[opensuse] systemd boot.local
12.3 client joined to AD

Hi everyone

This is my first battle with systemd so please be patient. It may not be systemd. I'm tired of having to work around this one.

The clients need a root ticket on boot. Here's the content of /etc/init.d/boot.local

    sssd
    kinit -k -t /etc/krb5.keytab CATRAL$

Here is the content of the service file

    [Unit]
    Description=/etc/init.d/boot.local Compatibility
    After=network.target

    [Service]
    Type=oneshot
    ExecStart=/etc/init.d/boot.local
    TimeoutSec=0
    RemainAfterExit=yes
    SysVStartPriority=99

This is krb5.conf

    [libdefaults]
    default_realm = HH3.SITE
    dns_lookup_realm = false
    dns_lookup_kdc = true

Debug:

- The KDC must be available because sssd gets a ticket and fires up fine, which in turn means that the network must be up.
- sssd is in /usr/local/sbin which I've added to root's path, so the path must be set.
- DNS is OK. nslookup finds the KDC and in any case, we've already got a ticket for another process.
- If I run the script after boot, I get the ticket just fine.

Question: Why doesn't the kinit work?

Thanks
L x
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On Thursday, 2013-05-02 at 09:06 +0200, lynn wrote:
> 12.3 client joined to AD
>
> Hi everyone
>
> This is my first battle with systemd so please be patient. It may not be systemd. I'm tired of having to work around this one.
>
> The clients need a root ticket on boot. Here's the content of /etc/init.d/boot.local
>
>     sssd
>     kinit -k -t /etc/krb5.keytab CATRAL$
>
> Here is the content of the service file [Unit]
Hold on.

/etc/init.d/boot.local has to be a bash script, not a systemd service file.

And service files are started by systemd, not a boot script.

--
Cheers,
Carlos E. R.
(from 12.1 x86_64 "Asparagus" at Telcontar)
On 02/05/13 10:49, Carlos E. R. wrote:
> On Thursday, 2013-05-02 at 09:06 +0200, lynn wrote:
>
>> 12.3 client joined to AD
>>
>> Hi everyone
>>
>> This is my first battle with systemd so please be patient. It may not be systemd. I'm tired of having to work around this one.
>>
>> The clients need a root ticket on boot. Here's the content of /etc/init.d/boot.local
>>
>>     sssd
>>     kinit -k -t /etc/krb5.keytab CATRAL$
>>
>> Here is the content of the service file [Unit]
>
> Hold on.
>
> /etc/init.d/boot.local has to be a bash script, not a systemd service file.
>
> And service files are started by systemd, not a boot script.
Our /etc/init.d/boot.local is a bash script. The rc.local service calls it. I posted that config file too.

Cheers.
On Thu, 02 May 2013 09:06:20 +0200 lynn <lynn@steve-ss.com> wrote:
> 12.3 client joined to AD
>
> Hi everyone
>
> This is my first battle with systemd so please be patient. It may not be systemd. I'm tired of having to work around this one.
>
> The clients need a root ticket on boot. Here's the content of /etc/init.d/boot.local
>
>     sssd
>     kinit -k -t /etc/krb5.keytab CATRAL$

This command line is invalid, you need to escape $ using \$ or 'CATRAL$'.

> Here is the content of the service file
>
>     [Unit]
>     Description=/etc/init.d/boot.local Compatibility
>     After=network.target
>
>     [Service]
>     Type=oneshot
>     ExecStart=/etc/init.d/boot.local
>     TimeoutSec=0
>     RemainAfterExit=yes
>     SysVStartPriority=99
>
> This is krb5.conf
>
>     [libdefaults]
>     default_realm = HH3.SITE
>     dns_lookup_realm = false
>     dns_lookup_kdc = true
>
> Debug:
>
> - The KDC must be available because sssd gets a ticket and fires up fine, which in turn means that the network must be up.
> - sssd is in /usr/local/sbin which I've added to root's path, so the path must be set.
> - DNS is OK. nslookup finds the KDC and in any case, we've already got a ticket for another process.
> - If I run the script after boot, I get the ticket just fine.
>
> Question: Why doesn't the kinit work?
>
> Thanks
> L x
On 02/05/13 12:31, Andrey Borzenkov wrote:
> On Thu, 02 May 2013 09:06:20 +0200 lynn <lynn@steve-ss.com> wrote:
>> 12.3 client joined to AD
>>
>> Hi everyone
>>
>> This is my first battle with systemd so please be patient. It may not be systemd. I'm tired of having to work around this one.
>>
>> The clients need a root ticket on boot. Here's the content of /etc/init.d/boot.local
>>
>>     sssd
>>     kinit -k -t /etc/krb5.keytab CATRAL$
>
> This command line is invalid, you need to escape $ using \$ or 'CATRAL$'.
Hi

Unfortunately no. You don't need to escape the $ at the end. Sanity check:

    #!/bin/bash
    key=CATRAL$
    echo $key

The output is always:

    CATRAL$

whether you use key=CATRAL$, key='CATRAL$', key="CATRAL$" or CATRAL\$

Also tested on the actual script. I've just redone the keytab. Nada.

Thanks.
Did anyone else have 10 copies of this email (see below) in their inbox? I auto filter mine to another folder in which I had 10 copies of this email.

regards
Ian

On Thursday 02 May 2013 09:06:20 lynn wrote:
> 12.3 client joined to AD
>
> Hi everyone
>
> This is my first battle with systemd so please be patient. It may not be systemd. I'm tired of having to work around this one.
>
> The clients need a root ticket on boot. Here's the content of /etc/init.d/boot.local
>
>     sssd
>     kinit -k -t /etc/krb5.keytab CATRAL$
>
> Here is the content of the service file
>
>     [Unit]
>     Description=/etc/init.d/boot.local Compatibility
>     After=network.target
>
>     [Service]
>     Type=oneshot
>     ExecStart=/etc/init.d/boot.local
>     TimeoutSec=0
>     RemainAfterExit=yes
>     SysVStartPriority=99
>
> This is krb5.conf
>
>     [libdefaults]
>     default_realm = HH3.SITE
>     dns_lookup_realm = false
>     dns_lookup_kdc = true
>
> Debug:
>
> - The KDC must be available because sssd gets a ticket and fires up fine, which in turn means that the network must be up.
> - sssd is in /usr/local/sbin which I've added to root's path, so the path must be set.
> - DNS is OK. nslookup finds the KDC and in any case, we've already got a ticket for another process.
> - If I run the script after boot, I get the ticket just fine.
>
> Question: Why doesn't the kinit work?
>
> Thanks
> L x
ianseeks wrote:
> Did anyone else have 10 copies of this email (see below) in their inbox? I auto filter mine to another folder in which I had 10 copies of this email.

Just one copy here, but I think my newsserver will filter out duplicate message-ids.

--
Per Jessen, Zürich (17.6°C)
http://www.dns24.ch/ - free DNS hosting, made in Switzerland.
lynn said the following on 05/02/2013 03:06 AM:
> Question: Why doesn't the kinit work?

I can think of lots of reasons --- and they all get back to what you haven't told us, the "Context is everything" stuff.

Did you enable that service?
Did you use systemctl to see if it had been attempted and failed?
Did you use the debug facilities that come with systemd?
Did you look in the journal?
Did you try adding logging to the script to see if it did execute at that time but failed?

Systemd logs and traces everything it does, including stuff that it tries to do that fails.

I'm really disappointed with you in this instance, Lynn. You haven't even attempted to do the very basic investigations that are obvious from reading the man pages.

--
Context is Everything
On 02/05/13 13:07, Anton Aylward wrote:
> lynn said the following on 05/02/2013 03:06 AM:
>> Question: Why doesn't the kinit work?
>
> Did you enable that service?

No. It is a unit;)

> Did you use systemctl to see if it had been attempted and failed?

    rc-local.service loaded active exited /etc/init.d/boot.local Compatibility

> Did you use the debug facilities that come with systemd?

No.

> Did you look in the journal?

Yes.

> Did you try adding logging to the script to see if it did execute at that time but failed?

No.

> Systemd logs and traces everything it does, including stuff that it tries to do that fails.
>
> I'm really disappointed with you in this instance, Lynn. You haven't even attempted to do the very basic investigations that are obvious from reading the man pages.

Thanks. Can anyone help?
lynn said the following on 05/02/2013 07:51 AM:
> On 02/05/13 13:07, Anton Aylward wrote:
>> lynn said the following on 05/02/2013 03:06 AM:
>>> Question: Why doesn't the kinit work?
>>
>> Did you enable that service?
>
> No. It is a unit;)
>
>> Did you use systemctl to see if it had been attempted and failed?
>
>     rc-local.service loaded active exited /etc/init.d/boot.local Compatibility

Eh? I thought you said it was a 'unit'. Here it's a service.

>> Did you use the debug facilities that come with systemd?
>
> No.
>
>> Did you look in the journal?
>
> Yes.

And what did that report?

>> Did you try adding logging to the script to see if it did execute at that time but failed?
>
> No.

*sigh* That's so obvious!

You don't know if sss failed or what. Maybe sss needs some precondition that doesn't exist at 'boot time'.

Remember, systemd is asynchronous and runs stuff in parallel whereas the old sysvinit is sequential. The example you have had one and only one dependency, that networking is up and running.

Just a side note: the .service for spamassassin I first had was like that, but spamassassin as I run it uses 'razor' and so it also needed named to be up and running. I also use the long list of exclusions from http://pgl.yoyo.org/ and that can take a while to load. So I had to make spamassassin.service dependent on named.service. I also needed to make the fetchmail service dependent on spamassassin. Oh and there was postfix which also needed named in order to be able to use spamassassin. All those .service files had to be updated on my system.

So if something works from the command line and doesn't work from boot, you may well have a necessary precondition you've overlooked. That's why I'm so hot on checking logs and return codes.

>> Systemd logs and traces everything it does, including stuff that it tries to do that fails.
>>
>> I'm really disappointed with you in this instance, Lynn. You haven't even attempted to do the very basic investigations that are obvious from reading the man pages.
>
> Thanks. Can anyone help?

I have, but it seems you've taken offence when I point at the basics. That's why I say I'm disappointed.

--
The deepest sin against the human mind is to believe things without evidence.
Thomas H. Huxley
On 02/05/13 14:31, Anton Aylward wrote:
> *sigh* That's so obvious!
>
> You don't know if sss failed or what. Maybe sss needs some precondition that doesn't exist at 'boot time'.
>
> Remember, systemd is asynchronous and runs stuff in parallel whereas the old sysvinit is sequential.

sssd runs fine. Please look at the original post.

The network must be available when the script runs as sssd first has to hit the DNS before it then again goes over the wire to request a TGT, which it then uses to get the ticket for ldap. It produces its cache just fine. My workaround is to copy the sssd cache to /tmp and rename it krb5cc_0.

I need a standard MIT cache for autofs'd cifs. If it's not there the user shares are not mounted. On the KDC, I can see the mechanism. The user authenticates OK but is refused a cifs ticket until the client machine authenticates.

Just give me the kinit and I'll shut up. Honest.
lynn said the following on 05/02/2013 12:31 PM:
> On 02/05/13 14:31, Anton Aylward wrote:
>> *sigh* That's so obvious!
>>
>> You don't know if sss failed or what. Maybe sss needs some precondition that doesn't exist at 'boot time'.
>>
>> Remember, systemd is asynchronous and runs stuff in parallel whereas the old sysvinit is sequential.
>
> sssd runs fine. Please look at the original post.

That's no justification for failing to make sure that the script checks. You only said that it runs when you run it manually. My whole point was that running it manually means that things like DNS and other rpc services are now up.

> The network must be available when the script runs as sssd first has to hit the DNS before it then again goes over the wire to request a TGT, which it then uses to get the ticket for ldap. It produces its cache just fine. My workaround is to copy the sssd cache to /tmp and rename it krb5cc_0.

I think you've just proven my point. Being dependent on just network services doesn't mean that DNS is available. That's what I got bitten on about spamassassin and why I included that note as an example. That is why I suggested the 'defensive programming'. It would show you what was going on at boot time.

> I need a standard MIT cache for autofs'd cifs. If it's not there the user shares are not mounted. On the KDC, I can see the mechanism. The user authenticates OK but is refused a cifs ticket until the client machine authenticates.
>
> Just give me the kinit and I'll shut up. Honest.

The way you've set up the dependency, systemd will run boot.local any time after the Ethernet port becomes live. This is not sysvinit, there is no defined sequence. It is, as I said, asynchronous. It may not even have to work the same way each time :-)

It almost certainly will try to run boot.local BEFORE DNS and other very basic network services are up.

You might, based on what you've written above, also, and I mean also as in addition to what else I'm suggesting, make the cifs stuff, samba or whatever, dependent on boot.local. That way you're not going to get the cifs stuff unless and until kinit in boot.local runs, which is how I'm reading what you're saying above.

I repeat: you need to set up your dependency properly.

--
Marketing is the science of convincing us that What You Get Is What You Want.
-- John Carter
lynn said the following on 05/02/2013 03:06 AM:
> 12.3 client joined to AD
>
> Hi everyone
>
> This is my first battle with systemd so please be patient. It may not be systemd. I'm tired of having to work around this one.
>
> The clients need a root ticket on boot. Here's the content of /etc/init.d/boot.local
>
>     sssd
>     kinit -k -t /etc/krb5.keytab CATRAL$

How about making that

    sssd || { logger "sssd failed at boot.local"; exit 10; }
    kinit -k -t /etc/krb5.keytab CATRAL$ || { \
        logger "kinit failed at boot.local"; \
        exit 11; }

It won't cost anything if all goes well and it will give you a better insight if things don't go well.

Yes, I'm fully aware that you can set the shell with error handling, but this is logging of the where and what and individual exit codes.

This kind of 'defensive programming' should be taken as "baseline good practice" throughout. Many people bemoan the change to systemd but if you look at the original sysvinit scripts they had expensive logging and testing for validity. Each one had to do it individually whereas systemd either absorbs that as a commonality or incorporates it into the structure.

But once you get to 'customise' things you can't assume that systemd is some piece of AI that parses all you've written and figures stuff out. You do have to tell it about failures and dependencies. And you still have to write good shell code. Then and only then can you be sure that when you use the systemctl it is reporting correctly on that service.

--
Don't think you are going to conceal thoughts by concealing evidence that they ever existed.
Dwight D. Eisenhower, speech at Dartmouth College, June 14, 1953
On 02/05/13 16:03, Anton Aylward wrote:
> lynn said the following on 05/02/2013 03:06 AM:
>>     sssd
>>     kinit -k -t /etc/krb5.keytab CATRAL$
>
> How about making that
>
>     sssd || { logger "sssd failed at boot.local"; exit 10; }
>     kinit -k -t /etc/krb5.keytab CATRAL$ || { \
>         logger "kinit failed at boot.local"; \
>         exit 11; }

Yep. OK:

    sssd || { logger "sssd failed at boot.local"; exit 10; }
    kinit -k -t /etc/krb5.keytab CATRAL$ || { logger "kinit failed at boot.local"; exit 11; }

Nothing. I tested the error condition by moving the sssd and kinit binaries and rebooting, whereupon the error messages duly appeared in journalctl.

At least we can take sssd out of the equation. That boots fine.
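Anton's "defensive programming" suggestion and lynn's tested version above, taken one step further as an added example (this is not the script from the thread): each step logs to syslog and returns its own exit code, and the script waits for the KDC's name to resolve before calling kinit, since Anton's point is that After=network.target says nothing about DNS being reachable. The keytab path and the principal CATRAL$ come from the thread; KDC_HOST is a placeholder hostname, and the helper names (log, retry, run_step) are this example's own.

```shell
#!/bin/bash
# Added example, not lynn's or Anton's script: a boot.local that logs which
# step failed, exits with a distinct code per step, and waits for the KDC name
# to resolve before calling kinit. Values from the thread: the keytab path and
# the principal CATRAL$. KDC_HOST is a placeholder for the site's AD DC name.

KEYTAB=/etc/krb5.keytab
PRINCIPAL='CATRAL$'                  # the trailing $ is part of the machine principal
KDC_HOST=${KDC_HOST:-dc1.hh3.site}   # assumption: hostname of a DC in realm HH3.SITE

# Log through syslog (and so into the journal) when logger exists, else to stderr.
log() {
    if command -v logger >/dev/null 2>&1; then
        logger -t boot.local "$*"
    else
        printf 'boot.local: %s\n' "$*" >&2
    fi
}

# retry ATTEMPTS DELAY CMD...: run CMD until it succeeds or ATTEMPTS is used up.
# Returns 0 on success, 1 when every attempt failed.
retry() {
    local attempts=$1 delay=$2 n=1
    shift 2
    while [ "$n" -le "$attempts" ]; do
        if "$@"; then
            return 0
        fi
        log "attempt $n/$attempts failed: $*"
        n=$((n + 1))
        [ "$n" -le "$attempts" ] && sleep "$delay"
    done
    return 1
}

# run_step CODE CMD...: run CMD; on failure log the step and return CODE, so
# journalctl and 'systemctl status' show exactly where the boot sequence stopped.
run_step() {
    local code=$1
    shift
    if "$@"; then
        return 0
    fi
    log "step failed (exit $code): $*"
    return "$code"
}

main() {
    run_step 10 sssd || exit 10
    # After=network.target only says the link is configured; DNS may still be
    # unreachable, so wait (up to 60 s here) for the KDC name to resolve.
    retry 30 2 getent hosts "$KDC_HOST" >/dev/null \
        || { log "KDC $KDC_HOST never resolved"; exit 12; }
    run_step 11 kinit -k -t "$KEYTAB" "$PRINCIPAL" || exit 11
    # Confirm a valid ticket actually landed in root's credential cache.
    run_step 13 klist -s || exit 13
    log "machine ticket for $PRINCIPAL acquired"
}

# Only run the sequence when invoked as boot.local, so the helpers can be
# sourced and exercised without touching sssd or the KDC.
if [ "${0##*/}" = "boot.local" ]; then
    main "$@"
fi
```

The distinct exit codes (10 sssd, 11 kinit, 12 DNS, 13 no usable ticket) are what make `systemctl status rc-local.service` useful after a failed boot: the unit's recorded exit status tells you which precondition was missing without re-reading the whole journal.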
lynn said the following on 05/02/2013 01:37 PM:
> On 02/05/13 16:03, Anton Aylward wrote:
>> lynn said the following on 05/02/2013 03:06 AM:
>>>     sssd
>>>     kinit -k -t /etc/krb5.keytab CATRAL$
>>
>> How about making that
>>
>>     sssd || { logger "sssd failed at boot.local"; exit 10; }
>>     kinit -k -t /etc/krb5.keytab CATRAL$ || { \
>>         logger "kinit failed at boot.local"; \
>>         exit 11; }
>
> Yep. OK:
>
>     sssd || { logger "sssd failed at boot.local"; exit 10; }
>     kinit -k -t /etc/krb5.keytab CATRAL$ || { logger "kinit failed at boot.local"; exit 11; }
>
> Nothing. I tested the error condition by moving the sssd and kinit binaries and rebooting, whereupon the error messages duly appeared in journalctl.
>
> At least we can take sssd out of the equation. That boots fine.

So migrate that 'kinit' into a script and do the same kind of metrication on that too.

But first set up your dependencies properly! The way you have it set up ... see my other post....

--
The emphasis should be on "why" we do a job - W. Edwards Deming
On 02/05/13 21:56, Anton Aylward wrote:
> lynn said the following on 05/02/2013 01:37 PM:
>> On 02/05/13 16:03, Anton Aylward wrote:
>>> lynn said the following on 05/02/2013 03:06 AM:
>>>>     sssd
>>>>     kinit -k -t /etc/krb5.keytab CATRAL$
>>>
>>> How about making that
>>>
>>>     sssd || { logger "sssd failed at boot.local"; exit 10; }
>>>     kinit -k -t /etc/krb5.keytab CATRAL$ || { \
>>>         logger "kinit failed at boot.local"; \
>>>         exit 11; }
>>
>> Yep. OK:
>>
>>     sssd || { logger "sssd failed at boot.local"; exit 10; }
>>     kinit -k -t /etc/krb5.keytab CATRAL$ || { logger "kinit failed at boot.local"; exit 11; }
>>
>> Nothing. I tested the error condition by moving the sssd and kinit binaries and rebooting, whereupon the error messages duly appeared in journalctl.
>>
>> At least we can take sssd out of the equation. That boots fine.
>
> So migrate that 'kinit' into a script and do the same kind of metrication on that too.
>
> But first set up your dependencies properly! The way you have it set up ... see my other post....

Solved offlist. Will post solution here. We need:

    Requires=network.target

in [Unit]

Thanks.
L x
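The fix lynn reports is the one Anton was pointing at: After= only orders the unit relative to a target, and without Requires= (or Wants=) nothing pulls that target in. As an added example, not part of the thread, here is the rc-local unit with that line added, alongside a small check that flags the two easy mistakes in either direction: an After= with no matching Requires=/Wants=, and a Requires=/Wants= with no matching After= (pulled in, but the unit may still start before the target is reached). The function names (fixed_unit, unit_values, check_unit_deps) are this example's own.

```shell
#!/bin/bash
# Added example, not from the thread: the corrected rc-local unit plus a check
# that every Requires=/Wants= target in [Unit] also appears in After= and vice
# versa. Helper names are this example's own.

# The unit from the thread with lynn's fix (Requires=network.target) applied.
fixed_unit() {
    cat <<'EOF'
[Unit]
Description=/etc/init.d/boot.local Compatibility
Requires=network.target
After=network.target

[Service]
Type=oneshot
ExecStart=/etc/init.d/boot.local
TimeoutSec=0
RemainAfterExit=yes
SysVStartPriority=99
EOF
}

# unit_values FILE KEY: print, one per line, the values of KEY= in [Unit].
unit_values() {
    awk -v key="$2" '
        /^\[/ { in_unit = ($0 == "[Unit]"); next }
        in_unit && $0 ~ ("^" key "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); print }
    ' "$1" | tr ' ' '\n' | sed '/^$/d'
}

# check_unit_deps FILE: return 0 when ordering and requirement dependencies
# agree; otherwise print each mismatch and return 1.
check_unit_deps() {
    local file=$1 rc=0 t after pulled
    after=$(unit_values "$file" After)
    pulled=$(unit_values "$file" Requires; unit_values "$file" Wants)
    for t in $after; do
        if ! printf '%s\n' "$pulled" | grep -qxF "$t"; then
            echo "After=$t has no matching Requires= or Wants= (ordered, but not pulled in)"
            rc=1
        fi
    done
    for t in $pulled; do
        if ! printf '%s\n' "$after" | grep -qxF "$t"; then
            echo "$t is pulled in but has no After=$t (unit may start before it is up)"
            rc=1
        fi
    done
    return "$rc"
}

# Usage: ./check-unit.sh /etc/systemd/system/rc-local.service
if [ $# -gt 0 ]; then
    check_unit_deps "$1"
fi
```

Run against the thread's original unit (After=network.target alone) the check reports the missing Requires=; against the fixed unit it is silent. One caveat Anton raised still applies: network.target being reached does not mean name resolution works. On current systemd, a unit that needs DNS before it starts is normally expressed as Wants=network-online.target plus After=network-online.target, which the check above accepts just the same.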