On Tue, Mar 17, 2020 at 11:17:34AM -0000, Hristina Marosevic wrote:
On Tue, Mar 17, 2020 at 09:41:16AM -0000, Hristina Marosevic wrote: ....
Hi,
so p11_child is really called but as you said earlier there are no logs.
This might e.g. be a permission issue, please check the permissions on /var/log/sssd if you see anything odd. For me it looks like:
drwxr-x---. 2 root root system_u:object_r:sssd_var_log_t:s0 4096 Mar 17 09:09 .
drwxr-xr-x. 12 root root system_u:object_r:var_log_t:s0 4096 Mar 15 03:27 ..
-rw-------. 1 root root system_u:object_r:sssd_var_log_t:s0 221452 Mar 17 09:19 krb5_child.log
-rw-------. 1 root root system_u:object_r:sssd_var_log_t:s0 1069023 Mar 17 11:16 ldap_child.log
-rw-------. 1 root root system_u:object_r:sssd_var_log_t:s0 0 Mar 16 10:31 p11_child.log
-rw-------. 1 root root system_u:object_r:sssd_var_log_t:s0 14816 Mar 17 09:19 selinux_child.log
-rw-------. 1 root root system_u:object_r:sssd_var_log_t:s0 623 Mar 16 10:31 sssd.log
-rw-------. 1 root root system_u:object_r:sssd_var_log_t:s0 0 Mar 16 10:31 sssd_nss.log
-rw-------. 1 root root system_u:object_r:sssd_var_log_t:s0 0 Mar 16 10:31 sssd_pac.log
-rw-------. 1 root root system_u:object_r:sssd_var_log_t:s0 490679 Mar 17 11:18 sssd_pam.log
-rw-------. 1 root root system_u:object_r:sssd_var_log_t:s0 6723166 Mar 17 11:18 sssd_ipa.devel.log
-rw-------. 1 root root system_u:object_r:sssd_var_log_t:s0 0 Mar 16 10:31 sssd_ssh.log
-rw-------. 1 root root system_u:object_r:sssd_var_log_t:s0 0 Mar 16 10:31 sssd_sudo.log
The next step would be to check what failed with strace. For this call
mkdir /tmp/strace_data
strace -ff -s 1024 -o /tmp/strace_data/strace_ -p $(pidof /usr/libexec/sssd/sssd_ssh)
in one terminal and call 'sss_ssh_authorizedkeys IIN32000000001' in a different terminal. After calling sss_ssh_authorizedkeys you can stop the strace command with CTRL-C. In /tmp/strace_data there should be at least 2 files, one for the main sssd_ssh process and the other for p11_child, please send both (if there are more than 2 please send all).
bye, Sumit
There are two files:
after executing strace -ff -s 1024 -o /tmp/strace_data/strace_ -p $(pidof /usr/libexec/sssd/sssd_ssh) strace_.24180 was generated.
....
write(2, "(Tue Mar 17 12:09:26 2020) [[sssd[p11_child[5539]]]] [parse_cert_verify_opts] (0x4000): Found 'no_ocsp' option, disabling OCSP.\n", 128) = 128
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
write(2, "(Tue Mar 17 12:09:26 2020) [[sssd[p11_child[5539]]]] [parse_cert_verify_opts] (0x0020): Found 'no_verification' option, disabling verification completely. This should not be used in production.\n", 194) = 194
write(2, "Cannot run verification with option 'no_verification'.\n", 55) = 55
Hi,
I'm sorry, I haven't read one of your earlier emails carefully enough, please do not use "certificate_verification = no_ocsp, no_verification" but only
certificate_verification = no_verification
'no_ocsp' implies verification but without OCSP so using both options is an inconsistency.
bye, Sumit
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
write(2, "(Tue Mar 17 12:09:26 2020) [[sssd[p11_child[5539]]]] [main] (0x0020): p11_child failed!\n", 88) = 88
close(1) = 0
exit_group(1) = ?
+++ exited with 1 +++
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
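The inconsistency pointed out in the reply above ('no_ocsp' together with 'no_verification'), written as a configuration check; this is an added example, not part of the original thread and not SSSD code. The sssd.conf samples are constructed, and scanning every section for the option is an assumption of this sketch.

```python
import configparser

# Constructed sssd.conf samples (not taken from the system in the thread).
SAMPLE_BOTH = """\
[sssd]
services = nss, pam, ssh
certificate_verification = no_ocsp, no_verification
"""
SAMPLE_NO_VERIFICATION = """\
[sssd]
certificate_verification = no_verification
"""
SAMPLE_NO_OCSP = """\
[sssd]
certificate_verification = no_ocsp
"""

def audit_certificate_verification(conf_text):
    """Return (section, severity, message) findings for an sssd.conf text."""
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       delimiters=("=",))
    parser.read_string(conf_text)
    findings = []
    # Assumption: report the option in whichever section it appears.
    for section in parser.sections():
        raw = parser.get(section, "certificate_verification", fallback=None)
        if raw is None:
            continue
        # Comma-separated list; keep only the name part of key=value options.
        names = {o.strip().split("=", 1)[0].lower()
                 for o in raw.split(",") if o.strip()}
        if {"no_ocsp", "no_verification"} <= names:
            findings.append((section, "error",
                "no_ocsp implies verification; it contradicts no_verification"))
        if "no_verification" in names:
            # Mirrors the p11_child debug message quoted in the strace output.
            findings.append((section, "warning",
                "certificate verification is disabled; not for production"))
    return findings

if __name__ == "__main__":
    for name in ("SAMPLE_BOTH", "SAMPLE_NO_VERIFICATION", "SAMPLE_NO_OCSP"):
        print(name, audit_certificate_verification(globals()[name]))
```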