATH?
********************** BACKTRACE DUMP ENDS HERE *********************************

(2024-09-05 17:25:02): [sssd] [ldb] (0x0010): Unable to load modules for /var/lib/sss/db/cache_DOMAIN.ldb: (null)
   *  ... skipping repetitive backtrace ...
(2024-09-05 17:25:02): [sssd] [sysdb_cache_connect_helper] (0x0020): sysdb_ldb_connect failed.
(2024-09-05 17:25:02): [sssd] [sysdb_domain_init_internal] (0x0020): Could not open the sysdb cache [5]: Eingabe-/Ausgabefehler
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
   *  (2024-09-05 17:25:02): [sssd] [sysdb_cache_connect_helper] (0x0020): sysdb_ldb_connect failed.
   *  (2024-09-05 17:25:02): [sssd] [sysdb_domain_init_internal] (0x0020): Could not open the sysdb cache [5]: Eingabe-/Ausgabefehler
********************** BACKTRACE DUMP ENDS HERE *********************************

(2024-09-05 17:25:02): [sssd] [sysdb_init_ext] (0x0020): Cannot connect to database for DOMAIN: [5]: Eingabe-/Ausgabefehler
(2024-09-05 17:33:19): [sssd] [server_setup] (0x3f7c0): Starting with debug level = 0x0070
(2024-09-05 17:33:36): [sssd] [monitor_quit_signal] (0x3f7c0): Monitor received Beendet: terminating children
(2024-09-05 17:33:36): [sssd] [monitor_quit] (0x3f7c0): Returned with: 0
(2024-09-05 17:33:36): [sssd] [monitor_quit] (0x3f7c0): Terminating [pam][69740]
(2024-09-05 17:33:36): [sssd] [monitor_quit] (0x3f7c0): Child [pam] exited gracefully
(2024-09-05 17:33:36): [sssd] [monitor_quit] (0x3f7c0): Terminating [nss][69739]
(2024-09-05 17:33:36): [sssd] [monitor_quit] (0x3f7c0): Child [nss] exited gracefully
(2024-09-05 17:33:36): [sssd] [monitor_quit] (0x3f7c0): Terminating [DOMAIN][69738]
(2024-09-05 17:33:36): [sssd] [monitor_quit] (0x3f7c0): Child [DOMAIN] exited gracefully
(2024-09-05 17:33:58): [sssd] [server_setup] (0x3f7c0): Starting with debug level = 0x0070
# systemctl status sssd
● sssd.service - System Security Services Daemon
     Loaded: loaded (/usr/x86_64-pc-linux-gnu/lib/systemd/system/sssd.service; enabled; preset: enabled)
     Active: active (running) since Thu 2024-09-05 17:33:58 CEST; 21h ago
 Invocation: 1f7e9ccefc404ea7bc71fb2530c81d61
   Main PID: 378 (sssd)
      Tasks: 4 (limit: 18749)
     Memory: 141.8M (peak: 247.2M swap: 17.5M swap peak: 18.2M)
        CPU: 6min 33.907s
     CGroup: /system.slice/sssd.service
             ├─378 /usr/x86_64-pc-linux-gnu/bin/sssd -i --logger=files
             ├─426 /usr/x86_64-pc-linux-gnu/libexec/sssd/sssd_be --domain DOMAIN --uid 0 --gid 0 --logger=files
             ├─427 /usr/x86_64-pc-linux-gnu/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
             └─428 /usr/x86_64-pc-linux-gnu/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files

Sep 05 17:33:58 localhost systemd[1]: Starting sssd.service - System Security Services Daemon...
Sep 05 17:33:58 localhost sssd[378]: Starting up
Sep 05 17:33:58 localhost sssd_be[426]: Starting up
Sep 05 17:33:58 localhost sssd_nss[427]: Starting up
Sep 05 17:33:58 localhost sssd_pam[428]: Starting up
Sep 05 17:33:58 localhost systemd[1]: Started sssd.service - System Security Services Daemon.
Sep 05 17:33:59 localhost sssd_be[426]: Backend is offline
Sep 05 17:34:01 localhost sssd_be[426]: Backend is online

broken (samba-4.21.0/sssd-2.9.5) sssd.log:

[...]
   *  [sssd] [confdb_expand_app_domains] (0x2000): DOMAIN is not an app domain
   *  [sssd] [confdb_init_domain_pwd_expire] (0x1000): pwd_expiration_warning is -1
   *  [sssd] [server_setup] (0x0080): Failed setting process group: Operation not permitted[1]. We might leak processes in case of failure
   *  [sssd] [become_user] (0x0200): Trying to become user [0][0].
   *  [sssd] [become_user] (0x0200): Already user [0].
   *  [sssd] [ldb] (0x0400): server_sort:Unable to register control with rootdse!
   *  (2024-09-05 17:11:56): [sssd] [server_setup] (0x0400): CONFDB: /var/lib/sss/db/config.ldb
   *  (2024-09-05 17:11:56): [sssd] [confdb_init_domain_pwd_expire] (0x1000): pwd_expiration_warning is -1
   *  (2024-09-05 17:11:56): [sssd] [sysdb_ldb_connect] (0x4000): No ldb module path set in env
   *  (2024-09-05 17:11:56): [sssd] [sss_names_init_from_args] (0x0100): Using re [^((?P<name>.+)@(?P<domain>[^@]+)|(?P<name>[^@]+))$].
   *  (2024-09-05 17:11:56): [sssd] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
   *  (2024-09-05 17:11:56): [sssd] [sysdb_domain_init_internal] (0x0200): DB File for DOMAIN: /var/lib/sss/db/cache_DOMAIN.ldb
   *  (2024-09-05 17:11:56): [sssd] [sysdb_domain_init_internal] (0x0200): Timestamp file for DOMAIN: /var/lib/sss/db/timestamps_DOMAIN.ldb
   *  (2024-09-05 17:11:56): [sssd] [sysdb_ldb_connect] (0x4000): No ldb module path set in env
   *  (2024-09-05 17:11:56): [sssd] [sysdb_ldb_connect] (0x4000): No ldb module path set in env
   *  (2024-09-05 17:11:56): [sssd] [ldb] (0x0010): WARNING: Module [memberof] not found - do you need to set LDB_MODULES_PATH?
********************** BACKTRACE DUMP ENDS HERE *********************************

(2024-09-05 17:11:56): [sssd] [ldb] (0x0010): Unable to load modules for /var/lib/sss/db/cache_DOMAIN.ldb: (null)
   *  ... skipping repetitive backtrace ...
(2024-09-05 17:11:56): [sssd] [sysdb_ldb_reconnect] (0x0020): sysdb_ldb_connect failed.
(2024-09-05 17:11:56): [sssd] [sysdb_domain_init_internal] (0x0020): Could not open the sysdb cache [5]: Eingabe-/Ausgabefehler
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
   *  (2024-09-05 17:11:56): [sssd] [sysdb_ldb_reconnect] (0x0020): sysdb_ldb_connect failed.
   *  (2024-09-05 17:11:56): [sssd] [sysdb_domain_init_internal] (0x0020): Could not open the sysdb cache [5]: Eingabe-/Ausgabefehler
********************** BACKTRACE DUMP ENDS HERE *********************************

(2024-09-05 17:11:56): [sssd] [sysdb_init_ext] (0x0020): Cannot connect to database for DOMAIN: [5]: Eingabe-/Ausgabefehler
# systemctl status sssd.service 
× sssd.service - System Security Services Daemon
     Loaded: loaded (/usr/x86_64-pc-linux-gnu/lib/systemd/system/sssd.service; enabled; preset: enabled)
     Active: failed (Result: exit-code) since Fri 2024-09-06 14:27:02 CEST; 12min ago
 Invocation: 38a446f5d8df425aa7ee9dbd1a4c0c14
    Process: 235 ExecStart=/usr/x86_64-pc-linux-gnu/bin/sssd -i ${DEBUG_LOGGER} (code=exited, status=3)
   Main PID: 235 (code=exited, status=3)
   Mem peak: 16.4M
        CPU: 24ms

Sep 06 14:27:02 hnexherbodesk systemd[1]: Starting sssd.service - System Security Services Daemon...
Sep 06 14:27:02 hnexherbodesk sssd[235]: Could not create private keyring session. If you store password there they may be easily accessible to the root user. (38, Function not implemented)
Sep 06 14:27:02 hnexherbodesk sssd[235]: Could not set permissions on private keyring. If you store password there they may be easily accessible to the root user. (38, Function not implemented)
Sep 06 14:27:02 hnexherbodesk sssd[235]: Starting up
Sep 06 14:27:02 hnexherbodesk systemd[1]: sssd.service: Main process exited, code=exited, status=3/NOTIMPLEMENTED
Sep 06 14:27:02 hnexherbodesk systemd[1]: sssd.service: Failed with result 'exit-code'.
Sep 06 14:27:02 hnexherbodesk systemd[1]: Failed to start sssd.service - System Security Services Daemon.

alexey-tikhonov commented 2 months ago

Just for the record:

working (ldb-2.9.1/sssd-2.9.5) sssd.log: [sssd] [ldb] (0x0010): WARNING: Module [memberof] not found - do you need to set LDB_MODULES_PATH?

-- this also looks "broken".

alexey-tikhonov commented 2 months ago

Is memberof.so installed on your system?

Typical path, depending on your OS, could be /usr/lib64/ldb/modules/ldb/memberof.so

tgurr commented 2 months ago

Is memberof.so installed on your system?

Typical path, depending on your OS, could be /usr/lib64/ldb/modules/ldb/memberof.so

I have /usr/x86_64-pc-linux-gnu/lib/ldb/memberof.so which got installed by sssd:

# cave owner /usr/x86_64-pc-linux-gnu/lib/ldb/memberof.so 
sys-auth/sssd-2.9.5-r1::installed

With samba-4.21.0 I have just:

# ls -la /usr/x86_64-pc-linux-gnu/lib | grep ldb
drwxr-xr-x   2 root root      4096  6. Sep 13:56 ldb
lrwxrwxrwx   1 root root        16  6. Sep 13:55 libldb.so -> libldb.so.2.10.0
lrwxrwxrwx   1 root root        16  6. Sep 13:55 libldb.so.2 -> libldb.so.2.10.0
-rwxr-xr-x   1 root root    227496  6. Sep 13:55 libldb.so.2.10.0

# ls -la /usr/x86_64-pc-linux-gnu/lib/ldb
insgesamt 244
drwxr-xr-x  2 root root   4096  6. Sep 13:56 .
drwxr-xr-x 88 root root 172032  6. Sep 14:17 ..
-rwxr-xr-x  1 root root  68888  6. Sep 13:56 memberof.so

While with ldb-2.9.1 I have:

# ls -la /usr/x86_64-pc-linux-gnu/lib | grep ldb
drwxr-xr-x   2 root root      4096  5. Sep 17:31 ldb
lrwxrwxrwx   1 root root        15  5. Sep 17:30 libldb.so -> libldb.so.2.9.1
lrwxrwxrwx   1 root root        15  5. Sep 17:30 libldb.so.2 -> libldb.so.2.9.1
-rwxr-xr-x   1 root root    225488  5. Sep 17:30 libldb.so.2.9.1
lrwxrwxrwx   1 root root        51  5. Sep 17:30 libpyldb-util.cpython-312-x86-64-linux-gnu.so -> libpyldb-util.cpython-312-x86-64-linux-gnu.so.2.9.1
lrwxrwxrwx   1 root root        51  5. Sep 17:30 libpyldb-util.cpython-312-x86-64-linux-gnu.so.2 -> libpyldb-util.cpython-312-x86-64-linux-gnu.so.2.9.1
-rwxr-xr-x   1 root root     22768  5. Sep 17:30 libpyldb-util.cpython-312-x86-64-linux-gnu.so.2.9.1

# ls -la /usr/x86_64-pc-linux-gnu/lib/ldb
insgesamt 700
drwxr-xr-x   2 root root   4096  5. Sep 17:31 .
drwxr-xr-x 187 root root 307200  6. Sep 14:33 ..
-rwxr-xr-x   1 root root  14728  5. Sep 17:30 asq.so
-rwxr-xr-x   1 root root  23280  5. Sep 17:30 ldap.so
-rwxr-xr-x   1 root root  14488  5. Sep 17:30 ldb.so
-rwxr-xr-x   1 root root  28392  5. Sep 17:30 libldb-cmdline.so
-rwxr-xr-x   1 root root  89496  5. Sep 17:30 libldb-key-value.so
-rwxr-xr-x   1 root root  14472  5. Sep 17:30 libldb-tdb-err-map.so
-rwxr-xr-x   1 root root  23136  5. Sep 17:30 libldb-tdb-int.so
-rwxr-xr-x   1 root root  68888  5. Sep 17:31 memberof.so
-rwxr-xr-x   1 root root  18888  5. Sep 17:30 paged_searches.so
-rwxr-xr-x   1 root root  22992  5. Sep 17:30 rdn_name.so
-rwxr-xr-x   1 root root  14720  5. Sep 17:30 sample.so
-rwxr-xr-x   1 root root  18840  5. Sep 17:30 server_sort.so
-rwxr-xr-x   1 root root  14640  5. Sep 17:30 skel.so
-rwxr-xr-x   1 root root  14456  5. Sep 17:30 tdb.so

tgurr commented 2 months ago

Ah just found the missing ones with samba-4.21.0 at:

/usr/x86_64-pc-linux-gnu/lib/samba/ldb/
insgesamt 228
drwxr-xr-x 2 root root  4096  6. Sep 13:55 .
drwxr-xr-x 7 root root 12288  6. Sep 13:55 ..
-rwxr-xr-x 1 root root 14440  6. Sep 13:55 asq.so
-rwxr-xr-x 1 root root 26728  6. Sep 13:55 ildap.so
-rwxr-xr-x 1 root root 22632  6. Sep 13:55 ldap.so
-rwxr-xr-x 1 root root 18456  6. Sep 13:55 ldbsamba_extensions.so
-rwxr-xr-x 1 root root 14360  6. Sep 13:55 ldb.so
-rwxr-xr-x 1 root root 18560  6. Sep 13:55 paged_searches.so
-rwxr-xr-x 1 root root 22632  6. Sep 13:55 rdn_name.so
-rwxr-xr-x 1 root root 14520  6. Sep 13:55 sample.so
-rwxr-xr-x 1 root root 14440  6. Sep 13:55 server_sort.so
-rwxr-xr-x 1 root root 14440  6. Sep 13:55 skel.so
-rwxr-xr-x 1 root root 14360  6. Sep 13:55 tdb.so

which also appears to match the location of installed files from the Debian package: https://debian.pkgs.org/sid/debian-main-amd64/libldb2_2.10.0+samba4.21.0+dfsg-1_amd64.deb.html

Edit: manually moving over the /usr/x86_64-pc-linux-gnu/lib/ldb/memberof.so to /usr/x86_64-pc-linux-gnu/lib/samba/ldb/ allows sssd to start up again. Thanks for the hint, looking at our package I can probably just adjust the path via --with-ldb-lib-dir. Sorry for the noise.

tgurr commented 2 months ago

Adjusting the path via --with-ldb-lib-dir for sssd (to /usr/x86_64-pc-linux-gnu/lib/samba/ldb/) worked (https://gitlab.exherbo.org/exherbo/net/-/commit/8a8ad2ecfe7d41d58c0536948bf1dde0d03f7a27). Sorry for wasting your time, hopefully it might at least help someone else running into this.
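The thread comes down to one check: the directory ldb searches for modules must be the directory memberof.so was installed into, otherwise sssd's cache cannot open and the daemon exits before any authentication service is up. The script below is an added example, not code from the sssd project or from the reporter. It resolves the module directory from an explicit argument, from LDB_MODULES_PATH (the variable the log warning mentions), or from pkg-config, verifies memberof.so is there, and lists copies installed elsewhere, which is exactly the lib/ldb versus lib/samba/ldb split shown above. Two assumptions not taken from the page: that ldb.pc exports a "modulesdir" pkg-config variable, and that LDB_MODULES_PATH may hold a colon-separated list, of which only the first entry is checked.

```shell
#!/bin/sh
# Added example, not code from the sssd project or the issue reporter.
# Verifies that the ldb module directory sssd will search contains memberof.so
# (the module sssd installs for its cache) and reports copies installed
# elsewhere, which is the failure mode in this issue.
#
# Assumptions (not from the page): ldb.pc exports a "modulesdir" pkg-config
# variable, and LDB_MODULES_PATH may be a colon-separated list, of which the
# first entry is used here.

# ldb_modules_dir [DIR]
# Prints the module directory ldb will search. Precedence: explicit argument,
# LDB_MODULES_PATH, then pkg-config. Returns 1 if none of them yields a path.
ldb_modules_dir() {
    if [ -n "${1:-}" ]; then
        printf '%s\n' "$1"
    elif [ -n "${LDB_MODULES_PATH:-}" ]; then
        printf '%s\n' "${LDB_MODULES_PATH%%:*}"
    elif command -v pkg-config >/dev/null 2>&1 && pkg-config --exists ldb 2>/dev/null; then
        pkg-config --variable=modulesdir ldb
    else
        return 1
    fi
}

# Modules sssd needs that ldb itself does not ship.
SSSD_LDB_MODULES="memberof.so"

# check_sssd_ldb_modules [DIR]
# Returns 0 when every module in SSSD_LDB_MODULES is readable in DIR,
# 1 when one is missing (named on stderr), 2 when DIR cannot be resolved.
check_sssd_ldb_modules() {
    dir=$(ldb_modules_dir "${1:-}") || {
        echo "cannot determine ldb module directory" >&2
        return 2
    }
    missing=0
    for mod in $SSSD_LDB_MODULES; do
        if [ ! -r "$dir/$mod" ]; then
            echo "missing: $dir/$mod (sssd would log 'Module [${mod%.so}] not found')" >&2
            missing=1
        fi
    done
    return $missing
}

# find_stray_modules DIR ROOT...
# Prints every copy of a needed module found under the ROOT directories but
# outside DIR, e.g. lib/ldb/memberof.so when ldb now looks in lib/samba/ldb.
find_stray_modules() {
    dir=$1
    shift
    for root in "$@"; do
        for mod in $SSSD_LDB_MODULES; do
            find "$root" -name "$mod" 2>/dev/null
        done
    done | while IFS= read -r path; do
        case "$path" in
            "$dir"/*) ;;                 # lives where ldb will look: fine
            *) printf '%s\n' "$path" ;;  # installed elsewhere: report it
        esac
    done
}

# Stand-alone use on a live system: sh check_ldb_modules.sh --check
case "${1:-}" in
    --check)
        if check_sssd_ldb_modules; then
            echo "ok: $(ldb_modules_dir)"
        else
            echo "copies installed outside the module directory:" >&2
            find_stray_modules "$(ldb_modules_dir)" /usr/lib /usr/lib64 /usr/local/lib
            exit 1
        fi
        ;;
esac
```

Run it after a samba or ldb upgrade, or as a pre-start check in a packaging test; a non-zero exit with a path printed by find_stray_modules means the module directory sssd was configured with (--with-ldb-lib-dir) no longer matches the one the installed ldb searches.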