On Thu, Jul 25, 2024 at 6:19 PM Spike White spikewhitetx@gmail.com wrote:
Alexey,
It took a while, but I have sssd-*-2.9.4.el9.x86_64 installed on a test RHEL9 server. Now when a user logs in, I get just this in /var/log/sssd/krb5_child.log:
(2024-07-25 12:11:46): [krb5_child[89771]] [main] (0x3f7c0): [RID#6] PAC check is requested but krb5_validate is set to false. PAC checks will be skipped.
(2024-07-25 12:11:46): [krb5_child[89772]] [main] (0x3f7c0): [RID#7] PAC check is requested but krb5_validate is set to false. PAC checks will be skipped.
Which is normal. So -- sssd version 2.9.5 fixes this.
Thank you for testing.
BTW on this RHEL9 test server -- debug_backtrace_enabled is not set in this /etc/sssd/sssd.conf file (so it takes default of 'true').
As far as standard RHEL8 & 9 sssd version 2.9.4-xxx, I'd rather not set debug_level = 0. I'd rather just wait for this bug fix.
While RHEL9 should eventually get sssd-2.9.5+ (or even sssd-2.10), RHEL8 probably won't... i.e. fixing this in RHEL8 would require pulling https://github.com/SSSD/sssd/pull/7198#issuecomment-1959697353 explicitly...
Spike
On Thu, Jul 25, 2024 at 5:37 AM Alexey Tikhonov atikhono@redhat.com wrote:
On Wed, Jul 24, 2024 at 11:44 PM Spike White spikewhitetx@gmail.com wrote:
Alexey,
I have submitted Redhat case 03886211 https://access.redhat.com/support/cases/#/case/03886211 on this.
Thank you.
Just to clarify - there are 2 different issues:
(1) wrong log level used / excessive logging: I believe it's fixed in sssd-2.9.5. It would be great if you could test it using C9S package: https://composes.stream.centos.org/development/latest-CentOS-Stream/compose/...
(2) there is no way to configure 'debug_backtrace_enabled' for child processes: I opened https://github.com/SSSD/sssd/issues/7510 for this issue
Meanwhile, if those backtraces are too irritating, you can consider setting `debug_level = 0` in the domain section (but, of course, this will suppress almost all debugging).
Thank you, Spike
On Wed, Jul 24, 2024 at 1:04 PM Alexey Tikhonov atikhono@redhat.com wrote:
On Wed, Jul 24, 2024 at 6:29 PM Spike White spikewhitetx@gmail.com wrote:
Alexey,
Again, thanks for replying.
I put
debug_backtrace_enabled = false
in section
[domain/amer.company.com]
and restarted sssd. Still the backtrace shows up in /var/log/sssd/krb5_child.log. In both RHEL8 and RHEL9.
Is it possible that krb5_child (in version 2.9.4-x) is inheriting from another sssd.conf file section?
No, you've found a bug - there is no way to configure 'debug_backtrace_enabled' for child processes (maybe with the exception of proxy_child, not sure). I think the fix should be to inherit from the domain section (as it happens with debug_level). Please open a ticket upstream.
Spike
On Wed, Jul 24, 2024 at 10:24 AM Alexey Tikhonov atikhono@redhat.com wrote:
On Wed, Jul 24, 2024 at 5:20 PM Spike White spikewhitetx@gmail.com wrote:
> Alexey,
>
> Thank you for responding.
>
> This occurs on RHEL8 and 9, but not on RHEL7. RHEL7 is version 1.16.5-xxxx.el7_9.xxx.x86_64
>
> RHEL8 and 9 are versions 2.9.4-xxx.el8_10.x86_64 and 2.9.4-xxx.el9_4.x86_64.
>
> On RHEL7 we don't have 'debug_backtrace_enabled = false' set (doesn't appear to be an option on version 1.16.5). But RHEL7 is ok.
>
> On RHEL 8/9, we have 'debug_backtrace_enabled = false' set in the [nss] and [sssd] sections. Yet we see this backtrace in /var/log/sssd/krb5_child.log. Is there another section of sssd.conf in which we should be setting this?
ldap_/krb5_child "inherit" debug settings from [domain/...] section.
> Spike
>
> On Wed, Jul 24, 2024 at 4:16 AM Alexey Tikhonov atikhono@redhat.com wrote:
>
>> Hi,
>>
>> what SSSD version is this?
>>
>> I think it should be fixed by https://github.com/SSSD/sssd/pull/7198#issuecomment-1959697353 and thus in SSSD 2.9.5+
>> On an older version you can consider setting 'debug_backtrace_enabled = false'
>>
>> On Tue, Jul 23, 2024 at 9:37 PM Spike White spikewhitetx@gmail.com wrote:
>>
>>> All,
>>>
>>> This is not a problem. But it is annoying; how do I make it go away?
>>>
>>> Every time any user logs into any of our Linux servers, we get these messages in the /var/log/sssd/krb5_child.log file:
>>>
>>> (2024-07-23 11:20:44): [krb5_child[947088]] [main] (0x3f7c0): [RID#26239] PAC check is requested but krb5_validate is set to false. PAC checks will be skipped.
>>> (2024-07-23 14:14:10): [krb5_child[970533]] [main] (0x3f7c0): [RID#27336] PAC check is requested but krb5_validate is set to false. PAC checks will be skipped.
>>> (2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_get_init_creds_password] (0x0020): [RID#27336] 2193: [-1765328174][Pre-authentication failed: Cannot read password]
>>> ********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
>>> * (2024-07-23 14:14:10): [krb5_child[970533]] [main] (0x0400): [RID#27336] krb5_child started.
>>> * (2024-07-23 14:14:10): [krb5_child[970533]] [unpack_buffer] (0x1000): [RID#27336] total buffer size: [92]
>>> * (2024-07-23 14:14:10): [krb5_child[970533]] [unpack_buffer] (0x0100): [RID#27336] cmd [249 (pre-auth)] uid [2025431] gid [2025431] validate [false] enterprise principal [true] offline [false] UPN [AdmSpike_White@AMER.COMPANY.COM]
>>> * (2024-07-23 14:14:10): [krb5_child[970533]] [unpack_buffer] (0x0100): [RID#27336] ccname: [KCM:] old_ccname: [KCM:] keytab: [not set]
>>> * (2024-07-23 14:14:10): [krb5_child[970533]] [check_keytab_name] (0x0400): [RID#27336] Missing krb5_keytab option for domain, looking for default one
>>> * (2024-07-23 14:14:10): [krb5_child[970533]] [check_keytab_name] (0x0400): [RID#27336] krb5_kt_default_name() returned: FILE:/etc/krb5.keytab
>>> * (2024-07-23 14:14:10): [krb5_child[970533]] [check_keytab_name] (0x0400): [RID#27336] krb5_child will default to: /etc/krb5.keytab
>>> * (2024-07-23 14:14:10): [krb5_child[970533]] [check_use_fast] (0x0100): [RID#27336] Not using FAST.
>>> * (2024-07-23 14:14:10): [krb5_child[970533]] [become_user] (0x0200): [RID#27336] Trying to become user [2025431][2025431].
>>> * (2024-07-23 14:14:10): [krb5_child[970533]] [main] (0x2000): [RID#27336] Running as [2025431][2025431].
>>> * (2024-07-23 14:14:10): [krb5_child[970533]] [set_lifetime_options] (0x0100): [RID#27336] No specific renewable lifetime requested.
>>> * (2024-07-23 14:14:10): [krb5_child[970533]] [set_lifetime_options] (0x0100): [RID#27336] No specific lifetime requested.
>>> * (2024-07-23 14:14:10): [krb5_child[970533]] [set_canonicalize_option] (0x0100): [RID#27336] Canonicalization is set to [true]
>>> * (2024-07-23 14:14:10): [krb5_child[970533]] [main] (0x0400): [RID#27336] Will perform pre-auth
>>> * (2024-07-23 14:14:10): [krb5_child[970533]] [tgt_req_child] (0x1000): [RID#27336] Attempting to get a TGT
>>> * (2024-07-23 14:14:10): [krb5_child[970533]] [get_and_save_tgt] (0x0400): [RID#27336] Attempting kinit for realm [AMER.COMPANY.COM]
>>> * (2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_responder] (0x4000): [RID#27336] Got question [password].
>>> * (2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_prompter] (0x4000): [RID#27336] sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL.
>>> * (2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_prompter] (0x4000): [RID#27336] Prompt [0][Password for AdmSpike_White@AMER.COMPANY.COM@AMER.COMPANY.COM].
>>> * (2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_prompter] (0x0200): [RID#27336] Prompter interface isn't used for password prompts by SSSD.
>>> * (2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_get_init_creds_password] (0x0020): [RID#27336] 2193: [-1765328174][Pre-authentication failed: Cannot read password]
>>> ********************** BACKTRACE DUMP ENDS HERE *********************************
>>>
>>> (2024-07-23 14:14:10): [krb5_child[970534]] [main] (0x3f7c0): [RID#27337] PAC check is requested but krb5_validate is set to false. PAC checks will be skipped.
>>>
>>> We're ok with the krb5_validate message. We set:
>>>
>>> krb5_validate = False
>>>
>>> in /etc/sssd/sssd.conf file because KVNO of host principal gets out of sync between AD and /etc/krb5.keytab file frequently.
>>>
>>> So we're comfortable with that one line of logging. It's all the rest of the logging that we'd prefer not to see.
>>>
>>> How do we suppress them or eradicate the underlying condition that leads to them appearing?
>>>
>>> Here is our sssd.conf file.
>>>
>>> [nss]
>>> debug_backtrace_enabled = false
>>> #debug_level = 9
>>> filter_groups = root mfe bladelogic_linux_users@amer.company.com bladelogic_linux_users@emea.company.com bladelogic_linux_users@apac.company.com bladelogic_linux_users@japn.company.com bladelogic_linux_users@company.com oracle
>>> filter_users = root mfe oracle
>>>
>>> [sssd]
>>> debug_backtrace_enabled = false
>>> #debug_level = 9
>>> domains = amer.company.com
>>> domain_resolution_order = amer.company.com, emea.company.com, apac.company.com, japn.company.com, company.com
>>> config_file_version = 2
>>> services = nss,pam,ifp
>>> reconnection_retries = 3
>>> full_name_format = %1$s
>>>
>>> [pam]
>>> pam_verbosity = 3
>>> #debug_level = 9
>>> offline_credentials_expiration = 3
>>>
>>> [ifp]
>>> #debug_level = 9
>>>
>>> [domain/amer.company.com]
>>> filter_groups = root mfe bladelogic_linux_users oracle
>>> sudo_provider = none
>>> debug_backtrace_enabled = false
>>> #debug_level = 9
>>> ad_enabled_domains = company.com, amer.company.com, apac.company.com, emea.company.com, japn.company.com
>>> ad_enabled_domains = amer.company.com, apac.company.com, emea.company.com, japn.company.com, company.com
>>> # If you enable ignore_group_members, it gives a small perf win, but then
>>> # "getent group XXX" shows no members. Perf win not worth the lack of
>>> # diagnostics.
>>> #ignore_group_members = true
>>> id_provider = ad
>>> access_provider = simple
>>> auth_provider = ad
>>> default_shell = /bin/bash
>>> ldap_id_mapping = False
>>> auto_private_groups = True
>>> realmd_tags = joined-with-adcli
>>> cache_credentials = True
>>>
>>> # Not set to true; Passwords stored in this way are kept in plaintext in the kernel keyring and are potentially accessible by the root user (with difficulty).
>>> #krb5_store_password_if_offline = True
>>> fallback_homedir = /home/%u
>>> ldap_sasl_authid = host/austgcore17.us.company.com@AMER.COMPANY.COM
>>> dyndns_update = False
>>> # Using tokengroups is usually a speed optimization
>>> #ldap_use_tokengroups = False
>>> ldap_search_base = dc=AMER,dc=COMPANY,dc=COM
>>> ldap_force_upper_case_realm = True
>>> # Set to False, because KVNO of host principal gets out of sync between
>>> # AD and /etc/krb5.keytab file frequently.
>>> krb5_validate = False
>>> simple_allow_groups = amerlinuxsup@amer.company.com, amerlinuxeng@amer.company.com, emealinuxsup@emea.company.com, emealinuxeng@emea.company.com, apaclinuxsup@apac.company.com, apaclinuxeng@apac.company.com, gbllinuxsuppw@amer.company.com, bladelogic_linux_users@amer.company.com, PRD-1004873-AMER-DBSPOTUNIX@amer.company.com, pptsupportpac@amer.company.com, unv_legato_admins@amer.company.com, scheduling_global@amer.company.com, engit-ebpa@amer.company.com, amerlinuxengtfssupt@amer.company.com, amerlnxsvcdelauttfs@apac.company.com, iasnprod@amer.company.com, fnms_ops@amer.company.com, zabbix-support@amer.company.com, globalinfosecopsadm@amer.company.com, prd-amer-fnmsopspac@amer.company.com, amerlinuxeng
>>> simple_allow_users = processehcprofiler@amer.company.com, svc_prdautovm@amer.company.com, processfoglight@amer.company.com, svc_prdprofoglight01@amer.company.com, service_ome_linux@amer.company.com, svc_prdesquadscounix@apac.company.com, serviceunixinstall@amer.company.com, admspike_white, oracle
>>>
>>> # look at https://docs.pagure.org/SSSD.sssd/design_pages/subdomain_configuration.html
>>> [domain/amer.company.com/company.com]
>>> ldap_search_base = dc=COMPANY,dc=COM
>>>
>>> [domain/amer.company.com/apac.company.com]
>>> ldap_search_base = dc=APAC,dc=COMPANY,dc=COM
>>>
>>> [domain/amer.company.com/emea.company.com]
>>> ldap_search_base = dc=EMEA,dc=COMPANY,dc=COM
>>>
>>> [domain/amer.company.com/japn.company.com]
>>> ldap_search_base = dc=JAPN,dc=COMPANY,dc=COM
>>> --
>>> _______________________________________________
>>> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
>>> To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
>>> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
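Two practical gaps remain for anyone on sssd 2.9.4 after reading the thread: the backtrace dumps cannot be switched off for krb5_child short of debug_level = 0 (issue 7510), and krb5_validate = False is treated purely as a logging nuisance. On the second point it is worth being explicit about what is given up: krb5_validate is the option that verifies the obtained TGT against the host keytab, so setting it to false does not only skip the PAC check the log line mentions, it also removes the check that the KDC reply was not spoofed. The following is an added example, not code from the sssd project or from anyone in the thread. It strips backtrace dump blocks from a krb5_child.log stream using the start/end marker lines shown in the quoted log (keeping the message that triggered the dump), and it audits an sssd.conf, reporting for each top-level [domain/...] section (the section child processes inherit debug settings from) whether krb5_validate is explicitly false and whether debug_backtrace_enabled is set there. The log lines and config in the block are constructed, trimmed from the ones posted above; hostnames and the realm are placeholders. It uses only the Python standard library.

```python
"""Added example for the sssd 2.9.4 krb5_child backtrace thread (not sssd code).

strip_backtraces(): drop debug_backtrace_enabled dumps that krb5_child in
2.9.4 emits regardless of sssd.conf, keeping the real log messages.
audit_sssd_conf(): report krb5_validate and debug_backtrace_enabled for each
top-level [domain/...] section, the section child processes inherit from.
"""
import configparser

# Marker lines exactly as they appear in the krb5_child.log excerpt above.
BT_START = "PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE"
BT_END = "BACKTRACE DUMP ENDS HERE"

# Constructed sample log, trimmed from the thread's excerpt (same format).
SAMPLE_LOG = """\
(2024-07-23 14:14:10): [krb5_child[970533]] [main] (0x3f7c0): [RID#27336] PAC check is requested but krb5_validate is set to false. PAC checks will be skipped.
(2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_get_init_creds_password] (0x0020): [RID#27336] 2193: [-1765328174][Pre-authentication failed: Cannot read password]
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
   *  (2024-07-23 14:14:10): [krb5_child[970533]] [main] (0x0400): [RID#27336] krb5_child started.
   *  (2024-07-23 14:14:10): [krb5_child[970533]] [unpack_buffer] (0x1000): [RID#27336] total buffer size: [92]
   *  (2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_get_init_creds_password] (0x0020): [RID#27336] 2193: [-1765328174][Pre-authentication failed: Cannot read password]
********************** BACKTRACE DUMP ENDS HERE *********************************
(2024-07-23 14:14:10): [krb5_child[970534]] [main] (0x3f7c0): [RID#27337] PAC check is requested but krb5_validate is set to false. PAC checks will be skipped.
"""

# Constructed sample config, trimmed from the thread's sssd.conf.  The
# duplicated ad_enabled_domains key is kept on purpose: the posted file has it.
SAMPLE_CONF = """\
[sssd]
debug_backtrace_enabled = false
domains = amer.company.com
config_file_version = 2
services = nss,pam,ifp
full_name_format = %1$s

[nss]
debug_backtrace_enabled = false

[domain/amer.company.com]
debug_backtrace_enabled = false
#debug_level = 9
ad_enabled_domains = company.com, amer.company.com
ad_enabled_domains = amer.company.com, company.com
id_provider = ad
auth_provider = ad
access_provider = simple
# Set to False because the host principal KVNO drifts between AD and the keytab
krb5_validate = False

[domain/amer.company.com/company.com]
ldap_search_base = dc=COMPANY,dc=COM
"""


def strip_backtraces(text):
    """Return (kept_lines, dropped_blocks).

    Everything from a BT_START marker line through the matching BT_END marker
    line (inclusive) is dropped.  The message that triggered the dump precedes
    the marker and is kept.  A dump left unterminated at EOF is dropped to the
    end of the input and still counted.
    """
    kept, dropped, in_dump = [], 0, False
    for line in text.splitlines():
        if in_dump:
            if BT_END in line:
                in_dump = False
            continue
        if BT_START in line:
            in_dump = True
            dropped += 1
            continue
        kept.append(line)
    return kept, dropped


def _sssd_bool(value):
    """sssd takes TRUE/FALSE case-insensitively; anything else is reported as None."""
    v = value.strip().lower()
    return True if v == "true" else False if v == "false" else None


def audit_sssd_conf(text):
    """Return {section: facts} for each top-level [domain/...] section.

    strict=False lets configparser accept duplicated keys (last value wins, as
    the posted config relies on); interpolation=None keeps '%' in values such
    as full_name_format intact.  Subdomain sections ([domain/X/Y]) are skipped.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    report = {}
    for section in cp.sections():
        if not (section.startswith("domain/") and section.count("/") == 1):
            continue
        validate = cp.get(section, "krb5_validate", fallback=None)
        backtrace = cp.get(section, "debug_backtrace_enabled", fallback=None)
        krb5_validate = _sssd_bool(validate) if validate is not None else None
        report[section] = {
            # None means "not set; provider default applies"
            "krb5_validate": krb5_validate,
            # explicitly false: TGT not verified with the host key, and any
            # requested PAC check is skipped (the log line in the thread)
            "pac_check_skipped": krb5_validate is False,
            # children inherit debug settings from here, but in 2.9.4 this knob
            # is not passed on to krb5_child at all (upstream issue 7510)
            "debug_backtrace_enabled_in_domain":
                _sssd_bool(backtrace) if backtrace is not None else None,
        }
    return report


if __name__ == "__main__":
    kept, dropped = strip_backtraces(SAMPLE_LOG)
    print(f"dropped {dropped} backtrace block(s), kept {len(kept)} line(s)")
    for line in kept:
        print(line)
    for section, facts in audit_sssd_conf(SAMPLE_CONF).items():
        print(section, facts)
```

For a live box, pipe the log through strip_backtraces (for example from a journald or logrotate hook) rather than lowering debug_level, so the 0x0020 errors that the dumps decorate are still retained. The audit deliberately does not assume a default for krb5_validate when it is unset, since the default depends on the auth provider; it only flags the explicit False that the thread's config sets.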