Alexey,

I have submitted Redhat case  03886211 on this.

Thank you,

Spike

On Wed, Jul 24, 2024 at 1:04 PM Alexey Tikhonov <atikhono@redhat.com> wrote:

On Wed, Jul 24, 2024 at 6:29 PM Spike White <spikewhitetx@gmail.com> wrote:

Alexey,

Again, thanks for replying.

I put 

debug_backtrace_enabled = false

in section

[domain/amer.company.com]

and restarted sssd.  Still the backtrace shows up in /var/log/sssd/krb5_child.log.  In both RHEL8 and RHEL9.

Is it possible that krb5_child  (n version 2.9.4-x) is inheriting from another sssd.conf file section?

No, you've found a bug - there is no way to configure 'debug_backtrace_enabled' for child processes (may be with the exception of proxy_child, not sure).

I think the fix should be to inherit from the domain section (as it happens with debug_level),

Please, open a ticket upstream.

 

Spike

On Wed, Jul 24, 2024 at 10:24 AM Alexey Tikhonov <atikhono@redhat.com> wrote:

On Wed, Jul 24, 2024 at 5:20 PM Spike White <spikewhitetx@gmail.com> wrote:

Alexey,

Thank you for responding.

This occurs on RHEL8 and 9, but not on RHEL7.    RHEL7 is version 1.16.5-xxxx.el7_9.xxx.x86_64

RHEL8 and 9 are versions 2.9.4-xxx.el8_10.x86_64 and 2.9.4-xxx.el9_4.x86_64..

On RHEL7 we don't have 'debug_backtrace_enabled = false' set (doesn't appear to be an option on version 1.16.5).  But RHEL7 is ok.

On RHEL 8/9, we have 'debug_backtrace_enabled = false' set in the [nss] and [sssd] sections.  Yet we see this backtrace in /var/log/sssd/krb5_child.log.  Is there another section of sssd.conf in which we should be setting this?

ldap_/krb5_child "inherit" debug settings from [domain/...] section.

 

Spike

On Wed, Jul 24, 2024 at 4:16 AM Alexey Tikhonov <atikhono@redhat.com> wrote:

Hi,

what SSSD version is this?

I think it should be fixed by https://github.com/SSSD/sssd/pull/7198#issuecomment-1959697353 and thus in SSSD 2.9.5+

On an older version you can consider setting 'debug_backtrace_enabled = false'

On Tue, Jul 23, 2024 at 9:37 PM Spike White <spikewhitetx@gmail.com> wrote:

All,

This is not a problem.  But it is annoying;  how do I make it go away?

Every time any user logs into any of our Linux servers, we get these messages in the /var/log/sssd/krb5_child.log file:

 

(2024-07-23 11:20:44): [krb5_child[947088]] [main] (0x3f7c0): [RID#26239] PAC check is requested but krb5_validate is set to false. PAC checks will be skipped.

(2024-07-23 14:14:10): [krb5_child[970533]] [main] (0x3f7c0): [RID#27336] PAC check is requested but krb5_validate is set to false. PAC checks will be skipped.

(2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_get_init_creds_password] (0x0020): [RID#27336] 2193: [-1765328174][Pre-authentication failed: Cannot read password]

********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:

   *  (2024-07-23 14:14:10): [krb5_child[970533]] [main] (0x0400): [RID#27336] krb5_child started.

   *  (2024-07-23 14:14:10): [krb5_child[970533]] [unpack_buffer] (0x1000): [RID#27336] total buffer size: [92]

   *  (2024-07-23 14:14:10): [krb5_child[970533]] [unpack_buffer] (0x0100): [RID#27336] cmd [249 (pre-auth)] uid [2025431] gid [2025431] validate [false] enterprise principal [true] offline [false] UPN [AdmSpike_White@AMER.COMPANY.COM]

   *  (2024-07-23 14:14:10): [krb5_child[970533]] [unpack_buffer] (0x0100): [RID#27336] ccname: [KCM:] old_ccname: [KCM:] keytab: [not set]

   *  (2024-07-23 14:14:10): [krb5_child[970533]] [check_keytab_name] (0x0400): [RID#27336] Missing krb5_keytab option for domain, looking for default one

   *  (2024-07-23 14:14:10): [krb5_child[970533]] [check_keytab_name] (0x0400): [RID#27336] krb5_kt_default_name() returned: FILE:/etc/krb5.keytab

   *  (2024-07-23 14:14:10): [krb5_child[970533]] [check_keytab_name] (0x0400): [RID#27336] krb5_child will default to: /etc/krb5.keytab

   *  (2024-07-23 14:14:10): [krb5_child[970533]] [check_use_fast] (0x0100): [RID#27336] Not using FAST.

   *  (2024-07-23 14:14:10): [krb5_child[970533]] [become_user] (0x0200): [RID#27336] Trying to become user [2025431][2025431].

   *  (2024-07-23 14:14:10): [krb5_child[970533]] [main] (0x2000): [RID#27336] Running as [2025431][2025431].

   *  (2024-07-23 14:14:10): [krb5_child[970533]] [set_lifetime_options] (0x0100): [RID#27336] No specific renewable lifetime requested.

   *  (2024-07-23 14:14:10): [krb5_child[970533]] [set_lifetime_options] (0x0100): [RID#27336] No specific lifetime requested.

   *  (2024-07-23 14:14:10): [krb5_child[970533]] [set_canonicalize_option] (0x0100): [RID#27336] Canonicalization is set to [true]

   *  (2024-07-23 14:14:10): [krb5_child[970533]] [main] (0x0400): [RID#27336] Will perform pre-auth

   *  (2024-07-23 14:14:10): [krb5_child[970533]] [tgt_req_child] (0x1000): [RID#27336] Attempting to get a TGT

   *  (2024-07-23 14:14:10): [krb5_child[970533]] [get_and_save_tgt] (0x0400): [RID#27336] Attempting kinit for realm [AMER.COMPANY.COM]

   *  (2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_responder] (0x4000): [RID#27336] Got question [password].

