Re: Reducing reliance on "legacy" user-group store(s) like /etc/{passwd,group}

On Mi, 28.05.25 16:51, Alexander Bokovoy (abokovoy@xxxxxxxxxx) wrote:

> > > socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 4
> > > connect(4, {sa_family=AF_UNIX, sun_path="/run/systemd/userdb/io.systemd.DynamicUser"}, 45) = 0
> > > socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 7
> > > connect(7, {sa_family=AF_UNIX, sun_path="/run/systemd/userdb/io.systemd.NamespaceResource"}, 51) = 0
> > > socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 8
> > > connect(8, {sa_family=AF_UNIX, sun_path="/run/systemd/userdb/io.systemd.DropIn"}, 40) = 0
> > > socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 9
> > > connect(9, {sa_family=AF_UNIX, sun_path="/run/systemd/userdb/io.systemd.Home"}, 38) = 0
> > > socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 10
> > > connect(10, {sa_family=AF_UNIX, sun_path="/run/systemd/userdb/io.systemd.Machine"}, 41) = 0
> >
> > Not sure I follow? This trace shows only systemd's own five userdb
> > implementations, none provided by sssd? And you used "-s systemd" on
> > the getent cmdline, hence you prohibit NSS to ever query anything else
> > but systemd's userdb.
>
> I limited communication to what is not working.
>
> >
> > hence of course you are not getting any sssd records, because you
> > don't have the userdb socket for it around, and you don't want the NSS
> > logic to talk to anything but userdb either?
>
> I think you are missing my point, indeed. What I am trying to say is that
>
> $ userdbctl groups-of-user --with-dropin=yes --multiplexer=yes --with-nss=yes abokovoy
> No memberships.
>
> is not expected behavior.

So that "abokovoy" user, by what is it backed? By a native userdb
service? Or by NSS?

I presume this has a native userdb api, because that's what we are
talking about here, no? Is that API implementing GetMemberships()
properly? What does "strace -s500 -y" of "userdbctl groups-of-user
--multiplexer=no abokovoy" actually show?

> Regardless of what I try, userdbctl cannot see groups that I am otherwise a
> member of via user lookup. This makes userdb API useless in the context
> I have and I want to understand what is not working here. Are you
> implying that something is incorrect in my usage of userdb API?

I still do not understand what your setup actually is, i.e. whether
the issue you are seeing is supposedly an issue with the synthesis of
userdb records from NSS records and your service only provides NSS, or
if your service implements the native userdb stuff and the memberships
are not listed properly.

Lennart

--
Lennart Poettering, Berlin
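
Added example, not part of the original message and not systemd or sssd code: a minimal Python client for the GetMemberships() call asked about above, which talks to one userdb service socket directly so you can see whether that service returns memberships or an error. The function names and the sample replies (user "alice") are constructed for illustration; the method name, the NUL-terminated JSON framing and the reply fields follow systemd's documented User/Group Record Lookup API via Varlink.

```python
import json
import socket

METHOD = "io.systemd.UserDatabase.GetMemberships"

def build_call(user_name, service):
    """One Varlink call: a JSON object terminated by a NUL byte."""
    call = {"method": METHOD, "more": True,  # "more": expect a reply stream
            "parameters": {"userName": user_name, "service": service}}
    return json.dumps(call).encode() + b"\0"

def parse_replies(buf):
    """Return (memberships, error, done) for the complete frames in buf."""
    memberships = []
    frames = buf.split(b"\0")[:-1]  # drop the trailing partial (or empty) frame
    for frame in frames:
        reply = json.loads(frame)
        if "error" in reply:  # e.g. NoRecordFound: service has no memberships
            return memberships, reply["error"], True
        params = reply.get("parameters", {})
        memberships.append((params.get("userName"), params.get("groupName")))
        if not reply.get("continues", False):  # last reply of the stream
            return memberships, None, True
    return memberships, None, False

def query(service, user_name, directory="/run/systemd/userdb"):
    """Ask one service socket directly, bypassing the multiplexer."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(f"{directory}/{service}")
        sock.sendall(build_call(user_name, service))
        buf = b""
        while True:
            chunk = sock.recv(4096)
            buf += chunk
            result = parse_replies(buf)
            if result[2] or not chunk:  # stream finished or peer closed
                return result[:2]

# Constructed sample replies (not captured from a real system).
SAMPLE_OK = (
    b'{"parameters":{"userName":"alice","groupName":"wheel"},"continues":true}\0'
    b'{"parameters":{"userName":"alice","groupName":"admins"}}\0')
SAMPLE_NONE = b'{"error":"io.systemd.UserDatabase.NoRecordFound","parameters":{}}\0'

if __name__ == "__main__":
    print(parse_replies(SAMPLE_OK))    # two memberships, no error
    print(parse_replies(SAMPLE_NONE))  # no memberships, NoRecordFound
```

On a live system, `query("<socket name>", "<user>")` takes the name of a socket that exists under /run/systemd/userdb/; an empty list with a NoRecordFound error corresponds to the "No memberships." output quoted above.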