All,
This is not a problem. But it is annoying; how do I make it go away?
Every time any user logs into any of our Linux servers, we get these messages in the /var/log/sssd/krb5_child.log file:
(2024-07-23 11:20:44): [krb5_child[947088]] [main] (0x3f7c0): [RID#26239] PAC check is requested but krb5_validate is set to false. PAC checks will be skipped.
(2024-07-23 14:14:10): [krb5_child[970533]] [main] (0x3f7c0): [RID#27336] PAC check is requested but krb5_validate is set to false. PAC checks will be skipped.
(2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_get_init_creds_password] (0x0020): [RID#27336] 2193: [-1765328174][Pre-authentication failed: Cannot read password]
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
* (2024-07-23 14:14:10): [krb5_child[970533]] [main] (0x0400): [RID#27336] krb5_child started.
* (2024-07-23 14:14:10): [krb5_child[970533]] [unpack_buffer] (0x1000): [RID#27336] total buffer size: [92]
* (2024-07-23 14:14:10): [krb5_child[970533]] [unpack_buffer] (0x0100): [RID#27336] cmd [249 (pre-auth)] uid [2025431] gid [2025431] validate [false] enterprise principal [true] offline [false] UPN [ AdmSpike_White@AMER.COMPANY.COM]
* (2024-07-23 14:14:10): [krb5_child[970533]] [unpack_buffer] (0x0100): [RID#27336] ccname: [KCM:] old_ccname: [KCM:] keytab: [not set]
* (2024-07-23 14:14:10): [krb5_child[970533]] [check_keytab_name] (0x0400): [RID#27336] Missing krb5_keytab option for domain, looking for default one
* (2024-07-23 14:14:10): [krb5_child[970533]] [check_keytab_name] (0x0400): [RID#27336] krb5_kt_default_name() returned: FILE:/etc/krb5.keytab
* (2024-07-23 14:14:10): [krb5_child[970533]] [check_keytab_name] (0x0400): [RID#27336] krb5_child will default to: /etc/krb5.keytab
* (2024-07-23 14:14:10): [krb5_child[970533]] [check_use_fast] (0x0100): [RID#27336] Not using FAST.
* (2024-07-23 14:14:10): [krb5_child[970533]] [become_user] (0x0200): [RID#27336] Trying to become user [2025431][2025431].
* (2024-07-23 14:14:10): [krb5_child[970533]] [main] (0x2000): [RID#27336] Running as [2025431][2025431].
* (2024-07-23 14:14:10): [krb5_child[970533]] [set_lifetime_options] (0x0100): [RID#27336] No specific renewable lifetime requested.
* (2024-07-23 14:14:10): [krb5_child[970533]] [set_lifetime_options] (0x0100): [RID#27336] No specific lifetime requested.
* (2024-07-23 14:14:10): [krb5_child[970533]] [set_canonicalize_option] (0x0100): [RID#27336] Canonicalization is set to [true]
* (2024-07-23 14:14:10): [krb5_child[970533]] [main] (0x0400): [RID#27336] Will perform pre-auth
* (2024-07-23 14:14:10): [krb5_child[970533]] [tgt_req_child] (0x1000): [RID#27336] Attempting to get a TGT
* (2024-07-23 14:14:10): [krb5_child[970533]] [get_and_save_tgt] (0x0400): [RID#27336] Attempting kinit for realm [AMER.COMPANY.COM]
* (2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_responder] (0x4000): [RID#27336] Got question [password].
* (2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_prompter] (0x4000): [RID#27336] sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL.
* (2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_prompter] (0x4000): [RID#27336] Prompt [0][Password for AdmSpike_White@ AMER.COMPANY.COM@AMER.COMPANY.COM].
* (2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_prompter] (0x0200): [RID#27336] Prompter interface isn't used for password prompts by SSSD.
* (2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_get_init_creds_password] (0x0020): [RID#27336] 2193: [-1765328174][Pre-authentication failed: Cannot read password]
********************** BACKTRACE DUMP ENDS HERE *********************************
(2024-07-23 14:14:10): [krb5_child[970534]] [main] (0x3f7c0): [RID#27337] PAC check is requested but krb5_validate is set to false. PAC checks will be skipped.
We’re ok with the krb5_validate message. We set:
krb5_validate = False
in /etc/sssd/sssd.conf file because KVNO of host principal gets out of sync between AD and /etc/krb5.keytab file frequently.
