On Tue, Mar 17, 2020 at 11:17:34AM -0000, Hristina Marosevic wrote:
> > On Tue, Mar 17, 2020 at 09:41:16AM -0000, Hristina Marosevic wrote:
> > ....
> >
> > Hi,
> >
> > so p11_child is really called but as you said earlier there are no logs.
> >
> > This might e.g. be a permission issue, please check the permissions on
> > /var/log/sssd if you see anything odd. For me it looks like:
> >
> > drwxr-x---.  2 root root system_u:object_r:sssd_var_log_t:s0    4096 Mar 17 09:09 .
> > drwxr-xr-x. 12 root root system_u:object_r:var_log_t:s0         4096 Mar 15 03:27 ..
> > -rw-------.  1 root root system_u:object_r:sssd_var_log_t:s0  221452 Mar 17 09:19 krb5_child.log
> > -rw-------.  1 root root system_u:object_r:sssd_var_log_t:s0 1069023 Mar 17 11:16 ldap_child.log
> > -rw-------.  1 root root system_u:object_r:sssd_var_log_t:s0       0 Mar 16 10:31 p11_child.log
> > -rw-------.  1 root root system_u:object_r:sssd_var_log_t:s0   14816 Mar 17 09:19 selinux_child.log
> > -rw-------.  1 root root system_u:object_r:sssd_var_log_t:s0     623 Mar 16 10:31 sssd.log
> > -rw-------.  1 root root system_u:object_r:sssd_var_log_t:s0       0 Mar 16 10:31 sssd_nss.log
> > -rw-------.  1 root root system_u:object_r:sssd_var_log_t:s0       0 Mar 16 10:31 sssd_pac.log
> > -rw-------.  1 root root system_u:object_r:sssd_var_log_t:s0  490679 Mar 17 11:18 sssd_pam.log
> > -rw-------.  1 root root system_u:object_r:sssd_var_log_t:s0 6723166 Mar 17 11:18 sssd_ipa.devel.log
> > -rw-------.  1 root root system_u:object_r:sssd_var_log_t:s0       0 Mar 16 10:31 sssd_ssh.log
> > -rw-------.  1 root root system_u:object_r:sssd_var_log_t:s0       0 Mar 16 10:31 sssd_sudo.log
> >
> >
> > The next step would be to check what failed with strace.
> > For this call
> >
> > mkdir /tmp/strace_data
> > strace -ff -s 1024 -o /tmp/strace_data/strace_ -p $(pidof /usr/libexec/sssd/sssd_ssh)
> >
> > in one terminal and call 'sss_ssh_authorizedkeys IIN32000000001' in a
> > different terminal. After calling sss_ssh_authorizedkeys you can stop the
> > strace command with CTRL-C. In /tmp/strace_data there should be at least 2
> > files, one of the main sssd_ssh process and the other for p11_child, please
> > send both (if there are more than 2 please send all).
> >
> > bye,
> > Sumit
>
>
> There are two files:
>
> after executing strace -ff -s 1024 -o /tmp/strace_data/strace_ -p $(pidof /usr/libexec/sssd/sssd_ssh) strace_.24180 was generated.
> ....
> write(2, "(Tue Mar 17 12:09:26 2020) [[sssd[p11_child[5539]]]] [parse_cert_verify_opts] (0x4000): Found 'no_ocsp' option, disabling OCSP.\n", 128) = 128
> stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
> stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
> write(2, "(Tue Mar 17 12:09:26 2020) [[sssd[p11_child[5539]]]] [parse_cert_verify_opts] (0x0020): Found 'no_verification' option, disabling verification completely. This should not be used in production.\n", 194) = 194
> write(2, "Cannot run verification with option 'no_verification'.\n", 55) = 55

Hi,

I'm sorry, I haven't read one of your earlier emails carefully enough,
please do not use "certificate_verification = no_ocsp, no_verification" but
only

    certificate_verification = no_verification

'no_ocsp' implies verification but without OCSP so using both options is an
inconsistency.

bye,
Sumit

> stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
> stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
> write(2, "(Tue Mar 17 12:09:26 2020) [[sssd[p11_child[5539]]]] [main] (0x0020): p11_child failed!\n", 88) = 88
> close(1) = 0
> exit_group(1) = ?
> +++ exited with 1 +++
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
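
The inconsistency described in the reply above, as an added example that is not part of the original thread or of SSSD's own code: a small checker that reads `certificate_verification` from the `[sssd]` section of an sssd.conf and reports the `no_ocsp` plus `no_verification` combination. The sample configurations are constructed, the function name is hypothetical, and the conflict rule is taken from the reply and the quoted p11_child messages, not from SSSD's parser.

```python
import configparser

# Constructed samples: the setting quoted in the thread and the suggested one.
SAMPLE_CONFLICT = """\
[sssd]
services = nss, pam, ssh
certificate_verification = no_ocsp, no_verification
"""
SAMPLE_SUGGESTED = """\
[sssd]
services = nss, pam, ssh
certificate_verification = no_verification
"""


def check_certificate_verification(conf_text):
    """Return (level, message) findings for certificate_verification."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    raw = parser.get("sssd", "certificate_verification", fallback="")
    # The value is a comma-separated list; an entry may carry "=value".
    names = {item.split("=", 1)[0].strip()
             for item in raw.split(",") if item.strip()}

    findings = []
    if "no_verification" in names:
        # Wording follows the p11_child message quoted in the thread.
        findings.append((
            "warning",
            "no_verification disables certificate verification completely; "
            "p11_child itself logs that this should not be used in production",
        ))
        if "no_ocsp" in names:
            # Rule from the reply: no_ocsp still implies verification.
            findings.append((
                "error",
                "no_ocsp implies verification without OCSP and is "
                "inconsistent with no_verification; keep only one of them",
            ))
    return findings


if __name__ == "__main__":
    samples = (("conflict", SAMPLE_CONFLICT), ("suggested", SAMPLE_SUGGESTED))
    for label, text in samples:
        for level, message in check_certificate_verification(text):
            print(f"{label}: {level}: {message}")
```

Note that the suggested setting still produces the warning: it only removes the conflict and leaves certificate verification switched off.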