I have a newly installed OEL 7.1 server (7.0 DVD, then yum updated to 7.1). The ipa-client is installed, making this server an ipa host.

    > getent passwd xxxx

is successful for ipa users. --> OK

However I cannot log on to the host with ipa users (direct or ssh). --> NOT OK

When logged on as root (local user), I can "su -" to my ipa user. --> OK

"> systemctl status sssd" and "> kinit" both show:

    "Invalid UID in persistent keyring name while getting default cache."

Having googled with this error, I saw some indications that it could be related to the kernel.

https://bugzilla.redhat.com/show_bug.cgi?id=1017683
https://bugzilla.redhat.com/show_bug.cgi?id=1029110

For a fresh OEL install, the default kernel is the uek version. "Aha" I thought, let's change back to the standard RHEL kernel.

After a reboot with the RHEL kernel, I was still not able to log in with my ipa user.

I then logged on as root, and changed to my ipa user via su.

    > klist -l

produced:

    KEYRING:persistent:93397:krb_cache_76B9lf2 (Expired)

I therefore deleted the key:

    > kdestroy -A

Then I stopped the sssd service, cleared the cache in /var/lib/sss/db/, then restarted sssd.

After that I was now able to log on with my ipa user (both direct and via ssh).

However I cannot get any other ipa users to logon to this host! --> NOT OK

The same users can successfully logon to other ipa hosts in the same domain. My ipa user was the one used to enroll the host.

Any ideas?

sssd version = 1.12.2 58.el7_1.18
ipa-client version = 4.1.0 18.0.1.el7_1.4

kernels:
Oracle Linux Server, with Unbreakable Enterprise Kernel 3.8.13-98.5.2.el7uek.x86_64
Oracle Linux Server, with Linux 3.10.0-229.20.1.el7.x86_64
