Is this important? -> "PKINIT client has no configured identity; giving up"
In CentOS there are these lines in krb5.conf; I think this is the reason the above is
giving up.
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
spake_preauth_groups = edwards25519
Are those important?
This function is never called in Arch (line is from CentOS):
[krb5_child[50670]] [sss_krb5_expire_callback_func] (0x2000): exp_time: [375772]
How to find why this function is never called?
-----
Pawel
Tue, 16 Feb 2021 at 17:38 Paweł Szafer <pszafer(a)gmail.com> wrote:
Thanks for the response!
Commenting out "udp_preference_limit" doesn't change anything
unfortunately...
I will rebuild sssd from source, so I can get more meaningful logs.
-----
Pawel
Tue, 16 Feb 2021 at 17:20 Sumit Bose <sbose(a)redhat.com> wrote:
> On Tue, Feb 16, 2021 at 03:46:38PM +0100, Paweł Szafer wrote:
> > Hi again,
> > I installed Centos 8 to test if warning is working and on Centos it is
> > working properly.
> >
> > In Arch I never get line with check "sss_krb5_expire_callback_func"
> >
> > Here are logs and config compared:
> > https://gist.github.com/pszafer/7ab47cd7d4de05f965f4c8e9985af8fa (can't
> > attach it to email, too big).
> > Maybe you can find out if it's something with config or maybe Arch
> > compilation of krb5 or sssd.
>
> Hi,
>
> this might be possible. If seen in
> https://github.com/archlinux/svntogit-community/blob/packages/sssd/trunk/...
> the HAVE_KRB5_SET_TRACE_CALLBACK is removed from config.h which would
> explain the missing krb5 trace messages in the logs.
>
> The expiration callback is used conditionally, but the related call is
> available since MIT Kerberos version 1.9. Can you check the configure
> output
>
> ......
> checking for krb5_get_error_message... yes
> checking for krb5_free_unparsed_name... yes
> checking for krb5_get_init_creds_opt_set_expire_callback... yes   <<<----
> checking for krb5_get_init_creds_opt_set_fast_ccache_name... yes
> checking for krb5_get_init_creds_opt_set_fast_flags... yes
> checking for krb5_get_init_creds_opt_set_canonicalize... yes
> ......
>
> But even if krb5_get_init_creds_opt_set_expire_callback is not available
> I would expect a message in the debug logs.
>
>
> In krb5.conf on Arch there is
>
> [libdefaults]
> udp_preference_limit = 0
>
> which is not present on Centos. I wonder if you can comment out those
> two lines for testing. I would be surprised if this would change
> anything but it is the only difference which might be related.
>
> bye,
> Sumit
>
> >
> > -----
> > Pawel
> >
> >
> >
> > Mon, 15 Feb 2021 at 11:13 Paweł Szafer <pszafer(a)gmail.com> wrote:
> >
> > > yes, typo, sorry. It's valid till 20.02.2021.
> > > Unfortunately I cannot find anything about password expiration in the
> > > sssd logs.
> > >
> > > Pawel
> > >
> > > Mon, 15 Feb 2021, 11:08 Tomas Halman <thalman(a)redhat.com> wrote:
> > >
> > >>
> > >>
> > >> On Sat, Feb 13, 2021 at 6:22 PM Paweł Szafer <pszafer(a)gmail.com> wrote:
> > >>
> > >>>
> > >>>> User has password valid till 20.02.2020 and yet I don't have any
> > >>>> warning.
> > >>>>
> > >>>
> > >> Is that just a typo? 20.02.2020 is a year ago...
> > >>
> > >> Tomas
> > >> _______________________________________________
> > >> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> > >> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
> > >> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > >> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > >> List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
> > >> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
> > >>
> > >
>
>
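
The build-time check Sumit asks for above, as an added example that is not part of the original thread or of SSSD's own tooling: a shell helper that reads saved configure output and the generated config.h and reports whether `krb5_get_init_creds_opt_set_expire_callback` was detected and whether `HAVE_KRB5_SET_TRACE_CALLBACK` is defined. The function names, file names and sample contents are constructed for illustration.

```shell
#!/bin/sh
# Added example. Function names, file names and sample contents are constructed.

# Print "yes", "no" or "absent" for one "checking for <func>..." configure line.
# A "(cached) " prefix on the result is tolerated.
configure_check() {
    result=$(sed -n "s/^checking for $1\.\.\. \((cached) \)\{0,1\}//p" "$2" | tail -n 1)
    case "$result" in
        yes) echo yes ;;
        no)  echo no ;;
        *)   echo absent ;;
    esac
}

# Print "defined" or "undefined" for a macro in an autoconf-generated config.h.
# A commented-out "/* #undef MACRO */" line counts as undefined.
config_define() {
    if grep -Eq "^[[:space:]]*#[[:space:]]*define[[:space:]]+$1([[:space:]]|\$)" "$2"; then
        echo defined
    else
        echo undefined
    fi
}

# One-line summary of the two build-time facts discussed in the thread.
# $1 = saved configure output, $2 = config.h of the build being inspected.
krb5_build_report() {
    echo "expire_callback=$(configure_check krb5_get_init_creds_opt_set_expire_callback "$1")" \
         "trace_callback=$(config_define HAVE_KRB5_SET_TRACE_CALLBACK "$2")"
}

# Constructed sample inputs standing in for a real build tree.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/configure.out" <<'EOF'
checking for krb5_get_error_message... yes
checking for krb5_get_init_creds_opt_set_expire_callback... (cached) yes
checking for krb5_get_init_creds_opt_set_fast_flags... yes
EOF
cat > "$SAMPLE_DIR/config.h" <<'EOF'
#define HAVE_KRB5_GET_ERROR_MESSAGE 1
/* #undef HAVE_KRB5_SET_TRACE_CALLBACK */
EOF

krb5_build_report "$SAMPLE_DIR/configure.out" "$SAMPLE_DIR/config.h"
```

Running the same report against the CentOS and Arch build trees and diffing the two lines shows whether the difference is in the build rather than in krb5.conf.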