From: Chris Marusich
To: guix-devel@gnu.org
Subject: How to use Guix with sssd, not nscd, on a foreign distro?
Date: Tue, 22 Feb 2022 20:18:16 -0800
Message-ID: <87y222usfr.fsf@gmail.com>

Hi,

The Guix manual recommends running nscd:

https://guix.gnu.org/manual/en/html_node/Application-Setup.html

However, Fedora intends to remove it:

https://fedoraproject.org/wiki/Changes/RemoveNSCD

The document says:

    "The hosts cache will automatically be replaced by the one provided by systemd-resolved. However, in order to restore caching functionality for other caches provided by nscd, the system administrator will need to install and/or configure sssd (by enabling sssd with authconfig, and editing /etc/sssd/sssd.conf to enable it to work with nss)."

This poses a problem for people who use Fedora, like myself. I tried to set up sssd on my Fedora machine, but I couldn't get it to work.

Let's take a step back.
Why does the Guix manual recommend using nscd? The Guix manual explains why in the link above. To rephrase the manual, my understanding is that if nscd is available, then a program using glibc will "try to use nscd" first. However, if nscd is not available, then the program will attempt to dlopen shared objects, and in some cases the program might dlopen an incompatible shared object from the foreign distro (e.g., libnss_*.so files on Fedora, which may be incompatible with the glibc used by a program that Guix built).

The Fedora document explains that at least the hosts cache will be handled by systemd-resolved. Can I expect Guix-built programs to "try to use systemd" when resolving host names, or is additional configuration likely to be required?

Regarding sssd specifically, how can I arrange for a Guix-built program to "try to use sssd" first? I know that the specific steps for how to do this on Fedora might be different from other systems. For example, maybe on Fedora there is some fancy authselect/authconfig thing you can do to configure everything more easily. That's fine, and I will figure out what to do at a higher level as needed. However, for now I just want to know the very basics: fundamentally, what configuration needs to exist in order to ensure that Guix-built programs will "use" sssd, in the same way that they would "use" nscd? I want to avoid the kind of problems that the manual discusses, but I want to do it with sssd. I believe this will require changes to /etc/nsswitch.conf, as well as configuration for sssd. Anything else?

I have never written sssd configuration files, and the sssd manual was not very approachable for me, so I'm starting from essentially zero knowledge about sssd. It seems rather complex. Has anyone tried setting up sssd and configuring nsswitch to use it, in order to avoid the kinds of issues that the Guix manual discusses? Any tips would be welcome.
Maybe I should just switch back to Guix System and avoid this headache, but I think there are lots of people out there who use Fedora, so it would be good for Guix adoption if we can have a recommended solution ready for people who are curious to try Guix on Fedora.

-- 
Chris

PGP: https://savannah.gnu.org/people/viewgpg.php?user_id=106836
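
The dlopen concern described in this message depends on which NSS services /etc/nsswitch.conf names, since glibc loads service `foo` from a shared object called `libnss_foo.so.2`. As an added example (not part of the original message), this Python script lists those module names per database and shows which databases reference `sss`; the sample file contents are constructed and the function names are hypothetical.

```python
import re

# Constructed sample in the style of a Fedora /etc/nsswitch.conf (not from the message).
SAMPLE_NSSWITCH = """\
# constructed sample
passwd:     sss files systemd
group:      sss files systemd
hosts:      files myhostname resolve [!UNAVAIL=return] dns
services:   files sss   # trailing comment
"""


def parse_nsswitch(text):
    """Return {database: [service, ...]} in lookup order, ignoring actions."""
    databases = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments
        if not line or ":" not in line:
            continue
        database, rest = line.split(":", 1)
        # Drop bracketed action items such as [NOTFOUND=return];
        # one bracket may hold several space-separated criteria.
        rest = re.sub(r"\[[^\]]*\]", " ", rest)
        databases[database.strip()] = rest.split()
    return databases


def nss_modules(text):
    """Map each database to the glibc module file names of its services."""
    return {
        db: [f"libnss_{svc}.so.2" for svc in services]
        for db, services in parse_nsswitch(text).items()
    }


def databases_using(text, service):
    """Databases whose lookup order includes the given service, e.g. 'sss'."""
    return sorted(
        db for db, svcs in parse_nsswitch(text).items() if service in svcs
    )


if __name__ == "__main__":
    for db, mods in nss_modules(SAMPLE_NSSWITCH).items():
        print(f"{db:10s} {' '.join(mods)}")
    print("databases referencing sss:", databases_using(SAMPLE_NSSWITCH, "sss"))
```

To inspect a real system, pass the contents of /etc/nsswitch.conf to `nss_modules` instead of the sample string.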