On Wed, Jul 24, 2024 at 11:44 PM Spike White spikewhitetx@gmail.com wrote:
Alexey,
I have submitted Redhat case 03886211 https://access.redhat.com/support/cases/#/case/03886211 on this.
Thank you.
Just to clarify - there are 2 different issues:
(1) wrong log level used / excessive logging: I believe it's fixed in sssd-2.9.5. It would be great if you could test it using C9S package: https://composes.stream.centos.org/development/latest-CentOS-Stream/compose/...
(2) there is no way to configure 'debug_backtrace_enabled' for child processes: I opened https://github.com/SSSD/sssd/issues/7510 for this issue
Meanwhile, if those backtraces are too irritating, you can consider setting `debug_level = 0` in the domain section (but, of course, this will suppress almost all debugging).
Thank you, Spike
On Wed, Jul 24, 2024 at 1:04 PM Alexey Tikhonov atikhono@redhat.com wrote:
On Wed, Jul 24, 2024 at 6:29 PM Spike White spikewhitetx@gmail.com wrote:
Alexey,
Again, thanks for replying.
I put
debug_backtrace_enabled = false
in section
[domain/amer.company.com]
and restarted sssd. Still the backtrace shows up in /var/log/sssd/krb5_child.log. In both RHEL8 and RHEL9.
Is it possible that krb5_child (in version 2.9.4-x) is inheriting from another sssd.conf file section?
No, you've found a bug - there is no way to configure 'debug_backtrace_enabled' for child processes (maybe with the exception of proxy_child, not sure). I think the fix should be to inherit from the domain section (as it happens with debug_level). Please open a ticket upstream.
Spike
On Wed, Jul 24, 2024 at 10:24 AM Alexey Tikhonov atikhono@redhat.com wrote:
On Wed, Jul 24, 2024 at 5:20 PM Spike White spikewhitetx@gmail.com wrote:
Alexey,
Thank you for responding.
This occurs on RHEL8 and 9, but not on RHEL7. RHEL7 is version 1.16.5-xxxx.el7_9.xxx.x86_64
RHEL8 and 9 are versions 2.9.4-xxx.el8_10.x86_64 and 2.9.4-xxx.el9_4.x86_64.
On RHEL7 we don't have 'debug_backtrace_enabled = false' set (doesn't appear to be an option on version 1.16.5). But RHEL7 is ok.
On RHEL 8/9, we have 'debug_backtrace_enabled = false' set in the [nss] and [sssd] sections. Yet we see this backtrace in /var/log/sssd/krb5_child.log. Is there another section of sssd.conf in which we should be setting this?
ldap_/krb5_child "inherit" debug settings from [domain/...] section.
Spike
On Wed, Jul 24, 2024 at 4:16 AM Alexey Tikhonov atikhono@redhat.com wrote:
Hi,
what SSSD version is this?
I think it should be fixed by https://github.com/SSSD/sssd/pull/7198#issuecomment-1959697353 and thus in SSSD 2.9.5+. On an older version you can consider setting 'debug_backtrace_enabled = false'.
On Tue, Jul 23, 2024 at 9:37 PM Spike White spikewhitetx@gmail.com wrote:
> All,
>
> This is not a problem. But it is annoying; how do I make it go away?
>
> Every time any user logs into any of our Linux servers, we get these messages in the /var/log/sssd/krb5_child.log file:
>
> (2024-07-23 11:20:44): [krb5_child[947088]] [main] (0x3f7c0): [RID#26239] PAC check is requested but krb5_validate is set to false. PAC checks will be skipped.
> (2024-07-23 14:14:10): [krb5_child[970533]] [main] (0x3f7c0): [RID#27336] PAC check is requested but krb5_validate is set to false. PAC checks will be skipped.
> (2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_get_init_creds_password] (0x0020): [RID#27336] 2193: [-1765328174][Pre-authentication failed: Cannot read password]
> ********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
> * (2024-07-23 14:14:10): [krb5_child[970533]] [main] (0x0400): [RID#27336] krb5_child started.
> * (2024-07-23 14:14:10): [krb5_child[970533]] [unpack_buffer] (0x1000): [RID#27336] total buffer size: [92]
> * (2024-07-23 14:14:10): [krb5_child[970533]] [unpack_buffer] (0x0100): [RID#27336] cmd [249 (pre-auth)] uid [2025431] gid [2025431] validate [false] enterprise principal [true] offline [false] UPN [AdmSpike_White@AMER.COMPANY.COM]
> * (2024-07-23 14:14:10): [krb5_child[970533]] [unpack_buffer] (0x0100): [RID#27336] ccname: [KCM:] old_ccname: [KCM:] keytab: [not set]
> * (2024-07-23 14:14:10): [krb5_child[970533]] [check_keytab_name] (0x0400): [RID#27336] Missing krb5_keytab option for domain, looking for default one
> * (2024-07-23 14:14:10): [krb5_child[970533]] [check_keytab_name] (0x0400): [RID#27336] krb5_kt_default_name() returned: FILE:/etc/krb5.keytab
> * (2024-07-23 14:14:10): [krb5_child[970533]] [check_keytab_name] (0x0400): [RID#27336] krb5_child will default to: /etc/krb5.keytab
> * (2024-07-23 14:14:10): [krb5_child[970533]] [check_use_fast] (0x0100): [RID#27336] Not using FAST.
> * (2024-07-23 14:14:10): [krb5_child[970533]] [become_user] (0x0200): [RID#27336] Trying to become user [2025431][2025431].
> * (2024-07-23 14:14:10): [krb5_child[970533]] [main] (0x2000): [RID#27336] Running as [2025431][2025431].
> * (2024-07-23 14:14:10): [krb5_child[970533]] [set_lifetime_options] (0x0100): [RID#27336] No specific renewable lifetime requested.
> * (2024-07-23 14:14:10): [krb5_child[970533]] [set_lifetime_options] (0x0100): [RID#27336] No specific lifetime requested.
> * (2024-07-23 14:14:10): [krb5_child[970533]] [set_canonicalize_option] (0x0100): [RID#27336] Canonicalization is set to [true]
> * (2024-07-23 14:14:10): [krb5_child[970533]] [main] (0x0400): [RID#27336] Will perform pre-auth
> * (2024-07-23 14:14:10): [krb5_child[970533]] [tgt_req_child] (0x1000): [RID#27336] Attempting to get a TGT
> * (2024-07-23 14:14:10): [krb5_child[970533]] [get_and_save_tgt] (0x0400): [RID#27336] Attempting kinit for realm [AMER.COMPANY.COM]
> * (2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_responder] (0x4000): [RID#27336] Got question [password].
> * (2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_prompter] (0x4000): [RID#27336] sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL.
> * (2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_prompter] (0x4000): [RID#27336] Prompt [0][Password for AdmSpike_White@AMER.COMPANY.COM@AMER.COMPANY.COM].
> * (2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_prompter] (0x0200): [RID#27336] Prompter interface isn't used for password prompts by SSSD.
> * (2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_get_init_creds_password] (0x0020): [RID#27336] 2193: [-1765328174][Pre-authentication failed: Cannot read password]
> ********************** BACKTRACE DUMP ENDS HERE *********************************
>
> (2024-07-23 14:14:10): [krb5_child[970534]] [main] (0x3f7c0): [RID#27337] PAC check is requested but krb5_validate is set to false. PAC checks will be skipped.
>
> We’re ok with the krb5_validate message. We set:
>
> krb5_validate = False
>
> in /etc/sssd/sssd.conf file because KVNO of host principal gets out of sync between AD and /etc/krb5.keytab file frequently.
>
> So we’re comfortable with that one line of logging. It’s all the rest of the logging that we’d prefer not to see.
>
> How do we suppress them or eradicate the underlying condition that leads to them appearing?
>
> Here is our sssd.conf file.
>
> [nss]
> debug_backtrace_enabled = false
> #debug_level = 9
> filter_groups = root mfe bladelogic_linux_users@amer.company.com bladelogic_linux_users@emea.company.com bladelogic_linux_users@apac.company.com bladelogic_linux_users@japn.company.com bladelogic_linux_users@company.com oracle
> filter_users = root mfe oracle
>
> [sssd]
> debug_backtrace_enabled = false
> #debug_level = 9
> domains = amer.company.com
> domain_resolution_order = amer.company.com, emea.company.com, apac.company.com, japn.company.com, company.com
> config_file_version = 2
> services = nss,pam,ifp
> reconnection_retries = 3
> full_name_format = %1$s
>
> [pam]
> pam_verbosity = 3
> #debug_level = 9
> offline_credentials_expiration = 3
>
> [ifp]
> #debug_level = 9
>
> [domain/amer.company.com]
> filter_groups = root mfe bladelogic_linux_users oracle
> sudo_provider = none
> debug_backtrace_enabled = false
> #debug_level = 9
> ad_enabled_domains = company.com, amer.company.com, apac.company.com, emea.company.com, japn.company.com
> ad_enabled_domains = amer.company.com, apac.company.com, emea.company.com, japn.company.com, company.com
> # If you enable ignore_group_members, it gives a small perf win, but then
> # "getent group XXX" shows no members. Perf win not worth the lack of
> # diagnostics.
> #ignore_group_members = true
> id_provider = ad
> access_provider = simple
> auth_provider = ad
> default_shell = /bin/bash
> ldap_id_mapping = False
> auto_private_groups = True
> realmd_tags = joined-with-adcli
> cache_credentials = True
>
> # Not set to true; Passwords stored in this way are kept in plaintext in the kernel keyring and are potentially accessible by the root user (with difficulty).
> #krb5_store_password_if_offline = True
> fallback_homedir = /home/%u
> ldap_sasl_authid = host/austgcore17.us.company.com@AMER.COMPANY.COM
> dyndns_update = False
> # Using tokengroups is usually a speed optimization
> #ldap_use_tokengroups = False
> ldap_search_base = dc=AMER,dc=COMPANY,dc=COM
> ldap_force_upper_case_realm = True
> # Set to False, because KVNO of host principal gets out of sync between
> # AD and /etc/krb5.keytab file frequently.
> krb5_validate = False
> simple_allow_groups = amerlinuxsup@amer.company.com, amerlinuxeng@amer.company.com, emealinuxsup@emea.company.com, emealinuxeng@emea.company.com, apaclinuxsup@apac.company.com, apaclinuxeng@apac.company.com, gbllinuxsuppw@amer.company.com, bladelogic_linux_users@amer.company.com, PRD-1004873-AMER-DBSPOTUNIX@amer.company.com, pptsupportpac@amer.company.com, unv_legato_admins@amer.company.com, scheduling_global@amer.company.com, engit-ebpa@amer.company.com, amerlinuxengtfssupt@amer.company.com, amerlnxsvcdelauttfs@apac.company.com, iasnprod@amer.company.com, fnms_ops@amer.company.com, zabbix-support@amer.company.com, globalinfosecopsadm@amer.company.com, prd-amer-fnmsopspac@amer.company.com, amerlinuxeng
> simple_allow_users = processehcprofiler@amer.company.com, svc_prdautovm@amer.company.com, processfoglight@amer.company.com, svc_prdprofoglight01@amer.company.com, service_ome_linux@amer.company.com, svc_prdesquadscounix@apac.company.com, serviceunixinstall@amer.company.com, admspike_white, oracle
>
> # look at https://docs.pagure.org/SSSD.sssd/design_pages/subdomain_configuration.html
> [domain/amer.company.com/company.com]
> ldap_search_base = dc=COMPANY,dc=COM
>
> [domain/amer.company.com/apac.company.com]
> ldap_search_base = dc=APAC,dc=COMPANY,dc=COM
>
> [domain/amer.company.com/emea.company.com]
> ldap_search_base = dc=EMEA,dc=COMPANY,dc=COM
>
> [domain/amer.company.com/japn.company.com]
> ldap_search_base = dc=JAPN,dc=COMPANY,dc=COM
> --
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
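The thread is about backtrace dumps that krb5_child writes into /var/log/sssd/krb5_child.log and that, on 2.9.4, cannot be switched off for child processes. Until the fix lands, an operator shipping these logs to a SIEM usually wants to keep the triggering message and drop the dump that follows it. The script below is an added example, not code from the thread or from the SSSD project: it parses the child-log line format shown in the original message, skips everything between the "PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE" and "BACKTRACE DUMP ENDS HERE" markers, and groups what remains by request id. The regular expression is my own reading of that format, and the sample log is constructed from the lines quoted above with the UPN line left out.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Line format of SSSD child-process logs such as /var/log/sssd/krb5_child.log,
# as shown in the thread (assumption: this regex is my own reading of it):
#   (timestamp): [process[pid]] [function] (0xlevel): [RID#n] message
# Lines inside a backtrace dump carry a leading "*", which the pattern tolerates.
LINE_RE = re.compile(
    r"^\*?\s*\((?P<ts>[^)]+)\):\s+\[(?P<proc>\w+)\[(?P<pid>\d+)\]\]\s+"
    r"\[(?P<func>[^\]]+)\]\s+\((?P<level>0x[0-9a-fA-F]+)\):\s+"
    r"(?:\[RID#(?P<rid>\d+)\]\s+)?(?P<msg>.*)$"
)

# Markers that delimit a backtrace dump, as seen in the quoted log.
BT_START = "PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE"
BT_END = "BACKTRACE DUMP ENDS HERE"


@dataclass
class LogEntry:
    timestamp: str
    process: str
    pid: int
    function: str
    level: int          # debug-level bitmask as logged, e.g. 0x0020
    rid: Optional[int]  # request id; some lines carry none
    message: str


def parse_line(line: str) -> Optional[LogEntry]:
    """Parse one child-log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return LogEntry(
        timestamp=m["ts"],
        process=m["proc"],
        pid=int(m["pid"]),
        function=m["func"],
        level=int(m["level"], 16),
        rid=int(m["rid"]) if m["rid"] else None,
        message=m["msg"],
    )


def strip_backtraces(lines):
    """Drop everything between the backtrace start and end markers.

    Returns (entries, dumps): parsed entries outside any dump (the message
    that triggered the dump precedes it and is therefore kept) and the
    number of dumps removed.
    """
    entries, dumps, in_dump = [], 0, False
    for line in lines:
        if BT_START in line:
            in_dump, dumps = True, dumps + 1
            continue
        if BT_END in line:
            in_dump = False
            continue
        if in_dump:
            continue
        entry = parse_line(line)
        if entry is not None:
            entries.append(entry)
    return entries, dumps


def by_rid(entries):
    """Group entries by request id so one authentication attempt reads as a unit."""
    groups = {}
    for e in entries:
        groups.setdefault(e.rid, []).append(e)
    return groups


# Constructed sample in the format the thread shows (UPN line omitted).
SAMPLE_LOG = """\
(2024-07-23 11:20:44): [krb5_child[947088]] [main] (0x3f7c0): [RID#26239] PAC check is requested but krb5_validate is set to false. PAC checks will be skipped.
(2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_get_init_creds_password] (0x0020): [RID#27336] 2193: [-1765328174][Pre-authentication failed: Cannot read password]
   ********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
   *  (2024-07-23 14:14:10): [krb5_child[970533]] [main] (0x0400): [RID#27336] krb5_child started.
   *  (2024-07-23 14:14:10): [krb5_child[970533]] [unpack_buffer] (0x1000): [RID#27336] total buffer size: [92]
   *  (2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_get_init_creds_password] (0x0020): [RID#27336] 2193: [-1765328174][Pre-authentication failed: Cannot read password]
   ********************** BACKTRACE DUMP ENDS HERE *********************************
(2024-07-23 14:14:10): [krb5_child[970534]] [main] (0x3f7c0): [RID#27337] PAC check is requested but krb5_validate is set to false. PAC checks will be skipped.
"""


def demo():
    """Filter the sample; return (messages kept, dumps removed)."""
    entries, dumps = strip_backtraces(SAMPLE_LOG.splitlines())
    return len(entries), dumps


if __name__ == "__main__":
    kept, removed = strip_backtraces(SAMPLE_LOG.splitlines())
    print(f"removed {removed} backtrace dump(s); {len(kept)} message(s) kept")
    for rid, group in by_rid(kept).items():
        for e in group:
            print(f"RID#{rid} {e.function} ({e.level:#06x}): {e.message}")
```

Run it against a real file with `strip_backtraces(open("/var/log/sssd/krb5_child.log"))`. The filter keeps the 0x0020-level failure line that triggered the dump, so nothing an on-call engineer needs for triage is lost; only the replayed trace beneath it goes. Grouping by RID is what makes the surviving lines readable, because krb5_child forks per request and the pid alone does not tie a PAC notice to the authentication it belongs to.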