Hi,

I built and installed sssd from sources. I got more logs:
https://gist.github.com/pszafer/7ab47cd7d4de05f965f4c8e9985af8fa#file-krb5_child-log-not-working-with-krb5-trace

Is this important? -> "PKINIT client has no configured identity; giving up"

In Centos there are lines in krb5 conf, I think this is the reason above is giving up.

pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
spake_preauth_groups = edwards25519

Are those important?

This function is never called in Arch (line is from centos):

[krb5_child[50670]] [sss_krb5_expire_callback_func] (0x2000): exp_time: [375772]

How to find why this function is never called?

-----
Pawel

On Tue, 16 Feb 2021 at 17:38, Paweł Szafer <[email protected]> wrote:

> Thanks for the response!
>
> Commenting out "udp_preference_limit" doesn't change anything
> unfortunately...
> I will rebuild sssd from source, so I can get more meaningful logs.
>
> -----
> Pawel
>
> On Tue, 16 Feb 2021 at 17:20, Sumit Bose <[email protected]> wrote:
>
>> On Tue, Feb 16, 2021 at 03:46:38PM +0100, Paweł Szafer wrote:
>> > Hi again,
>> > I installed Centos 8 to test if warning is working and on Centos it is
>> > working properly.
>> >
>> > In Arch I never get line with check "sss_krb5_expire_callback_func"
>> >
>> > Here are logs and config compared:
>> > https://gist.github.com/pszafer/7ab47cd7d4de05f965f4c8e9985af8fa (can't
>> > attach it to email, too big).
>> > Maybe you can find out if it's something with config or maybe Arch
>> > compilation of krb5 or sssd.
>>
>> Hi,
>>
>> this might be possible. As seen in
>>
>> https://github.com/archlinux/svntogit-community/blob/packages/sssd/trunk/PKGBUILD
>> the HAVE_KRB5_SET_TRACE_CALLBACK is removed from config.h which would
>> explain the missing krb5 trace messages in the logs.
>>
>> The expiration callback is used conditionally, but the related call is
>> available since MIT Kerberos version 1.9. Can you check the configure
>> output
>>
>> ......
>> checking for krb5_get_error_message... yes
>> checking for krb5_free_unparsed_name... yes
>> checking for krb5_get_init_creds_opt_set_expire_callback... yes  <<<----
>> checking for krb5_get_init_creds_opt_set_fast_ccache_name... yes
>> checking for krb5_get_init_creds_opt_set_fast_flags... yes
>> checking for krb5_get_init_creds_opt_set_canonicalize... yes
>> ......
>>
>> But even if krb5_get_init_creds_opt_set_expire_callback is not available
>> I would expect a message in the debug logs.
>>
>> In krb5.conf on Arch there is
>>
>> [libdefaults]
>> udp_preference_limit = 0
>>
>> which is not present on Centos. I wonder if you can comment out those
>> two lines for testing. I would be surprised if this would change
>> anything but it is the only difference which might be related.
>>
>> bye,
>> Sumit
>>
>> > -----
>> > Pawel
>> >
>> > On Mon, 15 Feb 2021 at 11:13, Paweł Szafer <[email protected]> wrote:
>> >
>> > > yes, typo, sorry. It's valid till 20.02.2021.
>> > > Unfortunately I cannot find anything about password expiration in the
>> > > sssd logs.
>> > >
>> > > Pawel
>> > >
>> > > On Mon, 15 Feb 2021, 11:08, Tomas Halman <[email protected]> wrote:
>> > >
>> > >> On Sat, Feb 13, 2021 at 6:22 PM Paweł Szafer <[email protected]> wrote:
>> > >>
>> > >>> User has password valid till 20.02.2020 and yet I don't have any
>> > >>> warning.
>> > >>
>> > >> Is that just a typo? 20.02.2020 is a year ago...
>> > >>
>> > >> Tomas
>> > >> _______________________________________________
>> > >> sssd-users mailing list -- [email protected]
>> > >> To unsubscribe send an email to [email protected]
>> > >> Fedora Code of Conduct:
>> > >> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> > >> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> > >> List Archives:
>> > >> https://lists.fedorahosted.org/archives/list/[email protected]
>> > >> Do not reply to spam on the list, report it:
>> > >> https://pagure.io/fedora-infrastructure
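Added example (not part of the thread and not sssd or Arch packaging code): a shell check that tells apart the three states a krb5 feature macro can have in a build tree's config.h, which is the distinction the quoted reply draws between a configure check that failed and a macro removed afterwards. The macro name for the expire callback is an assumption derived from autoconf's HAVE_<FUNCTION> naming, and the config.h content is a constructed sample.

```shell
#!/bin/sh
# Added example: classify krb5 feature macros in an autoconf-generated config.h.
# HAVE_KRB5_SET_TRACE_CALLBACK is quoted in the thread; the second name is an
# assumption built from autoconf's HAVE_<FUNCTION> convention.
KRB5_MACROS="HAVE_KRB5_SET_TRACE_CALLBACK HAVE_KRB5_GET_INIT_CREDS_OPT_SET_EXPIRE_CALLBACK"

# macro_state FILE MACRO: prints defined | undefined | missing
macro_state() {
    if grep -Eq "^[[:space:]]*#[[:space:]]*define[[:space:]]+$2([[:space:]]|\$)" "$1"; then
        echo defined
    elif grep -Eq "^/\*[[:space:]]*#[[:space:]]*undef[[:space:]]+$2[[:space:]]*\*/" "$1"; then
        echo undefined   # configure ran the check and the function was not found
    else
        echo missing     # no line at all, e.g. deleted from config.h after configure
    fi
}

# check_config_h FILE: one "MACRO state" line per macro; returns 1 unless all are defined
check_config_h() {
    rc=0
    for m in $KRB5_MACROS; do
        s=$(macro_state "$1" "$m")
        echo "$m $s"
        [ "$s" = defined ] || rc=1
    done
    return "$rc"
}

# make_sample FILE: writes a constructed config.h fragment (not from a real build)
make_sample() {
    cat > "$1" <<'EOF'
/* constructed sample config.h */
#define HAVE_KRB5_GET_ERROR_MESSAGE 1
#define HAVE_KRB5_GET_INIT_CREDS_OPT_SET_EXPIRE_CALLBACK 1
/* #undef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_FAST_FLAGS */
EOF
}

# Demo on the sample; pass a real build-tree config.h as $1 to check that instead.
cfg=${1:-}
if [ -z "$cfg" ]; then cfg=$(mktemp); make_sample "$cfg"; tmp=$cfg; fi
check_config_h "$cfg" || echo "=> not every krb5 feature macro is defined in $cfg"
[ -z "${tmp:-}" ] || rm -f "$tmp"
```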
