sssd experts,

We have a “nuisance-level” problem with RHEL8 physical builds after
AD-integrating via sssd.  How do I stop certain annoying messages in
/var/log/messages?

This RHEL8 physical build properly creates an /etc/krb5.keytab file with
the expected host entries.  Here’s the snippet from ktutil:

[root@austgcore25 log]# cd /etc
[root@austgcore25 etc]# ktutil
ktutil:  read_kt /etc/krb5.keytab
ktutil:  list -t -e -k
slot KVNO Timestamp         Principal
---- ---- ----------------- ---------------------------------------------------
…
   6   16 07/03/2019 21:31            host/austgcor...@amer.example.com (des-cbc-crc)  (0xbf3d37462967e65e)
   7   16 07/03/2019 21:31            host/austgcor...@amer.example.com (des-cbc-md5)  (0xbf3d37462967e65e)
   8   16 07/03/2019 21:31            host/austgcor...@amer.example.com (arcfour-hmac)  (0xa21feefac524db9e82f3e38e73551c28)
   9   16 07/03/2019 21:31            host/austgcor...@amer.example.com (aes128-cts-hmac-sha1-96)  (0x196ff6a33ef6284bb432f97cf36e737c)
  10   16 07/03/2019 21:31            host/austgcor...@amer.example.com (aes256-cts-hmac-sha1-96)  (0xadd866228352701a94f5cd40d76ed886a7fe084b2f7a90981b16d19f14962e3b)
…

The AD integration seems to work fine.  I can log in with my AD account no
problem.  Even after reboots.  (cross domain authentication temporarily not
working on this build, likely unrelated.)

However, we continue to get the complaints in /var/log/messages:

Jul  8 11:38:25 austgcore25 [sssd[ldap_child[1816]]][1816]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client 'host/austgcor...@amer.example.com' not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP connection.
Jul  8 11:38:26 austgcore25 [sssd[ldap_child[1817]]][1817]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client 'host/austgcor...@amer.example.com' not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP connection.

I notice it’s attempting to use MEMORY:/etc/krb5.keytab.

How do I stop these annoying messages in /var/log/messages? We have multiple
AD domains defined in our sssd.conf file for this cross-domain auth.  (Usually,
cross-domain auth works fine for us.)

Spike
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org