On Tue, Mar 17, 2020 at 11:17:34AM -0000, Hristina Marosevic wrote:
> > On Tue, Mar 17, 2020 at 09:41:16AM -0000, Hristina Marosevic wrote:
> > ....
> > 
> > Hi,
> > 
> > so p11_child is really called but as you said earlier there are no logs.
> > 
> > This might e.g. be a permission issue, please check the permissions on
> > /var/log/sssd if you see anything odd. For me it looks like:
> > 
> > drwxr-x---.  2 root root      system_u:object_r:sssd_var_log_t:s0    4096 Mar 17 09:09 .
> > drwxr-xr-x. 12 root root      system_u:object_r:var_log_t:s0         4096 Mar 15 03:27 ..
> > -rw-------.  1 root root      system_u:object_r:sssd_var_log_t:s0  221452 Mar 17 09:19 krb5_child.log
> > -rw-------.  1 root root      system_u:object_r:sssd_var_log_t:s0 1069023 Mar 17 11:16 ldap_child.log
> > -rw-------.  1 root root      system_u:object_r:sssd_var_log_t:s0       0 Mar 16 10:31 p11_child.log
> > -rw-------.  1 root root      system_u:object_r:sssd_var_log_t:s0   14816 Mar 17 09:19 selinux_child.log
> > -rw-------.  1 root root      system_u:object_r:sssd_var_log_t:s0     623 Mar 16 10:31 sssd.log
> > -rw-------.  1 root root      system_u:object_r:sssd_var_log_t:s0       0 Mar 16 10:31 sssd_nss.log
> > -rw-------.  1 root root      system_u:object_r:sssd_var_log_t:s0       0 Mar 16 10:31 sssd_pac.log
> > -rw-------.  1 root root      system_u:object_r:sssd_var_log_t:s0  490679 Mar 17 11:18 sssd_pam.log
> > -rw-------.  1 root root      system_u:object_r:sssd_var_log_t:s0 6723166 Mar 17 11:18 sssd_ipa.devel.log
> > -rw-------.  1 root root      system_u:object_r:sssd_var_log_t:s0       0 Mar 16 10:31 sssd_ssh.log
> > -rw-------.  1 root root      system_u:object_r:sssd_var_log_t:s0       0 Mar 16 10:31 sssd_sudo.log
> > 
> > 
> > The next step would be to check what failed with strace. For this call
> > 
> >     mkdir /tmp/strace_data
> >     strace -ff -s 1024 -o /tmp/strace_data/strace_ -p $(pidof /usr/libexec/sssd/sssd_ssh)
> > 
> > in one terminal and call 'sss_ssh_authorizedkeys IIN32000000001' in a different
> > terminal. After calling sss_ssh_authorizedkeys you can stop the strace command
> > with CTRL-C. In /tmp/strace_data there should be at least 2 files, one for the
> > main sssd_ssh process and the other for p11_child, please send both (if there
> > are more than 2 please send all).
> > 
> > bye,
> > Sumit
> 
> 
> There are two files:
> 
> after executing strace -ff -s 1024 -o /tmp/strace_data/strace_ -p $(pidof /usr/libexec/sssd/sssd_ssh) strace_.24180 was generated.
....
> write(2, "(Tue Mar 17 12:09:26 2020) [[sssd[p11_child[5539]]]] [parse_cert_verify_opts] (0x4000): Found 'no_ocsp' option, disabling OCSP.\n", 128) = 128
> stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
> stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
> write(2, "(Tue Mar 17 12:09:26 2020) [[sssd[p11_child[5539]]]] [parse_cert_verify_opts] (0x0020): Found 'no_verification' option, disabling verification completely. This should not be used in production.\n", 194) = 194
> write(2, "Cannot run verification with option 'no_verification'.\n", 55) = 55

Hi,

I'm sorry, I haven't read one of your earlier emails carefully enough,
please do not use "certificate_verification = no_ocsp, no_verification"
but only

    certificate_verification = no_verification

'no_ocsp' implies verification but without OCSP so using both options is
an inconsistency.

bye,
Sumit

> stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
> stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
> write(2, "(Tue Mar 17 12:09:26 2020) [[sssd[p11_child[5539]]]] [main] (0x0020): p11_child failed!\n", 88) = 88
> close(1)                                = 0
> exit_group(1)                           = ?
> +++ exited with 1 +++
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
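
A lint for the inconsistency pointed out in the reply above, as an added example that is not part of the original thread or of SSSD: it scans sssd.conf text for a `certificate_verification` value that combines `no_verification` with `no_ocsp`, and separately flags `no_verification` on its own. The function name and the sample configuration are constructed for illustration.

```python
import configparser

# Constructed sample reproducing the setting discussed in the thread.
SAMPLE_CONF = """\
[sssd]
services = nss, pam, ssh
domains = example.test
certificate_verification = no_ocsp, no_verification

[domain/example.test]
id_provider = ldap
"""


def lint_certificate_verification(conf_text):
    """Return a list of (section, severity, message) findings."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    findings = []
    for section in parser.sections():
        raw = parser.get(section, "certificate_verification", fallback=None)
        if raw is None:
            continue
        # The value is a comma-separated list; drop any '=value' part of an item.
        opts = [o.strip().split("=", 1)[0] for o in raw.split(",") if o.strip()]
        if "no_verification" not in opts:
            continue
        if "no_ocsp" in opts:
            # 'no_ocsp' asks for verification without OCSP, which contradicts
            # 'no_verification'; in the thread p11_child exits with status 1.
            findings.append((section, "error",
                             "'no_ocsp' combined with 'no_verification' is "
                             "inconsistent; p11_child fails"))
        # p11_child itself logs that this option should not be used in production.
        findings.append((section, "warning",
                         "'no_verification' disables certificate verification "
                         "completely; not for production"))
    return findings


if __name__ == "__main__":
    for section, severity, message in lint_certificate_verification(SAMPLE_CONF):
        print(f"[{section}] {severity}: {message}")
```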