[SSSD-users] Re: Is there anything in the sssd RHEL server OS settings that performs LDAP binds or connections to AD every 30 mins?

2023-10-13 Thread Spike White
So Trellix did not accept this as a bug in their healthcheck script.  We
put in an RFE with them to do this healthcheck invocation using setpriv or
su -c, which doesn't trigger the LDAP queries.

Now we have an open case with RH Tech Support on this.  Basically, when
sudo is invoked as root and we have early in the /etc/sudoers file:

root    ALL=(ALL)       ALL

and then later on in /etc/sudoers file we have:

## Read drop-in files from /etc/sudoers.
#includedir /etc/sudoers.d

then sudo should not be making group membership queries to enumerate all
the various AD groups in /etc/sudoers.d/* files, which is triggering
multiple LDAP queries on thousands of servers -- all on the hour and
half-hour.

Spike

On Fri, Oct 6, 2023 at 12:16 PM Larkin, Patrick wrote:

> On 10/6/23, 11:52, "Sam Morris"  wrote:
> On 04/10/2023 17:02, Spike White wrote:
> > We see in other places in this McAfee script that they run this command
> > using 'su' instead of 'sudo'.
> >
> > su -s /bin/sh -c "LD_LIBRARY_PATH=...  ${PROGROOT}/bin/macmnsvc
> > status" mfe
> …
> > Anyway, it's McAfee's problem to fix now.  We'll report it and I'm sure
> > they'll figure out a solution.
>
> If they are root and want to drop privileges then they would be better
> served by runuser or setpriv. …
>
>
>
> …or start out as non-root user to begin with…
>
> (It’s a peeve of mine when security companies don’t follow best practice
> of elevating only if absolutely necessary.)
>
>
>
> --
>
> Pat Larkin | Manager – LinuxIMO
>
> Sabre  TEO | Texas USA
>
>
> ___
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>
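As an added example, not part of the thread and not sudo's or SSSD's own code, here is a small inventory of the group references sudo has to resolve across an #includedir. sudoers applies the last matching entry, so an early root rule does not stop sudo from reading every drop-in, and each %group (or %:AD-group) token is a membership lookup that goes through NSS and, with SSSD, potentially to AD. The script skips the file names sudo itself skips (ending in ~ or containing a dot), joins backslash continuations and ignores comments and Defaults lines. The fragment contents and file names are constructed for the example.

```python
"""Inventory group references in sudoers drop-in fragments.

Added example, not code from the thread, sudo or SSSD: every '%group' token in
/etc/sudoers.d/* is a membership sudo may have to resolve through NSS (and so
SSSD/LDAP) when it parses sudoers, so counting them shows how much directory
traffic one 'sudo' invocation can imply on a host.  Run with no arguments it
inventories a constructed sample directory; pass a path to inspect a real one.
"""
import re
import sys
import tempfile
from pathlib import Path

# A '%' token: either quoted ("%:Domain Admins") or bare with backslash-escaped
# spaces (%:Domain\ Ops).  '%:' marks a non-Unix (e.g. AD) group.
_GROUP_TOKEN = re.compile(r'"(%[^"]*)"|(%(?:\\.|[^\s,=\\"])+)')

# Constructed sample fragments standing in for /etc/sudoers.d/* (not from the thread).
SAMPLE_FRAGMENTS = {
    "10-admins": "%linux-admins\tALL=(ALL)\tALL\n",
    "20-dba": "# DBAs may restart the database\n"
              "%dba_team ALL=(oracle) NOPASSWD: /usr/bin/systemctl restart oracle\n",
    "30-app": "%app-ops, %app-devs ALL=(appuser) /usr/bin/systemctl status app  # trailing comment\n"
              "\"%:Domain Admins\" ALL=(ALL) ALL\n",
    "40-alias": "User_Alias OPS = %ops_team, \\\n    %:AD\\ Ops\nOPS ALL=(ALL) ALL\n",
    "50-backup~": "%backup-admins ALL=(ALL) ALL\n",   # editor backup: sudo ignores it
    "60-old.bak": "%legacy ALL=(ALL) ALL\n",          # contains '.': sudo ignores it
}


def includedir_files(directory):
    """Files sudo reads from an #includedir: sudoers(5) skips names that end in
    '~' or contain a '.', and reads the rest in lexical order."""
    return sorted(p for p in Path(directory).iterdir()
                  if p.is_file() and not p.name.endswith("~") and "." not in p.name)


def logical_lines(text):
    """Yield sudoers lines with backslash continuations joined and comments
    removed ('#include*' directives are kept; '#uid' user specs are not handled)."""
    buf = ""
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        line = re.sub(r"\s+#.*$", "", buf + raw).strip()
        buf = ""
        if line and (not line.startswith("#") or line.startswith("#include")):
            yield line
    if buf.strip():
        yield buf.strip()


def group_refs(text):
    """Return the group tokens referenced by the rules in one fragment, in order."""
    refs = []
    for line in logical_lines(text):
        if line.startswith(("#include", "Defaults")):
            continue  # no membership lookups in include directives or Defaults
        for quoted, bare in _GROUP_TOKEN.findall(line):
            refs.append(quoted or bare.replace("\\ ", " "))
    return refs


def inventory(directory):
    """Map fragment name -> group refs, plus the sorted set of distinct groups."""
    per_file = {p.name: group_refs(p.read_text()) for p in includedir_files(directory)}
    distinct = sorted({g for refs in per_file.values() for g in refs})
    return per_file, distinct


def demo():
    """Inventory the constructed SAMPLE_FRAGMENTS from a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLE_FRAGMENTS.items():
            Path(tmp, name).write_text(body)
        return inventory(tmp)


if __name__ == "__main__":
    per_file, distinct = inventory(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for name, refs in per_file.items():
        print(f"{name}: {', '.join(refs) or '(no group references)'}")
    print(f"{len(distinct)} distinct group(s) sudo may need to resolve: {', '.join(distinct)}")
```

Run it against /etc/sudoers.d on an affected host to get the count of distinct groups; comparing that number with the LDAP searches seen at the hour and half-hour is a quick check on whether the health check's sudo call is the source of the traffic.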


[SSSD-users] Internal credentials cache error while getting initial credentials

2023-10-13 Thread Albert Szostkiewicz
Hey,
Need some help here, I am unable to log in. When trying to use kinit on my
user, I am getting an error:
kinit: Failed to store credentials: Internal credentials cache error while 
getting initial credentials

sssd runs. The log shows:
Oct 13 20:32:59 user.mydomain.com krb5_child[4846]: Internal credentials cache 
error


sssd_kcm.log states:
  *  (2023-10-13 21:17:43): [kcm] [local_db_check_peruid_number_of_secrets] (0x0040): [CID#8708] Cannot store any more secrets for this client (basedn cn=190741,cn=persistent,cn=kcm) as the maximum allowed limit (66) has been reached
** BACKTRACE DUMP ENDS HERE *

(2023-10-13 21:17:43): [kcm] [sss_sec_update] (0x0040): [CID#8708] local_db_check_number_of_secrets failed [1432158289]: The maximum number of stored secrets has been reached
(2023-10-13 21:17:43): [kcm] [sec_update] (0x0040): [CID#8708] Cannot write the secret [1432158289]: The maximum number of stored secrets has been reached
** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
   *  (2023-10-13 21:17:43): [kcm] [sss_sec_update] (0x0040): [CID#8708] local_db_check_number_of_secrets failed [1432158289]: The maximum number of stored secrets has been reached
   *  (2023-10-13 21:17:43): [kcm] [sec_update] (0x0040): [CID#8708] Cannot write the secret [1432158289]: The maximum number of stored secrets has been reached
** BACKTRACE DUMP ENDS HERE *

(2023-10-13 21:17:43): [kcm] [kcm_ccdb_mod_done] (0x0040): [CID#8708] Failed to create ccache [1432158289]: The maximum number of stored secrets has been reached
(2023-10-13 21:17:43): [kcm] [kcm_op_set_kdc_offset_mod_done] (0x0040): [CID#8708] Cannot modify ccache [1432158289]: The maximum number of stored secrets has been reached
** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
   *  (2023-10-13 21:17:43): [kcm] [kcm_ccdb_mod_done] (0x0040): [CID#8708] Failed to create ccache [1432158289]: The maximum number of stored secrets has been reached
   *  (2023-10-13 21:17:43): [kcm] [kcm_op_set_kdc_offset_mod_done] (0x0040): [CID#8708] Cannot modify ccache [1432158289]: The maximum number of stored secrets has been reached
** BACKTRACE DUMP ENDS HERE *

(2023-10-13 21:17:43): [kcm] [kcm_cmd_done] (0x0040): [CID#8708] op receive function failed [1432158289]: The maximum number of stored secrets has been reached
(2023-10-13 21:17:43): [kcm] [kcm_cmd_request_done] (0x0040): [CID#8708] KCM operation failed [1432158289]: The maximum number of stored secrets has been reached
** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
   *  (2023-10-13 21:17:43): [kcm] [kcm_cmd_done] (0x0040): [CID#8708] op receive function failed [1432158289]: The maximum number of stored secrets has been reached
   *  (2023-10-13 21:17:43): [kcm] [kcm_cmd_request_done] (0x0040): [CID#8708] KCM operation failed [1432158289]: The maximum number of stored secrets has been reached
** BACKTRACE DUMP ENDS HERE *

KRB5_TRACE=/dev/stderr ipa --debug ping

ipa: DEBUG: importing plugin module ipaclient.plugins.trust
ipa: DEBUG: importing plugin module ipaclient.plugins.user
ipa: DEBUG: importing plugin module ipaclient.plugins.vault
ipa: DEBUG: trying https://workstation.mydomain.com/ipa/json
ipa: DEBUG: Created connection context.rpcclient_140066561958480
ipa: DEBUG: raw: ping(version='2.252')
ipa: DEBUG: ping(version='2.252')
ipa: DEBUG: [try 1]: Forwarding 'ping/1' to json server 
'https://workstation.mydomain.com/ipa/json'
ipa: DEBUG: New HTTP connection (workstation.mydomain.com)
ipa: DEBUG: HTTP connection destroyed (workstation.mydomain.com)
Traceback (most recent call last):
  File "/usr/lib/python3.11/site-packages/ipalib/rpc.py", line 644, in get_auth_info
    response = self._sec_context.step()
  File "/usr/lib/python3.11/site-packages/decorator.py", line 232, in fun
    return caller(func, *(extras + args), **kw)
  File "/usr/lib64/python3.11/site-packages/gssapi/_utils.py", line 165, in check_last_err
    return func(self, *args, **kwargs)
  File "/usr/lib/python3.11/site-packages/decorator.py", line 232, in fun
    return caller(func, *(extras + args), **kw)
  File "/usr/lib64/python3.11/site-packages/gssapi/_utils.py", line 131, in catch_and_return_token
    return func(self, *args, **kwargs)
  File "/usr/lib64/python3.11/site-packages/gssapi/sec_contexts.py", line 584, in step
    return self._initiator_step(token=token)
  File "/usr/lib64/python3.11/site-packages/gssapi/sec_contexts.py", line 606, in
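
The sssd_kcm.log excerpt above is KCM's per-UID quota check failing: the basedn names the UID (190741), the message carries the limit (66), and every later operation for the same CID fails with the same errno (1432158289). The following script, an added example and not SSSD's own tooling, parses such records, ignores the repeated backtrace lines and banners, attributes each failed operation to a UID through the request's CID, and reports per UID how often the limit was hit and when. The sample log is constructed after the records in the post; the second event (CID 8712, 21:18:05) is made up.

```python
"""Triage the per-UID secret/ccache limit in sssd_kcm.log.

Added example, not code from the thread or from SSSD: it parses KCM debug log
records, drops the '*'-prefixed backtrace repeats and banners, attributes each
failed operation to a UID through the request's CID, and reports how often each
UID hit its limit and when.  The sample below is constructed after the records
in the post (the second event, CID 8712, is made up).
"""
import re

# Constructed sample (modelled on the post's excerpt; not the poster's full log).
SAMPLE_LOG = """\
(2023-10-13 21:17:43): [kcm] [local_db_check_peruid_number_of_secrets] (0x0040): [CID#8708] Cannot store any more secrets for this client (basedn cn=190741,cn=persistent,cn=kcm) as the maximum allowed limit (66) has been reached
(2023-10-13 21:17:43): [kcm] [sss_sec_update] (0x0040): [CID#8708] local_db_check_number_of_secrets failed [1432158289]: The maximum number of stored secrets has been reached
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
   *  (2023-10-13 21:17:43): [kcm] [sss_sec_update] (0x0040): [CID#8708] local_db_check_number_of_secrets failed [1432158289]: The maximum number of stored secrets has been reached
********************** BACKTRACE DUMP ENDS HERE **********************************
(2023-10-13 21:17:43): [kcm] [kcm_ccdb_mod_done] (0x0040): [CID#8708] Failed to create ccache [1432158289]: The maximum number of stored secrets has been reached
(2023-10-13 21:17:43): [kcm] [kcm_cmd_request_done] (0x0040): [CID#8708] KCM operation failed [1432158289]: The maximum number of stored secrets has been reached
(2023-10-13 21:18:05): [kcm] [local_db_check_peruid_number_of_secrets] (0x0040): [CID#8712] Cannot store any more secrets for this client (basedn cn=190741,cn=persistent,cn=kcm) as the maximum allowed limit (66) has been reached
(2023-10-13 21:18:05): [kcm] [kcm_cmd_request_done] (0x0040): [CID#8712] KCM operation failed [1432158289]: The maximum number of stored secrets has been reached
"""

# One KCM debug record: (timestamp): [kcm] [function] (level): [CID#n] message
RECORD = re.compile(
    r"^\((?P<ts>[^)]*)\): \[kcm\] \[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\):"
    r"(?: \[CID#(?P<cid>\d+)\])? (?P<msg>.*)$")
# The per-UID limit message; the UID is the cn under cn=persistent,cn=kcm.
LIMIT_HIT = re.compile(
    r"basedn cn=(?P<uid>\d+),cn=persistent,cn=kcm\) as the maximum allowed limit "
    r"\((?P<limit>\d+)\) has been reached")
ERR_MAX_SECRETS = "[1432158289]"   # errno SSSD prints for this condition


def records(log_text):
    """Parse records, skipping backtrace banners and the '*'-prefixed repeats."""
    out = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue
        m = RECORD.match(line)
        if m:
            out.append(m.groupdict())
    return out


def summarize(log_text):
    """Per UID: configured limit, how many requests hit it, how many operations
    failed with the max-secrets errno, and the first/last timestamps."""
    cid_to_uid = {}
    per_uid = {}
    for rec in records(log_text):
        hit = LIMIT_HIT.search(rec["msg"])
        if hit:
            uid = hit["uid"]
            cid_to_uid[rec["cid"]] = uid
            entry = per_uid.setdefault(uid, {
                "limit": int(hit["limit"]), "hits": 0, "failed_ops": 0,
                "cids": [], "first_seen": rec["ts"], "last_seen": rec["ts"]})
            entry["hits"] += 1
            entry["cids"].append(rec["cid"])
            entry["last_seen"] = rec["ts"]
        elif ERR_MAX_SECRETS in rec["msg"] and rec["cid"] in cid_to_uid:
            entry = per_uid[cid_to_uid[rec["cid"]]]
            entry["failed_ops"] += 1
            entry["last_seen"] = rec["ts"]
    return per_uid


def report(per_uid):
    """Human-readable lines, one per affected UID."""
    return [f"uid {uid}: per-UID limit {e['limit']} hit {e['hits']} time(s) "
            f"(CIDs {', '.join(e['cids'])}); {e['failed_ops']} KCM operation(s) failed "
            f"between {e['first_seen']} and {e['last_seen']}"
            for uid, e in per_uid.items()]


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print("\n".join(report(summarize(text))) or "no per-UID limit events found")
```

On a real host, point it at /var/log/sssd/sssd_kcm.log. The limit is a [kcm] quota (max_uid_ccaches in sssd-kcm(5)); before raising it, list the caches that UID holds with klist -A as that user and remove stale ones with kdestroy -A, since caches accumulate in the KCM collection until they are destroyed.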

[SSSD-users] Re: Internal credentials cache error while getting initial credentials

2023-10-13 Thread Albert Szostkiewicz
Tried kdestroy as well; that did not help.

But one thing did help now: I did kinit admin, and then kinit user (which
also had the admin role); this time it worked and all came back to normal.
Thanks!