On Wed, Jul 24, 2024 at 5:20 PM Spike White <spikewhit...@gmail.com> wrote:
> Alexey,
>
> Thank you for responding.
>
> This occurs on RHEL8 and 9, but not on RHEL7. RHEL7 is version 1.16.5-xxxx.el7_9.xxx.x86_64
>
> RHEL8 and 9 are versions 2.9.4-xxx.el8_10.x86_64 and 2.9.4-xxx.el9_4.x86_64.
>
> On RHEL7 we don't have 'debug_backtrace_enabled = false' set (doesn't appear to be an option on version 1.16.5). But RHEL7 is ok.
>
> On RHEL 8/9, we have 'debug_backtrace_enabled = false' set in the [nss] and [sssd] sections. Yet we see this backtrace in /var/log/sssd/krb5_child.log. Is there another section of sssd.conf in which we should be setting this?

ldap_/krb5_child "inherit" debug settings from [domain/...] section.

> Spike
>
> On Wed, Jul 24, 2024 at 4:16 AM Alexey Tikhonov <atikh...@redhat.com> wrote:
>
>> Hi,
>>
>> what SSSD version is this?
>>
>> I think it should be fixed by https://github.com/SSSD/sssd/pull/7198#issuecomment-1959697353 and thus in SSSD 2.9.5+
>> On an older version you can consider setting 'debug_backtrace_enabled = false'
>>
>>
>> On Tue, Jul 23, 2024 at 9:37 PM Spike White <spikewhit...@gmail.com> wrote:
>>
>>> All,
>>>
>>> This is not a problem. But it is annoying; how do I make it go away?
>>>
>>> Every time any user logs into any of our Linux servers, we get these messages in the /var/log/sssd/krb5_child.log file:
>>>
>>> (2024-07-23 11:20:44): [krb5_child[947088]] [main] (0x3f7c0): [RID#26239] PAC check is requested but krb5_validate is set to false. PAC checks will be skipped.
>>>
>>> (2024-07-23 14:14:10): [krb5_child[970533]] [main] (0x3f7c0): [RID#27336] PAC check is requested but krb5_validate is set to false. PAC checks will be skipped.
>>>
>>> (2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_get_init_creds_password] (0x0020): [RID#27336] 2193: [-1765328174][Pre-authentication failed: Cannot read password]
>>>
>>> ********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
>>>
>>> * (2024-07-23 14:14:10): [krb5_child[970533]] [main] (0x0400): [RID#27336] krb5_child started.
>>> * (2024-07-23 14:14:10): [krb5_child[970533]] [unpack_buffer] (0x1000): [RID#27336] total buffer size: [92]
>>> * (2024-07-23 14:14:10): [krb5_child[970533]] [unpack_buffer] (0x0100): [RID#27336] cmd [249 (pre-auth)] uid [2025431] gid [2025431] validate [false] enterprise principal [true] offline [false] UPN [admspike_wh...@amer.company.com]
>>> * (2024-07-23 14:14:10): [krb5_child[970533]] [unpack_buffer] (0x0100): [RID#27336] ccname: [KCM:] old_ccname: [KCM:] keytab: [not set]
>>> * (2024-07-23 14:14:10): [krb5_child[970533]] [check_keytab_name] (0x0400): [RID#27336] Missing krb5_keytab option for domain, looking for default one
>>> * (2024-07-23 14:14:10): [krb5_child[970533]] [check_keytab_name] (0x0400): [RID#27336] krb5_kt_default_name() returned: FILE:/etc/krb5.keytab
>>> * (2024-07-23 14:14:10): [krb5_child[970533]] [check_keytab_name] (0x0400): [RID#27336] krb5_child will default to: /etc/krb5.keytab
>>> * (2024-07-23 14:14:10): [krb5_child[970533]] [check_use_fast] (0x0100): [RID#27336] Not using FAST.
>>> * (2024-07-23 14:14:10): [krb5_child[970533]] [become_user] (0x0200): [RID#27336] Trying to become user [2025431][2025431].
>>> * (2024-07-23 14:14:10): [krb5_child[970533]] [main] (0x2000): [RID#27336] Running as [2025431][2025431].
>>> * (2024-07-23 14:14:10): [krb5_child[970533]] [set_lifetime_options] (0x0100): [RID#27336] No specific renewable lifetime requested.
>>> * (2024-07-23 14:14:10): [krb5_child[970533]] [set_lifetime_options] (0x0100): [RID#27336] No specific lifetime requested.
>>> * (2024-07-23 14:14:10): [krb5_child[970533]] [set_canonicalize_option] (0x0100): [RID#27336] Canonicalization is set to [true]
>>> * (2024-07-23 14:14:10): [krb5_child[970533]] [main] (0x0400): [RID#27336] Will perform pre-auth
>>> * (2024-07-23 14:14:10): [krb5_child[970533]] [tgt_req_child] (0x1000): [RID#27336] Attempting to get a TGT
>>> * (2024-07-23 14:14:10): [krb5_child[970533]] [get_and_save_tgt] (0x0400): [RID#27336] Attempting kinit for realm [AMER.COMPANY.COM]
>>> * (2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_responder] (0x4000): [RID#27336] Got question [password].
>>> * (2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_prompter] (0x4000): [RID#27336] sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL.
>>> * (2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_prompter] (0x4000): [RID#27336] Prompt [0][Password for AdmSpike_White\@amer.company....@amer.company.com].
>>> * (2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_prompter] (0x0200): [RID#27336] Prompter interface isn't used for password prompts by SSSD.