So we’re comfortable with that one line of logging. It’s all the rest of the logging that we’d prefer not to see.
How do we suppress them or eradicate the underlying condition that leads to them appearing?
Here is our sssd.conf file.
[nss]
debug_backtrace_enabled = false
#debug_level = 9
filter_groups = root mfe bladelogic_linux_users@amer.company.com bladelogic_linux_users@emea.company.com bladelogic_linux_users@apac.company.com bladelogic_linux_users@japn.company.com bladelogic_linux_users@company.com oracle
filter_users = root mfe oracle
[sssd]
debug_backtrace_enabled = false
#debug_level = 9
domains = amer.company.com
domain_resolution_order = amer.company.com, emea.company.com, apac.company.com, japn.company.com, company.com
config_file_version = 2
services = nss,pam,ifp
reconnection_retries = 3
full_name_format = %1$s
[pam]
pam_verbosity = 3
#debug_level = 9
offline_credentials_expiration = 3
[ifp]
#debug_level = 9
[domain/amer.company.com]
filter_groups = root mfe bladelogic_linux_users oracle
sudo_provider = none
debug_backtrace_enabled = false
#debug_level = 9
ad_enabled_domains = company.com, amer.company.com, apac.company.com, emea.company.com, japn.company.com
ad_enabled_domains = amer.company.com, apac.company.com, emea.company.com, japn.company.com, company.com
# If you enable ignore_group_members, it gives a small perf win, but then
# "getent group XXX" shows no members. Perf win not worth the lack of
# diagnostics.
#ignore_group_members = true
id_provider = ad
access_provider = simple
auth_provider = ad
default_shell = /bin/bash
ldap_id_mapping = False
auto_private_groups = True
realmd_tags = joined-with-adcli
cache_credentials = True
# Not set to true; Passwords stored in this way are kept in plaintext in the kernel keyring and are potentially accessible by the root user (with difficulty).
#krb5_store_password_if_offline = True
fallback_homedir = /home/%u
ldap_sasl_authid = host/austgcore17.us.company.com@AMER.COMPANY.COM
dyndns_update = False
# Using tokengroups is usually a speed optimization
#ldap_use_tokengroups = False
ldap_search_base = dc=AMER,dc=COMPANY,dc=COM
ldap_force_upper_case_realm = True
# Set to False, because KVNO of host principal gets out of sync between
# AD and /etc/krb5.keytab file frequently.
krb5_validate = False
simple_allow_groups = amerlinuxsup@amer.company.com, amerlinuxeng@amer.company.com, emealinuxsup@emea.company.com, emealinuxeng@emea.company.com, apaclinuxsup@apac.company.com, apaclinuxeng@apac.company.com, gbllinuxsuppw@amer.company.com, bladelogic_linux_users@amer.company.com, PRD-1004873-AMER-DBSPOTUNIX@amer.company.com, pptsupportpac@amer.company.com, unv_legato_admins@amer.company.com, scheduling_global@amer.company.com, engit-ebpa@amer.company.com, amerlinuxengtfssupt@amer.company.com, amerlnxsvcdelauttfs@apac.company.com, iasnprod@amer.company.com, fnms_ops@amer.company.com, zabbix-support@amer.company.com, globalinfosecopsadm@amer.company.com, prd-amer-fnmsopspac@amer.company.com, amerlinuxeng
simple_allow_users = processehcprofiler@amer.company.com, svc_prdautovm@amer.company.com, processfoglight@amer.company.com, svc_prdprofoglight01@amer.company.com, service_ome_linux@amer.company.com, svc_prdesquadscounix@apac.company.com, serviceunixinstall@amer.company.com, admspike_white, oracle
# look at https://docs.pagure.org/SSSD.sssd/design_pages/subdomain_configuration.html
[domain/amer.company.com/company.com]
ldap_search_base = dc=COMPANY,dc=COM
[domain/amer.company.com/apac.company.com]
ldap_search_base = dc=APAC,dc=COMPANY,dc=COM
[domain/amer.company.com/emea.company.com]
ldap_search_base = dc=EMEA,dc=COMPANY,dc=COM
[domain/amer.company.com/japn.company.com]
ldap_search_base = dc=JAPN,dc=COMPANY,dc=COM