SYSTEMD: Add environment file to responder service files Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

SYSTEMD: Replace parameter --debug-to-files with ${DEBUG_LOGGER} Users can set variable DEBUG_LOGGER in environment files (/etc/sysconfig/sssd or /etc/default/sssd; depending on the distribution) to override default logging to files. e.g. DEBUG_LOGGER=--logger=stderr DEBUG_LOGGER=--logger=journald Resolves: https://pagure.io/SSSD/sssd/issue/3433 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

NSS: Don't call chown on NSS service's ExecStartPre The sssd-nss.service attempts to chown its log file to ensure it has the correct owner. Unfortunately, when this happens, it enters in a loop trying to call into the name-service switch and hangs forever. For now the approach taken is to just remove the ExecStartPre from the NSS service. Resolves: https://pagure.io/SSSD/sssd/issue/3322 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

SYSTEMD: Force responders to refuse manual start As the responders will either be explicitly started by the monitor or {dbus,socket}-activated, let's force them to refuse manual start, being a little bit restricter on our side. Resolves: https://pagure.io/SSSD/sssd/issue/3300 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

NSS: Make NSS responder socket-activatable As part of the effort of making all responders socket-activatable, let's make the NSS responder ready for this by providing its systemd's units. In case the administrators want to use NSS responder taking advantage of socket-activation they will need to enable sssd-nss.socket and after a restart of the sssd service, the NSS socket will be ready waiting for any activity in order to start the NSS responder. Also, the NSS responder must be removed from the services line on sssd.conf. The NSS responder service is binded to the SSSD service, which means that the responder will be restarted in case SSSD is restarted and shutdown in case SSSD is shutdown/crashes. Is quite important to mention that NSS responder will always run as root. The reason behind this is that systemd calls getpwnam() and getgprnam() when "User="/"Group=" is set to something different than "root". As it's done _before_ starting NSS responder, the clients would end up hanging for a few minutes (due to "default_client_timeout"), which is something that we really want to avoid. Related: https://fedorahosted.org/sssd/ticket/2243 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>