On Wed, Feb 17, 2021 at 12:43:09PM +0100, Paweł Szafer wrote: > Hi, > I built and installed sssd from sources. > I got more logs: > https://gist.github.com/pszafer/7ab47cd7d4de05f965f4c8e9985af8fa#file-krb5_child-log-not-working-with-krb5-trace > > Is this important? -> "PKINIT client has no configured identity; giving up" > In Centos there are lines in krb5 conf, I think this is the reason above is > giving up. > > pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt > spake_preauth_groups = edwards25519 > > Are those important? > > This function is never called in Arch (line is from centos): > > [krb5_child[50670]] [sss_krb5_expire_callback_func] (0x2000): exp_time: > [375772] > > How to find why this function is never called?
Hi, it looks like I'm getting old, I forgot about https://krbdev.mit.edu/rt/Ticket/Display.html?id=8893 which is an issue in MIT Kerberos which should be fixed in 1.19 but might not yet fixed in Arch Linux. As a workaround you can try to use 'auth_provider = krb5' but please note the different defaults for krb5_validate and krb5_use_enterprise_principal as mentioned in man sssd-ad. With 'auth_provider = ad' some different MIT Kerberos APIs are used to get more details from AD, unfortunately due to #8893 the expiration time is lost in this case. HTH bye, Sumit > > ----- > Pawel > > > > wt., 16 lut 2021 o 17:38 Paweł Szafer <[email protected]> napisał(a): > > > Thanks for the response! > > > > Commenting out "udp_preference_limit" doesn't change anything > > unfortunately... > > I will rebuild sssd from source, so I can get more meaningful logs. > > > > ----- > > Pawel > > > > > > > > wt., 16 lut 2021 o 17:20 Sumit Bose <[email protected]> napisał(a): > > > >> On Tue, Feb 16, 2021 at 03:46:38PM +0100, Paweł Szafer wrote: > >> > Hi again, > >> > I installed Centos 8 to test if warning is working and on Centos it is > >> > working properly. > >> > > >> > In Arch I never get line with check "sss_krb5_expire_callback_func" > >> > > >> > Here are logs and config compared: > >> > https://gist.github.com/pszafer/7ab47cd7d4de05f965f4c8e9985af8fa (can't > >> > attach it to email, too big). > >> > Maybe you can find out if it's something with config or maybe Arch > >> > compilation of krb5 or sssd. > >> > >> Hi, > >> > >> this might be possible. If seen in > >> > >> https://github.com/archlinux/svntogit-community/blob/packages/sssd/trunk/PKGBUILD > >> the HAVE_KRB5_SET_TRACE_CALLBACK is removed from config.h which would > >> explain the missing krb5 trace messages in the logs. > >> > >> The expiration callback is used conditionally, but the related call is > >> available since MIT Kerberos version 1.9. Can you check the configure > >> output > >> > >> ...... > >> checking for krb5_get_error_message... yes > >> checking for krb5_free_unparsed_name... yes > >> checking for krb5_get_init_creds_opt_set_expire_callback... yes > >> <<<---- > >> checking for krb5_get_init_creds_opt_set_fast_ccache_name... yes > >> checking for krb5_get_init_creds_opt_set_fast_flags... yes > >> checking for krb5_get_init_creds_opt_set_canonicalize... yes > >> ...... > >> > >> But even if krb5_get_init_creds_opt_set_expire_callback is not available > >> I would expect a message in the debug logs. > >> > >> > >> In krb5.conf on Arch there is > >> > >> [libdefaults] > >> udp_preference_limit = 0 > >> > >> which is not present on Centos. I wonder if you can comment out those > >> two lines for testing. I would be surprised if this would change > >> anything but it is the only difference which might be related. > >> > >> bye, > >> Sumit > >> > >> > > >> > ----- > >> > Pawel > >> > > >> > > >> > > >> > pon., 15 lut 2021 o 11:13 Paweł Szafer <[email protected]> napisał(a): > >> > > >> > > yes, typo, sorry. It's valid till 20.02.2021. > >> > > Unfortunately I cannot find anything about password expiration in the > >> sssd > >> > > logs. > >> > > > >> > > Pawel > >> > > > >> > > pon., 15 lut 2021, 11:08 użytkownik Tomas Halman <[email protected]> > >> > > napisał: > >> > > > >> > >> > >> > >> > >> > >> On Sat, Feb 13, 2021 at 6:22 PM Paweł Szafer <[email protected]> > >> wrote: > >> > >> > >> > >>> > >> > >>> > User has password valid till 20.02.2020 and yet I don't have any > >> > >>>> warning. > >> > >>>> > >> > >>> > >> > >> Is that just a typo? 20.02.2020 is a year ago... > >> > >> > >> > >> Tomas > >> > >> _______________________________________________ > >> > >> sssd-users mailing list -- [email protected] > >> > >> To unsubscribe send an email to > >> [email protected] > >> > >> Fedora Code of Conduct: > >> > >> https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > >> > >> List Guidelines: > >> https://fedoraproject.org/wiki/Mailing_list_guidelines > >> > >> List Archives: > >> > >> > >> https://lists.fedorahosted.org/archives/list/[email protected] > >> > >> Do not reply to spam on the list, report it: > >> > >> https://pagure.io/fedora-infrastructure > >> > >> > >> > > > >> > >> > _______________________________________________ > >> > sssd-users mailing list -- [email protected] > >> > To unsubscribe send an email to [email protected] > >> > Fedora Code of Conduct: > >> https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > >> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > >> > List Archives: > >> https://lists.fedorahosted.org/archives/list/[email protected] > >> > Do not reply to spam on the list, report it: > >> https://pagure.io/fedora-infrastructure > >> _______________________________________________ > >> sssd-users mailing list -- [email protected] > >> To unsubscribe send an email to [email protected] > >> Fedora Code of Conduct: > >> https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > >> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > >> List Archives: > >> https://lists.fedorahosted.org/archives/list/[email protected] > >> Do not reply to spam on the list, report it: > >> https://pagure.io/fedora-infrastructure > >> > > > _______________________________________________ > sssd-users mailing list -- [email protected] > To unsubscribe send an email to [email protected] > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/[email protected] > Do not reply to spam on the list, report it: > https://pagure.io/fedora-infrastructure _______________________________________________ sssd-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
