Alexey,

Again, thanks for replying.

I put debug_backtrace_enabled = false in section [domain/amer.company.com] and restarted sssd. Still the backtrace shows up in /var/log/sssd/krb5_child.log. In both RHEL8 and RHEL9. Is it possible that krb5_child (in version 2.9.4-x) is inheriting from another sssd.conf file section?

Spike

On Wed, Jul 24, 2024 at 10:24 AM Alexey Tikhonov <atikh...@redhat.com> wrote:
>
> On Wed, Jul 24, 2024 at 5:20 PM Spike White <spikewhit...@gmail.com> wrote:
>
>> Alexey,
>>
>> Thank you for responding.
>>
>> This occurs on RHEL8 and 9, but not on RHEL7. RHEL7 is version 1.16.5-xxxx.el7_9.xxx.x86_64
>>
>> RHEL8 and 9 are versions 2.9.4-xxx.el8_10.x86_64 and 2.9.4-xxx.el9_4.x86_64.
>>
>> On RHEL7 we don't have 'debug_backtrace_enabled = false' set (doesn't appear to be an option on version 1.16.5). But RHEL7 is ok.
>>
>> On RHEL 8/9, we have 'debug_backtrace_enabled = false' set in the [nss] and [sssd] sections. Yet we see this backtrace in /var/log/sssd/krb5_child.log. Is there another section of sssd.conf in which we should be setting this?
>
> ldap_/krb5_child "inherit" debug settings from [domain/...] section.
>
>> Spike
>>
>> On Wed, Jul 24, 2024 at 4:16 AM Alexey Tikhonov <atikh...@redhat.com> wrote:
>>
>>> Hi,
>>>
>>> what SSSD version is this?
>>>
>>> I think it should be fixed by https://github.com/SSSD/sssd/pull/7198#issuecomment-1959697353 and thus in SSSD 2.9.5+
>>> On an older version you can consider setting 'debug_backtrace_enabled = false'
>>>
>>> On Tue, Jul 23, 2024 at 9:37 PM Spike White <spikewhit...@gmail.com> wrote:
>>>
>>>> All,
>>>>
>>>> This is not a problem. But it is annoying; how do I make it go away?
>>>>
>>>> Every time any user logs into any of our Linux servers, we get these messages in the /var/log/sssd/krb5_child.log file:
>>>>
>>>> (2024-07-23 11:20:44): [krb5_child[947088]] [main] (0x3f7c0): [RID#26239] PAC check is requested but krb5_validate is set to false. PAC checks will be skipped.
>>>> (2024-07-23 14:14:10): [krb5_child[970533]] [main] (0x3f7c0): [RID#27336] PAC check is requested but krb5_validate is set to false. PAC checks will be skipped.
>>>> (2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_get_init_creds_password] (0x0020): [RID#27336] 2193: [-1765328174][Pre-authentication failed: Cannot read password]
>>>> ********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
>>>> * (2024-07-23 14:14:10): [krb5_child[970533]] [main] (0x0400): [RID#27336] krb5_child started.
>>>> * (2024-07-23 14:14:10): [krb5_child[970533]] [unpack_buffer] (0x1000): [RID#27336] total buffer size: [92]
>>>> * (2024-07-23 14:14:10): [krb5_child[970533]] [unpack_buffer] (0x0100): [RID#27336] cmd [249 (pre-auth)] uid [2025431] gid [2025431] validate [false] enterprise principal [true] offline [false] UPN [admspike_wh...@amer.company.com]
>>>> * (2024-07-23 14:14:10): [krb5_child[970533]] [unpack_buffer] (0x0100): [RID#27336] ccname: [KCM:] old_ccname: [KCM:] keytab: [not set]
>>>> * (2024-07-23 14:14:10): [krb5_child[970533]] [check_keytab_name] (0x0400): [RID#27336] Missing krb5_keytab option for domain, looking for default one
>>>> * (2024-07-23 14:14:10): [krb5_child[970533]] [check_keytab_name] (0x0400): [RID#27336] krb5_kt_default_name() returned: FILE:/etc/krb5.keytab
>>>> * (2024-07-23 14:14:10): [krb5_child[970533]] [check_keytab_name] (0x0400): [RID#27336] krb5_child will default to: /etc/krb5.keytab
>>>> * (2024-07-23 14:14:10): [krb5_child[970533]] [check_use_fast] (0x0100): [RID#27336] Not using FAST.
>>>> * (2024-07-23 14:14:10): [krb5_child[970533]] [become_user] (0x0200): [RID#27336] Trying to become user [2025431][2025431].
>>>> * (2024-07-23 14:14:10): [krb5_child[970533]] [main] (0x2000): [RID#27336] Running as [2025431][2025431].
>>>> * (2024-07-23 14:14:10): [krb5_child[970533]] [set_lifetime_options] (0x0100): [RID#27336] No specific renewable lifetime requested.
>>>> * (2024-07-23 14:14:10): [krb5_child[970533]] [set_lifetime_options] (0x0100): [RID#27336] No specific lifetime requested.
>>>> * (2024-07-23 14:14:10): [krb5_child[970533]] [set_canonicalize_option] (0x0100): [RID#27336] Canonicalization is set to [true]
>>>> * (2024-07-23 14:14:10): [krb5_child[970533]] [main] (0x0400): [RID#27336] Will perform pre-auth
>>>> * (2024-07-23 14:14:10): [krb5_child[970533]] [tgt_req_child] (0x1000): [RID#27336] Attempting to get a TGT
>>>> * (2024-07-23 14:14:10): [krb5_child[970533]] [get_and_save_tgt] (0x0400): [RID#27336] Attempting kinit for realm [AMER.COMPANY.COM]
>>>> * (2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_responder] (0x4000): [RID#27336] Got question [password].
>>>> * (2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_prompter] (0x4000): [RID#27336] sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL.
>>>> * (2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_prompter] (0x4000): [RID#27336] Prompt [0][Password for AdmSpike_White\@amer.company....@amer.company.com].
>>>> * (2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_prompter] (0x0200): [RID#27336] Prompter interface isn't used for password prompts by SSSD.
>>>> * (2024-07-23 14:14:10): [krb5_child[970533]] [sss_krb5_get_init_creds_password] (0x0020): [RID#27336] 2193: [-1765328174][Pre-authentication failed: Cannot read password]
>>>> ********************** BACKTRACE DUMP ENDS HERE *********************************
>>>>
>>>> (2024-07-23 14:14:10): [krb5_child[970534]] [main] (0x3f7c0): [RID#27337] PAC check is requested but krb5_validate is set to false. PAC checks will be skipped.
>>>>
>>>> We’re ok with the krb5_validate message. We set:
>>>>
>>>> krb5_validate = False
>>>>
>>>> in /etc/sssd/sssd.conf file because KVNO of host principal gets out of sync between AD and /etc/krb5.keytab file frequently.
>>>>
>>>> So we’re comfortable with that one line of logging. It’s all the rest of the logging that we’d prefer not to see.
>>>>
>>>> How do we suppress them or eradicate the underlying condition that leads to them appearing?
>>>>
>>>> Here is our sssd.conf file.
>>>>
>>>> [nss]
>>>> debug_backtrace_enabled = false
>>>> #debug_level = 9
>>>> filter_groups = root mfe bladelogic_linux_us...@amer.company.com bladelogic_linux_us...@emea.company.com bladelogic_linux_us...@apac.company.com bladelogic_linux_us...@japn.company.com bladelogic_linux_us...@company.com oracle
>>>> filter_users = root mfe oracle
>>>>
>>>> [sssd]
>>>> debug_backtrace_enabled = false
>>>> #debug_level = 9
>>>> domains = amer.company.com
>>>> domain_resolution_order = amer.company.com, emea.company.com, apac.company.com, japn.company.com, company.com
>>>> config_file_version = 2
>>>> services = nss,pam,ifp
>>>> reconnection_retries = 3
>>>> full_name_format = %1$s
>>>>
>>>> [pam]
>>>> pam_verbosity = 3
>>>> #debug_level = 9
>>>> offline_credentials_expiration = 3
>>>>
>>>> [ifp]
>>>> #debug_level = 9
>>>>
>>>> [domain/amer.company.com]
>>>> filter_groups = root mfe bladelogic_linux_users oracle
>>>> sudo_provider = none
>>>> debug_backtrace_enabled = false
>>>> #debug_level = 9
>>>> ad_enabled_domains = company.com, amer.company.com, apac.company.com, emea.company.com, japn.company.com
>>>> ad_enabled_domains = amer.company.com, apac.company.com, emea.company.com, japn.company.com, company.com
>>>> # If you enable ignore_group_members, it gives a small perf win, but then
>>>> # "getent group XXX" shows no members. Perf win not worth the lack of
>>>> # diagnostics.
>>>> #ignore_group_members = true
>>>> id_provider = ad
>>>> access_provider = simple
>>>> auth_provider = ad
>>>> default_shell = /bin/bash
>>>> ldap_id_mapping = False
>>>> auto_private_groups = True
>>>> realmd_tags = joined-with-adcli
>>>> cache_credentials = True
>>>>
>>>> # Not set to true; Passwords stored in this way are kept in plaintext in the kernel keyring and are potentially accessible by the root user (with difficulty).
>>>> #krb5_store_password_if_offline = True
>>>> fallback_homedir = /home/%u
>>>> ldap_sasl_authid = host/austgcore17.us.company....@amer.company.com
>>>> dyndns_update = False
>>>> # Using tokengroups is usually a speed optimization
>>>> #ldap_use_tokengroups = False
>>>> ldap_search_base = dc=AMER,dc=COMPANY,dc=COM
>>>> ldap_force_upper_case_realm = True
>>>> # Set to False, because KVNO of host principal gets out of sync between
>>>> # AD and /etc/krb5.keytab file frequently.
>>>> krb5_validate = False
>>>> simple_allow_groups = amerlinux...@amer.company.com, amerlinux...@amer.company.com, emealinux...@emea.company.com, emealinux...@emea.company.com, apaclinux...@apac.company.com, apaclinux...@apac.company.com, gbllinuxsu...@amer.company.com, bladelogic_linux_us...@amer.company.com, prd-1004873-amer-dbspotu...@amer.company.com, pptsupport...@amer.company.com, unv_legato_adm...@amer.company.com, scheduling_glo...@amer.company.com, engit-e...@amer.company.com, amerlinuxengtfss...@amer.company.com, amerlnxsvcdelaut...@apac.company.com, iasnp...@amer.company.com, fnms_...@amer.company.com, zabbix-supp...@amer.company.com, globalinfosecops...@amer.company.com, prd-amer-fnmsops...@amer.company.com, amerlinuxeng
>>>> simple_allow_users = processehcprofi...@amer.company.com, svc_prdaut...@amer.company.com, processfogli...@amer.company.com, svc_prdprofogligh...@amer.company.com, service_ome_li...@amer.company.com, svc_prdesquadscou...@apac.company.com, serviceunixinst...@amer.company.com, admspike_white, oracle
>>>>
>>>> # look at https://docs.pagure.org/SSSD.sssd/design_pages/subdomain_configuration.html
>>>> [domain/amer.company.com/company.com]
>>>> ldap_search_base = dc=COMPANY,dc=COM
>>>>
>>>> [domain/amer.company.com/apac.company.com]
>>>> ldap_search_base = dc=APAC,dc=COMPANY,dc=COM
>>>>
>>>> [domain/amer.company.com/emea.company.com]
>>>> ldap_search_base = dc=EMEA,dc=COMPANY,dc=COM
>>>>
>>>> [domain/amer.company.com/japn.company.com]
>>>> ldap_search_base = dc=JAPN,dc=COMPANY,dc=COM
>>>>
>>>> --
>>>> _______________________________________________
>>>> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
>>>> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
>>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>> List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
>>>> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
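As an added example (written for this thread, not code from the thread or from the SSSD project), a small Python checker that applies Alexey's rule: krb5_child/ldap_child take debug_backtrace_enabled from the [domain/...] section, so setting it in [nss] and [sssd] alone leaves the backtraces on. It also flags duplicate keys, since the posted sssd.conf sets ad_enabled_domains twice in the domain section. The INI reader is a minimal stand-in; its last-value-wins handling of duplicates and its "unset means enabled" default are assumptions of this checker, not statements about SSSD's own parser.

```python
def parse_sssd_conf(text):
    """Minimal INI reader: returns ({section: {key: value}}, [(section, key), ...]).
    Duplicate keys are reported; the last value is kept (this checker's choice)."""
    sections, duplicates, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # e.g. "domain/amer.company.com"
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if current is None or not sep:
            continue                      # stray line outside any section
        key, value = key.strip(), value.strip()
        if key in sections[current]:
            duplicates.append((current, key))
        sections[current][key] = value
    return sections, duplicates

def child_backtrace_enabled(sections, domain):
    """Effective debug_backtrace_enabled for krb5_child/ldap_child of one domain:
    only [domain/<name>] is consulted, [sssd]/[nss] are ignored on purpose.
    Unset is treated as enabled (assumed default)."""
    value = sections.get(f"domain/{domain}", {}).get("debug_backtrace_enabled", "true")
    return value.lower() not in ("false", "no", "0")

def check(text, domain):
    sections, duplicates = parse_sssd_conf(text)
    return {
        "backtrace_in_child_logs": child_backtrace_enabled(sections, domain),
        "sections_setting_option": sorted(
            s for s, kv in sections.items() if "debug_backtrace_enabled" in kv),
        "duplicate_keys": duplicates,
    }

# Constructed sample in the thread's layout: the option is set in [nss] and
# [sssd] only, and ad_enabled_domains appears twice in the domain section.
SAMPLE_CONF = """\
[nss]
debug_backtrace_enabled = false
[sssd]
debug_backtrace_enabled = false
[domain/amer.company.com]
ad_enabled_domains = company.com, amer.company.com
ad_enabled_domains = amer.company.com, company.com
krb5_validate = False
"""
```

Appending `debug_backtrace_enabled = false` under [domain/amer.company.com] in SAMPLE_CONF flips backtrace_in_child_logs to False, which is the placement Alexey's reply points at.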