All,

This is not a problem. But it is annoying; how do I make it go away?


Every time any user logs into any of our Linux servers, we get these
messages in the /var/log/sssd/krb5_child.log file:



(2024-07-23 11:20:44): [krb5_child[947088]] [main] (0x3f7c0): [RID#26239] PAC check is requested but krb5_validate is set to false. PAC checks will be skipped.

(2024-07-23 14:14:10): [krb5_child[970533]] [main] (0x3f7c0): [RID#27336] PAC check is requested but krb5_validate is set to false. PAC checks will be skipped.

(2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_get_init_creds_password] (0x0020): [RID#27336] 2193: [-1765328174][Pre-authentication failed: Cannot read password]

********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:

   *  (2024-07-23 14:14:10): [krb5_child[970533]] [main] (0x0400): [RID#27336] krb5_child started.
   *  (2024-07-23 14:14:10): [krb5_child[970533]] [unpack_buffer] (0x1000): [RID#27336] total buffer size: [92]
   *  (2024-07-23 14:14:10): [krb5_child[970533]] [unpack_buffer] (0x0100): [RID#27336] cmd [249 (pre-auth)] uid [2025431] gid [2025431] validate [false] enterprise principal [true] offline [false] UPN [admspike_wh...@amer.company.com]
   *  (2024-07-23 14:14:10): [krb5_child[970533]] [unpack_buffer] (0x0100): [RID#27336] ccname: [KCM:] old_ccname: [KCM:] keytab: [not set]
   *  (2024-07-23 14:14:10): [krb5_child[970533]] [check_keytab_name] (0x0400): [RID#27336] Missing krb5_keytab option for domain, looking for default one
   *  (2024-07-23 14:14:10): [krb5_child[970533]] [check_keytab_name] (0x0400): [RID#27336] krb5_kt_default_name() returned: FILE:/etc/krb5.keytab
   *  (2024-07-23 14:14:10): [krb5_child[970533]] [check_keytab_name] (0x0400): [RID#27336] krb5_child will default to: /etc/krb5.keytab
   *  (2024-07-23 14:14:10): [krb5_child[970533]] [check_use_fast] (0x0100): [RID#27336] Not using FAST.
   *  (2024-07-23 14:14:10): [krb5_child[970533]] [become_user] (0x0200): [RID#27336] Trying to become user [2025431][2025431].
   *  (2024-07-23 14:14:10): [krb5_child[970533]] [main] (0x2000): [RID#27336] Running as [2025431][2025431].
   *  (2024-07-23 14:14:10): [krb5_child[970533]] [set_lifetime_options] (0x0100): [RID#27336] No specific renewable lifetime requested.
   *  (2024-07-23 14:14:10): [krb5_child[970533]] [set_lifetime_options] (0x0100): [RID#27336] No specific lifetime requested.
   *  (2024-07-23 14:14:10): [krb5_child[970533]] [set_canonicalize_option] (0x0100): [RID#27336] Canonicalization is set to [true]
   *  (2024-07-23 14:14:10): [krb5_child[970533]] [main] (0x0400): [RID#27336] Will perform pre-auth
   *  (2024-07-23 14:14:10): [krb5_child[970533]] [tgt_req_child] (0x1000): [RID#27336] Attempting to get a TGT
   *  (2024-07-23 14:14:10): [krb5_child[970533]] [get_and_save_tgt] (0x0400): [RID#27336] Attempting kinit for realm [AMER.COMPANY.COM]
   *  (2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_responder] (0x4000): [RID#27336] Got question [password].
   *  (2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_prompter] (0x4000): [RID#27336] sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL.
   *  (2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_prompter] (0x4000): [RID#27336] Prompt [0][Password for AdmSpike_White\@amer.company....@amer.company.com].
   *  (2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_prompter] (0x0200): [RID#27336] Prompter interface isn't used for password prompts by SSSD.
   *  (2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_get_init_creds_password] (0x0020): [RID#27336] 2193: [-1765328174][Pre-authentication failed: Cannot read password]

********************** BACKTRACE DUMP ENDS HERE *********************************

(2024-07-23 14:14:10): [krb5_child[970534]] [main] (0x3f7c0): [RID#27337] PAC check is requested but krb5_validate is set to false. PAC checks will be skipped.



We’re OK with the krb5_validate message. We set:

krb5_validate = False

in the /etc/sssd/sssd.conf file because the KVNO of the host principal frequently gets out of sync between AD and the /etc/krb5.keytab file.

So we’re comfortable with that one line of logging. It’s all the rest of the logging that we’d prefer not to see.


How do we suppress them or eradicate the underlying condition that leads to
them appearing?


Here is our sssd.conf file.


[nss]
debug_backtrace_enabled = false
#debug_level = 9
filter_groups = root mfe bladelogic_linux_us...@amer.company.com bladelogic_linux_us...@emea.company.com bladelogic_linux_us...@apac.company.com bladelogic_linux_us...@japn.company.com bladelogic_linux_us...@company.com oracle
filter_users = root  mfe oracle

[sssd]
debug_backtrace_enabled = false
#debug_level = 9
domains = amer.company.com
domain_resolution_order = amer.company.com, emea.company.com, apac.company.com, japn.company.com, company.com
config_file_version = 2
services = nss,pam,ifp
reconnection_retries = 3
full_name_format = %1$s

[pam]
pam_verbosity = 3
#debug_level = 9
offline_credentials_expiration = 3

[ifp]
#debug_level = 9

[domain/amer.company.com]
filter_groups = root mfe bladelogic_linux_users oracle
sudo_provider = none
debug_backtrace_enabled = false
#debug_level = 9
ad_enabled_domains = company.com, amer.company.com, apac.company.com, emea.company.com, japn.company.com
ad_enabled_domains = amer.company.com, apac.company.com, emea.company.com, japn.company.com, company.com
# If you enable ignore_group_members, it gives a small perf win, but then
# "getent group XXX" shows no members.  Perf win not worth the lack of
# diagnostics.
#ignore_group_members = true
id_provider = ad
access_provider = simple
auth_provider = ad
default_shell = /bin/bash
ldap_id_mapping = False
auto_private_groups = True
realmd_tags = joined-with-adcli
cache_credentials = True

# Not set to true; Passwords stored in this way are kept in plaintext in the kernel keyring and are potentially accessible by the root user (with difficulty).
#krb5_store_password_if_offline = True
fallback_homedir = /home/%u
ldap_sasl_authid = host/austgcore17.us.company....@amer.company.com
dyndns_update = False
# Using tokengroups is usually a speed optimization
#ldap_use_tokengroups = False
ldap_search_base = dc=AMER,dc=COMPANY,dc=COM
ldap_force_upper_case_realm = True
# Set to False, because KVNO of host principal gets out of sync between
# AD and /etc/krb5.keytab file frequently.
krb5_validate = False
simple_allow_groups = amerlinux...@amer.company.com, amerlinux...@amer.company.com, emealinux...@emea.company.com, emealinux...@emea.company.com, apaclinux...@apac.company.com, apaclinux...@apac.company.com, gbllinuxsu...@amer.company.com, bladelogic_linux_us...@amer.company.com, prd-1004873-amer-dbspotu...@amer.company.com, pptsupport...@amer.company.com, unv_legato_adm...@amer.company.com, scheduling_glo...@amer.company.com, engit-e...@amer.company.com, amerlinuxengtfss...@amer.company.com, amerlnxsvcdelaut...@apac.company.com, iasnp...@amer.company.com, fnms_...@amer.company.com, zabbix-supp...@amer.company.com, globalinfosecops...@amer.company.com, prd-amer-fnmsops...@amer.company.com, amerlinuxeng
simple_allow_users = processehcprofi...@amer.company.com, svc_prdaut...@amer.company.com, processfogli...@amer.company.com, svc_prdprofogligh...@amer.company.com, service_ome_li...@amer.company.com, svc_prdesquadscou...@apac.company.com, serviceunixinst...@amer.company.com, admspike_white, oracle

# look at https://docs.pagure.org/SSSD.sssd/design_pages/subdomain_configuration.html
[domain/amer.company.com/company.com]
ldap_search_base = dc=COMPANY,dc=COM

[domain/amer.company.com/apac.company.com]
ldap_search_base = dc=APAC,dc=COMPANY,dc=COM

[domain/amer.company.com/emea.company.com]
ldap_search_base = dc=EMEA,dc=COMPANY,dc=COM

[domain/amer.company.com/japn.company.com]
ldap_search_base = dc=JAPN,dc=COMPANY,dc=COM
-- 
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
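The krb5_child.log entries in the post are tagged with a request id (RID#), so the expected krb5_validate notice can be separated mechanically from requests that actually hit "Pre-authentication failed". The triage script below is an added example, not code from the post or from SSSD: it parses lines in the format shown above, groups them by RID, and reports which requests are only the expected notice and which carry a pre-auth failure with its backtrace. The sample log text is constructed in that format with a placeholder UPN.

```python
import re
from collections import defaultdict

# One krb5_child.log entry looks like "(ts): [proc[pid]] [func] (level): [RID#n] msg";
# backtrace bullets add a leading "   *  " but are otherwise the same shape.
LINE_RE = re.compile(
    r"^\s*(?:\*\s+)?\((?P<ts>[^)]+)\): \[(?P<proc>\w+)\[(?P<pid>\d+)\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): \[RID#(?P<rid>\d+)\] (?P<msg>.*)$"
)
PAC_SKIP = "PAC check is requested but krb5_validate is set to false"
PREAUTH_FAIL = "Pre-authentication failed"

# Constructed sample in the post's format (not a real capture); the UPN is a placeholder.
SAMPLE_LOG = """\
(2024-07-23 11:20:44): [krb5_child[947088]] [main] (0x3f7c0): [RID#26239] PAC check is requested but krb5_validate is set to false. PAC checks will be skipped.
(2024-07-23 14:14:10): [krb5_child[970533]] [main] (0x3f7c0): [RID#27336] PAC check is requested but krb5_validate is set to false. PAC checks will be skipped.
(2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_get_init_creds_password] (0x0020): [RID#27336] 2193: [-1765328174][Pre-authentication failed: Cannot read password]
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
   *  (2024-07-23 14:14:10): [krb5_child[970533]] [unpack_buffer] (0x0100): [RID#27336] cmd [249 (pre-auth)] uid [2025431] gid [2025431] validate [false] enterprise principal [true] offline [false] UPN [user@example.com]
   *  (2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_responder] (0x4000): [RID#27336] Got question [password].
   *  (2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_prompter] (0x0200): [RID#27336] Prompter interface isn't used for password prompts by SSSD.
********************** BACKTRACE DUMP ENDS HERE *********************************
(2024-07-23 14:14:10): [krb5_child[970534]] [main] (0x3f7c0): [RID#27337] PAC check is requested but krb5_validate is set to false. PAC checks will be skipped.
"""

def parse(text):
    # Yield one dict per parsable entry; banner and blank lines do not match and are skipped.
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            rec = m.groupdict()
            rec["backtrace"] = raw.lstrip().startswith("*")
            yield rec

def triage(text):
    # Group entries by request id and classify each request.
    by_rid = defaultdict(list)
    for rec in parse(text):
        by_rid[rec["rid"]].append(rec)
    report = {}
    for rid, recs in by_rid.items():
        primary = [r["msg"] for r in recs if not r["backtrace"]]  # non-backtrace lines
        # The unpack_buffer backtrace line names the operation, e.g. "249 (pre-auth)".
        cmd = next((h.group(1) for r in recs
                    if (h := re.search(r"cmd \[([^\]]+)\]", r["msg"]))), None)
        report[rid] = {"pid": recs[0]["pid"], "cmd": cmd,
                       "pac_skipped": any(PAC_SKIP in m for m in primary),
                       "preauth_failed": any(PREAUTH_FAIL in m for m in primary),
                       "backtrace_lines": sum(r["backtrace"] for r in recs)}
    return report
```

Run `triage(open("/var/log/sssd/krb5_child.log").read())` on a real file to list which RIDs carry only the expected notice and which include a pre-auth failure.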