All,

This is not a problem.  But it is annoying;  how do I make it go away?

Every time any user logs into any of our Linux servers, we get these messages in the /var/log/sssd/krb5_child.log file:

 

(2024-07-23 11:20:44): [krb5_child[947088]] [main] (0x3f7c0): [RID#26239] PAC check is requested but krb5_validate is set to false. PAC checks will be skipped.

(2024-07-23 14:14:10): [krb5_child[970533]] [main] (0x3f7c0): [RID#27336] PAC check is requested but krb5_validate is set to false. PAC checks will be skipped.

(2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_get_init_creds_password] (0x0020): [RID#27336] 2193: [-1765328174][Pre-authentication failed: Cannot read password]

********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:

   *  (2024-07-23 14:14:10): [krb5_child[970533]] [main] (0x0400): [RID#27336] krb5_child started.

   *  (2024-07-23 14:14:10): [krb5_child[970533]] [unpack_buffer] (0x1000): [RID#27336] total buffer size: [92]

   *  (2024-07-23 14:14:10): [krb5_child[970533]] [unpack_buffer] (0x0100): [RID#27336] cmd [249 (pre-auth)] uid [2025431] gid [2025431] validate [false] enterprise principal [true] offline [false] UPN [AdmSpike_White@AMER.COMPANY.COM]

   *  (2024-07-23 14:14:10): [krb5_child[970533]] [unpack_buffer] (0x0100): [RID#27336] ccname: [KCM:] old_ccname: [KCM:] keytab: [not set]

   *  (2024-07-23 14:14:10): [krb5_child[970533]] [check_keytab_name] (0x0400): [RID#27336] Missing krb5_keytab option for domain, looking for default one

   *  (2024-07-23 14:14:10): [krb5_child[970533]] [check_keytab_name] (0x0400): [RID#27336] krb5_kt_default_name() returned: FILE:/etc/krb5.keytab

   *  (2024-07-23 14:14:10): [krb5_child[970533]] [check_keytab_name] (0x0400): [RID#27336] krb5_child will default to: /etc/krb5.keytab

   *  (2024-07-23 14:14:10): [krb5_child[970533]] [check_use_fast] (0x0100): [RID#27336] Not using FAST.

   *  (2024-07-23 14:14:10): [krb5_child[970533]] [become_user] (0x0200): [RID#27336] Trying to become user [2025431][2025431].

   *  (2024-07-23 14:14:10): [krb5_child[970533]] [main] (0x2000): [RID#27336] Running as [2025431][2025431].

   *  (2024-07-23 14:14:10): [krb5_child[970533]] [set_lifetime_options] (0x0100): [RID#27336] No specific renewable lifetime requested.

   *  (2024-07-23 14:14:10): [krb5_child[970533]] [set_lifetime_options] (0x0100): [RID#27336] No specific lifetime requested.

   *  (2024-07-23 14:14:10): [krb5_child[970533]] [set_canonicalize_option] (0x0100): [RID#27336] Canonicalization is set to [true]

   *  (2024-07-23 14:14:10): [krb5_child[970533]] [main] (0x0400): [RID#27336] Will perform pre-auth

   *  (2024-07-23 14:14:10): [krb5_child[970533]] [tgt_req_child] (0x1000): [RID#27336] Attempting to get a TGT

   *  (2024-07-23 14:14:10): [krb5_child[970533]] [get_and_save_tgt] (0x0400): [RID#27336] Attempting kinit for realm [AMER.COMPANY.COM]

   *  (2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_responder] (0x4000): [RID#27336] Got question [password].

   *  (2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_prompter] (0x4000): [RID#27336] sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL.

   *  (2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_prompter] (0x4000): [RID#27336] Prompt [0][Password for AdmSpike_White\@AMER.COMPANY.COM@AMER.COMPANY.COM].

   *  (2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_prompter] (0x0200): [RID#27336] Prompter interface isn't used for password prompts by SSSD.

   *  (2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_get_init_creds_password] (0x0020): [RID#27336] 2193: [-1765328174][Pre-authentication failed: Cannot read password]

********************** BACKTRACE DUMP ENDS HERE *********************************

 

(2024-07-23 14:14:10): [krb5_child[970534]] [main] (0x3f7c0): [RID#27337] PAC check is requested but krb5_validate is set to false. PAC checks will be skipped.