>>> * (2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_get_init_creds_password] (0x0020): [RID#27336] 2193: [-1765328174][Pre-authentication failed: Cannot read password]
>>>
>>> ********************** BACKTRACE DUMP ENDS HERE *********************************
>>>
>>> (2024-07-23 14:14:10): [krb5_child[970534]] [main] (0x3f7c0): [RID#27337] PAC check is requested but krb5_validate is set to false. PAC checks will be skipped.
>>>
>>> We’re ok with the krb5_validate message. We set:
>>>
>>> krb5_validate = False
>>>
>>> in /etc/sssd/sssd.conf file because KVNO of host principal gets out of sync between AD and /etc/krb5.keytab file frequently.
>>>
>>> So we’re comfortable with that one line of logging. It’s all the rest of the logging that we’d prefer not to see.
>>>
>>> How do we suppress them or eradicate the underlying condition that leads to them appearing?
>>>
>>> Here is our sssd.conf file.
>>>
>>> [nss]
>>> debug_backtrace_enabled = false
>>> #debug_level = 9
>>> filter_groups = root mfe bladelogic_linux_us...@amer.company.com bladelogic_linux_us...@emea.company.com bladelogic_linux_us...@apac.company.com bladelogic_linux_us...@japn.company.com bladelogic_linux_us...@company.com oracle
>>> filter_users = root mfe oracle
>>>
>>> [sssd]
>>> debug_backtrace_enabled = false
>>> #debug_level = 9
>>> domains = amer.company.com
>>> domain_resolution_order = amer.company.com, emea.company.com, apac.company.com, japn.company.com, company.com
>>> config_file_version = 2
>>> services = nss,pam,ifp
>>> reconnection_retries = 3
>>> full_name_format = %1$s
>>>
>>> [pam]
>>> pam_verbosity = 3
>>> #debug_level = 9
>>> offline_credentials_expiration = 3
>>>
>>> [ifp]
>>> #debug_level = 9
>>>
>>> [domain/amer.company.com]
>>> filter_groups = root mfe bladelogic_linux_users oracle
>>> sudo_provider = none
>>> debug_backtrace_enabled = false
>>> #debug_level = 9
>>> ad_enabled_domains = company.com, amer.company.com, apac.company.com, emea.company.com, japn.company.com
>>> ad_enabled_domains = amer.company.com, apac.company.com, emea.company.com, japn.company.com, company.com
>>> # If you enable ignore_group_members, it gives a small perf win, but then
>>> # "getent group XXX" shows no members. Perf win not worth the lack of
>>> # diagnostics.
>>> #ignore_group_members = true
>>> id_provider = ad
>>> access_provider = simple
>>> auth_provider = ad
>>> default_shell = /bin/bash
>>> ldap_id_mapping = False
>>> auto_private_groups = True
>>> realmd_tags = joined-with-adcli
>>> cache_credentials = True
>>>
>>> # Not set to true; Passwords stored in this way are kept in plaintext in
>>> # the kernel keyring and are potentially accessible by the root user (with
>>> # difficulty).
>>> #krb5_store_password_if_offline = True
>>> fallback_homedir = /home/%u
>>> ldap_sasl_authid = host/austgcore17.us.company....@amer.company.com
>>> dyndns_update = False
>>> # Using tokengroups is usually a speed optimization
>>> #ldap_use_tokengroups = False
>>> ldap_search_base = dc=AMER,dc=COMPANY,dc=COM
>>> ldap_force_upper_case_realm = True
>>> # Set to False, because KVNO of host principal gets out of sync between
>>> # AD and /etc/krb5.keytab file frequently.
>>> krb5_validate = False
>>> simple_allow_groups = amerlinux...@amer.company.com, amerlinux...@amer.company.com, emealinux...@emea.company.com, emealinux...@emea.company.com, apaclinux...@apac.company.com, apaclinux...@apac.company.com, gbllinuxsu...@amer.company.com, bladelogic_linux_us...@amer.company.com, prd-1004873-amer-dbspotu...@amer.company.com, pptsupport...@amer.company.com, unv_legato_adm...@amer.company.com, scheduling_glo...@amer.company.com, engit-e...@amer.company.com, amerlinuxengtfss...@amer.company.com, amerlnxsvcdelaut...@apac.company.com, iasnp...@amer.company.com, fnms_...@amer.company.com, zabbix-supp...@amer.company.com, globalinfosecops...@amer.company.com, prd-amer-fnmsops...@amer.company.com, amerlinuxeng
>>> simple_allow_users = processehcprofi...@amer.company.com, svc_prdaut...@amer.company.com, processfogli...@amer.company.com, svc_prdprofogligh...@amer.company.com, service_ome_li...@amer.company.com, svc_prdesquadscou...@apac.company.com, serviceunixinst...@amer.company.com, admspike_white, oracle
>>>
>>> # look at https://docs.pagure.org/SSSD.sssd/design_pages/subdomain_configuration.html
>>> [domain/amer.company.com/company.com]
>>> ldap_search_base = dc=COMPANY,dc=COM
>>>
>>> [domain/amer.company.com/apac.company.com]
>>> ldap_search_base = dc=APAC,dc=COMPANY,dc=COM
>>>
>>> [domain/amer.company.com/emea.company.com]
>>> ldap_search_base = dc=EMEA,dc=COMPANY,dc=COM
>>>
>>> [domain/amer.company.com/japn.company.com]
>>> ldap_search_base = dc=JAPN,dc=COMPANY,dc=COM
>>> --
>>> _______________________________________________
>>> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
>>> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
>>> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue