Alexey,
It took a while, but I have sssd-*-2.9.4.el9.x86_64 installed on a test RHEL9 server. Now when a user logs in, I get just this in /var/log/sssd/krb5_child.log:
(2024-07-25 12:11:46): [krb5_child[89771]] [main] (0x3f7c0): [RID#6] PAC check is requested but krb5_validate is set to false. PAC checks will be skipped.
(2024-07-25 12:11:46): [krb5_child[89772]] [main] (0x3f7c0): [RID#7] PAC check is requested but krb5_validate is set to false. PAC checks will be skipped.
Which is normal. So -- sssd version 2.9.5 fixes this.
BTW on this RHEL9 test server -- debug_backtrace_enabled is not set in this /etc/sssd/sssd.conf file (so it takes the default of 'true').
As far as standard RHEL8 & 9 sssd version 2.9.4-xxx, I'd rather not set debug_level = 0. I'd rather just wait for this bug fix.
Spike
On Thu, Jul 25, 2024 at 5:37 AM Alexey Tikhonov atikhono@redhat.com wrote:
On Wed, Jul 24, 2024 at 11:44 PM Spike White spikewhitetx@gmail.com wrote:
Alexey,
I have submitted Redhat case 03886211 https://access.redhat.com/support/cases/#/case/03886211 on this.
Thank you.
Just to clarify - there are 2 different issues:
(1) wrong log level used / excessive logging: I believe it's fixed in sssd-2.9.5. It would be great if you could test it using C9S package: https://composes.stream.centos.org/development/latest-CentOS-Stream/compose/...
(2) there is no way to configure 'debug_backtrace_enabled' for child processes: I opened https://github.com/SSSD/sssd/issues/7510 for this issue
Meanwhile, if those backtraces are too irritating, you can consider setting `debug_level = 0` in the domain section (but, of course, this will suppress almost all debugging).
Thank you, Spike
On Wed, Jul 24, 2024 at 1:04 PM Alexey Tikhonov atikhono@redhat.com wrote:
On Wed, Jul 24, 2024 at 6:29 PM Spike White spikewhitetx@gmail.com wrote:
Alexey,
Again, thanks for replying.
I put
debug_backtrace_enabled = false
in section
[domain/amer.company.com]
and restarted sssd. Still the backtrace shows up in /var/log/sssd/krb5_child.log. In both RHEL8 and RHEL9.
Is it possible that krb5_child (in version 2.9.4-x) is inheriting from another sssd.conf file section?
No, you've found a bug - there is no way to configure 'debug_backtrace_enabled' for child processes (maybe with the exception of proxy_child, not sure). I think the fix should be to inherit from the domain section (as it happens with debug_level). Please open a ticket upstream.
Spike
On Wed, Jul 24, 2024 at 10:24 AM Alexey Tikhonov atikhono@redhat.com wrote:
On Wed, Jul 24, 2024 at 5:20 PM Spike White spikewhitetx@gmail.com wrote:
Alexey,
Thank you for responding.
This occurs on RHEL8 and 9, but not on RHEL7. RHEL7 is version 1.16.5-xxxx.el7_9.xxx.x86_64
RHEL8 and 9 are versions 2.9.4-xxx.el8_10.x86_64 and 2.9.4-xxx.el9_4.x86_64.
On RHEL7 we don't have 'debug_backtrace_enabled = false' set (doesn't appear to be an option on version 1.16.5). But RHEL7 is ok.
On RHEL 8/9, we have 'debug_backtrace_enabled = false' set in the [nss] and [sssd] sections. Yet we see this backtrace in /var/log/sssd/krb5_child.log. Is there another section of sssd.conf in which we should be setting this?
ldap_/krb5_child "inherit" debug settings from [domain/...] section.
Spike
On Wed, Jul 24, 2024 at 4:16 AM Alexey Tikhonov atikhono@redhat.com wrote:
> Hi,
>
> what SSSD version is this?
>
> I think it should be fixed by https://github.com/SSSD/sssd/pull/7198#issuecomment-1959697353 and thus in SSSD 2.9.5+
> On an older version you can consider setting 'debug_backtrace_enabled = false'
>
> On Tue, Jul 23, 2024 at 9:37 PM Spike White spikewhitetx@gmail.com wrote:
>
>> All,
>>
>> This is not a problem. But it is annoying; how do I make it go away?
>>
>> Every time any user logs into any of our Linux servers, we get these messages in the /var/log/sssd/krb5_child.log file:
>>
>> (2024-07-23 11:20:44): [krb5_child[947088]] [main] (0x3f7c0): [RID#26239] PAC check is requested but krb5_validate is set to false. PAC checks will be skipped.
>> (2024-07-23 14:14:10): [krb5_child[970533]] [main] (0x3f7c0): [RID#27336] PAC check is requested but krb5_validate is set to false. PAC checks will be skipped.
>> (2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_get_init_creds_password] (0x0020): [RID#27336] 2193: [-1765328174][Pre-authentication failed: Cannot read password]
>> ********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
>> * (2024-07-23 14:14:10): [krb5_child[970533]] [main] (0x0400): [RID#27336] krb5_child started.
>> * (2024-07-23 14:14:10): [krb5_child[970533]] [unpack_buffer] (0x1000): [RID#27336] total buffer size: [92]
>> * (2024-07-23 14:14:10): [krb5_child[970533]] [unpack_buffer] (0x0100): [RID#27336] cmd [249 (pre-auth)] uid [2025431] gid [2025431] validate [false] enterprise principal [true] offline [false] UPN [AdmSpike_White@AMER.COMPANY.COM]
>> * (2024-07-23 14:14:10): [krb5_child[970533]] [unpack_buffer] (0x0100): [RID#27336] ccname: [KCM:] old_ccname: [KCM:] keytab: [not set]
>> * (2024-07-23 14:14:10): [krb5_child[970533]] [check_keytab_name] (0x0400): [RID#27336] Missing krb5_keytab option for domain, looking for default one
>> * (2024-07-23 14:14:10): [krb5_child[970533]] [check_keytab_name] (0x0400): [RID#27336] krb5_kt_default_name() returned: FILE:/etc/krb5.keytab
>> * (2024-07-23 14:14:10): [krb5_child[970533]] [check_keytab_name] (0x0400): [RID#27336] krb5_child will default to: /etc/krb5.keytab
>> * (2024-07-23 14:14:10): [krb5_child[970533]] [check_use_fast] (0x0100): [RID#27336] Not using FAST.
>> * (2024-07-23 14:14:10): [krb5_child[970533]] [become_user] (0x0200): [RID#27336] Trying to become user [2025431][2025431].
>> * (2024-07-23 14:14:10): [krb5_child[970533]] [main] (0x2000): [RID#27336] Running as [2025431][2025431].
>> * (2024-07-23 14:14:10): [krb5_child[970533]] [set_lifetime_options] (0x0100): [RID#27336] No specific renewable lifetime requested.
>> * (2024-07-23 14:14:10): [krb5_child[970533]] [set_lifetime_options] (0x0100): [RID#27336] No specific lifetime requested.
>> * (2024-07-23 14:14:10): [krb5_child[970533]] [set_canonicalize_option] (0x0100): [RID#27336] Canonicalization is set to [true]
>> * (2024-07-23 14:14:10): [krb5_child[970533]] [main] (0x0400): [RID#27336] Will perform pre-auth
>> * (2024-07-23 14:14:10): [krb5_child[970533]] [tgt_req_child] (0x1000): [RID#27336] Attempting to get a TGT
>> * (2024-07-23 14:14:10): [krb5_child[970533]] [get_and_save_tgt] (0x0400): [RID#27336] Attempting kinit for realm [AMER.COMPANY.COM]
>> * (2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_responder] (0x4000): [RID#27336] Got question [password].
>> * (2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_prompter] (0x4000): [RID#27336] sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL.
>> * (2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_prompter] (0x4000): [RID#27336] Prompt [0][Password for AdmSpike_White@AMER.COMPANY.COM@AMER.COMPANY.COM].
>> * (2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_prompter] (0x0200): [RID#27336] Prompter interface isn't used for password prompts by SSSD.
>> * (2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_get_init_creds_password] (0x0020): [RID#27336] 2193: [-1765328174][Pre-authentication failed: Cannot read password]
>> ********************** BACKTRACE DUMP ENDS HERE *********************************
>>
>> (2024-07-23 14:14:10): [krb5_child[970534]] [main] (0x3f7c0): [RID#27337] PAC check is requested but krb5_validate is set to false. PAC checks will be skipped.
>>
>> We're ok with the krb5_validate message. We set:
>>
>> krb5_validate = False
>>
>> in /etc/sssd/sssd.conf file because KVNO of host principal gets out of sync between AD and /etc/krb5.keytab file frequently.
>>
>> So we're comfortable with that one line of logging. It's all the rest of the logging that we'd prefer not to see.
>>
>> How do we suppress them or eradicate the underlying condition that leads to them appearing?
>>
>> Here is our sssd.conf file.
>>
>> [nss]
>> debug_backtrace_enabled = false
>> #debug_level = 9
>> filter_groups = root mfe bladelogic_linux_users@amer.company.com bladelogic_linux_users@emea.company.com bladelogic_linux_users@apac.company.com bladelogic_linux_users@japn.company.com bladelogic_linux_users@company.com oracle
>> filter_users = root mfe oracle
>>
>> [sssd]
>> debug_backtrace_enabled = false
>> #debug_level = 9
>> domains = amer.company.com
>> domain_resolution_order = amer.company.com, emea.company.com, apac.company.com, japn.company.com, company.com
>> config_file_version = 2
>> services = nss,pam,ifp
>> reconnection_retries = 3
>> full_name_format = %1$s
>>
>> [pam]
>> pam_verbosity = 3
>> #debug_level = 9
>> offline_credentials_expiration = 3
>>
>> [ifp]
>> #debug_level = 9
>>
>> [domain/amer.company.com]
>> filter_groups = root mfe bladelogic_linux_users oracle
>> sudo_provider = none
>> debug_backtrace_enabled = false
>> #debug_level = 9
>> ad_enabled_domains = company.com, amer.company.com, apac.company.com, emea.company.com, japn.company.com
>> ad_enabled_domains = amer.company.com, apac.company.com, emea.company.com, japn.company.com, company.com
>> # If you enable ignore_group_members, it gives a small perf win, but then
>> # "getent group XXX" shows no members. Perf win not worth the lack of
>> # diagnostics.
>> #ignore_group_members = true
>> id_provider = ad
>> access_provider = simple
>> auth_provider = ad
>> default_shell = /bin/bash
>> ldap_id_mapping = False
>> auto_private_groups = True
>> realmd_tags = joined-with-adcli
>> cache_credentials = True
>>
>> # Not set to true; Passwords stored in this way are kept in plaintext in the kernel keyring and are potentially accessible by the root user (with difficulty).
>> #krb5_store_password_if_offline = True
>> fallback_homedir = /home/%u
>> ldap_sasl_authid = host/austgcore17.us.company.com@AMER.COMPANY.COM
>> dyndns_update = False
>> # Using tokengroups is usually a speed optimization
>> #ldap_use_tokengroups = False
>> ldap_search_base = dc=AMER,dc=COMPANY,dc=COM
>> ldap_force_upper_case_realm = True
>> # Set to False, because KVNO of host principal gets out of sync between
>> # AD and /etc/krb5.keytab file frequently.
>> krb5_validate = False
>> simple_allow_groups = amerlinuxsup@amer.company.com, amerlinuxeng@amer.company.com, emealinuxsup@emea.company.com, emealinuxeng@emea.company.com, apaclinuxsup@apac.company.com, apaclinuxeng@apac.company.com, gbllinuxsuppw@amer.company.com, bladelogic_linux_users@amer.company.com, PRD-1004873-AMER-DBSPOTUNIX@amer.company.com, pptsupportpac@amer.company.com, unv_legato_admins@amer.company.com, scheduling_global@amer.company.com, engit-ebpa@amer.company.com, amerlinuxengtfssupt@amer.company.com, amerlnxsvcdelauttfs@apac.company.com, iasnprod@amer.company.com, fnms_ops@amer.company.com, zabbix-support@amer.company.com, globalinfosecopsadm@amer.company.com, prd-amer-fnmsopspac@amer.company.com, amerlinuxeng
>> simple_allow_users = processehcprofiler@amer.company.com, svc_prdautovm@amer.company.com, processfoglight@amer.company.com, svc_prdprofoglight01@amer.company.com, service_ome_linux@amer.company.com, svc_prdesquadscounix@apac.company.com, serviceunixinstall@amer.company.com, admspike_white, oracle
>>
>> # look at https://docs.pagure.org/SSSD.sssd/design_pages/subdomain_configuration.html
>> [domain/amer.company.com/company.com]
>> ldap_search_base = dc=COMPANY,dc=COM
>>
>> [domain/amer.company.com/apac.company.com]
>> ldap_search_base = dc=APAC,dc=COMPANY,dc=COM
>>
>> [domain/amer.company.com/emea.company.com]
>> ldap_search_base = dc=EMEA,dc=COMPANY,dc=COM
>>
>> [domain/amer.company.com/japn.company.com]
>> ldap_search_base = dc=JAPN,dc=COMPANY,dc=COM
>> --
>> _______________________________________________
>> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
>> To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
>> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
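Setting `debug_level = 0` in the domain section, as discussed in the thread, silences everything in krb5_child.log, including the one 0x0020 failure line an operator actually wants. The following Python filter is an added example, not from the thread or the SSSD project: it drops the backtrace dump blocks and the expected krb5_validate notice, leaving only the real events; the sample log is constructed from the line format quoted above.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the krb5_child.log lines quoted in the thread.
SAMPLE_LOG = """\
(2024-07-23 14:14:10): [krb5_child[970533]] [main] (0x3f7c0): [RID#27336] PAC check is requested but krb5_validate is set to false. PAC checks will be skipped.
(2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_get_init_creds_password] (0x0020): [RID#27336] 2193: [-1765328174][Pre-authentication failed: Cannot read password]
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
   * (2024-07-23 14:14:10): [krb5_child[970533]] [main] (0x0400): [RID#27336] krb5_child started.
   * (2024-07-23 14:14:10): [krb5_child[970533]] [check_use_fast] (0x0100): [RID#27336] Not using FAST.
********************** BACKTRACE DUMP ENDS HERE *********************************
(2024-07-23 14:14:10): [krb5_child[970534]] [main] (0x3f7c0): [RID#27337] PAC check is requested but krb5_validate is set to false. PAC checks will be skipped.
"""

# One top-level krb5_child log line: timestamp, pid, function, level mask, request id, message.
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\): \[krb5_child\[(?P<pid>\d+)\]\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-f]+)\): \[RID#(?P<rid>\d+)\] (?P<msg>.*)$"
)
BT_START = "PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE"
BT_END = "BACKTRACE DUMP ENDS HERE"
PAC_SKIP = "PAC checks will be skipped"  # the notice the thread is fine with

@dataclass
class Event:
    ts: str
    pid: int
    func: str
    level: int
    rid: int
    msg: str

def strip_backtraces(text):
    """Yield only the top-level lines, skipping everything inside a backtrace dump."""
    in_bt = False
    for line in text.splitlines():
        if BT_START in line:
            in_bt = True
        elif BT_END in line:
            in_bt = False
        elif not in_bt:
            yield line

def parse(text, ignore_pac_skip=True):
    """Return the parsed events that remain after filtering; unparseable lines are dropped."""
    events = []
    for line in strip_backtraces(text):
        m = LINE_RE.match(line)
        if m is None or (ignore_pac_skip and PAC_SKIP in m["msg"]):
            continue
        events.append(Event(m["ts"], int(m["pid"]), m["func"],
                            int(m["level"], 16), int(m["rid"]), m["msg"]))
    return events
```

On the constructed sample only the 0x0020 pre-authentication failure survives, which is the line worth alerting on; the hypothetical `ignore_pac_skip=False` switch keeps the krb5_validate notices for auditing how often validation is being skipped.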