Hi,

Thanks for the response! I thought that there was no hope...
Arch krb5 is outdated https://archlinux.org/packages/core/x86_64/krb5/.
I'll wait for 1.19 and post back with the result.

-----
Pawel



wt., 2 mar 2021 o 18:27 Sumit Bose <sbose@redhat.com> napisał(a):
On Wed, Feb 17, 2021 at 12:43:09PM +0100, Paweł Szafer wrote:
> Hi,
> I built and installed sssd from sources.
> I got more logs:
> https://gist.github.com/pszafer/7ab47cd7d4de05f965f4c8e9985af8fa#file-krb5_child-log-not-working-with-krb5-trace
>
> Is this important? -> "PKINIT client has no configured identity; giving up"
> In Centos there are lines in krb5 conf, I think this is the reason above is
> giving up.
>
> pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
> spake_preauth_groups = edwards25519
>
> Are those important?
>
> This function is never called in Arch (line is from centos):
>
> [krb5_child[50670]] [sss_krb5_expire_callback_func] (0x2000): exp_time:
> [375772]
>
> How to find why this function is never called?

Hi,

it looks like I'm getting old, I forgot about
https://krbdev.mit.edu/rt/Ticket/Display.html?id=8893 which is an issue
in MIT Kerberos which should be fixed in 1.19 but might not yet fixed in
Arch Linux.

As a workaround you can try to use 'auth_provider = krb5' but please
note the different defaults for krb5_validate and
krb5_use_enterprise_principal as mentioned in man sssd-ad.

With 'auth_provider = ad' some different MIT Kerberos APIs are used to
get more details from AD, unfortunately due to #8893 the expiration time
is lost in this case.

HTH

bye,
Sumit

>
> -----
> Pawel
>
>
>
> wt., 16 lut 2021 o 17:38 Paweł Szafer <pszafer@gmail.com> napisał(a):
>
> > Thanks for the response!
> >
> > Commenting out "udp_preference_limit" doesn't change anything
> > unfortunately...
> > I will rebuild sssd from source, so I can get more meaningful logs.
> >
> > -----
> > Pawel
> >
> >
> >
> > wt., 16 lut 2021 o 17:20 Sumit Bose <sbose@redhat.com> napisał(a):
> >
> >> On Tue, Feb 16, 2021 at 03:46:38PM +0100, Paweł Szafer wrote:
> >> > Hi again,
> >> > I installed Centos 8 to test if warning is working and on Centos it is
> >> > working properly.
> >> >
> >> > In Arch I never get line with check "sss_krb5_expire_callback_func"
> >> >
> >> > Here are logs and config compared:
> >> > https://gist.github.com/pszafer/7ab47cd7d4de05f965f4c8e9985af8fa (can't
> >> > attach it to email, too big).
> >> > Maybe you can find out if it's something with config or maybe Arch
> >> > compilation of krb5 or sssd.
> >>
> >> Hi,
> >>
> >> this might be possible. If seen in
> >>
> >> https://github.com/archlinux/svntogit-community/blob/packages/sssd/trunk/PKGBUILD
> >> the HAVE_KRB5_SET_TRACE_CALLBACK is removed from config.h which would
> >> explain the missing krb5 trace messages in the logs.
> >>
> >> The expiration callback is used conditionally, but the related call is
> >> available since MIT Kerberos version 1.9. Can you check the configure
> >> output
> >>
> >> ......
> >> checking for krb5_get_error_message... yes
> >> checking for krb5_free_unparsed_name... yes
> >> checking for krb5_get_init_creds_opt_set_expire_callback... yes
> >> <<<----
> >> checking for krb5_get_init_creds_opt_set_fast_ccache_name... yes
> >> checking for krb5_get_init_creds_opt_set_fast_flags... yes
> >> checking for krb5_get_init_creds_opt_set_canonicalize... yes
> >> ......
> >>
> >> But even if krb5_get_init_creds_opt_set_expire_callback is not available
> >> I would expect a message in the debug logs.
> >>
> >>
> >> In krb5.conf on Arch there is
> >>
> >> [libdefaults]
> >>  udp_preference_limit = 0
> >>
> >> which is not present on Centos. I wonder if you can comment out those
> >> two lines for testing. I would be surprised if this would change
> >> anything but it is the only difference which might be related.
> >>
> >> bye,
> >> Sumit
> >>
> >> >
> >> > -----
> >> > Pawel
> >> >
> >> >
> >> >
> >> > pon., 15 lut 2021 o 11:13 Paweł Szafer <pszafer@gmail.com> napisał(a):
> >> >
> >> > > yes, typo, sorry. It's valid till 20.02.2021.
> >> > > Unfortunately I cannot find anything about password expiration in the
> >> sssd
> >> > > logs.
> >> > >
> >> > > Pawel
> >> > >
> >> > > pon., 15 lut 2021, 11:08 użytkownik Tomas Halman <thalman@redhat.com>
> >> > > napisał:
> >> > >
> >> > >>
> >> > >>
> >> > >> On Sat, Feb 13, 2021 at 6:22 PM Paweł Szafer <pszafer@gmail.com>
> >> wrote:
> >> > >>
> >> > >>>
> >> > >>> > User has password valid till 20.02.2020 and yet I don't have any
> >> > >>>> warning.
> >> > >>>>
> >> > >>>
> >> > >> Is that just a typo?  20.02.2020 is a year ago...
> >> > >>
> >> > >> Tomas
> >> > >> _______________________________________________
> >> > >> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> >> > >> To unsubscribe send an email to
> >> sssd-users-leave@lists.fedorahosted.org
> >> > >> Fedora Code of Conduct:
> >> > >> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> >> > >> List Guidelines:
> >> https://fedoraproject.org/wiki/Mailing_list_guidelines
> >> > >> List Archives:
> >> > >>
> >> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
> >> > >> Do not reply to spam on the list, report it:
> >> > >> https://pagure.io/fedora-infrastructure
> >> > >>
> >> > >
> >>
> >> > _______________________________________________
> >> > sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> >> > To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
> >> > Fedora Code of Conduct:
> >> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> >> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> >> > List Archives:
> >> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
> >> > Do not reply to spam on the list, report it:
> >> https://pagure.io/fedora-infrastructure
> >> _______________________________________________
> >> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> >> To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
> >> Fedora Code of Conduct:
> >> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> >> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> >> List Archives:
> >> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
> >> Do not reply to spam on the list, report it:
> >> https://pagure.io/fedora-infrastructure
> >>
> >

> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure