On Tue, Mar 17, 2020 at 11:17:34AM -0000, Hristina Marosevic wrote:
> On Tue, Mar 17, 2020 at 09:41:16AM -0000, Hristina Marosevic wrote:
> ....
>
> Hi,
>
> so p11_child is really called but as you said earlier there are no logs.
>
> This might e.g. be a permission issue, please check the permissions on
> /var/log/sssd if you see anything odd. For me it looks like:
>
> drwxr-x---.  2 root root system_u:object_r:sssd_var_log_t:s0    4096 Mar 17 09:09 .
> drwxr-xr-x. 12 root root system_u:object_r:var_log_t:s0         4096 Mar 15 03:27 ..
> -rw-------.  1 root root system_u:object_r:sssd_var_log_t:s0  221452 Mar 17 09:19 krb5_child.log
> -rw-------.  1 root root system_u:object_r:sssd_var_log_t:s0 1069023 Mar 17 11:16 ldap_child.log
> -rw-------.  1 root root system_u:object_r:sssd_var_log_t:s0       0 Mar 16 10:31 p11_child.log
> -rw-------.  1 root root system_u:object_r:sssd_var_log_t:s0   14816 Mar 17 09:19 selinux_child.log
> -rw-------.  1 root root system_u:object_r:sssd_var_log_t:s0     623 Mar 16 10:31 sssd.log
> -rw-------.  1 root root system_u:object_r:sssd_var_log_t:s0       0 Mar 16 10:31 sssd_nss.log
> -rw-------.  1 root root system_u:object_r:sssd_var_log_t:s0       0 Mar 16 10:31 sssd_pac.log
> -rw-------.  1 root root system_u:object_r:sssd_var_log_t:s0  490679 Mar 17 11:18 sssd_pam.log
> -rw-------.  1 root root system_u:object_r:sssd_var_log_t:s0 6723166 Mar 17 11:18 sssd_ipa.devel.log
> -rw-------.  1 root root system_u:object_r:sssd_var_log_t:s0       0 Mar 16 10:31 sssd_ssh.log
> -rw-------.  1 root root system_u:object_r:sssd_var_log_t:s0       0 Mar 16 10:31 sssd_sudo.log
>
>
> The next step would be to check what failed with strace. For this call
>
> mkdir /tmp/strace_data
> strace -ff -s 1024 -o /tmp/strace_data/strace_ -p $(pidof /usr/libexec/sssd/sssd_ssh)
>
> in one terminal and call 'sss_ssh_authorizedkeys IIN32000000001' in a different
> terminal. After calling sss_ssh_authorizedkeys you can stop the strace command
> with CTRL-C. In /tmp/strace_data there should be at least 2 files, one of the
> main sssd_ssh process and the other for p11_child, please send both (if there
> are more than 2 please send all).
>
> bye,
> Sumit
There are two files:
after executing strace -ff -s 1024 -o /tmp/strace_data/strace_ -p $(pidof /usr/libexec/sssd/sssd_ssh) strace_.24180 was generated.
....
write(2, "(Tue Mar 17 12:09:26 2020) [[sssd[p11_child[5539]]]] [parse_cert_verify_opts] (0x4000): Found 'no_ocsp' option, disabling OCSP.\n", 128) = 128
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
write(2, "(Tue Mar 17 12:09:26 2020) [[sssd[p11_child[5539]]]] [parse_cert_verify_opts] (0x0020): Found 'no_verification' option, disabling verification completely. This should not be used in production.\n", 194) = 194
write(2, "Cannot run verification with option 'no_verification'.\n", 55) = 55

Hi,

I'm sorry, I haven't read one of your earlier emails carefully enough,
please do not use "certificate_verification = no_ocsp, no_verification"
but only

certificate_verification = no_verification

'no_ocsp' implies verification but without OCSP so using both options is
an inconsistency.

bye,
Sumit

stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
write(2, "(Tue Mar 17 12:09:26 2020) [[sssd[p11_child[5539]]]] [main] (0x0020): p11_child failed!\n", 88) = 88
close(1) = 0
exit_group(1) = ?
+++ exited with 1 +++
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
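
When p11_child.log stays empty, the child's debug messages are still present in the strace -ff output as write(2, ...) calls, as in the excerpt in this thread. The following is an added example, not part of the original messages and not SSSD code: a Python script that extracts those stderr messages from strace files. The function names and the sample lines are assumptions constructed for illustration.

```python
import re
import sys
from pathlib import Path

# One strace record: write(FD, "C-escaped bytes"[...], LEN) = RET
# A "..." right after the closing quote means strace cut the buffer at its -s limit.
WRITE_RE = re.compile(r'^write\((\d+), "((?:[^"\\]|\\.)*)"(\.\.\.)?, (\d+)\) += (-?\d+)')
ESCAPE_RE = re.compile(r'\\(x[0-9a-fA-F]{2}|[0-7]{1,3}|.)')
SIMPLE = {"n": "\n", "t": "\t", "r": "\r", "v": "\v", "f": "\f"}


def unescape(text):
    """Decode the C-style escapes strace uses inside quoted buffers."""
    def decode(match):
        esc = match.group(1)
        if esc[0] == "x" and len(esc) == 3:
            return chr(int(esc[1:], 16))
        if esc[0] in "01234567":
            return chr(int(esc, 8))
        return SIMPLE.get(esc, esc)  # \" and \\ fall through to the bare character
    return ESCAPE_RE.sub(decode, text)


def fd_writes(lines, fd=2):
    """Return (message, truncated) for every successful write to fd."""
    found = []
    for line in lines:
        m = WRITE_RE.match(line)
        if m and int(m.group(1)) == fd and int(m.group(5)) >= 0:
            found.append((unescape(m.group(2)), m.group(3) is not None))
    return found


# Constructed sample in the shape of the strace excerpt quoted in this thread.
SAMPLE = [
    r'''stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0''',
    r'''write(2, "Cannot run verification with option 'no_verification'.\n", 55) = 55''',
    r'''write(2, "(Tue Mar 17 12:09:26 2020) [[sssd[p11_child[5539]]]] [main] (0x0020): p11"..., 88) = 88''',
    r'''close(1) = 0''',
]

if __name__ == "__main__":
    # Assumed usage: pass the strace -ff output files, e.g. /tmp/strace_data/strace_.*
    for path in sys.argv[1:]:
        for msg, cut in fd_writes(Path(path).read_text(errors="replace").splitlines()):
            print(f"{Path(path).name}: {msg.rstrip()}{' [truncated]' if cut else ''}")
```

A message flagged as truncated was longer than the -s value given to strace; rerun with a larger -s to capture it in full.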