Hi,
Thanks for the response! I thought that there was no hope...
Arch krb5 is outdated
.
I'll wait for 1.19 and post back with the result.
-----
Pawel
wt., 2 mar 2021 o 18:27 Sumit Bose <sbose(a)redhat.com> napisał(a):
On Wed, Feb 17, 2021 at 12:43:09PM +0100, Paweł Szafer wrote:
> Hi,
> I built and installed sssd from sources.
> I got more logs:
>
https://gist.github.com/pszafer/7ab47cd7d4de05f965f4c8e9985af8fa#file-krb...
>
> Is this important? -> "PKINIT client has no configured identity; giving
up"
> In Centos there are lines in krb5 conf, I think this is the reason above
is
> giving up.
>
> pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
> spake_preauth_groups = edwards25519
>
> Are those important?
>
> This function is never called in Arch (line is from centos):
>
> [krb5_child[50670]] [sss_krb5_expire_callback_func] (0x2000): exp_time:
> [375772]
>
> How to find why this function is never called?
Hi,
it looks like I'm getting old, I forgot about
https://krbdev.mit.edu/rt/Ticket/Display.html?id=8893 which is an issue
in MIT Kerberos which should be fixed in 1.19 but might not yet fixed in
Arch Linux.
As a workaround you can try to use 'auth_provider = krb5' but please
note the different defaults for krb5_validate and
krb5_use_enterprise_principal as mentioned in man sssd-ad.
With 'auth_provider = ad' some different MIT Kerberos APIs are used to
get more details from AD, unfortunately due to #8893 the expiration time
is lost in this case.
HTH
bye,
Sumit
>
> -----
> Pawel
>
>
>
> wt., 16 lut 2021 o 17:38 Paweł Szafer <pszafer(a)gmail.com> napisał(a):
>
> > Thanks for the response!
> >
> > Commenting out "udp_preference_limit" doesn't change anything
> > unfortunately...
> > I will rebuild sssd from source, so I can get more meaningful logs.
> >
> > -----
> > Pawel
> >
> >
> >
> > wt., 16 lut 2021 o 17:20 Sumit Bose <sbose(a)redhat.com> napisał(a):
> >
> >> On Tue, Feb 16, 2021 at 03:46:38PM +0100, Paweł Szafer wrote:
> >> > Hi again,
> >> > I installed Centos 8 to test if warning is working and on Centos it
is
> >> > working properly.
> >> >
> >> > In Arch I never get line with check
"sss_krb5_expire_callback_func"
> >> >
> >> > Here are logs and config compared:
> >> >
https://gist.github.com/pszafer/7ab47cd7d4de05f965f4c8e9985af8fa
(can't
> >> > attach it to email, too big).
> >> > Maybe you can find out if it's something with config or maybe
Arch
> >> > compilation of krb5 or sssd.
> >>
> >> Hi,
> >>
> >> this might be possible. If seen in
> >>
> >>
https://github.com/archlinux/svntogit-community/blob/packages/sssd/trunk/...
> >> the HAVE_KRB5_SET_TRACE_CALLBACK is removed from config.h which would
> >> explain the missing krb5 trace messages in the logs.
> >>
> >> The expiration callback is used conditionally, but the related call is
> >> available since MIT Kerberos version 1.9. Can you check the configure
> >> output
> >>
> >> ......
> >> checking for krb5_get_error_message... yes
> >> checking for krb5_free_unparsed_name... yes
> >> checking for krb5_get_init_creds_opt_set_expire_callback... yes
> >> <<<----
> >> checking for krb5_get_init_creds_opt_set_fast_ccache_name... yes
> >> checking for krb5_get_init_creds_opt_set_fast_flags... yes
> >> checking for krb5_get_init_creds_opt_set_canonicalize... yes
> >> ......
> >>
> >> But even if krb5_get_init_creds_opt_set_expire_callback is not
available
> >> I would expect a message in the debug logs.
> >>
> >>
> >> In krb5.conf on Arch there is
> >>
> >> [libdefaults]
> >> udp_preference_limit = 0
> >>
> >> which is not present on Centos. I wonder if you can comment out those
> >> two lines for testing. I would be surprised if this would change
> >> anything but it is the only difference which might be related.
> >>
> >> bye,
> >> Sumit
> >>
> >> >
> >> > -----
> >> > Pawel
> >> >
> >> >
> >> >
> >> > pon., 15 lut 2021 o 11:13 Paweł Szafer <pszafer(a)gmail.com>
napisał(a):
> >> >
> >> > > yes, typo, sorry. It's valid till 20.02.2021.
> >> > > Unfortunately I cannot find anything about password expiration
in
the
> >> sssd
> >> > > logs.
> >> > >
> >> > > Pawel
> >> > >
> >> > > pon., 15 lut 2021, 11:08 użytkownik Tomas Halman <
thalman(a)redhat.com>
> >> > > napisał:
> >> > >
> >> > >>
> >> > >>
> >> > >> On Sat, Feb 13, 2021 at 6:22 PM Paweł Szafer
<pszafer(a)gmail.com>
> >> wrote:
> >> > >>
> >> > >>>
> >> > >>> > User has password valid till 20.02.2020 and yet I
don't have
any
> >> > >>>> warning.
> >> > >>>>
> >> > >>>
> >> > >> Is that just a typo? 20.02.2020 is a year ago...
> >> > >>
> >> > >> Tomas
> >> > >> _______________________________________________
> >> > >> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> >> > >> To unsubscribe send an email to
> >> sssd-users-leave(a)lists.fedorahosted.org
> >> > >> Fedora Code of Conduct:
> >> > >>
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> >> > >> List Guidelines:
> >>
https://fedoraproject.org/wiki/Mailing_list_guidelines
> >> > >> List Archives:
> >> > >>
> >>
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
> >> > >> Do not reply to spam on the list, report it:
> >> > >>
https://pagure.io/fedora-infrastructure
> >> > >>
> >> > >
> >>
> >> > _______________________________________________
> >> > sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> >> > To unsubscribe send an email to
sssd-users-leave(a)lists.fedorahosted.org
> >> > Fedora Code of Conduct:
> >>
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> >> > List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> >> > List Archives:
> >>
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
> >> > Do not reply to spam on the list, report it:
> >>
https://pagure.io/fedora-infrastructure
> >> _______________________________________________
> >> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> >> To unsubscribe send an email to
sssd-users-leave(a)lists.fedorahosted.org
> >> Fedora Code of Conduct:
> >>
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> >> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> >> List Archives:
> >>
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
> >> Do not reply to spam on the list, report it:
> >>
https://pagure.io/fedora-infrastructure
> >>
> >
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
> Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure