Discussion:
[SSSD] Announcing SSSD 2.5.0
Pavel Březina
2021-05-10 13:49:27 UTC
# SSSD 2.5.0

The SSSD team is proud to announce the release of version 2.5.0 of the
System Security Services Daemon. The tarball can be downloaded from:
https://github.com/SSSD/sssd/releases/tag/2.5.0

See the full release notes at:
https://sssd.io/release-notes/sssd-2.5.0.html

RPM packages will be made available for Fedora shortly.

## Feedback

Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users

## Highlights

### General information

* `secrets` support is deprecated and will be removed in one of the next
versions of SSSD.
* `local-provider` is deprecated and will be removed in one of the next
versions of SSSD.
* SSSD's implementation of `libwbclient` was removed as incompatible
with modern versions of Samba.
* This release deprecates `pcre1` support. This support will be removed
completely in following releases.
* A home directory from a dedicated user override, either local or
centrally managed by IPA, will have a higher precedence than the
`override_homedir` option.
* `debug-to-files`, `debug-to-stderr` command line and undocumented
`debug_to_files` config options were removed.

### New features

* Added support for automatic renewal of renewable TGTs that are stored
in KCM ccache. This can be enabled by setting `tgt_renewal = true`. See
the sssd-kcm man page for more details. This feature requires MIT
Kerberos krb5-1.19-0.beta2.3 or higher.
* Background sudo periodic tasks (smart and full refresh) periods are now
extended by a random offset to spread the load on the server in
environments with many clients. The random offset can be changed with
`ldap_sudo_random_offset`.
* Completing a sudo full refresh now postpones the smart refresh by
`ldap_sudo_smart_refresh_interval` value. This ensures that the smart
refresh is not run too soon after a successful full refresh.
* If `debug_backtrace_enabled` is set to `true` then on any error all
prior debug messages (to some limit) are printed even if `debug_level`
is set to a low value (for details see `man sssd.conf`:
`debug_backtrace_enabled` description).
* Besides trusted domains known by the forest root, trusted domains
known by the local domain are used as well.
* New configuration option `offline_timeout_random_offset` to control
random factor in backend probing interval when SSSD is in offline mode.

### Important fixes

* `ad_gpo_implicit_deny` is now respected even if there are no
applicable GPOs present
* During the IPA subdomains request a failure in reading a single
specific configuration option is not considered fatal and the request
will continue
* unknown IPA id-range types are not considered as an error
* SSSD spec file `%postun` no longer tries to restart services that
cannot be restarted directly, to stop producing systemd warnings

### Configuration changes

* Added `tgt_renewal`, `tgt_renewal_inherit`, and `krb5_*` KCM options
to enable, and tune behavior of new KCM renewal feature.
* Added `ldap_sudo_random_offset` (default to `30`) to add a random
offset to background sudo periodic tasks (smart and full refresh).
* Introduced new option `debug_backtrace_enabled` to control debug
backtrace.
* Added `offline_timeout_random_offset` configuration option to control
maximum size of random offset added to offline timeout SSSD backend
probing interval.
* Long-deprecated and undocumented `debug_to_files` option was removed.
_______________________________________________
sssd-devel mailing list -- sssd-***@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-***@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-***@lists.fedorahosted.org
Do not reply to spam on the list
Pavel Březina
2021-05-10 15:48:45 UTC
- ssh from non sssd/krb machine to new sssd machine, entered password
~ $ klist
Ticket cache: KCM:1001
Valid starting Expires Service principal
renew until 17/05/21 16:47:32
~ $ ksu
ksu: Ccache function not supported: not implemented while selecting the best principal
I also have mit-krb5 master installed.
Did I miss something?
krb5 master contains:
https://github.com/krb5/krb5/commit/795ebba8c039be172ab93cd41105c73ffdba0fdb

but RETRIEVE is not implemented in sssd-kcm. Kerberos should fall back to
its own function that was used before this commit.
(2021-05-10 17:09:47): [kcm] [get_client_cred] (0x4000): Client [0x56377e20ead0][14] creds: euid[1001] egid[100] pid[5871] cmd_line['ksu'].
SELINUX_getpeercon failed [95][Operation not supported].
Please, consider enabling SELinux in your system.
(2021-05-10 17:09:47): [kcm] [setup_client_idle_timer] (0x4000): Idle timer re-set for client [0x56377e20ead0][14]
(2021-05-10 17:09:47): [kcm] [accept_fd_handler] (0x0400): Client [0x56377e20ead0][14] connected!
(2021-05-10 17:09:47): [kcm] [kcm_input_parse] (0x1000): Received message with length 4
(2021-05-10 17:09:47): [kcm] [kcm_get_opt] (0x2000): The client requested operation 20
(2021-05-10 17:09:47): [kcm] [kcm_cmd_send] (0x0400): KCM operation GET_DEFAULT_CACHE
(2021-05-10 17:09:47): [kcm] [kcm_cmd_send] (0x1000): 0 bytes on KCM input
(2021-05-10 17:09:47): [kcm] [kcm_op_queue_send] (0x0200): Adding request by 1001 to the wait queue
(2021-05-10 17:09:47): [kcm] [kcm_op_queue_get] (0x1000): No existing queue for this ID
(2021-05-10 17:09:47): [kcm] [kcm_op_queue_send] (0x1000): Queue was empty, running the request immediately
(2021-05-10 17:09:47): [kcm] [kcm_op_get_default_ccache_send] (0x1000): Getting client's default ccache
(2021-05-10 17:09:47): [kcm] [ccdb_secdb_get_default_send] (0x2000): Getting the default ccache
(2021-05-10 17:09:47): [kcm] [sss_sec_map_path] (0x1000): Mapping prefix /kcm/
(2021-05-10 17:09:47): [kcm] [kcm_map_url_to_path] (0x1000): User-specific KCM path is [/kcm/persistent/1001/default]
(2021-05-10 17:09:47): [kcm] [local_db_dn] (0x2000): Local path for [persistent/1001/default] is [cn=default,cn=1001,cn=persistent,cn=kcm]
(2021-05-10 17:09:47): [kcm] [sss_sec_new_req] (0x1000): Local DB path is persistent/1001/default
(2021-05-10 17:09:47): [kcm] [secdb_dfl_url_req] (0x2000): Created request for URL /kcm/persistent/1001/default
(2021-05-10 17:09:47): [kcm] [sss_sec_get] (0x0400): Retrieving a secret from [persistent/1001/default]
(2021-05-10 17:09:47): [kcm] [sss_sec_get] (0x2000): Searching for [(|(type=simple)(type=binary))] at [cn=default,cn=1001,cn=persistent,cn=kcm] with scope=base
(2021-05-10 17:09:47): [kcm] [sss_sec_get] (0x1000): No secret found
(2021-05-10 17:09:47): [kcm] [sec_get] (0x0040): Cannot retrieve the secret [2]: No such file or directory
(2021-05-10 17:09:47): [kcm] [ccdb_secdb_list_send] (0x2000): Listing all ccaches
(2021-05-10 17:09:47): [kcm] [sss_sec_map_path] (0x1000): Mapping prefix /kcm/
(2021-05-10 17:09:47): [kcm] [kcm_map_url_to_path] (0x1000): User-specific KCM path is [/kcm/persistent/1001/ccache/]
(2021-05-10 17:09:47): [kcm] [local_db_dn] (0x2000): Local path for [persistent/1001/ccache/] is [cn=ccache,cn=1001,cn=persistent,cn=kcm]
(2021-05-10 17:09:47): [kcm] [sss_sec_new_req] (0x1000): Local DB path is persistent/1001/ccache/
(2021-05-10 17:09:47): [kcm] [secdb_container_url_req] (0x2000): Created request for URL /kcm/persistent/1001/ccache/
(2021-05-10 17:09:47): [kcm] [sss_sec_list] (0x0400): Listing keys at [persistent/1001/ccache/]
(2021-05-10 17:09:47): [kcm] [sss_sec_list] (0x2000): Searching for [(|(type=simple)(type=binary))] at [cn=ccache,cn=1001,cn=persistent,cn=kcm] with scope=subtree
(2021-05-10 17:09:47): [kcm] [local_dn_to_path] (0x2000): Secrets path for [cn=5005e896-bdfb-4116-8a11-eedacad1fa5b-1001,cn=ccache,cn=1001,cn=persistent,cn=kcm] is [5005e896-bdfb-4116-8a11-eedacad1fa5b-1001]
(2021-05-10 17:09:47): [kcm] [sss_sec_list] (0x1000): Returning 1 secrets
(2021-05-10 17:09:47): [kcm] [ccdb_secdb_list_send] (0x2000): Found 1 ccaches
(2021-05-10 17:09:47): [kcm] [ccdb_secdb_list_send] (0x2000): Listing all caches done
(2021-05-10 17:09:47): [kcm] [ccdb_secdb_name_by_uuid_send] (0x2000): Translating UUID to name
(2021-05-10 17:09:47): [kcm] [sss_sec_map_path] (0x1000): Mapping prefix /kcm/
(2021-05-10 17:09:47): [kcm] [kcm_map_url_to_path] (0x1000): User-specific KCM path is [/kcm/persistent/1001/ccache/]
(2021-05-10 17:09:47): [kcm] [local_db_dn] (0x2000): Local path for [persistent/1001/ccache/] is [cn=ccache,cn=1001,cn=persistent,cn=kcm]
(2021-05-10 17:09:47): [kcm] [sss_sec_new_req] (0x1000): Local DB path is persistent/1001/ccache/
(2021-05-10 17:09:47): [kcm] [secdb_container_url_req] (0x2000): Created request for URL /kcm/persistent/1001/ccache/
(2021-05-10 17:09:47): [kcm] [sss_sec_list] (0x0400): Listing keys at [persistent/1001/ccache/]
(2021-05-10 17:09:47): [kcm] [sss_sec_list] (0x2000): Searching for [(|(type=simple)(type=binary))] at [cn=ccache,cn=1001,cn=persistent,cn=kcm] with scope=subtree
(2021-05-10 17:09:47): [kcm] [local_dn_to_path] (0x2000): Secrets path for [cn=5005e896-bdfb-4116-8a11-eedacad1fa5b-1001,cn=ccache,cn=1001,cn=persistent,cn=kcm] is [5005e896-bdfb-4116-8a11-eedacad1fa5b-1001]
(2021-05-10 17:09:47): [kcm] [sss_sec_list] (0x1000): Returning 1 secrets
(2021-05-10 17:09:47): [kcm] [key_by_uuid] (0x2000): Found key 5005e896-bdfb-4116-8a11-eedacad1fa5b-1001
(2021-05-10 17:09:47): [kcm] [ccdb_secdb_name_by_uuid_send] (0x2000): Got ccache by UUID
(2021-05-10 17:09:47): [kcm] [kcm_op_get_default_ccache_reply_step] (0x2000): The default ccache is 1001
(2021-05-10 17:09:47): [kcm] [kcm_cmd_done] (0x0400): KCM operation GET_DEFAULT_CACHE returned [0]: Success
(2021-05-10 17:09:47): [kcm] [kcm_send_reply] (0x2000): Sending a reply
(2021-05-10 17:09:47): [kcm] [kcm_output_construct] (0x1000): Sending a reply with 9 bytes of payload
(2021-05-10 17:09:47): [kcm] [queue_removal_cb] (0x0200): Removed queue for 1001
(2021-05-10 17:09:47): [kcm] [kcm_send] (0x2000): All data sent!
(2021-05-10 17:09:47): [kcm] [kcm_input_parse] (0x1000): Received message with length 9
(2021-05-10 17:09:47): [kcm] [kcm_get_opt] (0x2000): The client requested operation 8
(2021-05-10 17:09:47): [kcm] [kcm_cmd_send] (0x0400): KCM operation GET_PRINCIPAL
(2021-05-10 17:09:47): [kcm] [kcm_cmd_send] (0x1000): 5 bytes on KCM input
(2021-05-10 17:09:47): [kcm] [kcm_op_queue_send] (0x0200): Adding request by 1001 to the wait queue
(2021-05-10 17:09:47): [kcm] [kcm_op_queue_get] (0x1000): No existing queue for this ID
(2021-05-10 17:09:47): [kcm] [kcm_op_queue_send] (0x1000): Queue was empty, running the request immediately
(2021-05-10 17:09:47): [kcm] [kcm_op_get_principal_send] (0x1000): Requested principal 1001
(2021-05-10 17:09:47): [kcm] [ccdb_secdb_getbyname_send] (0x2000): Getting ccache by name
(2021-05-10 17:09:47): [kcm] [sss_sec_map_path] (0x1000): Mapping prefix /kcm/
(2021-05-10 17:09:47): [kcm] [kcm_map_url_to_path] (0x1000): User-specific KCM path is [/kcm/persistent/1001/ccache/]
(2021-05-10 17:09:47): [kcm] [local_db_dn] (0x2000): Local path for [persistent/1001/ccache/] is [cn=ccache,cn=1001,cn=persistent,cn=kcm]
(2021-05-10 17:09:47): [kcm] [sss_sec_new_req] (0x1000): Local DB path is persistent/1001/ccache/
(2021-05-10 17:09:47): [kcm] [secdb_container_url_req] (0x2000): Created request for URL /kcm/persistent/1001/ccache/
(2021-05-10 17:09:47): [kcm] [sss_sec_list] (0x0400): Listing keys at [persistent/1001/ccache/]
(2021-05-10 17:09:47): [kcm] [sss_sec_list] (0x2000): Searching for [(|(type=simple)(type=binary))] at [cn=ccache,cn=1001,cn=persistent,cn=kcm] with scope=subtree
(2021-05-10 17:09:47): [kcm] [local_dn_to_path] (0x2000): Secrets path for [cn=5005e896-bdfb-4116-8a11-eedacad1fa5b-1001,cn=ccache,cn=1001,cn=persistent,cn=kcm] is [5005e896-bdfb-4116-8a11-eedacad1fa5b-1001]
(2021-05-10 17:09:47): [kcm] [sss_sec_list] (0x1000): Returning 1 secrets
(2021-05-10 17:09:47): [kcm] [key_by_name] (0x2000): Found key 5005e896-bdfb-4116-8a11-eedacad1fa5b-1001
(2021-05-10 17:09:47): [kcm] [sss_sec_map_path] (0x1000): Mapping prefix /kcm/
(2021-05-10 17:09:47): [kcm] [kcm_map_url_to_path] (0x1000): User-specific KCM path is [/kcm/persistent/1001/ccache/5005e896-bdfb-4116-8a11-eedacad1fa5b-1001]
(2021-05-10 17:09:47): [kcm] [local_db_dn] (0x2000): Local path for [persistent/1001/ccache/5005e896-bdfb-4116-8a11-eedacad1fa5b-1001] is [cn=5005e896-bdfb-4116-8a11-eedacad1fa5b-1001,cn=ccache,cn=1001,cn=persistent,cn=kcm]
(2021-05-10 17:09:47): [kcm] [sss_sec_new_req] (0x1000): Local DB path is persistent/1001/ccache/5005e896-bdfb-4116-8a11-eedacad1fa5b-1001
(2021-05-10 17:09:47): [kcm] [secdb_cc_url_req] (0x2000): Created request for URL /kcm/persistent/1001/ccache/5005e896-bdfb-4116-8a11-eedacad1fa5b-1001
(2021-05-10 17:09:47): [kcm] [secdb_cc_key_req] (0x2000): Created request for URL /kcm/persistent/1001/ccache/5005e896-bdfb-4116-8a11-eedacad1fa5b-1001
(2021-05-10 17:09:47): [kcm] [sss_sec_get] (0x0400): Retrieving a secret from [persistent/1001/ccache/5005e896-bdfb-4116-8a11-eedacad1fa5b-1001]
(2021-05-10 17:09:47): [kcm] [sss_sec_get] (0x2000): Searching for [(|(type=simple)(type=binary))] at [cn=5005e896-bdfb-4116-8a11-eedacad1fa5b-1001,cn=ccache,cn=1001,cn=persistent,cn=kcm] with scope=base
(2021-05-10 17:09:47): [kcm] [secdb_get_cc] (0x2000): Fetched the ccache
(2021-05-10 17:09:47): [kcm] [ccdb_secdb_getbyname_send] (0x2000): Got ccache by name
(2021-05-10 17:09:47): [kcm] [kcm_cmd_done] (0x0400): KCM operation GET_PRINCIPAL returned [0]: Success
(2021-05-10 17:09:47): [kcm] [kcm_send_reply] (0x2000): Sending a reply
(2021-05-10 17:09:47): [kcm] [kcm_output_construct] (0x1000): Sending a reply with 37 bytes of payload
(2021-05-10 17:09:47): [kcm] [queue_removal_cb] (0x0200): Removed queue for 1001
(2021-05-10 17:09:47): [kcm] [kcm_send] (0x2000): All data sent!
(2021-05-10 17:09:47): [kcm] [kcm_input_parse] (0x1000): Received message with length 9
(2021-05-10 17:09:47): [kcm] [kcm_get_opt] (0x2000): The client requested operation 8
(2021-05-10 17:09:47): [kcm] [kcm_cmd_send] (0x0400): KCM operation GET_PRINCIPAL
(2021-05-10 17:09:47): [kcm] [kcm_cmd_send] (0x1000): 5 bytes on KCM input
(2021-05-10 17:09:47): [kcm] [kcm_op_queue_send] (0x0200): Adding request by 1001 to the wait queue
(2021-05-10 17:09:47): [kcm] [kcm_op_queue_get] (0x1000): No existing queue for this ID
(2021-05-10 17:09:47): [kcm] [kcm_op_queue_send] (0x1000): Queue was empty, running the request immediately
(2021-05-10 17:09:47): [kcm] [kcm_op_get_principal_send] (0x1000): Requested principal 1001
(2021-05-10 17:09:47): [kcm] [ccdb_secdb_getbyname_send] (0x2000): Getting ccache by name
(2021-05-10 17:09:47): [kcm] [sss_sec_map_path] (0x1000): Mapping prefix /kcm/
(2021-05-10 17:09:47): [kcm] [kcm_map_url_to_path] (0x1000): User-specific KCM path is [/kcm/persistent/1001/ccache/]
(2021-05-10 17:09:47): [kcm] [local_db_dn] (0x2000): Local path for [persistent/1001/ccache/] is [cn=ccache,cn=1001,cn=persistent,cn=kcm]
(2021-05-10 17:09:47): [kcm] [sss_sec_new_req] (0x1000): Local DB path is persistent/1001/ccache/
(2021-05-10 17:09:47): [kcm] [secdb_container_url_req] (0x2000): Created request for URL /kcm/persistent/1001/ccache/
(2021-05-10 17:09:47): [kcm] [sss_sec_list] (0x0400): Listing keys at [persistent/1001/ccache/]
(2021-05-10 17:09:47): [kcm] [sss_sec_list] (0x2000): Searching for [(|(type=simple)(type=binary))] at [cn=ccache,cn=1001,cn=persistent,cn=kcm] with scope=subtree
(2021-05-10 17:09:47): [kcm] [local_dn_to_path] (0x2000): Secrets path for [cn=5005e896-bdfb-4116-8a11-eedacad1fa5b-1001,cn=ccache,cn=1001,cn=persistent,cn=kcm] is [5005e896-bdfb-4116-8a11-eedacad1fa5b-1001]
(2021-05-10 17:09:47): [kcm] [sss_sec_list] (0x1000): Returning 1 secrets
(2021-05-10 17:09:47): [kcm] [key_by_name] (0x2000): Found key 5005e896-bdfb-4116-8a11-eedacad1fa5b-1001
(2021-05-10 17:09:47): [kcm] [sss_sec_map_path] (0x1000): Mapping prefix /kcm/
(2021-05-10 17:09:47): [kcm] [kcm_map_url_to_path] (0x1000): User-specific KCM path is [/kcm/persistent/1001/ccache/5005e896-bdfb-4116-8a11-eedacad1fa5b-1001]
(2021-05-10 17:09:47): [kcm] [local_db_dn] (0x2000): Local path for [persistent/1001/ccache/5005e896-bdfb-4116-8a11-eedacad1fa5b-1001] is [cn=5005e896-bdfb-4116-8a11-eedacad1fa5b-1001,cn=ccache,cn=1001,cn=persistent,cn=kcm]
(2021-05-10 17:09:47): [kcm] [sss_sec_new_req] (0x1000): Local DB path is persistent/1001/ccache/5005e896-bdfb-4116-8a11-eedacad1fa5b-1001
(2021-05-10 17:09:47): [kcm] [secdb_cc_url_req] (0x2000): Created request for URL /kcm/persistent/1001/ccache/5005e896-bdfb-4116-8a11-eedacad1fa5b-1001
(2021-05-10 17:09:47): [kcm] [secdb_cc_key_req] (0x2000): Created request for URL /kcm/persistent/1001/ccache/5005e896-bdfb-4116-8a11-eedacad1fa5b-1001
(2021-05-10 17:09:47): [kcm] [sss_sec_get] (0x0400): Retrieving a secret from [persistent/1001/ccache/5005e896-bdfb-4116-8a11-eedacad1fa5b-1001]
(2021-05-10 17:09:47): [kcm] [sss_sec_get] (0x2000): Searching for [(|(type=simple)(type=binary))] at [cn=5005e896-bdfb-4116-8a11-eedacad1fa5b-1001,cn=ccache,cn=1001,cn=persistent,cn=kcm] with scope=base
(2021-05-10 17:09:47): [kcm] [secdb_get_cc] (0x2000): Fetched the ccache
(2021-05-10 17:09:47): [kcm] [ccdb_secdb_getbyname_send] (0x2000): Got ccache by name
(2021-05-10 17:09:47): [kcm] [kcm_cmd_done] (0x0400): KCM operation GET_PRINCIPAL returned [0]: Success
(2021-05-10 17:09:47): [kcm] [kcm_send_reply] (0x2000): Sending a reply
(2021-05-10 17:09:47): [kcm] [kcm_output_construct] (0x1000): Sending a reply with 37 bytes of payload
(2021-05-10 17:09:47): [kcm] [queue_removal_cb] (0x0200): Removed queue for 1001
(2021-05-10 17:09:47): [kcm] [kcm_send] (0x2000): All data sent!
(2021-05-10 17:09:47): [kcm] [kcm_input_parse] (0x1000): Received message with length 9
(2021-05-10 17:09:47): [kcm] [kcm_get_opt] (0x2000): The client requested operation 8
(2021-05-10 17:09:47): [kcm] [kcm_cmd_send] (0x0400): KCM operation GET_PRINCIPAL
(2021-05-10 17:09:47): [kcm] [kcm_cmd_send] (0x1000): 5 bytes on KCM input
(2021-05-10 17:09:47): [kcm] [kcm_op_queue_send] (0x0200): Adding request by 1001 to the wait queue
(2021-05-10 17:09:47): [kcm] [kcm_op_queue_get] (0x1000): No existing queue for this ID
(2021-05-10 17:09:47): [kcm] [kcm_op_queue_send] (0x1000): Queue was empty, running the request immediately
(2021-05-10 17:09:47): [kcm] [kcm_op_get_principal_send] (0x1000): Requested principal 1001
(2021-05-10 17:09:47): [kcm] [ccdb_secdb_getbyname_send] (0x2000): Getting ccache by name
(2021-05-10 17:09:47): [kcm] [sss_sec_map_path] (0x1000): Mapping prefix /kcm/
(2021-05-10 17:09:47): [kcm] [kcm_map_url_to_path] (0x1000): User-specific KCM path is [/kcm/persistent/1001/ccache/]
(2021-05-10 17:09:47): [kcm] [local_db_dn] (0x2000): Local path for [persistent/1001/ccache/] is [cn=ccache,cn=1001,cn=persistent,cn=kcm]
(2021-05-10 17:09:47): [kcm] [sss_sec_new_req] (0x1000): Local DB path is persistent/1001/ccache/
(2021-05-10 17:09:47): [kcm] [secdb_container_url_req] (0x2000): Created request for URL /kcm/persistent/1001/ccache/
(2021-05-10 17:09:47): [kcm] [sss_sec_list] (0x0400): Listing keys at [persistent/1001/ccache/]
(2021-05-10 17:09:47): [kcm] [sss_sec_list] (0x2000): Searching for [(|(type=simple)(type=binary))] at [cn=ccache,cn=1001,cn=persistent,cn=kcm] with scope=subtree
(2021-05-10 17:09:47): [kcm] [local_dn_to_path] (0x2000): Secrets path for [cn=5005e896-bdfb-4116-8a11-eedacad1fa5b-1001,cn=ccache,cn=1001,cn=persistent,cn=kcm] is [5005e896-bdfb-4116-8a11-eedacad1fa5b-1001]
(2021-05-10 17:09:47): [kcm] [sss_sec_list] (0x1000): Returning 1 secrets
(2021-05-10 17:09:47): [kcm] [key_by_name] (0x2000): Found key 5005e896-bdfb-4116-8a11-eedacad1fa5b-1001
(2021-05-10 17:09:47): [kcm] [sss_sec_map_path] (0x1000): Mapping prefix /kcm/
(2021-05-10 17:09:47): [kcm] [kcm_map_url_to_path] (0x1000): User-specific KCM path is [/kcm/persistent/1001/ccache/5005e896-bdfb-4116-8a11-eedacad1fa5b-1001]
(2021-05-10 17:09:47): [kcm] [local_db_dn] (0x2000): Local path for [persistent/1001/ccache/5005e896-bdfb-4116-8a11-eedacad1fa5b-1001] is [cn=5005e896-bdfb-4116-8a11-eedacad1fa5b-1001,cn=ccache,cn=1001,cn=persistent,cn=kcm]
(2021-05-10 17:09:47): [kcm] [sss_sec_new_req] (0x1000): Local DB path is persistent/1001/ccache/5005e896-bdfb-4116-8a11-eedacad1fa5b-1001
(2021-05-10 17:09:47): [kcm] [secdb_cc_url_req] (0x2000): Created request for URL /kcm/persistent/1001/ccache/5005e896-bdfb-4116-8a11-eedacad1fa5b-1001
(2021-05-10 17:09:47): [kcm] [secdb_cc_key_req] (0x2000): Created request for URL /kcm/persistent/1001/ccache/5005e896-bdfb-4116-8a11-eedacad1fa5b-1001
(2021-05-10 17:09:47): [kcm] [sss_sec_get] (0x0400): Retrieving a secret from [persistent/1001/ccache/5005e896-bdfb-4116-8a11-eedacad1fa5b-1001]
(2021-05-10 17:09:47): [kcm] [sss_sec_get] (0x2000): Searching for [(|(type=simple)(type=binary))] at [cn=5005e896-bdfb-4116-8a11-eedacad1fa5b-1001,cn=ccache,cn=1001,cn=persistent,cn=kcm] with scope=base
(2021-05-10 17:09:47): [kcm] [secdb_get_cc] (0x2000): Fetched the ccache
(2021-05-10 17:09:47): [kcm] [ccdb_secdb_getbyname_send] (0x2000): Got ccache by name
(2021-05-10 17:09:47): [kcm] [kcm_cmd_done] (0x0400): KCM operation GET_PRINCIPAL returned [0]: Success
(2021-05-10 17:09:47): [kcm] [kcm_send_reply] (0x2000): Sending a reply
(2021-05-10 17:09:47): [kcm] [kcm_output_construct] (0x1000): Sending a reply with 37 bytes of payload
(2021-05-10 17:09:47): [kcm] [queue_removal_cb] (0x0200): Removed queue for 1001
(2021-05-10 17:09:47): [kcm] [kcm_send] (0x2000): All data sent!
(2021-05-10 17:09:47): [kcm] [kcm_input_parse] (0x1000): Received message with length 132
(2021-05-10 17:09:47): [kcm] [kcm_get_opt] (0x2000): The client requested operation 7
(2021-05-10 17:09:47): [kcm] [kcm_cmd_send] (0x0400): KCM operation RETRIEVE
(2021-05-10 17:09:47): [kcm] [kcm_cmd_send] (0x1000): 128 bytes on KCM input
(2021-05-10 17:09:47): [kcm] [kcm_cmd_send] (0x0020): KCM op RETRIEVE has no handler
(2021-05-10 17:09:47): [kcm] [kcm_cmd_request_done] (0x0040): KCM operation failed [1432158292]: KCM operation not implemented
(2021-05-10 17:09:47): [kcm] [kcm_reply_error] (0x0040): KCM operation returns failure [1432158292]: KCM operation not implemented
(2021-05-10 17:09:47): [kcm] [kcm_failbuf_construct] (0x1000): Sent reply with error -1765328137
(2021-05-10 17:09:47): [kcm] [kcm_send] (0x2000): All data sent!
(2021-05-10 17:09:47): [kcm] [kcm_recv] (0x4000): Client closed connection.
(2021-05-10 17:09:47): [kcm] [client_close_fn] (0x2000): Terminated client [0x56377e20ead0][14]
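To make a sssd-kcm debug log like the one above quicker to triage, here is an added Python example (not part of this thread, and not SSSD's own code) that groups the debug lines into per-request records, checks that each "Received message with length" agrees with the "bytes on KCM input" that follows, and flags operations the daemon rejected with "has no handler". The 4-byte request header (protocol major/minor version plus a 16-bit opcode) is my assumption, consistent with the 4/0, 9/5 and 132/128 pairs in the log; the sample lines are a constructed excerpt of the log quoted in the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a trimmed excerpt of the sssd-kcm debug log quoted in this
# thread, keeping one successful GET_DEFAULT_CACHE and the failing RETRIEVE.
SAMPLE_LOG = """\
(2021-05-10 17:09:47): [kcm] [kcm_input_parse] (0x1000): Received message with length 4
(2021-05-10 17:09:47): [kcm] [kcm_get_opt] (0x2000): The client requested operation 20
(2021-05-10 17:09:47): [kcm] [kcm_cmd_send] (0x0400): KCM operation GET_DEFAULT_CACHE
(2021-05-10 17:09:47): [kcm] [kcm_cmd_send] (0x1000): 0 bytes on KCM input
(2021-05-10 17:09:47): [kcm] [kcm_cmd_done] (0x0400): KCM operation GET_DEFAULT_CACHE returned [0]: Success
(2021-05-10 17:09:47): [kcm] [kcm_input_parse] (0x1000): Received message with length 132
(2021-05-10 17:09:47): [kcm] [kcm_get_opt] (0x2000): The client requested operation 7
(2021-05-10 17:09:47): [kcm] [kcm_cmd_send] (0x0400): KCM operation RETRIEVE
(2021-05-10 17:09:47): [kcm] [kcm_cmd_send] (0x1000): 128 bytes on KCM input
(2021-05-10 17:09:47): [kcm] [kcm_cmd_send] (0x0020): KCM op RETRIEVE has no handler
(2021-05-10 17:09:47): [kcm] [kcm_reply_error] (0x0040): KCM operation returns failure [1432158292]: KCM operation not implemented
(2021-05-10 17:09:47): [kcm] [kcm_failbuf_construct] (0x1000): Sent reply with error -1765328137
"""

# Assumption: every KCM request carries a 4-byte header (protocol major and
# minor version, 16-bit opcode), so "Received message with length N" should be
# exactly 4 more than the "N bytes on KCM input" logged for the same request.
KCM_HEADER_LEN = 4

# "(timestamp): [kcm] [function] (level): message"
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\): \[kcm\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)


@dataclass
class KcmRequest:
    """One client request reconstructed from consecutive sssd-kcm debug lines."""
    timestamp: str
    msg_len: int
    opcode: Optional[int] = None
    op: Optional[str] = None
    input_bytes: Optional[int] = None
    handler_missing: bool = False
    sssd_error: Optional[int] = None   # the [N] in "returned [N]" / "failure [N]"
    status: str = ""
    krb5_error: Optional[int] = None   # the N in "Sent reply with error N"

    def payload_matches_header(self) -> bool:
        """True when the framed length equals header plus logged payload size."""
        return (self.input_bytes is not None
                and self.msg_len == KCM_HEADER_LEN + self.input_bytes)


def parse_kcm_log(text: str) -> List[KcmRequest]:
    """Group debug lines into requests; a new request starts at kcm_input_parse."""
    requests: List[KcmRequest] = []
    cur: Optional[KcmRequest] = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # SELinux notices and other unprefixed lines are skipped
        func, msg = m["func"], m["msg"]
        if func == "kcm_input_parse":
            lm = re.match(r"Received message with length (\d+)$", msg)
            if lm:
                cur = KcmRequest(timestamp=m["ts"], msg_len=int(lm[1]))
                requests.append(cur)
            continue
        if cur is None:
            continue
        if func == "kcm_get_opt":
            om = re.match(r"The client requested operation (\d+)$", msg)
            if om:
                cur.opcode = int(om[1])
        elif func == "kcm_cmd_send":
            nm = re.match(r"KCM operation (\S+)$", msg)
            bm = re.match(r"(\d+) bytes on KCM input$", msg)
            if nm:
                cur.op = nm[1]
            elif bm:
                cur.input_bytes = int(bm[1])
            elif msg.endswith("has no handler"):
                cur.handler_missing = True
        elif func in ("kcm_cmd_done", "kcm_reply_error"):
            rm = re.search(r"\[(-?\d+)\]: (.*)$", msg)
            if rm:
                cur.sssd_error, cur.status = int(rm[1]), rm[2]
        elif func == "kcm_failbuf_construct":
            fm = re.match(r"Sent reply with error (-?\d+)$", msg)
            if fm:
                cur.krb5_error = int(fm[1])
    return requests


def unimplemented_ops(requests: List[KcmRequest]) -> List[Tuple[str, int]]:
    """(name, opcode) of operations the daemon rejected for lack of a handler."""
    return [(r.op or "?", -1 if r.opcode is None else r.opcode)
            for r in requests if r.handler_missing]


if __name__ == "__main__":
    reqs = parse_kcm_log(SAMPLE_LOG)
    for r in reqs:
        print(f"{r.timestamp} op={r.op}({r.opcode}) input={r.input_bytes}B "
              f"framing_ok={r.payload_matches_header()} -> {r.status or 'no reply seen'}")
    print("unimplemented:", unimplemented_ops(reqs))
```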
Joakim Tjernlund
2021-05-10 16:01:27 UTC
- ssh from non sssd/krb machine to new sssd machine, entered password
~ $ klist
Ticket cache: KCM:1001
Valid starting Expires Service principal
renew until 17/05/21 16:47:32
~ $ ksu
ksu: Ccache function not supported: not implemented while selecting the best principal
I also have mit-krb5 master installed.
Did I miss something?
https://github.com/krb5/krb5/commit/795ebba8c039be172ab93cd41105c73ffdba0fdb
but RETRIEVE is not implemented in sssd-kcm. Kerberos should fall back to
its own function that was used before this commit.
hmm, not sure what to do here, downgrade mit-krb5? Then I don't get the new KCM feature.
The trace didn't help any? Here is a ssh trace in case that helps:

KRB5_TRACE=/dev/stdout ssh devsrv
[7615] 1620662408.437070: ccselect module realm chose cache KCM:1001 with client principal ***@INFINERA.COM for server principal host/***@INFINERA.COM
[7615] 1620662408.437071: Getting credentials ***@INFINERA.COM -> host/***@INFINERA.COM using ccache KCM:1001
[7615] 1620662408.437072: Retrieving ***@INFINERA.COM -> krb5_ccache_conf_data/***@X-CACHECONF: from KCM:1001 with result: -1765328137/Ccache function not supported: not implemented
[7615] 1620662408.437073: Retrieving ***@INFINERA.COM -> host/***@INFINERA.COM from KCM:1001 with result: -1765328137/Ccache function not supported: not implemented
[7615] 1620662408.437079: ccselect module realm chose cache KCM:1001 with client principal ***@INFINERA.COM for server principal host/***@INFINERA.COM
[7615] 1620662408.437080: Getting credentials ***@INFINERA.COM -> host/***@INFINERA.COM using ccache KCM:1001
[7615] 1620662408.437081: Retrieving ***@INFINERA.COM -> krb5_ccache_conf_data/***@X-CACHECONF: from KCM:1001 with result: -1765328137/Ccache function not supported: not implemented
[7615] 1620662408.437082: Retrieving ***@INFINERA.COM -> host/***@INFINERA.COM from KCM:1001 with result: -1765328137/Ccache function not supported: not implemented
(***@devsrv) Password:

Jocke

Joakim Tjernlund
2021-05-10 18:10:22 UTC
- ssh from non sssd/krb machine to new sssd machine, entered password
~ $ klist
Ticket cache: KCM:1001
Valid starting Expires Service principal
renew until 17/05/21 16:47:32
~ $ ksu
ksu: Ccache function not supported: not implemented while selecting the best principal
I also have mit-krb5 master installed.
Did I miss something?
https://github.com/krb5/krb5/commit/795ebba8c039be172ab93cd41105c73ffdba0fdb
but RETRIEVE is not implemented in sssd-kcm. Kerberos should fall back to
its own function that was used before this commit.
FYI, reverting that commit makes it work.

Jocke

Pavel Březina
2021-05-11 08:25:45 UTC
Post by Joakim Tjernlund
- ssh from non sssd/krb machine to new sssd machine, entered password
~ $ klist
Ticket cache: KCM:1001
Valid starting Expires Service principal
renew until 17/05/21 16:47:32
~ $ ksu
ksu: Ccache function not supported: not implemented while selecting the best principal
I also have mit-krb5 master installed.
Did I miss something?
https://github.com/krb5/krb5/commit/795ebba8c039be172ab93cd41105c73ffdba0fdb
but RETRIEVE is not implemented in sssd-kcm. Kerberos should fall back to
its own function that was used before this commit.
FYI, reverting that commit makes it work.
Thanks for the information. Please, open a ticket against krb5.
Post by Joakim Tjernlund
Jocke
Joakim Tjernlund
2021-05-11 09:09:03 UTC
Post by Pavel Březina
Post by Joakim Tjernlund
- ssh from non sssd/krb machine to new sssd machine, entered password
~ $ klist
Ticket cache: KCM:1001
Valid starting Expires Service principal
renew until 17/05/21 16:47:32
~ $ ksu
ksu: Ccache function not supported: not implemented while selecting the best principal
I also have mit-krb5 master installed.
Did I miss something?
https://github.com/krb5/krb5/commit/795ebba8c039be172ab93cd41105c73ffdba0fdb
but RETRIEVE is not implemented in sssd-kcm. Kerberos should fall back to
its own function that was used before this commit.
FYI, reverting that commit makes it work.
Thanks for the information. Please, open a ticket against krb5.
Easier said than done. I could not find an issue tracker for mit-krb5, is there one?
Found a bug email list I mailed but not sure it will get through (I am not joining yet another list just to report a bug).

Jocke
Joakim Tjernlund
2021-05-11 09:18:34 UTC
Post by Joakim Tjernlund
Post by Pavel Březina
Post by Joakim Tjernlund
- ssh from non sssd/krb machine to new sssd machine, entered password
~ $ klist
Ticket cache: KCM:1001
Valid starting Expires Service principal
renew until 17/05/21 16:47:32
~ $ ksu
ksu: Ccache function not supported: not implemented while selecting the best principal
I also have mit-krb5 master installed.
Did I miss something?
https://github.com/krb5/krb5/commit/795ebba8c039be172ab93cd41105c73ffdba0fdb
but RETRIEVE is not implemented in sssd-kcm. Kerberos should fall back to
its own function that was used before this commit.
FYI, reverting that commit makes it work.
Thanks for the information. Please, open a ticket against krb5.
Easier said than done. I could not find an issue tracker for mit-krb5, is there one?
Found a bug email list I mailed but not sure it will get through (I am not joining yet another list just to report a bug).
Jocke
Managed to add a comment here:
https://github.com/krb5/krb5/pull/1178