On Thu, 2022-08-25 at 18:44 +0100, Sam Morris via FreeIPA-users wrote:
> I thought krb5-pkinit is only needed if you want to use PKINIT? sssd uses the host/$HOSTNAME principal to establish a FAST channel for pre-authentication, so I don't see how krb5-pkinit affects things?

My goal there was to just get rid of the error. We're not using smartcards so it didn't really matter that an error for the missing shared library was recorded. It's hard to tell when an error in the log is actually just informational or causing other real problems.

> I thought 'services = pac' was the default in Debian & that Ubuntu would inherit this?

On a fresh Ubuntu 22 host after installing freeipa-client and enrolling it into freeipa, the services line that gets added to sssd.conf contains more than just "pac". That in and of itself is a problem in Ubuntu because the sockets for the responders are enabled by default. After figuring out why I was seeing startup errors in the journal, I nuked the whole line. But that broke the pac responder, and I didn't catch that until a couple of days ago.

> I did try socket-activating the pac responder, but I found that sssd would always launch its own pac responder in addition to the socket-activated one, so sssd-pac.socket is left disabled by default.

Yes, that's what I ended up doing a couple of days ago.

> This could be caused by Ubuntu's extremely annoying login script that looks up every member of every AD group that you're a member of when you log in.
>
> https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1863894
>
> Apply my modification to my script or just disable it and see if your logins are any quicker.

Ah, that explains why I was seeing in the logs every single user of every group being looked up. I was trying to figure out why Ubuntu was doing that. I surmised it had to do with some customization in Ubuntu's login procedure. I just didn't know where to look.

Thank you for that tip. I'll give your changes a shot.