Hi,
Thanks for the response! I thought that there was no hope...
Arch krb5 is outdated https://archlinux.org/packages/core/x86_64/krb5/.
I'll wait for 1.19 and post back with the result.

-----
Pawel

Tue, 2 Mar 2021 at 18:27 Sumit Bose <sb...@redhat.com> wrote:

> On Wed, Feb 17, 2021 at 12:43:09PM +0100, Paweł Szafer wrote:
> > Hi,
> > I built and installed sssd from sources.
> > I got more logs:
> > https://gist.github.com/pszafer/7ab47cd7d4de05f965f4c8e9985af8fa#file-krb5_child-log-not-working-with-krb5-trace
> >
> > Is this important? -> "PKINIT client has no configured identity; giving up"
> > In Centos there are lines in krb5 conf, I think this is the reason above is
> > giving up.
> >
> > pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
> > spake_preauth_groups = edwards25519
> >
> > Are those important?
> >
> > This function is never called in Arch (line is from centos):
> >
> > [krb5_child[50670]] [sss_krb5_expire_callback_func] (0x2000): exp_time: [375772]
> >
> > How to find why this function is never called?
>
> Hi,
>
> it looks like I'm getting old, I forgot about
> https://krbdev.mit.edu/rt/Ticket/Display.html?id=8893 which is an issue
> in MIT Kerberos which should be fixed in 1.19 but might not yet be fixed in
> Arch Linux.
>
> As a workaround you can try to use 'auth_provider = krb5' but please
> note the different defaults for krb5_validate and
> krb5_use_enterprise_principal as mentioned in man sssd-ad.
>
> With 'auth_provider = ad' some different MIT Kerberos APIs are used to
> get more details from AD, unfortunately due to #8893 the expiration time
> is lost in this case.
>
> HTH
>
> bye,
> Sumit
>
> > -----
> > Pawel
> >
> > Tue, 16 Feb 2021 at 17:38 Paweł Szafer <psza...@gmail.com> wrote:
> >
> > > Thanks for the response!
> > >
> > > Commenting out "udp_preference_limit" doesn't change anything
> > > unfortunately...
> > > I will rebuild sssd from source, so I can get more meaningful logs.
> > >
> > > -----
> > > Pawel
> > >
> > > Tue, 16 Feb 2021 at 17:20 Sumit Bose <sb...@redhat.com> wrote:
> > >
> > >> On Tue, Feb 16, 2021 at 03:46:38PM +0100, Paweł Szafer wrote:
> > >> > Hi again,
> > >> > I installed Centos 8 to test if warning is working and on Centos it is
> > >> > working properly.
> > >> >
> > >> > In Arch I never get line with check "sss_krb5_expire_callback_func"
> > >> >
> > >> > Here are logs and config compared:
> > >> > https://gist.github.com/pszafer/7ab47cd7d4de05f965f4c8e9985af8fa (can't
> > >> > attach it to email, too big).
> > >> > Maybe you can find out if it's something with config or maybe Arch
> > >> > compilation of krb5 or sssd.
> > >>
> > >> Hi,
> > >>
> > >> this might be possible. If seen in
> > >> https://github.com/archlinux/svntogit-community/blob/packages/sssd/trunk/PKGBUILD
> > >> the HAVE_KRB5_SET_TRACE_CALLBACK is removed from config.h which would
> > >> explain the missing krb5 trace messages in the logs.
> > >>
> > >> The expiration callback is used conditionally, but the related call is
> > >> available since MIT Kerberos version 1.9. Can you check the configure
> > >> output
> > >>
> > >> ......
> > >> checking for krb5_get_error_message... yes
> > >> checking for krb5_free_unparsed_name... yes
> > >> checking for krb5_get_init_creds_opt_set_expire_callback... yes <<<----
> > >> checking for krb5_get_init_creds_opt_set_fast_ccache_name... yes
> > >> checking for krb5_get_init_creds_opt_set_fast_flags... yes
> > >> checking for krb5_get_init_creds_opt_set_canonicalize... yes
> > >> ......
> > >>
> > >> But even if krb5_get_init_creds_opt_set_expire_callback is not available
> > >> I would expect a message in the debug logs.
> > >>
> > >>
> > >> In krb5.conf on Arch there is
> > >>
> > >> [libdefaults]
> > >> udp_preference_limit = 0
> > >>
> > >> which is not present on Centos. I wonder if you can comment out those
> > >> two lines for testing. I would be surprised if this would change
> > >> anything but it is the only difference which might be related.
> > >>
> > >> bye,
> > >> Sumit
> > >>
> > >> > -----
> > >> > Pawel
> > >> >
> > >> > Mon, 15 Feb 2021 at 11:13 Paweł Szafer <psza...@gmail.com> wrote:
> > >> >
> > >> > > yes, typo, sorry. It's valid till 20.02.2021.
> > >> > > Unfortunately I cannot find anything about password expiration in the
> > >> > > sssd logs.
> > >> > >
> > >> > > Pawel
> > >> > >
> > >> > > Mon, 15 Feb 2021, 11:08 user Tomas Halman <thal...@redhat.com>
> > >> > > wrote:
> > >> > >
> > >> > >> On Sat, Feb 13, 2021 at 6:22 PM Paweł Szafer <psza...@gmail.com> wrote:
> > >> > >>
> > >> > >>> > User has password valid till 20.02.2020 and yet I don't have any
> > >> > >>> > warning.
> > >> > >>
> > >> > >> Is that just a typo? 20.02.2020 is a year ago...
> > >> > >>
> > >> > >> Tomas
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
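
The three checks raised across this thread (callback line in krb5_child.log, callback API in the configure output, MIT Kerberos release against 1.19), collected into one triage script; this is an added example and not code from SSSD or from anyone in the thread. The function names, verdict strings and the 1.18.3 version string are assumptions made for illustration, and the release check only points at ticket #8893 when 'auth_provider = ad' is in use.

```shell
#!/bin/sh
# Added example: triage for a missing password-expiry warning, using the
# three checks raised in the thread. Verdict names are illustrative.

# 0 if a "Kerberos 5 release X.Y[.Z]" string is >= 1.19 (the release the
# thread expects to fix ticket #8893), 1 if older, 2 if unparsable.
krb5_has_8893_fix() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/.*release \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 2
    set -- $ver                      # $1 = major, $2 = minor
    [ "$1" -gt 1 ] || { [ "$1" -eq 1 ] && [ "$2" -ge 19 ]; }
}

# 0 if saved ./configure output found the expiry-callback API.
configure_has_expire_cb() {
    grep -q '^checking for krb5_get_init_creds_opt_set_expire_callback\.\.\. yes' "$1"
}

# 0 if krb5_child.log shows the callback actually ran.
log_has_expire_cb() {
    grep -qF '[sss_krb5_expire_callback_func]' "$1"
}

# Args: version string, configure output file, krb5_child.log file.
diagnose() {
    if log_has_expire_cb "$3"; then echo ok
    elif ! configure_has_expire_cb "$2"; then echo no-callback-in-build
    else
        rc=0; krb5_has_8893_fix "$1" || rc=$?
        case $rc in
            0) echo unexplained ;;           # fix present, look elsewhere
            1) echo krb5-ticket-8893 ;;      # likely cause with auth_provider = ad
            *) echo bad-version ;;
        esac
    fi
}

# Constructed inputs; the configure and callback lines are quoted from the
# thread, the version string 1.18.3 is an assumed pre-1.19 value.
tmp=$(mktemp -d)
echo 'checking for krb5_get_init_creds_opt_set_expire_callback... yes' > "$tmp/configure.out"
echo 'PKINIT client has no configured identity; giving up' > "$tmp/arch.log"
echo '[krb5_child[50670]] [sss_krb5_expire_callback_func] (0x2000): exp_time: [375772]' > "$tmp/centos.log"

diagnose 'Kerberos 5 release 1.18.3' "$tmp/configure.out" "$tmp/arch.log"
diagnose 'Kerberos 5 release 1.18.3' "$tmp/configure.out" "$tmp/centos.log"
```

On a real host the first argument would be the output of `krb5-config --version`, and the two files would be the saved configure output of the SSSD build and the domain's krb5_child.log.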