All,
This is not a problem. But it is annoying; how do I make it go away?
Every time any user logs into any of our Linux servers, we get these messages in the /var/log/sssd/krb5_child.log file:
(2024-07-23 11:20:44): [krb5_child[947088]] [main] (0x3f7c0): [RID#26239] PAC check is requested but krb5_validate is set to false. PAC checks will be skipped.
(2024-07-23 14:14:10): [krb5_child[970533]] [main] (0x3f7c0): [RID#27336] PAC check is requested but krb5_validate is set to false. PAC checks will be skipped.
(2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_get_init_creds_password] (0x0020): [RID#27336] 2193: [-1765328174][Pre-authentication failed: Cannot read password]
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
* (2024-07-23 14:14:10): [krb5_child[970533]] [main] (0x0400): [RID#27336] krb5_child started.
* (2024-07-23 14:14:10): [krb5_child[970533]] [unpack_buffer] (0x1000): [RID#27336] total buffer size: [92]
* (2024-07-23 14:14:10): [krb5_child[970533]] [unpack_buffer] (0x0100): [RID#27336] cmd [249 (pre-auth)] uid [2025431] gid [2025431] validate [false] enterprise principal [true] offline [false] UPN [ AdmSpike_White@AMER.COMPANY.COM]
* (2024-07-23 14:14:10): [krb5_child[970533]] [unpack_buffer] (0x0100): [RID#27336] ccname: [KCM:] old_ccname: [KCM:] keytab: [not set]
* (2024-07-23 14:14:10): [krb5_child[970533]] [check_keytab_name] (0x0400): [RID#27336] Missing krb5_keytab option for domain, looking for default one
* (2024-07-23 14:14:10): [krb5_child[970533]] [check_keytab_name] (0x0400): [RID#27336] krb5_kt_default_name() returned: FILE:/etc/krb5.keytab
* (2024-07-23 14:14:10): [krb5_child[970533]] [check_keytab_name] (0x0400): [RID#27336] krb5_child will default to: /etc/krb5.keytab
* (2024-07-23 14:14:10): [krb5_child[970533]] [check_use_fast] (0x0100): [RID#27336] Not using FAST.
* (2024-07-23 14:14:10): [krb5_child[970533]] [become_user] (0x0200): [RID#27336] Trying to become user [2025431][2025431].
* (2024-07-23 14:14:10): [krb5_child[970533]] [main] (0x2000): [RID#27336] Running as [2025431][2025431].
* (2024-07-23 14:14:10): [krb5_child[970533]] [set_lifetime_options] (0x0100): [RID#27336] No specific renewable lifetime requested.
* (2024-07-23 14:14:10): [krb5_child[970533]] [set_lifetime_options] (0x0100): [RID#27336] No specific lifetime requested.
* (2024-07-23 14:14:10): [krb5_child[970533]] [set_canonicalize_option] (0x0100): [RID#27336] Canonicalization is set to [true]
* (2024-07-23 14:14:10): [krb5_child[970533]] [main] (0x0400): [RID#27336] Will perform pre-auth
* (2024-07-23 14:14:10): [krb5_child[970533]] [tgt_req_child] (0x1000): [RID#27336] Attempting to get a TGT
* (2024-07-23 14:14:10): [krb5_child[970533]] [get_and_save_tgt] (0x0400): [RID#27336] Attempting kinit for realm [AMER.COMPANY.COM]
* (2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_responder] (0x4000): [RID#27336] Got question [password].
* (2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_prompter] (0x4000): [RID#27336] sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL.
* (2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_prompter] (0x4000): [RID#27336] Prompt [0][Password for AdmSpike_White@ AMER.COMPANY.COM@AMER.COMPANY.COM].
* (2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_prompter] (0x0200): [RID#27336] Prompter interface isn't used for password prompts by SSSD.
* (2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_get_init_creds_password] (0x0020): [RID#27336] 2193: [-1765328174][Pre-authentication failed: Cannot read password]
********************** BACKTRACE DUMP ENDS HERE *********************************
(2024-07-23 14:14:10): [krb5_child[970534]] [main] (0x3f7c0): [RID#27337] PAC check is requested but krb5_validate is set to false. PAC checks will be skipped.
We’re ok with the krb5_validate message. We set:
krb5_validate = False
in /etc/sssd/sssd.conf file because KVNO of host principal gets out of sync between AD and /etc/krb5.keytab file frequently.
So we’re comfortable with that one line of logging. It’s all the rest of the logging that we’d prefer not to see.
How do we suppress them or eradicate the underlying condition that leads to them appearing?
Here is our sssd.conf file.
[nss]
debug_backtrace_enabled = false
#debug_level = 9
filter_groups = root mfe bladelogic_linux_users@amer.company.com bladelogic_linux_users@emea.company.com bladelogic_linux_users@apac.company.com bladelogic_linux_users@japn.company.com bladelogic_linux_users@company.com oracle
filter_users = root mfe oracle
[sssd]
debug_backtrace_enabled = false
#debug_level = 9
domains = amer.company.com
domain_resolution_order = amer.company.com, emea.company.com, apac.company.com, japn.company.com, company.com
config_file_version = 2
services = nss,pam,ifp
reconnection_retries = 3
full_name_format = %1$s
[pam]
pam_verbosity = 3
#debug_level = 9
offline_credentials_expiration = 3
[ifp]
#debug_level = 9
[domain/amer.company.com]
filter_groups = root mfe bladelogic_linux_users oracle
sudo_provider = none
debug_backtrace_enabled = false
#debug_level = 9
ad_enabled_domains = company.com, amer.company.com, apac.company.com, emea.company.com, japn.company.com
ad_enabled_domains = amer.company.com, apac.company.com, emea.company.com, japn.company.com, company.com
# If you enable ignore_group_members, it gives a small perf win, but then
# "getent group XXX" shows no members. Perf win not worth the lack of
# diagnostics.
#ignore_group_members = true
id_provider = ad
access_provider = simple
auth_provider = ad
default_shell = /bin/bash
ldap_id_mapping = False
auto_private_groups = True
realmd_tags = joined-with-adcli
cache_credentials = True
# Not set to true; Passwords stored in this way are kept in plaintext in the kernel keyring and are potentially accessible by the root user (with difficulty).
#krb5_store_password_if_offline = True
fallback_homedir = /home/%u
ldap_sasl_authid = host/austgcore17.us.company.com@AMER.COMPANY.COM
dyndns_update = False
# Using tokengroups is usually a speed optimization
#ldap_use_tokengroups = False
ldap_search_base = dc=AMER,dc=COMPANY,dc=COM
ldap_force_upper_case_realm = True
# Set to False, because KVNO of host principal gets out of sync between
# AD and /etc/krb5.keytab file frequently.
krb5_validate = False
simple_allow_groups = amerlinuxsup@amer.company.com, amerlinuxeng@amer.company.com, emealinuxsup@emea.company.com, emealinuxeng@emea.company.com, apaclinuxsup@apac.company.com, apaclinuxeng@apac.company.com, gbllinuxsuppw@amer.company.com, bladelogic_linux_users@amer.company.com, PRD-1004873-AMER-DBSPOTUNIX@amer.company.com, pptsupportpac@amer.company.com, unv_legato_admins@amer.company.com, scheduling_global@amer.company.com, engit-ebpa@amer.company.com, amerlinuxengtfssupt@amer.company.com, amerlnxsvcdelauttfs@apac.company.com, iasnprod@amer.company.com, fnms_ops@amer.company.com, zabbix-support@amer.company.com, globalinfosecopsadm@amer.company.com, prd-amer-fnmsopspac@amer.company.com, amerlinuxeng
simple_allow_users = processehcprofiler@amer.company.com, svc_prdautovm@amer.company.com, processfoglight@amer.company.com, svc_prdprofoglight01@amer.company.com, service_ome_linux@amer.company.com, svc_prdesquadscounix@apac.company.com, serviceunixinstall@amer.company.com, admspike_white, oracle
# look at https://docs.pagure.org/SSSD.sssd/design_pages/subdomain_configuration.html
[domain/amer.company.com/company.com]
ldap_search_base = dc=COMPANY,dc=COM
[domain/amer.company.com/apac.company.com]
ldap_search_base = dc=APAC,dc=COMPANY,dc=COM
[domain/amer.company.com/emea.company.com]
ldap_search_base = dc=EMEA,dc=COMPANY,dc=COM
[domain/amer.company.com/japn.company.com]
ldap_search_base = dc=JAPN,dc=COMPANY,dc=COM
Hi,
what SSSD version is this?
I think it should be fixed by https://github.com/SSSD/sssd/pull/7198#issuecomment-1959697353 and thus in SSSD 2.9.5+. On an older version you can consider setting 'debug_backtrace_enabled = false'.
On Tue, Jul 23, 2024 at 9:37 PM Spike White spikewhitetx@gmail.com wrote:
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Alexey,
Thank you for responding.
This occurs on RHEL8 and 9, but not on RHEL7. RHEL7 is version 1.16.5-xxxx.el7_9.xxx.x86_64
RHEL8 and 9 are versions 2.9.4-xxx.el8_10.x86_64 and 2.9.4-xxx.el9_4.x86_64.
On RHEL7 we don't have 'debug_backtrace_enabled = false' set (doesn't appear to be an option on version 1.16.5). But RHEL7 is ok.
On RHEL 8/9, we have 'debug_backtrace_enabled = false' set in the [nss] and [sssd] sections. Yet we see this backtrace in /var/log/sssd/krb5_child.log. Is there another section of sssd.conf in which we should be setting this?
Spike
On Wed, Jul 24, 2024 at 4:16 AM Alexey Tikhonov atikhono@redhat.com wrote:
On Wed, Jul 24, 2024 at 5:20 PM Spike White spikewhitetx@gmail.com wrote:
On RHEL 8/9, we have 'debug_backtrace_enabled = false' set in the [nss] and [sssd] sections. Yet we see this backtrace in /var/log/sssd/krb5_child.log. Is there another section of sssd.conf in which we should be setting this?
ldap_/krb5_child "inherit" debug settings from [domain/...] section.
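Turning that rule into something you can run, as an added example (my own code, not SSSD's and not from anyone in the thread): it parses an sssd.conf and reports the top-level [domain/...] sections where debug_backtrace_enabled is not false, flags krb5_validate = false as the source of the "PAC checks will be skipped" line, and counts backtrace dumps in a krb5_child.log. The embedded config is a constructed, shortened copy of the posted one with debug_backtrace_enabled deliberately left out of the domain section so the check has something to report; the log sample is cut down from the lines quoted in the first message.

```python
"""Constructed checker for the two things krb5_child.log shows in this thread:
backtrace dumps (krb5_child/ldap_child inherit debug settings from the
[domain/...] section) and the "PAC check ... krb5_validate is set to false" line."""
import configparser
import re

# Constructed sample: shortened copy of the posted sssd.conf, with
# debug_backtrace_enabled deliberately left out of the domain section.
SAMPLE_SSSD_CONF = """
[sssd]
debug_backtrace_enabled = false
domains = amer.company.com
[nss]
debug_backtrace_enabled = false
[domain/amer.company.com]
id_provider = ad
auth_provider = ad
ad_enabled_domains = company.com, amer.company.com
ad_enabled_domains = amer.company.com, company.com
krb5_validate = False
[domain/amer.company.com/company.com]
ldap_search_base = dc=COMPANY,dc=COM
"""

# Constructed sample log, cut down from the lines quoted in the first message.
SAMPLE_LOG = """\
(2024-07-23 11:20:44): [krb5_child[947088]] [main] (0x3f7c0): [RID#26239] PAC check is requested but krb5_validate is set to false. PAC checks will be skipped.
(2024-07-23 14:14:10): [krb5_child[970533]] [main] (0x3f7c0): [RID#27336] PAC check is requested but krb5_validate is set to false. PAC checks will be skipped.
(2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_get_init_creds_password] (0x0020): [RID#27336] 2193: [-1765328174][Pre-authentication failed: Cannot read password]
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
* (2024-07-23 14:14:10): [krb5_child[970533]] [main] (0x0400): [RID#27336] krb5_child started.
* (2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_get_init_creds_password] (0x0020): [RID#27336] 2193: [-1765328174][Pre-authentication failed: Cannot read password]
********************** BACKTRACE DUMP ENDS HERE *********************************
(2024-07-23 14:14:10): [krb5_child[970534]] [main] (0x3f7c0): [RID#27337] PAC check is requested but krb5_validate is set to false. PAC checks will be skipped.
"""

BACKTRACE_START = "PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE"
BACKTRACE_END = "BACKTRACE DUMP ENDS HERE"
PAC_SKIPPED = "PAC check is requested but krb5_validate is set to false"
LOG_LINE = re.compile(
    r"^\((?P<ts>[^)]+)\): \[krb5_child\[(?P<pid>\d+)\]\] \[(?P<fn>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-f]+)\): \[RID#(?P<rid>\d+)\] (?P<msg>.*)$")


def sssd_true(value):
    # The posted config mixes 'false' and 'False', so compare case-insensitively.
    return value.strip().lower() == "true"


def audit_sssd_conf(text):
    """Return (section, option, message) findings for the [domain/...] sections."""
    # strict=False: the posted config repeats ad_enabled_domains in one section;
    # configparser would otherwise raise DuplicateOptionError (last value wins).
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        opts = cp[section]
        # Only the top-level domain section (one slash) is what the children inherit from.
        if section.count("/") == 1:
            bt = opts.get("debug_backtrace_enabled")
            if bt is None or sssd_true(bt):
                findings.append((section, "debug_backtrace_enabled",
                                 "missing or true; krb5_child/ldap_child inherit debug "
                                 "settings from here, so dumps still reach krb5_child.log"))
        kv = opts.get("krb5_validate")
        if kv is not None and not sssd_true(kv):
            findings.append((section, "krb5_validate",
                             "false; TGT not checked against the host keytab and PAC "
                             "check skipped, so expect the PAC line on every login"))
    return findings


def summarize_krb5_child_log(text):
    """Count PAC-skipped lines and backtrace dumps; keep each dump's trigger message."""
    summary = {"pac_skipped": 0, "backtraces": []}
    last_msg, in_dump = None, False
    for line in text.splitlines():
        if BACKTRACE_START in line:
            in_dump = True
            summary["backtraces"].append(last_msg)  # the message logged just before it
            continue
        if BACKTRACE_END in line:
            in_dump = False
            continue
        if in_dump:  # dump lines repeat earlier debug output; skip them
            continue
        m = LOG_LINE.match(line)
        if m:
            if PAC_SKIPPED in m["msg"]:
                summary["pac_skipped"] += 1
            last_msg = m["msg"]
    return summary


if __name__ == "__main__":
    for finding in audit_sssd_conf(SAMPLE_SSSD_CONF):
        print(*finding, sep=" | ")
    print(summarize_krb5_child_log(SAMPLE_LOG))
```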
# look at https://docs.pagure.org/SSSD.sssd/design_pages/subdomain_configuration.html
[domain/amer.company.com/company.com]
ldap_search_base = dc=COMPANY,dc=COM
[domain/amer.company.com/apac.company.com]
ldap_search_base = dc=APAC,dc=COMPANY,dc=COM
[domain/amer.company.com/emea.company.com]
ldap_search_base = dc=EMEA,dc=COMPANY,dc=COM
[domain/amer.company.com/japn.company.com]
ldap_search_base = dc=JAPN,dc=COMPANY,dc=COM
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
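The config above sets krb5_validate = False because the host principal's KVNO drifts between AD and /etc/krb5.keytab; with validation off, SSSD no longer verifies against the keytab that the TGT came from a KDC holding the host key. The check below is an added example, not from this thread or from SSSD: it compares the key version stored in the keytab with the one the KDC currently issues, so a stale keytab can be refreshed and validation turned back on. It assumes POSIX sh with MIT krb5's klist and kvno, and, for the live variant, a valid TGT already in the default credential cache; the command output samples are constructed.

```shell
#!/bin/sh
# Added example (not part of the thread): detect host-principal KVNO drift
# between the local keytab and the KDC, the condition behind krb5_validate = False.

# Highest KVNO recorded for principal $2 in the `klist -kt` output passed as $1.
# Prints 0 when the principal is absent. Entry lines start with a number; the
# principal is the last field because the timestamp contains a space.
keytab_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" '
        BEGIN { max = 0 }
        $1 ~ /^[0-9]+$/ && $NF == p && $1 + 0 > max { max = $1 + 0 }
        END { print max }'
}

# Key version reported by `kvno <principal>` (output passed as $1), which is the
# version of the key the KDC used for the service ticket. Prints nothing if the
# output is an error message instead of "principal: kvno = N".
kdc_kvno() {
    printf '%s\n' "$1" | awk -F'kvno = ' 'NF == 2 { print $2 + 0; exit }'
}

# $1 = klist -kt output, $2 = kvno output, $3 = principal.
# Returns 0 in sync, 1 stale keytab, 2 principal missing, 3 kvno unparseable.
kvno_in_sync() {
    kt=$(keytab_kvno "$1" "$3")
    kdc=$(kdc_kvno "$2")
    [ "$kt" -eq 0 ] && return 2
    [ -z "$kdc" ] && return 3
    [ "$kt" -eq "$kdc" ]
}

# Human-readable verdict on stdout; safe to call under set -e.
describe_sync() {
    kvno_in_sync "$1" "$2" "$3" && rc=0 || rc=$?
    case $rc in
        0) echo "in sync" ;;
        1) echo "stale keytab: refresh it before re-enabling krb5_validate" ;;
        2) echo "principal not found in keytab" ;;
        *) echo "could not parse kvno output" ;;
    esac
}

# Live variant: needs read access to the keytab and a TGT in the default cache
# (kvno fetches a service ticket for the principal). Optional $2 = keytab path.
check_live_host() {
    describe_sync "$(klist -kt "${2:-/etc/krb5.keytab}")" "$(kvno "$1" 2>&1)" "$1"
}

# Constructed sample output (the hostname is the ldap_sasl_authid from the thread).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   4 01/10/2024 09:12:33 host/austgcore17.us.company.com@AMER.COMPANY.COM
   5 06/30/2024 08:01:02 host/austgcore17.us.company.com@AMER.COMPANY.COM
   5 06/30/2024 08:01:02 HOST/austgcore17.us.company.com@AMER.COMPANY.COM'
SAMPLE_KVNO_OK='host/austgcore17.us.company.com@AMER.COMPANY.COM: kvno = 5'
SAMPLE_KVNO_DRIFT='host/austgcore17.us.company.com@AMER.COMPANY.COM: kvno = 6'

PRINC='host/austgcore17.us.company.com@AMER.COMPANY.COM'
echo "ok sample:    $(describe_sync "$SAMPLE_KLIST" "$SAMPLE_KVNO_OK" "$PRINC")"
echo "drift sample: $(describe_sync "$SAMPLE_KLIST" "$SAMPLE_KVNO_DRIFT" "$PRINC")"
```

On a real host, `check_live_host host/$(hostname -f)@AMER.COMPANY.COM` gives the verdict for the joined machine; a "stale keytab" result is the case where krb5_validate = True would reject the TGT.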
Alexey,
Again, thanks for replying.
I put
debug_backtrace_enabled = false
in section
[domain/amer.company.com]
and restarted sssd. Still the backtrace shows up in /var/log/sssd/krb5_child.log. In both RHEL8 and RHEL9.
Is it possible that krb5_child (in version 2.9.4-x) is inheriting from another sssd.conf file section?
Spike
On Wed, Jul 24, 2024 at 10:24 AM Alexey Tikhonov atikhono@redhat.com wrote:
On Wed, Jul 24, 2024 at 5:20 PM Spike White spikewhitetx@gmail.com wrote:
Alexey,
Thank you for responding.
This occurs on RHEL8 and 9, but not on RHEL7. RHEL7 is version 1.16.5-xxxx.el7_9.xxx.x86_64
RHEL8 and 9 are versions 2.9.4-xxx.el8_10.x86_64 and 2.9.4-xxx.el9_4.x86_64.
On RHEL7 we don't have 'debug_backtrace_enabled = false' set (doesn't appear to be an option on version 1.16.5). But RHEL7 is ok.
On RHEL 8/9, we have 'debug_backtrace_enabled = false' set in the [nss] and [sssd] sections. Yet we see this backtrace in /var/log/sssd/krb5_child.log. Is there another section of sssd.conf in which we should be setting this?
ldap_/krb5_child "inherit" debug settings from [domain/...] section.
Spike
On Wed, Jul 24, 2024 at 4:16 AM Alexey Tikhonov atikhono@redhat.com wrote:
Hi,
what SSSD version is this?
I think it should be fixed by https://github.com/SSSD/sssd/pull/7198#issuecomment-1959697353 and thus in SSSD 2.9.5+. On an older version you can consider setting 'debug_backtrace_enabled = false'.
On Tue, Jul 23, 2024 at 9:37 PM Spike White spikewhitetx@gmail.com wrote:
Alexey,
This seems related to Excessive SSSD backtrace log messages - Red Hat Customer Portal https://access.redhat.com/solutions/6591751
except this is occurring in /var/log/sssd/krb5_child.log instead of /var/log/sssd/sssd_*.log file.
Spike
On Wed, Jul 24, 2024 at 11:04 AM Spike White spikewhitetx@gmail.com wrote:
On Wed, Jul 24, 2024 at 6:29 PM Spike White spikewhitetx@gmail.com wrote:
Alexey,
Again, thanks for replying.
I put
debug_backtrace_enabled = false
in section
[domain/amer.company.com]
and restarted sssd. Still the backtrace shows up in /var/log/sssd/krb5_child.log. In both RHEL8 and RHEL9.
Is it possible that krb5_child (in version 2.9.4-x) is inheriting from another sssd.conf file section?
No, you've found a bug: there is no way to configure 'debug_backtrace_enabled' for child processes (maybe with the exception of proxy_child, not sure). I think the fix should be to inherit it from the domain section (as happens with debug_level). Please open a ticket upstream.
Spike
# If you enable ignore_group_members, it gives a small perf win, but then
# "getent group XXX" shows no members. Perf win not worth the lack of
# diagnostics.
#ignore_group_members = true
id_provider = ad
access_provider = simple
auth_provider = ad
default_shell = /bin/bash
ldap_id_mapping = False
auto_private_groups = True
realmd_tags = joined-with-adcli
cache_credentials = True
# Not set to true; Passwords stored in this way are kept in plaintext in the kernel keyring and are potentially accessible by the root user (with difficulty).
#krb5_store_password_if_offline = True
fallback_homedir = /home/%u
ldap_sasl_authid = host/austgcore17.us.company.com@AMER.COMPANY.COM
dyndns_update = False
# Using tokengroups is usually a speed optimization
#ldap_use_tokengroups = False
ldap_search_base = dc=AMER,dc=COMPANY,dc=COM
ldap_force_upper_case_realm = True
# Set to False, because KVNO of host principal gets out of sync between
# AD and /etc/krb5.keytab file frequently.
krb5_validate = False
simple_allow_groups = amerlinuxsup@amer.company.com, amerlinuxeng@amer.company.com, emealinuxsup@emea.company.com, emealinuxeng@emea.company.com, apaclinuxsup@apac.company.com, apaclinuxeng@apac.company.com, gbllinuxsuppw@amer.company.com, bladelogic_linux_users@amer.company.com, PRD-1004873-AMER-DBSPOTUNIX@amer.company.com, pptsupportpac@amer.company.com, unv_legato_admins@amer.company.com, scheduling_global@amer.company.com, engit-ebpa@amer.company.com, amerlinuxengtfssupt@amer.company.com, amerlnxsvcdelauttfs@apac.company.com, iasnprod@amer.company.com, fnms_ops@amer.company.com, zabbix-support@amer.company.com, globalinfosecopsadm@amer.company.com, prd-amer-fnmsopspac@amer.company.com, amerlinuxeng
simple_allow_users = processehcprofiler@amer.company.com, svc_prdautovm@amer.company.com, processfoglight@amer.company.com, svc_prdprofoglight01@amer.company.com, service_ome_linux@amer.company.com, svc_prdesquadscounix@apac.company.com, serviceunixinstall@amer.company.com, admspike_white, oracle
# look at https://docs.pagure.org/SSSD.sssd/design_pages/subdomain_configuration.html
[domain/amer.company.com/company.com]
ldap_search_base = dc=COMPANY,dc=COM
[domain/amer.company.com/apac.company.com]
ldap_search_base = dc=APAC,dc=COMPANY,dc=COM
[domain/amer.company.com/emea.company.com]
ldap_search_base = dc=EMEA,dc=COMPANY,dc=COM
[domain/amer.company.com/japn.company.com]
ldap_search_base = dc=JAPN,dc=COMPANY,dc=COM
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Alexey,
I have submitted Redhat case 03886211 https://access.redhat.com/support/cases/#/case/03886211 on this.
Thank you, Spike
On Wed, Jul 24, 2024 at 1:04 PM Alexey Tikhonov atikhono@redhat.com wrote:
On Wed, Jul 24, 2024 at 6:29 PM Spike White spikewhitetx@gmail.com wrote:
Alexey,
Again, thanks for replying.
I put
debug_backtrace_enabled = false
in section
[domain/amer.company.com]
and restarted sssd. Still the backtrace shows up in /var/log/sssd/krb5_child.log. In both RHEL8 and RHEL9.
Is it possible that krb5_child (in version 2.9.4-x) is inheriting from another sssd.conf file section?
No, you've found a bug - there is no way to configure 'debug_backtrace_enabled' for child processes (maybe with the exception of proxy_child, not sure). I think the fix should be to inherit from the domain section (as it happens with debug_level). Please open a ticket upstream.
Spike
On Wed, Jul 24, 2024 at 10:24 AM Alexey Tikhonov atikhono@redhat.com wrote:
On Wed, Jul 24, 2024 at 5:20 PM Spike White spikewhitetx@gmail.com wrote:
Alexey,
Thank you for responding.
This occurs on RHEL8 and 9, but not on RHEL7. RHEL7 is version 1.16.5-xxxx.el7_9.xxx.x86_64
RHEL8 and 9 are versions 2.9.4-xxx.el8_10.x86_64 and 2.9.4-xxx.el9_4.x86_64.
On RHEL7 we don't have 'debug_backtrace_enabled = false' set (doesn't appear to be an option on version 1.16.5). But RHEL7 is ok.
On RHEL 8/9, we have 'debug_backtrace_enabled = false' set in the [nss] and [sssd] sections. Yet we see this backtrace in /var/log/sssd/krb5_child.log. Is there another section of sssd.conf in which we should be setting this?
ldap_/krb5_child "inherit" debug settings from [domain/...] section.
Spike
On Wed, Jul 24, 2024 at 4:16 AM Alexey Tikhonov atikhono@redhat.com wrote:
Hi,
what SSSD version is this?
I think it should be fixed by https://github.com/SSSD/sssd/pull/7198#issuecomment-1959697353 and thus in SSSD 2.9.5+. On an older version you can consider setting 'debug_backtrace_enabled = false'.
On Tue, Jul 23, 2024 at 9:37 PM Spike White spikewhitetx@gmail.com wrote:
On Wed, Jul 24, 2024 at 11:44 PM Spike White spikewhitetx@gmail.com wrote:
Alexey,
I have submitted Redhat case 03886211 https://access.redhat.com/support/cases/#/case/03886211 on this.
Thank you.
Just to clarify - there are 2 different issues:
(1) wrong log level used / excessive logging: I believe it's fixed in sssd-2.9.5. It would be great if you could test it using C9S package: https://composes.stream.centos.org/development/latest-CentOS-Stream/compose/...
(2) there is no way to configure 'debug_backtrace_enabled' for child processes: I opened https://github.com/SSSD/sssd/issues/7510 for this issue
Meanwhile, if those backtraces are too irritating, you can consider setting `debug_level = 0` in the domain section (but, of course, this will suppress almost all debugging).
Thank you, Spike
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Alexey,
It took a while, but I have sssd-*-2.9.4.el9.x86_64 installed on a test RHEL9 server. Now when a user logs in, I get just this in /var/log/sssd/krb5_child.log:
(2024-07-25 12:11:46): [krb5_child[89771]] [main] (0x3f7c0): [RID#6] PAC check is requested but krb5_validate is set to false. PAC checks will be skipped.
(2024-07-25 12:11:46): [krb5_child[89772]] [main] (0x3f7c0): [RID#7] PAC check is requested but krb5_validate is set to false. PAC checks will be skipped.
Which is normal. So -- sssd version 2.9.5 fixes this.
BTW on this RHEL9 test server -- debug_backtrace_enabled is not set in this /etc/sssd/sssd.conf file (so it takes default of 'true').
As far as standard RHEL8 & 9 sssd version 2.9.4-xxx, I'd rather not set debug_level = 0. I'd rather just wait for this bug fix.
Spike
On Thu, Jul 25, 2024 at 5:37 AM Alexey Tikhonov atikhono@redhat.com wrote:
On Wed, Jul 24, 2024 at 11:44 PM Spike White spikewhitetx@gmail.com wrote:
Alexey,
I have submitted Redhat case 03886211 https://access.redhat.com/support/cases/#/case/03886211 on this.
Thank you.
Just to clarify - there are 2 different issues:
(1) wrong log level used / excessive logging: I believe it's fixed in sssd-2.9.5. It would be great if you could test it using C9S package: https://composes.stream.centos.org/development/latest-CentOS-Stream/compose/...
(2) there is no way to configure 'debug_backtrace_enabled' for child processes: I opened https://github.com/SSSD/sssd/issues/7510 for this issue
Meanwhile, if those backtraces are too irritating, you can consider setting `debug_level = 0` in the domain section (but, of course, this will suppress almost all debugging).
Thank you, Spike
On Wed, Jul 24, 2024 at 1:04 PM Alexey Tikhonov atikhono@redhat.com wrote:
On Wed, Jul 24, 2024 at 6:29 PM Spike White spikewhitetx@gmail.com wrote:
Alexey,
Again, thanks for replying.
I put
debug_backtrace_enabled = false
in section
[domain/amer.company.com]
and restarted sssd. Still the backtrace shows up in /var/log/sssd/krb5_child.log. In both RHEL8 and RHEL9.
Is it possible that krb5_child (in version 2.9.4-x) is inheriting from another sssd.conf file section?
No, you've found a bug - there is no way to configure 'debug_backtrace_enabled' for child processes (maybe with the exception of proxy_child, not sure). I think the fix should be to inherit from the domain section (as it happens with debug_level). Please open a ticket upstream.
Spike
On Wed, Jul 24, 2024 at 10:24 AM Alexey Tikhonov atikhono@redhat.com wrote:
On Wed, Jul 24, 2024 at 5:20 PM Spike White spikewhitetx@gmail.com wrote:
Alexey,
Thank you for responding.
This occurs on RHEL8 and 9, but not on RHEL7. RHEL7 is version 1.16.5-xxxx.el7_9.xxx.x86_64
RHEL8 and 9 are versions 2.9.4-xxx.el8_10.x86_64 and 2.9.4-xxx.el9_4.x86_64.
On RHEL7 we don't have 'debug_backtrace_enabled = false' set (doesn't appear to be an option on version 1.16.5). But RHEL7 is ok.
On RHEL 8/9, we have 'debug_backtrace_enabled = false' set in the [nss] and [sssd] sections. Yet we see this backtrace in /var/log/sssd/krb5_child.log. Is there another section of sssd.conf in which we should be setting this?
ldap_/krb5_child "inherit" debug settings from [domain/...] section.
Spike
On Wed, Jul 24, 2024 at 4:16 AM Alexey Tikhonov atikhono@redhat.com wrote:
> Hi,
>
> what SSSD version is this?
>
> I think it should be fixed by
> https://github.com/SSSD/sssd/pull/7198#issuecomment-1959697353 and
> thus in SSSD 2.9.5+
> On an older version you can consider setting
> 'debug_backtrace_enabled = false'
>
>
> On Tue, Jul 23, 2024 at 9:37 PM Spike White spikewhitetx@gmail.com wrote:
>
>> All,
>>
>> This is not a problem. But it is annoying; how do I make it go away?
>>
>> Every time any user logs into any of our Linux servers, we get these messages in the /var/log/sssd/krb5_child.log file:
>>
>> (2024-07-23 11:20:44): [krb5_child[947088]] [main] (0x3f7c0): [RID#26239] PAC check is requested but krb5_validate is set to false. PAC checks will be skipped.
>> (2024-07-23 14:14:10): [krb5_child[970533]] [main] (0x3f7c0): [RID#27336] PAC check is requested but krb5_validate is set to false. PAC checks will be skipped.
>> (2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_get_init_creds_password] (0x0020): [RID#27336] 2193: [-1765328174][Pre-authentication failed: Cannot read password]
>> ********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
>> * (2024-07-23 14:14:10): [krb5_child[970533]] [main] (0x0400): [RID#27336] krb5_child started.
>> * (2024-07-23 14:14:10): [krb5_child[970533]] [unpack_buffer] (0x1000): [RID#27336] total buffer size: [92]
>> * (2024-07-23 14:14:10): [krb5_child[970533]] [unpack_buffer] (0x0100): [RID#27336] cmd [249 (pre-auth)] uid [2025431] gid [2025431] validate [false] enterprise principal [true] offline [false] UPN [ AdmSpike_White@AMER.COMPANY.COM]
>> * (2024-07-23 14:14:10): [krb5_child[970533]] [unpack_buffer] (0x0100): [RID#27336] ccname: [KCM:] old_ccname: [KCM:] keytab: [not set]
>> * (2024-07-23 14:14:10): [krb5_child[970533]] [check_keytab_name] (0x0400): [RID#27336] Missing krb5_keytab option for domain, looking for default one
>> * (2024-07-23 14:14:10): [krb5_child[970533]] [check_keytab_name] (0x0400): [RID#27336] krb5_kt_default_name() returned: FILE:/etc/krb5.keytab
>> * (2024-07-23 14:14:10): [krb5_child[970533]] [check_keytab_name] (0x0400): [RID#27336] krb5_child will default to: /etc/krb5.keytab
>> * (2024-07-23 14:14:10): [krb5_child[970533]] [check_use_fast] (0x0100): [RID#27336] Not using FAST.
>> * (2024-07-23 14:14:10): [krb5_child[970533]] [become_user] (0x0200): [RID#27336] Trying to become user [2025431][2025431].
>> * (2024-07-23 14:14:10): [krb5_child[970533]] [main] (0x2000): [RID#27336] Running as [2025431][2025431].
>> * (2024-07-23 14:14:10): [krb5_child[970533]] [set_lifetime_options] (0x0100): [RID#27336] No specific renewable lifetime requested.
>> * (2024-07-23 14:14:10): [krb5_child[970533]] [set_lifetime_options] (0x0100): [RID#27336] No specific lifetime requested.
>> * (2024-07-23 14:14:10): [krb5_child[970533]] [set_canonicalize_option] (0x0100): [RID#27336] Canonicalization is set to [true]
>> * (2024-07-23 14:14:10): [krb5_child[970533]] [main] (0x0400): [RID#27336] Will perform pre-auth
>> * (2024-07-23 14:14:10): [krb5_child[970533]] [tgt_req_child] (0x1000): [RID#27336] Attempting to get a TGT
>> * (2024-07-23 14:14:10): [krb5_child[970533]] [get_and_save_tgt] (0x0400): [RID#27336] Attempting kinit for realm [ AMER.COMPANY.COM]
>> * (2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_responder] (0x4000): [RID#27336] Got question [password].
>> * (2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_prompter] (0x4000): [RID#27336] sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL.
>> * (2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_prompter] (0x4000): [RID#27336] Prompt [0][Password for AdmSpike_White@AMER.COMPANY.COM@AMER.COMPANY.COM].
>> * (2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_prompter] (0x0200): [RID#27336] Prompter interface isn't used for password prompts by SSSD.
>> * (2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_get_init_creds_password] (0x0020): [RID#27336] 2193: [-1765328174][Pre-authentication failed: Cannot read password]
>> ********************** BACKTRACE DUMP ENDS HERE *********************************
>>
>> (2024-07-23 14:14:10): [krb5_child[970534]] [main] (0x3f7c0): [RID#27337] PAC check is requested but krb5_validate is set to false. PAC checks will be skipped.
>>
>> We’re ok with the krb5_validate message. We set:
>>
>> krb5_validate = False
>>
>> in /etc/sssd/sssd.conf file because KVNO of host principal gets out of sync between AD and /etc/krb5.keytab file frequently.
>>
>> So we’re comfortable with that one line of logging. It’s all the rest of the logging that we’d prefer not to see.
>>
>> How do we suppress them or eradicate the underlying condition that leads to them appearing?
>>
>> Here is our sssd.conf file.
>>
>> [nss]
>> debug_backtrace_enabled = false
>> #debug_level = 9
>> filter_groups = root mfe bladelogic_linux_users@amer.company.com bladelogic_linux_users@emea.company.com bladelogic_linux_users@apac.company.com bladelogic_linux_users@japn.company.com bladelogic_linux_users@company.com oracle
>> filter_users = root mfe oracle
>>
>> [sssd]
>> debug_backtrace_enabled = false
>> #debug_level = 9
>> domains = amer.company.com
>> domain_resolution_order = amer.company.com, emea.company.com, apac.company.com, japn.company.com, company.com
>> config_file_version = 2
>> services = nss,pam,ifp
>> reconnection_retries = 3
>> full_name_format = %1$s
>>
>> [pam]
>> pam_verbosity = 3
>> #debug_level = 9
>> offline_credentials_expiration = 3
>>
>> [ifp]
>> #debug_level = 9
>>
>> [domain/amer.company.com]
>> filter_groups = root mfe bladelogic_linux_users oracle
>> sudo_provider = none
>> debug_backtrace_enabled = false
>> #debug_level = 9
>> ad_enabled_domains = company.com, amer.company.com, apac.company.com, emea.company.com, japn.company.com
>> ad_enabled_domains = amer.company.com, apac.company.com, emea.company.com, japn.company.com, company.com
>> # If you enable ignore_group_members, it gives a small perf win, but then
>> # "getent group XXX" shows no members. Perf win not worth the lack of
>> # diagnostics.
>> #ignore_group_members = true
>> id_provider = ad
>> access_provider = simple
>> auth_provider = ad
>> default_shell = /bin/bash
>> ldap_id_mapping = False
>> auto_private_groups = True
>> realmd_tags = joined-with-adcli
>> cache_credentials = True
>>
>> # Not set to true; Passwords stored in this way are kept in plaintext in the kernel keyring and are potentially accessible by the root user (with difficulty).
>> #krb5_store_password_if_offline = True
>> fallback_homedir = /home/%u
>> ldap_sasl_authid = host/austgcore17.us.company.com@AMER.COMPANY.COM
>> dyndns_update = False
>> # Using tokengroups is usually a speed optimization
>> #ldap_use_tokengroups = False
>> ldap_search_base = dc=AMER,dc=COMPANY,dc=COM
>> ldap_force_upper_case_realm = True
>> # Set to False, because KVNO of host principal gets out of sync between
>> # AD and /etc/krb5.keytab file frequently.
>> krb5_validate = False
>> simple_allow_groups = amerlinuxsup@amer.company.com, amerlinuxeng@amer.company.com, emealinuxsup@emea.company.com, emealinuxeng@emea.company.com, apaclinuxsup@apac.company.com, apaclinuxeng@apac.company.com, gbllinuxsuppw@amer.company.com, bladelogic_linux_users@amer.company.com, PRD-1004873-AMER-DBSPOTUNIX@amer.company.com, pptsupportpac@amer.company.com, unv_legato_admins@amer.company.com, scheduling_global@amer.company.com, engit-ebpa@amer.company.com, amerlinuxengtfssupt@amer.company.com, amerlnxsvcdelauttfs@apac.company.com, iasnprod@amer.company.com, fnms_ops@amer.company.com, zabbix-support@amer.company.com, globalinfosecopsadm@amer.company.com, prd-amer-fnmsopspac@amer.company.com, amerlinuxeng
>> simple_allow_users = processehcprofiler@amer.company.com, svc_prdautovm@amer.company.com, processfoglight@amer.company.com, svc_prdprofoglight01@amer.company.com, service_ome_linux@amer.company.com, svc_prdesquadscounix@apac.company.com, serviceunixinstall@amer.company.com, admspike_white, oracle
>>
>> # look at https://docs.pagure.org/SSSD.sssd/design_pages/subdomain_configuration.html
>> [domain/amer.company.com/company.com]
>> ldap_search_base = dc=COMPANY,dc=COM
>>
>> [domain/amer.company.com/apac.company.com]
>> ldap_search_base = dc=APAC,dc=COMPANY,dc=COM
>>
>> [domain/amer.company.com/emea.company.com]
>> ldap_search_base = dc=EMEA,dc=COMPANY,dc=COM
>>
>> [domain/amer.company.com/japn.company.com]
>> ldap_search_base = dc=JAPN,dc=COMPANY,dc=COM
>> --
>> _______________________________________________
>> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
>> To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
>> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
> --
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
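Spike confirmed the fix above by eyeballing /var/log/sssd/krb5_child.log for anything other than the expected krb5_validate notice. As an added example that is not part of the thread or of SSSD itself, the script below does that check mechanically: it parses krb5_child.log lines in the format quoted in this thread, folds each "PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE" ... "BACKTRACE DUMP ENDS HERE" block into a single backtrace event, separates the benign krb5_validate notice from real failures, and reports whether only the expected notice remains. The two log samples are constructed from the excerpts in the thread (the "before" one with a backtrace dump, the "after" one with only the notices); the function names and the fatal/critical threshold (SSSD levels 0x0010 and 0x0020) are this example's choices.

```python
"""Classify krb5_child.log output: benign krb5_validate notice, backtrace
dumps, real failures. Added example modelled on the log format quoted in
the sssd-users thread; not SSSD project code."""
import re
from collections import Counter

# Constructed sample, modelled on the pre-fix excerpt in the thread
# (one benign notice, one critical failure with its backtrace, one more notice).
BEFORE_FIX_LOG = """\
(2024-07-25 12:11:46): [krb5_child[89771]] [main] (0x3f7c0): [RID#6] PAC check is requested but krb5_validate is set to false. PAC checks will be skipped.
(2024-07-25 12:11:47): [krb5_child[89772]] [sss_krb5_get_init_creds_password] (0x0020): [RID#7] 2193: [-1765328174][Pre-authentication failed: Cannot read password]
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
   *  (2024-07-25 12:11:47): [krb5_child[89772]] [main] (0x0400): [RID#7] krb5_child started.
   *  (2024-07-25 12:11:47): [krb5_child[89772]] [check_use_fast] (0x0100): [RID#7] Not using FAST.
********************** BACKTRACE DUMP ENDS HERE *********************************
(2024-07-25 12:11:48): [krb5_child[89773]] [main] (0x3f7c0): [RID#8] PAC check is requested but krb5_validate is set to false. PAC checks will be skipped.
"""

# Constructed sample modelled on what Spike saw after installing the fixed build.
AFTER_FIX_LOG = """\
(2024-07-25 12:11:46): [krb5_child[89771]] [main] (0x3f7c0): [RID#6] PAC check is requested but krb5_validate is set to false. PAC checks will be skipped.
(2024-07-25 12:11:46): [krb5_child[89772]] [main] (0x3f7c0): [RID#7] PAC check is requested but krb5_validate is set to false. PAC checks will be skipped.
"""

# One krb5_child log line: (timestamp): [krb5_child[pid]] [function] (level): [RID#n] message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\): \[krb5_child\[(?P<pid>\d+)\]\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-f]+)\): \[RID#(?P<rid>\d+)\] (?P<msg>.*)$"
)
BT_START = "PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE"
BT_END = "BACKTRACE DUMP ENDS HERE"
VALIDATE_NOTICE = "krb5_validate is set to false"
# SSSD debug levels: 0x0010 fatal failures, 0x0020 critical failures.
FAILURE_LEVEL_MAX = 0x0020


def classify(log_text):
    """Return (Counter of categories, list of (rid, msg) for real failures)."""
    counts = Counter()
    failures = []
    in_backtrace = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if BT_START in line:          # whole dump counts as one event
            in_backtrace = True
            counts["backtrace_dumps"] += 1
            continue
        if BT_END in line:
            in_backtrace = False
            continue
        if in_backtrace:              # replayed trace lines, not new events
            counts["backtrace_lines"] += 1
            continue
        m = LINE_RE.match(line)
        if not m:
            counts["unparsed"] += 1
            continue
        if VALIDATE_NOTICE in m["msg"]:
            # The one line the poster accepts (its level mask is the
            # "wrong log level" Alexey said 2.9.5 fixes).
            counts["krb5_validate_notice"] += 1
        elif int(m["level"], 16) <= FAILURE_LEVEL_MAX:
            counts["failures"] += 1
            failures.append((m["rid"], m["msg"]))
        else:
            counts["other"] += 1
    return counts, failures


def only_expected_notice(log_text):
    """True when the log holds nothing but the krb5_validate notice."""
    counts, _ = classify(log_text)
    return counts["backtrace_dumps"] == 0 and counts["failures"] == 0 \
        and counts["unparsed"] == 0 and counts["other"] == 0


if __name__ == "__main__":
    for name, text in (("before", BEFORE_FIX_LOG), ("after", AFTER_FIX_LOG)):
        counts, failures = classify(text)
        print(name, dict(counts), "only expected notice:", only_expected_notice(text))
        for rid, msg in failures:
            print("  RID#%s: %s" % (rid, msg))
```

Run it against a real krb5_child.log after upgrading and the "after" shape (notices only, no dumps, no failures) is what confirms the fix on that host; anything counted under `failures` is a genuine authentication problem to look at rather than log noise.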
On Thu, Jul 25, 2024 at 6:19 PM Spike White spikewhitetx@gmail.com wrote:
Alexey,
It took a while, but I have sssd-*-2.9.4.el9.x86_64 installed on a test RHEL9 server. Now when a user logs in, I get just this in /var/log/sssd/krb5_child.log:
(2024-07-25 12:11:46): [krb5_child[89771]] [main] (0x3f7c0): [RID#6] PAC check is requested but krb5_validate is set to false. PAC checks will be skipped.
(2024-07-25 12:11:46): [krb5_child[89772]] [main] (0x3f7c0): [RID#7] PAC check is requested but krb5_validate is set to false. PAC checks will be skipped.
Which is normal. So -- sssd version 2.9.5 fixes this.
Thank you for testing.
BTW on this RHEL9 test server -- debug_backtrace_enabled is not set in this /etc/sssd/sssd.conf file (so it takes default of 'true').
As far as standard RHEL8 & 9 sssd version 2.9.4-xxx, I'd rather not set debug_level = 0. I'd rather just wait for this bug fix.
While RHEL9 should eventually get sssd-2.9.5+ (or even sssd-2.10), RHEL8 probably won't... i.e. fixing this in RHEL8 would require pulling https://github.com/SSSD/sssd/pull/7198#issuecomment-1959697353 explicitly...
Spike
On Thu, Jul 25, 2024 at 5:37 AM Alexey Tikhonov atikhono@redhat.com wrote:
On Wed, Jul 24, 2024 at 11:44 PM Spike White spikewhitetx@gmail.com wrote:
Alexey,
I have submitted Redhat case 03886211 https://access.redhat.com/support/cases/#/case/03886211 on this.
Thank you.
Just to clarify - there are 2 different issues:
(1) wrong log level used / excessive logging: I believe it's fixed in sssd-2.9.5. It would be great if you could test it using C9S package: https://composes.stream.centos.org/development/latest-CentOS-Stream/compose/...
(2) there is no way to configure 'debug_backtrace_enabled' for child processes: I opened https://github.com/SSSD/sssd/issues/7510 for this issue
Meanwhile, if those backtraces are too irritating, you can consider setting `debug_level = 0` in the domain section (but, of course, this will suppress almost all debugging).
Thank you, Spike
On Wed, Jul 24, 2024 at 1:04 PM Alexey Tikhonov atikhono@redhat.com wrote:
On Wed, Jul 24, 2024 at 6:29 PM Spike White spikewhitetx@gmail.com wrote:
Alexey,
Again, thanks for replying.
I put
debug_backtrace_enabled = false
in section
[domain/amer.company.com]
and restarted sssd. Still the backtrace shows up in /var/log/sssd/krb5_child.log. In both RHEL8 and RHEL9.
Is it possible that krb5_child (in version 2.9.4-x) is inheriting from another sssd.conf file section?
No, you've found a bug - there is no way to configure 'debug_backtrace_enabled' for child processes (maybe with the exception of proxy_child, not sure). I think the fix should be to inherit from the domain section (as it happens with debug_level). Please open a ticket upstream.
Spike
On Wed, Jul 24, 2024 at 10:24 AM Alexey Tikhonov atikhono@redhat.com wrote:
On Wed, Jul 24, 2024 at 5:20 PM Spike White spikewhitetx@gmail.com wrote:
> Alexey,
>
> Thank you for responding.
>
> This occurs on RHEL8 and 9, but not on RHEL7. RHEL7 is version 1.16.5-xxxx.el7_9.xxx.x86_64
>
> RHEL8 and 9 are versions 2.9.4-xxx.el8_10.x86_64 and 2.9.4-xxx.el9_4.x86_64.
>
> On RHEL7 we don't have 'debug_backtrace_enabled = false' set (doesn't appear to be an option on version 1.16.5). But RHEL7 is ok.
>
> On RHEL 8/9, we have 'debug_backtrace_enabled = false' set in the [nss] and [sssd] sections. Yet we see this backtrace in /var/log/sssd/krb5_child.log. Is there another section of sssd.conf in which we should be setting this?
ldap_/krb5_child "inherit" debug settings from [domain/...] section.
On Wed, Jul 24, 2024 at 8:03 PM Alexey Tikhonov atikhono@redhat.com wrote:
> On Wed, Jul 24, 2024 at 6:29 PM Spike White spikewhitetx@gmail.com wrote:
>> Alexey,
>> Again, thanks for replying.
>> I put
>>
>> debug_backtrace_enabled = false
>>
>> in section
>>
>> [domain/amer.company.com]
>>
>> and restarted sssd. Still the backtrace shows up in /var/log/sssd/krb5_child.log, in both RHEL8 and RHEL9.
>> Is it possible that krb5_child (in version 2.9.4-x) is inheriting from another sssd.conf file section?
>
> No, you've found a bug - there is no way to configure 'debug_backtrace_enabled' for child processes (maybe with the exception of proxy_child, not sure). I think the fix should be to inherit from the domain section (as it happens with debug_level). Please, open a ticket upstream.

JFTR: https://github.com/SSSD/sssd/issues/7510 should now be fixed upstream.
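The exchange above is about two different kinds of lines in krb5_child.log: the PAC notice that is printed for every login while krb5_validate is false, and the backtrace dump (a header line followed by indented `*`-prefixed copies of buffered low-level messages) that debug_backtrace_enabled is supposed to switch off but, before the fix in issue 7510, does not switch off for child processes. The following Python is an added example, not code from the thread or from SSSD. It parses a krb5_child.log capture, counts the PAC notices separately from the dumps, records which error-level message triggered each dump, and produces a filtered copy without the dumps, so an admin can see how much of the log is backtrace noise and read the rest until the upstream fix is deployed. The line layout, the `BACKTRACE DUMP ENDS HERE` trailer and the sample lines are assumptions modelled on krb5_child output; the sample is constructed, with made-up pids, uids and RIDs.

```python
"""Summarise and filter krb5_child.log noise (added example, not SSSD code).

Assumed layout (modelled on krb5_child logs; the sample below is constructed):
  (timestamp): [krb5_child[pid]] [function] (0xlevel): [RID#n] message
With debug_backtrace_enabled on, an error-level message is followed by
  ********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
then indented "*"-prefixed copies of the buffered low-level messages, and
  ********************** BACKTRACE DUMP ENDS HERE ...   (trailer may be absent)
"""
import re
from dataclasses import dataclass, field

BACKTRACE_HEADER = "PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:"
BACKTRACE_FOOTER = "BACKTRACE DUMP ENDS HERE"
PAC_NOTICE = "PAC check is requested but krb5_validate is set to false"

LINE_RE = re.compile(
    r"^\((?P<ts>[^)]*)\): \[krb5_child\[(?P<pid>\d+)\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): "
    r"(?:\[RID#(?P<rid>\d+)\] )?(?P<msg>.*)$"
)
# A dumped line: optional indent, "*", whitespace, then a "(timestamp" message.
BT_LINE_RE = re.compile(r"^\s*\*\s+\(")


@dataclass
class Summary:
    pac_notices: int = 0          # PAC notices printed outside dumps (one per login)
    backtrace_blocks: int = 0     # dumps emitted (one per error-level message)
    backtrace_lines: int = 0      # "*" lines inside those dumps
    errors: list[str] = field(default_factory=list)  # messages that triggered a dump


def summarise(log_text: str) -> Summary:
    s = Summary()
    last_msg = None
    in_backtrace = False
    for line in log_text.splitlines():
        if BACKTRACE_HEADER in line:
            in_backtrace = True
            s.backtrace_blocks += 1
            if last_msg is not None:  # the message just before the header
                s.errors.append(last_msg)
            continue
        if BACKTRACE_FOOTER in line:
            in_backtrace = False
            continue
        if in_backtrace and BT_LINE_RE.match(line):
            s.backtrace_lines += 1
            continue
        in_backtrace = False  # any other line ends a dump that has no trailer
        m = LINE_RE.match(line)
        if not m:
            continue
        last_msg = m.group("msg")
        if PAC_NOTICE in last_msg:
            s.pac_notices += 1
    return s


def strip_backtraces(log_text: str) -> str:
    """Drop dump header, "*" lines and trailer: roughly what the log would
    contain if krb5_child honoured debug_backtrace_enabled = false."""
    kept = []
    in_backtrace = False
    for line in log_text.splitlines():
        if BACKTRACE_HEADER in line:
            in_backtrace = True
            continue
        if BACKTRACE_FOOTER in line:
            in_backtrace = False
            continue
        if in_backtrace and BT_LINE_RE.match(line):
            continue
        in_backtrace = False
        kept.append(line)
    return "\n".join(kept)


# Constructed sample: three logins, the second one failing and producing a dump.
SAMPLE_LOG = """\
(2024-07-24 09:00:01): [krb5_child[1001]] [main] (0x3f7c0): [RID#11] PAC check is requested but krb5_validate is set to false. PAC checks will be skipped.
(2024-07-24 09:05:10): [krb5_child[1002]] [main] (0x3f7c0): [RID#12] PAC check is requested but krb5_validate is set to false. PAC checks will be skipped.
(2024-07-24 09:05:10): [krb5_child[1002]] [sss_krb5_get_init_creds_password] (0x0020): [RID#12] [-1765328174][Pre-authentication failed: Cannot read password]
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
   *  (2024-07-24 09:05:10): [krb5_child[1002]] [main] (0x0400): [RID#12] krb5_child started.
   *  (2024-07-24 09:05:10): [krb5_child[1002]] [unpack_buffer] (0x1000): [RID#12] total buffer size: [96]
   *  (2024-07-24 09:05:10): [krb5_child[1002]] [check_use_fast] (0x0100): [RID#12] Not using FAST.
   *  (2024-07-24 09:05:10): [krb5_child[1002]] [main] (0x2000): [RID#12] Running as [2001][2001].
********************** BACKTRACE DUMP ENDS HERE *********************************
(2024-07-24 09:07:42): [krb5_child[1003]] [main] (0x3f7c0): [RID#13] PAC check is requested but krb5_validate is set to false. PAC checks will be skipped.
"""

if __name__ == "__main__":
    print(summarise(SAMPLE_LOG))
    print(strip_backtraces(SAMPLE_LOG))
```

On the sample, the summary reports three PAC notices (one per login), one dump with four buffered lines, and a single triggering error; the filtered copy keeps only the four directly printed lines. On a real capture, a PAC count equal to the number of logins confirms the notice is tied to krb5_validate rather than to any failure, while the ratio of backtrace lines to kept lines shows how much of the file is dump output.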