Hi,
I built and installed sssd from sources.
I got more logs: https://gist.github.com/pszafer/7ab47cd7d4de05f965f4c8e9985af8fa#file-krb5_child-log-not-working-with-krb5-trace

Is this important? -> "PKINIT client has no configured identity; giving up"
In CentOS there are these lines in krb5.conf, and I think this is the reason the above is giving up.
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
spake_preauth_groups = edwards25519
Are those important?

This function is never called in Arch (the line is from CentOS):
[krb5_child[50670]] [sss_krb5_expire_callback_func] (0x2000): exp_time: [375772]
How can I find out why this function is never called?

-----
Pawel



Tue, 16 Feb 2021 at 17:38 Paweł Szafer <pszafer@gmail.com> wrote:
Thanks for the response!

Commenting out "udp_preference_limit" doesn't change anything unfortunately...
I will rebuild sssd from source, so I can get more meaningful logs.

-----
Pawel



Tue, 16 Feb 2021 at 17:20 Sumit Bose <sbose@redhat.com> wrote:
On Tue, Feb 16, 2021 at 03:46:38PM +0100, Paweł Szafer wrote:
> Hi again,
> I installed CentOS 8 to test if the warning is working, and on CentOS it is
> working properly.
>
> In Arch I never get the line with the check "sss_krb5_expire_callback_func"
>
> Here are logs and config compared:
> https://gist.github.com/pszafer/7ab47cd7d4de05f965f4c8e9985af8fa (can't
> attach it to email, too big).
> Maybe you can find out if it's something with config or maybe Arch
> compilation of krb5 or sssd.

Hi,

this might be possible. I've seen in
https://github.com/archlinux/svntogit-community/blob/packages/sssd/trunk/PKGBUILD
that HAVE_KRB5_SET_TRACE_CALLBACK is removed from config.h, which would
explain the missing krb5 trace messages in the logs.

The expiration callback is used conditionally, but the related call is
available since MIT Kerberos version 1.9. Can you check the configure
output

......
checking for krb5_get_error_message... yes
checking for krb5_free_unparsed_name... yes
checking for krb5_get_init_creds_opt_set_expire_callback... yes      <<<----
checking for krb5_get_init_creds_opt_set_fast_ccache_name... yes
checking for krb5_get_init_creds_opt_set_fast_flags... yes
checking for krb5_get_init_creds_opt_set_canonicalize... yes
......

But even if krb5_get_init_creds_opt_set_expire_callback is not available
I would expect a message in the debug logs.


In krb5.conf on Arch there is

[libdefaults]
 udp_preference_limit = 0

which is not present on CentOS. I wonder if you can comment out those
two lines for testing. I would be surprised if this would change
anything but it is the only difference which might be related.

bye,
Sumit
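
The check described in the message above, as an added example that is not part of the original thread and is not SSSD or Arch packaging code: a POSIX shell function that compares a saved configure output with the resulting config.h, so a feature that configure detected but whose define was removed afterwards stands out. The function name feature_state, the file names and the sample contents are constructed for illustration; the HAVE_<FUNC> macro name follows autoconf's AC_CHECK_FUNCS convention.

```shell
#!/bin/sh
# Added example: compare what configure detected with what config.h defines.

# feature_state FUNC CONFIGURE_OUTPUT CONFIG_H
# prints one of: enabled | stripped | undetected | unknown
feature_state() {
    func=$1; log=$2; cfg=$3
    # AC_CHECK_FUNCS convention: HAVE_ + function name in upper case.
    macro="HAVE_$(printf '%s' "$func" | tr '[:lower:]' '[:upper:]')"
    # Last "checking for <func>... <result>" line, minus a "(cached) " prefix.
    result=$(sed -n "s/^checking for $func\.\.\. \(.*\)\$/\1/p" "$log" |
             tail -n 1 | sed 's/^(cached) //')
    case $result in
        yes*) ;;
        no*)  echo undetected; return 0 ;;
        *)    echo unknown; return 0 ;;
    esac
    # An active define looks like "#define HAVE_X 1"; autoconf leaves
    # "/* #undef HAVE_X */" when the feature is off.
    if grep -Eq "^[[:space:]]*#[[:space:]]*define[[:space:]]+${macro}([[:space:]]|\$)" "$cfg"; then
        echo enabled
    else
        echo stripped   # configure said yes, but the define is gone
    fi
}

# Constructed sample: configure finds both callbacks, but the trace macro
# is no longer defined in config.h.
make_sample() {
    cat > "$1/configure.out" <<'EOF'
checking for krb5_get_error_message... yes
checking for krb5_get_init_creds_opt_set_expire_callback... yes
checking for krb5_set_trace_callback... yes
checking for krb5_get_init_creds_opt_set_canonicalize... no
EOF
    cat > "$1/config.h" <<'EOF'
#define HAVE_KRB5_GET_ERROR_MESSAGE 1
#define HAVE_KRB5_GET_INIT_CREDS_OPT_SET_EXPIRE_CALLBACK 1
/* #undef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_CANONICALIZE */
EOF
}

dir=$(mktemp -d)
make_sample "$dir"
for f in krb5_get_init_creds_opt_set_expire_callback krb5_set_trace_callback; do
    printf '%s: %s\n' "$f" "$(feature_state "$f" "$dir/configure.out" "$dir/config.h")"
done
rm -rf "$dir"
```

Against a real build, pass the saved output of ./configure and the config.h from the build directory instead of the constructed files.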

>
> -----
> Pawel
>
>
>
> Mon, 15 Feb 2021 at 11:13 Paweł Szafer <pszafer@gmail.com> wrote:
>
> > yes, typo, sorry. It's valid till 20.02.2021.
> > Unfortunately I cannot find anything about password expiration in the sssd
> > logs.
> >
> > Pawel
> >
> > Mon, 15 Feb 2021, 11:08 Tomas Halman <thalman@redhat.com>
> > wrote:
> >
> >>
> >>
> >> On Sat, Feb 13, 2021 at 6:22 PM Paweł Szafer <pszafer@gmail.com> wrote:
> >>
> >>>
> >>> > User has password valid till 20.02.2020 and yet I don't have any
> >>>> warning.
> >>>>
> >>>
> >> Is that just a typo?  20.02.2020 is a year ago...
> >>
> >> Tomas
> >> _______________________________________________
> >> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> >> To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
> >> Fedora Code of Conduct:
> >> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> >> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> >> List Archives:
> >> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
> >> Do not reply to spam on the list, report it:
> >> https://pagure.io/fedora-infrastructure
> >>
> >
