On Tue, Mar 17, 2020 at 09:41:16AM -0000, Hristina Marosevic wrote:
> > On Thu, Mar 12, 2020 at 03:13:57PM -0000, Hristina Marosevic wrote:
> > 
> > Hi,
> > 
> > the file should be in the SSSD log directory, so typically
> > /var/log/sssd/p11_child.log.
> > 
> > Since it does not exist, p11_child was not called to validate the
> > certificates. In this case sssd_ssh.log is the only source of
> > information. Feel free to send the file or the part of the log file
> > which covers the time where sss_ssh_authorized_keys was called.
> > 
> > bye,
> > Sumit
> 
> 
> 
> Hello,
> 
> command: /usr/bin/sss_ssh_authorizedkeys IIN32000000001
> 
> output:
> (Tue Mar 17 10:39:34 2020) [sssd[ssh]] [get_client_cred] (0x4000): Client creds: euid[0] egid[0] pid[24441].
> (Tue Mar 17 10:39:34 2020) [sssd[ssh]] [get_client_cred] (0x0080): The following failure is expected to happen in case SELinux is disabled:
> SELINUX_getpeercon failed [92][Protocol not available].
> Please, consider enabling SELinux in your system.
> (Tue Mar 17 10:39:34 2020) [sssd[ssh]] [setup_client_idle_timer] (0x4000): Idle timer re-set for client [0x55e6a3217350][18]
> (Tue Mar 17 10:39:34 2020) [sssd[ssh]] [accept_fd_handler] (0x0400): Client connected!
> (Tue Mar 17 10:39:34 2020) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Received client version [0].
> (Tue Mar 17 10:39:34 2020) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Offered version [0].
> (Tue Mar 17 10:39:34 2020) [sssd[ssh]] [ssh_protocol_parse_request] (0x0400): Requested domain [<ALL>]
> (Tue Mar 17 10:39:34 2020) [sssd[ssh]] [ssh_cmd_get_user_pubkeys] (0x0400): Requesting SSH user public keys for [IIN32000000001] from [<ALL>]
> ....
> 
> (Tue Mar 17 10:39:34 2020) [sssd[ssh]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [24442]
> (Tue Mar 17 10:39:34 2020) [sssd[ssh]] [child_handler_setup] (0x2000): Signal handler set up for pid [24442]
> (Tue Mar 17 10:39:34 2020) [sssd[ssh]] [child_sig_handler] (0x1000): Waiting for child [24442].
> (Tue Mar 17 10:39:34 2020) [sssd[ssh]] [child_sig_handler] (0x0020): child [24442] failed with status [1].
> (Tue Mar 17 10:39:34 2020) [sssd[ssh]] [cert_to_ssh_key_done] (0x0040): /usr/libexec/sssd/p11_child failed with status [256]

Hi,

so p11_child is really called, but as you said earlier there are no logs.

This might e.g. be a permission issue, please check the permissions on
/var/log/sssd if you see anything odd. For me it looks like:

drwxr-x---.  2 root root      system_u:object_r:sssd_var_log_t:s0    4096 Mar 17 09:09 .
drwxr-xr-x. 12 root root      system_u:object_r:var_log_t:s0         4096 Mar 15 03:27 ..
-rw-------.  1 root root      system_u:object_r:sssd_var_log_t:s0  221452 Mar 17 09:19 krb5_child.log
-rw-------.  1 root root      system_u:object_r:sssd_var_log_t:s0 1069023 Mar 17 11:16 ldap_child.log
-rw-------.  1 root root      system_u:object_r:sssd_var_log_t:s0       0 Mar 16 10:31 p11_child.log
-rw-------.  1 root root      system_u:object_r:sssd_var_log_t:s0   14816 Mar 17 09:19 selinux_child.log
-rw-------.  1 root root      system_u:object_r:sssd_var_log_t:s0     623 Mar 16 10:31 sssd.log
-rw-------.  1 root root      system_u:object_r:sssd_var_log_t:s0       0 Mar 16 10:31 sssd_nss.log
-rw-------.  1 root root      system_u:object_r:sssd_var_log_t:s0       0 Mar 16 10:31 sssd_pac.log
-rw-------.  1 root root      system_u:object_r:sssd_var_log_t:s0  490679 Mar 17 11:18 sssd_pam.log
-rw-------.  1 root root      system_u:object_r:sssd_var_log_t:s0 6723166 Mar 17 11:18 sssd_ipa.devel.log
-rw-------.  1 root root      system_u:object_r:sssd_var_log_t:s0       0 Mar 16 10:31 sssd_ssh.log
-rw-------.  1 root root      system_u:object_r:sssd_var_log_t:s0       0 Mar 16 10:31 sssd_sudo.log


The next step would be to check what failed with strace. For this call

    mkdir /tmp/strace_data
    strace -ff -s 1024 -o /tmp/strace_data/strace_ -p $(pidof /usr/libexec/sssd/sssd_ssh)

in one terminal, then call 'sss_ssh_authorizedkeys IIN32000000001' in a different
terminal. After calling sss_ssh_authorizedkeys you can stop the strace command
with CTRL-C. In /tmp/strace_data there should be at least 2 files, one for the
main sssd_ssh process and the other for p11_child; please send both (if there
are more than 2, please send all).

bye,
Sumit

> (Tue Mar 17 10:39:34 2020) [sssd[ssh]] [cert_to_ssh_key_done] (0x0080): Certificate [<base64 certificate omitted>] is not valid.
> (Tue Mar 17 10:39:34 2020) [sssd[ssh]] [ssh_protocol_done] (0x4000): Sending reply: success
> (Tue Mar 17 10:39:34 2020) [sssd[ssh]] [client_recv] (0x0200): Client disconnected!
> (Tue Mar 17 10:39:34 2020) [sssd[ssh]] [client_close_fn] (0x2000): Terminated client [0x55e6a3217350][18]
> 
> In /etc/sssd/sssd.conf certificate verification and ocsp are disabled:
> "certificate_verification = no_ocsp, no_verification" is added in [sssd] 
> section of sssd configuration file
> 
> 
> BR,
> Hristina
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
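As an added illustration (not code from this thread or from the SSSD project): a small Python parser for the sssd_ssh.log debug format quoted above. It joins the continuation line of the "Certificate [...] is not valid" message, extracts the child exit code that child_sig_handler logs (1) alongside the raw wait status that cert_to_ssh_key_done logs (256), and confirms both describe the same exit code 1, while also noting that the client is still sent "success". The sample log is constructed from the lines in this thread, with the certificate body replaced by a placeholder.

```python
import re
# Constructed sample modelled on the sssd_ssh.log lines quoted in this thread
# (the certificate body is a placeholder, not a real certificate).
SAMPLE_LOG = """\
(Tue Mar 17 10:39:34 2020) [sssd[ssh]] [child_sig_handler] (0x0020): child [24442] failed with status [1].
(Tue Mar 17 10:39:34 2020) [sssd[ssh]] [cert_to_ssh_key_done] (0x0040): /usr/libexec/sssd/p11_child failed with status [256]
(Tue Mar 17 10:39:34 2020) [sssd[ssh]] [cert_to_ssh_key_done] (0x0080): Certificate [MIIC...placeholder...]
 is not valid.
(Tue Mar 17 10:39:34 2020) [sssd[ssh]] [ssh_protocol_done] (0x4000): Sending reply: success
"""

# One SSSD debug line: "(timestamp) [process] [function] (0xLEVEL): message"
LINE_RE = re.compile(r"^\((?P<ts>[^)]*)\) \[(?P<proc>.+?)\] \[(?P<func>[^\]]+)\] "
                     r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
CHILD_RE = re.compile(r"child \[(?P<pid>\d+)\] failed with status \[(?P<code>\d+)\]")
HELPER_RE = re.compile(r"(?P<path>/\S+) failed with status \[(?P<status>\d+)\]")
CERT_RE = re.compile(r"Certificate \[.*\] is not valid")

def parse_sssd_log(text):
    """Split debug output into dicts; a line without a header continues the previous message."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            entries.append(m.groupdict())
            entries[-1]["level"] = int(entries[-1]["level"], 16)
        elif entries and raw.strip():
            entries[-1]["msg"] += " " + raw.strip()
    return entries

def decode_wait_status(status):
    """Decode a raw wait(2) status: low 7 bits name a signal, else bits 8-15 hold the exit code."""
    if status & 0x7F:
        return ("signaled", status & 0x7F)
    return ("exited", (status >> 8) & 0xFF)

def summarize(entries):
    """Collect helper exit codes, rejected certificates and the reply sent to the client."""
    out = {"child_exit": {}, "helper_exit": {}, "rejected_certs": 0, "reply": None}
    for e in entries:
        if m := CHILD_RE.search(e["msg"]):
            out["child_exit"][int(m["pid"])] = int(m["code"])  # logged as an exit code (1)
        elif m := HELPER_RE.search(e["msg"]):
            out["helper_exit"][m["path"]] = decode_wait_status(int(m["status"]))  # raw status (256)
        elif CERT_RE.search(e["msg"]):
            out["rejected_certs"] += 1
        elif e["func"] == "ssh_protocol_done" and e["msg"].startswith("Sending reply:"):
            out["reply"] = e["msg"].split(":", 1)[1].strip()
    return out
```

Run it over a real sssd_ssh.log to see whether p11_child exits non-zero while the client still receives "success" with an empty key list; that combination is the signature of the situation in this thread.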