From 75a5e1c7a80eaa921cb0b0531d685c9c7ed12127 Mon Sep 17 00:00:00 2001 From: Alexey Tikhonov Date: Mon, 14 Jun 2021 21:25:23 +0200 Subject: [PATCH 1/4] krb5_child: reduce log severity in sss_send_pac() in case PAC responder isn't running. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed-by: Pavel Březina Reviewed-by: Sumit Bose --- src/providers/krb5/krb5_child.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c index 713e90f83..4e55d9a37 100644 --- a/src/providers/krb5/krb5_child.c +++ b/src/providers/krb5/krb5_child.c @@ -223,7 +223,10 @@ static errno_t sss_send_pac(krb5_authdata **pac_authdata) ret = sss_pac_make_request(SSS_PAC_ADD_PAC_USER, &sss_data, NULL, NULL, &errnop); - if (ret != NSS_STATUS_SUCCESS || errnop != 0) { + if (ret == NSS_STATUS_UNAVAIL) { + DEBUG(SSSDBG_MINOR_FAILURE, "failed to contact PAC responder\n"); + return EIO; + } else if (ret != NSS_STATUS_SUCCESS || errnop != 0) { DEBUG(SSSDBG_OP_FAILURE, "sss_pac_make_request failed [%d][%d].\n", ret, errnop); return EIO; -- 2.26.3 From 9cfcbe6edc451d7187e0a89a6a5bd7125a10f1c8 Mon Sep 17 00:00:00 2001 From: Alexey Tikhonov Date: Mon, 14 Jun 2021 21:47:52 +0200 Subject: [PATCH 2/4] secrets: reduce log severity in local_db_create() in case entry already exists since this is expected during normal oprations. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed-by: Pavel Březina Reviewed-by: Sumit Bose --- src/util/secrets/secrets.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/util/secrets/secrets.c b/src/util/secrets/secrets.c index 6e99e291d..f12b615f8 100644 --- a/src/util/secrets/secrets.c +++ b/src/util/secrets/secrets.c @@ -476,7 +476,7 @@ static int local_db_create(struct sss_sec_req *req) ret = ldb_add(req->sctx->ldb, msg); if (ret != LDB_SUCCESS) { if (ret == LDB_ERR_ENTRY_ALREADY_EXISTS) { - DEBUG(SSSDBG_OP_FAILURE, + DEBUG(SSSDBG_FUNC_DATA, "Secret %s already exists\n", ldb_dn_get_linearized(msg->dn)); } else { DEBUG(SSSDBG_CRIT_FAILURE, -- 2.26.3 From 32a1fbfb262ea9657fa268f7ce09ef6e942b0829 Mon Sep 17 00:00:00 2001 From: Alexey Tikhonov Date: Mon, 14 Jun 2021 21:56:16 +0200 Subject: [PATCH 3/4] KCM: use SSSDBG_MINOR_FAILURE for ERR_KCM_OP_NOT_IMPLEMENTED MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed-by: Pavel Březina Reviewed-by: Sumit Bose --- src/responder/kcm/kcmsrv_cmd.c | 13 +++++++++---- src/responder/kcm/kcmsrv_ops.c | 2 +- 2 files changed, 10 insertions(+), 5 deletions(-) diff --git a/src/responder/kcm/kcmsrv_cmd.c b/src/responder/kcm/kcmsrv_cmd.c index 3ad17ef43..49518920b 100644 --- a/src/responder/kcm/kcmsrv_cmd.c +++ b/src/responder/kcm/kcmsrv_cmd.c @@ -195,7 +195,7 @@ static errno_t kcm_input_parse(struct kcm_reqbuf *reqbuf, op_io->op = kcm_get_opt(be16toh(opcode_be)); if (op_io->op == NULL) { - DEBUG(SSSDBG_CRIT_FAILURE, + DEBUG(SSSDBG_MINOR_FAILURE, "Did not find a KCM operation handler for the requested opcode\n"); return ERR_KCM_OP_NOT_IMPLEMENTED; } @@ -312,7 +312,8 @@ static void kcm_reply_error(struct cli_ctx *cctx, errno_t ret; krb5_error_code kerr; - DEBUG(SSSDBG_OP_FAILURE, + DEBUG(retcode == ERR_KCM_OP_NOT_IMPLEMENTED ? + SSSDBG_MINOR_FAILURE : SSSDBG_OP_FAILURE, "KCM operation returns failure [%d]: %s\n", retcode, sss_strerror(retcode)); kerr = sss2krb5_error(retcode); @@ -405,8 +406,12 @@ static void kcm_cmd_request_done(struct tevent_req *req) &req_ctx->op_io.reply); talloc_free(req); if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, - "KCM operation failed [%d]: %s\n", ret, sss_strerror(ret)); + if (ret == ERR_KCM_OP_NOT_IMPLEMENTED) { + DEBUG(SSSDBG_MINOR_FAILURE, "%s\n", sss_strerror(ret)); + } else { + DEBUG(SSSDBG_OP_FAILURE, + "KCM operation failed [%d]: %s\n", ret, sss_strerror(ret)); + } kcm_reply_error(req_ctx->cctx, ret, &req_ctx->repbuf); return; } diff --git a/src/responder/kcm/kcmsrv_ops.c b/src/responder/kcm/kcmsrv_ops.c index a8f49cedb..f7f80d850 100644 --- a/src/responder/kcm/kcmsrv_ops.c +++ b/src/responder/kcm/kcmsrv_ops.c @@ -122,7 +122,7 @@ struct tevent_req *kcm_cmd_send(TALLOC_CTX *mem_ctx, } if (op->fn_send == NULL) { - DEBUG(SSSDBG_CRIT_FAILURE, + DEBUG(SSSDBG_MINOR_FAILURE, "KCM op %s has no handler\n", kcm_opt_name(op)); ret = ERR_KCM_OP_NOT_IMPLEMENTED; goto immediate; -- 2.26.3 From 5ead448c859860a4eb57a529a5b85eca1815e73a Mon Sep 17 00:00:00 2001 From: Alexey Tikhonov Date: Mon, 14 Jun 2021 22:04:21 +0200 Subject: [PATCH 4/4] KCM: reduce log severity in sec_get() in case entry not found MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed-by: Pavel Březina Reviewed-by: Sumit Bose --- src/responder/kcm/kcmsrv_ccache_secdb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/responder/kcm/kcmsrv_ccache_secdb.c b/src/responder/kcm/kcmsrv_ccache_secdb.c index 6c8c35b86..4631bfea0 100644 --- a/src/responder/kcm/kcmsrv_ccache_secdb.c +++ b/src/responder/kcm/kcmsrv_ccache_secdb.c @@ -58,7 +58,7 @@ static errno_t sec_get(TALLOC_CTX *mem_ctx, ret = sss_sec_get(tmp_ctx, req, &data, &len, &datatype); if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, + DEBUG(SSSDBG_MINOR_FAILURE, "Cannot retrieve the secret [%d]: %s\n", ret, sss_strerror(ret)); goto done; } -- 2.26.3