 

We’re ok with the krb5_validate message.    We set:

krb5_validate = False

in /etc/sssd/sssd.conf file because KVNO of host principal gets out of sync between AD and /etc/krb5.keytab file frequently.

So we’re comfortable with that one line of logging.  It’s all the rest of the logging that we’d prefer not to see.

How do we suppress them or eradicate the underlying condition that leads to them appearing?

Here is our sssd.conf file.

[nss]

debug_backtrace_enabled = false

#debug_level = 9

filter_groups = root mfe bladelogic_linux_users@amer.company.com  bladelogic_linux_users@emea.company.com bladelogic_linux_users@apac.company.com bladelogic_linux_users@japn.company.com bladelogic_linux_users@company.com oracle

filter_users = root  mfe oracle

 

[sssd]

debug_backtrace_enabled = false

#debug_level = 9

domains = amer.company.com

domain_resolution_order = amer.company.com, emea.company.com, apac.company.com, japn.company.com, company.com

config_file_version = 2

services = nss,pam,ifp

reconnection_retries = 3

full_name_format = %1$s

 

[pam]

pam_verbosity = 3

#debug_level = 9

offline_credentials_expiration = 3

 

[ifp]

#debug_level = 9

 

[domain/amer.company.com]

filter_groups = root mfe bladelogic_linux_users oracle

sudo_provider = none

debug_backtrace_enabled = false

#debug_level = 9

ad_enabled_domains = company.com, amer.company.com, apac.company.com, emea.company.com, japn.company.com

ad_enabled_domains = amer.company.com, apac.company.com, emea.company.com, japn.company.com, company.com

# If you enable ignore_group_members, it gives a small perf win, but then

# "getent group XXX" shows no members.  Perf win not worth the lack of

# diagnostics.

#ignore_group_members = true

id_provider = ad

access_provider = simple

auth_provider = ad

default_shell = /bin/bash

ldap_id_mapping = False

auto_private_groups = True

realmd_tags = joined-with-adcli

cache_credentials = True

 

# Not set to true; Passwords stored in this way are kept in plaintext in the kernel keyring and are potentially accessible by the root user (with difficulty).

#krb5_store_password_if_offline = True

fallback_homedir = /home/%u

ldap_sasl_authid = host/austgcore17.us.company.com@AMER.COMPANY.COM

dyndns_update = False

# Using tokengroups is usually a speed optimization

#ldap_use_tokengroups = False

ldap_search_base = dc=AMER,dc=COMPANY,dc=COM

ldap_force_upper_case_realm = True

# Set to False, because KVNO of host principal gets out of sync between

# AD and /etc/krb5.keytab file frequently.

krb5_validate = False

simple_allow_groups = amerlinuxsup@amer.company.com, amerlinuxeng@amer.company.com, emealinuxsup@emea.company.com, emealinuxeng@emea.company.com, apaclinuxsup@apac.company.com, apaclinuxeng@apac.company.com, gbllinuxsuppw@amer.company.com, bladelogic_linux_users@amer.company.com, PRD-1004873-AMER-DBSPOTUNIX@amer.company.com, pptsupportpac@amer.company.com, unv_legato_admins@amer.company.com, scheduling_global@amer.company.com, engit-ebpa@amer.company.com, amerlinuxengtfssupt@amer.company.com, amerlnxsvcdelauttfs@apac.company.com, iasnprod@amer.company.com, fnms_ops@amer.company.com, zabbix-support@amer.company.com, globalinfosecopsadm@amer.company.com, prd-amer-fnmsopspac@amer.company.com, amerlinuxeng

simple_allow_users = processehcprofiler@amer.company.com, svc_prdautovm@amer.company.com, processfoglight@amer.company.com, svc_prdprofoglight01@amer.company.com, service_ome_linux@amer.company.com, svc_prdesquadscounix@apac.company.com, serviceunixinstall@amer.company.com, admspike_white, oracle

 

# look at https://docs.pagure.org/SSSD.sssd/design_pages/subdomain_configuration.html

[domain/amer.company.com/company.com]

ldap_search_base = dc=COMPANY,dc=COM

 

[domain/amer.company.com/apac.company.com]

ldap_search_base = dc=APAC,dc=COMPANY,dc=COM

 

[domain/amer.company.com/emea.company.com]

ldap_search_base = dc=EMEA,dc=COMPANY,dc=COM

 

[domain/amer.company.com/japn.company.com]

ldap_search_base = dc=JAPN,dc=COMPANY,dc=COM