From: Lars-Dominik Braun
To: Chris Marusich
Cc: guix-devel@gnu.org
Subject: Re: How to use Guix with sssd, not nscd, on a foreign distro?
Date: Wed, 23 Feb 2022 08:32:11 +0100

Hi Chris,

> The Fedora document explains that at least the hosts cache will be
> handled by systemd-resolved. Can I expect Guix-built programs to "try
> to use systemd" when resolving host names, or is additional
> configuration likely to be required?

as far as I know systemd also plugs into the nss mechanism, i.e. it’s a shared library libnss_systemd.so from the host system, which would be dlopen’ed.

> Regarding sssd specifically, how can I arrange for a Guix-built program
> to "try to use sssd" first?

I believe nscd is a glibc internal mechanism, which – if enabled – will be queried before using the nsswitch mechanism. Thus it works to circumvent the shared library dilemma on foreign systems. Programs do not use sssd directly (that’s the whole point of nss/sssd). It plugs into nsswitch just like systemd and therefore does nothing for our use case. NixOS seems to have the same problem, with suggestions for solutions like [1].

So in conclusion I don’t think sssd is an appropriate replacement for our use-case.

Cheers,
Lars

[1] https://github.com/NixOS/nixpkgs/pull/155655
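
Added example, not part of the original message: a small parser for the `nsswitch.conf` format discussed above, listing for each database the `libnss_*.so.2` modules that come from the host system rather than from glibc and would have to be dlopen'ed. The sample file, the function names and the `GLIBC_BUNDLED` set are assumptions made for this illustration.

```python
import re

# Assumption: services whose NSS module ships with glibc itself.
GLIBC_BUNDLED = {"files", "dns", "compat", "db", "hesiod"}

# Constructed sample of a foreign distro's /etc/nsswitch.conf (not from the thread).
SAMPLE_NSSWITCH = """\
# constructed example
passwd:     files sss systemd
group:      files sss systemd
hosts:      files myhostname resolve [!UNAVAIL=return] dns
"""


def parse_nsswitch(text):
    """Return {database: [service, ...]} in lookup order.

    Comments and [STATUS=action] items are dropped; only service names remain.
    """
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        database, spec = line.split(":", 1)
        spec = re.sub(r"\[[^\]]*\]", " ", spec)  # strip action items
        table[database.strip()] = spec.split()
    return table


def host_only_modules(table):
    """Map each database to the shared objects that are not bundled with glibc.

    These are the host-provided modules (sssd, systemd, ...) that a lookup
    reaches via dlopen once nscd is not answering the query first.
    """
    result = {}
    for database, services in table.items():
        external = [f"libnss_{s}.so.2" for s in services if s not in GLIBC_BUNDLED]
        if external:
            result[database] = external
    return result


if __name__ == "__main__":
    for db, libs in host_only_modules(parse_nsswitch(SAMPLE_NSSWITCH)).items():
        print(f"{db}: host-provided modules: {', '.join(libs)}")
```

To inspect a real system, pass the contents of `/etc/nsswitch.conf` to `parse_nsswitch` instead of the constructed sample.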