   *  (2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_prompter] (0x4000): [RID#27336] sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL.

   *  (2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_prompter] (0x4000): [RID#27336] Prompt [0][Password for AdmSpike_White\@AMER.COMPANY.COM@AMER.COMPANY.COM].

   *  (2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_prompter] (0x0200): [RID#27336] Prompter interface isn't used for password prompts by SSSD.

   *  (2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_get_init_creds_password] (0x0020): [RID#27336] 2193: [-1765328174][Pre-authentication failed: Cannot read password]

********************** BACKTRACE DUMP ENDS HERE *********************************

 

(2024-07-23 14:14:10): [krb5_child[970534]] [main] (0x3f7c0): [RID#27337] PAC check is requested but krb5_validate is set to false. PAC checks will be skipped.

 

We’re ok with the krb5_validate message.    We set:

krb5_validate = False

in /etc/sssd/sssd.conf file because KVNO of host principal gets out of sync between AD and /etc/krb5.keytab file frequently.

So we’re comfortable with that one line of logging.  It’s all the rest of the logging that we’d prefer not to see.

How do we suppress them or eradicate the underlying condition that leads to them appearing?

Here is our sssd.conf file.

[nss]

debug_backtrace_enabled = false

#debug_level = 9

filter_groups = root mfe bladelogic_linux_users@amer.company.com  bladelogic_linux_users@emea.company.com bladelogic_linux_users@apac.company.com bladelogic_linux_users@japn.company.com bladelogic_linux_users@company.com oracle

filter_users = root  mfe oracle

 

[sssd]

debug_backtrace_enabled = false

#debug_level = 9

domains = amer.company.com

domain_resolution_order = amer.company.com, emea.company.com, apac.company.com, japn.company.com, company.com

config_file_version = 2

services = nss,pam,ifp

reconnection_retries = 3

full_name_format = %1$s

 

[pam]

pam_verbosity = 3

#debug_level = 9

offline_credentials_expiration = 3

 

[ifp]

#debug_level = 9

 

[domain/amer.company.com]

filter_groups = root mfe bladelogic_linux_users oracle

sudo_provider = none

debug_backtrace_enabled = false

#debug_level = 9

ad_enabled_domains = company.com, amer.company.com, apac.company.com, emea.company.com, japn.company.com

ad_enabled_domains = amer.company.com, apac.company.com, emea.company.com, japn.company.com, company.com

# If you enable ignore_group_members, it gives a small perf win, but then

# "getent group XXX" shows no members.  Perf win not worth the lack of

# diagnostics.

#ignore_group_members = true

id_provider = ad

access_provider = simple

auth_provider = ad

default_shell = /bin/bash

ldap_id_mapping = False

auto_private_groups = True

realmd_tags = joined-with-adcli

cache_credentials = True

 

# Not set to true; Passwords stored in this way are kept in plaintext in the kernel keyring and are potentially accessible by the root user (with difficulty).

#krb5_store_password_if_offline = True

fallback_homedir = /home/%u

ldap_sasl_authid = host/austgcore17.us.company.com@AMER.COMPANY.COM

dyndns_update = False

# Using tokengroups is usually a speed optimization

#ldap_use_tokengroups = False

ldap_search_base = dc=AMER,dc=COMPANY,dc=COM

ldap_force_upper_case_realm = True

# Set to False, because KVNO of host principal gets out of sync between

# AD and /etc/krb5.keytab file frequently.

krb5_validate = False

simple_allow_groups = amerlinuxsup@amer.company.com, amerlinuxeng@amer.company.com, emealinuxsup@emea.company.com, emealinuxeng@emea.company.com, apaclinuxsup@apac.company.com, apaclinuxeng@apac.company.com, gbllinuxsuppw@amer.company.com, bladelogic_linux_users@amer.company.com, PRD-1004873-AMER-DBSPOTUNIX@amer.company.com, pptsupportpac@amer.company.com, unv_legato_admins@amer.company.com, scheduling_global@amer.company.com, engit-ebpa@amer.company.com, amerlinuxengtfssupt@amer.company.com, amerlnxsvcdelauttfs@apac.company.com, iasnprod@amer.company.com, fnms_ops@amer.company.com, zabbix-support@amer.company.com, globalinfosecopsadm@amer.company.com, prd-amer-fnmsopspac@amer.company.com, amerlinuxeng

simple_allow_users = processehcprofiler@amer.company.com, svc_prdautovm@amer.company.com, processfoglight@amer.company.com, svc_prdprofoglight01@amer.company.com, service_ome_linux@amer.company.com, svc_prdesquadscounix@apac.company.com, serviceunixinstall@amer.company.com, admspike_white, oracle

 

# look at https://docs.pagure.org/SSSD.sssd/design_pages/subdomain_configuration.html

[domain/amer.company.com/company.com]

ldap_search_base = dc=COMPANY,dc=COM

 

[domain/amer.company.com/apac.company.com]

ldap_search_base = dc=APAC,dc=COMPANY,dc=COM

 

[domain/amer.company.com/emea.company.com]

ldap_search_base = dc=EMEA,dc=COMPANY,dc=COM

 

[domain/amer.company.com/japn.company.com]

ldap_search_base = dc=JAPN,dc=COMPANY,dc=COM

--
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

--
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

--
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

--
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

--
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

--
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

--
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue