On Thu, Nov 19, 2015 at 10:25:02AM +0100, Christopher Lamb wrote:
> Hi
>
> The plot thickens. I think I actually have 2 issues:
>
> The first issue is the one in the title of this thread, and was caused by "the
> wrong kernel".
>
> The second issue, that some ipa users cannot log on (but mine can), is
> (probably) unrelated.
>
> The clue was my point below "no obvious horrible error".
>
> That led me to look in /var/log/secure, where I found the following:
>
> Nov 19 09:06:59 my-ipahost sshd[6075]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=xxxxxx.my-domain.xx.domain.com user=bimbo
> Nov 19 09:06:59 my-ipahost sshd[6075]: pam_succeed_if(sshd:auth):
> requirement "uid >= 1000" not met by user "bimbo"
> Nov 19 09:07:01 my-ipahost sshd[6075]: Failed password for bimbo from
> 9.164.17.110 port 49332 ssh2
>
> Both my user, and an additional test user this morning have uids > 1000,
> and can successfully log in -->OK
>
> The 2 other users I tested with yesterday (one application user, and one
> real user) have ids < 1000, and therefore (on this host) cannot log on.
>
> Now I need to google further to find where this rule is configured /
> hidden.
The '1000' is written by authconfig into the pam configuration. Afaik
authconfig uses the UID_MIN from /etc/login.defs here.

HTH

bye,
Sumit

>
> Cheers
>
> Chris
>
>
> From: Christopher Lamb/Switzerland/IBM@IBMCH
> To: Jakub Hrozek <[email protected]>
> Cc: [email protected]
> Date: 19.11.2015 10:05
> Subject: Re: [Freeipa-users] Invalid UID in persistent keyring name
> while getting default cache. on OEL 7.1
> Sent by: [email protected]
>
> Hi Jakub
>
> I have restarted sssd with debug_level=6
>
> Then I made one (failed) attempt to log in via ssh with the user "bimbo".
>
> Logs, anonymised, are attached.
>
> To my untrained eyes, nothing shouts "horrible error" to me.
>
> Chris
>
> (See attached file: sssd_logs.zip)
>
>
> From: Jakub Hrozek <[email protected]>
> To: [email protected]
> Date: 18.11.2015 19:30
> Subject: Re: [Freeipa-users] Invalid UID in persistent keyring name while
> getting default cache. on OEL 7.1
> Sent by: [email protected]
>
> > On Wed, Nov 18, 2015 at 04:34:39PM +0100, Christopher Lamb wrote:
> > > > I have a newly installed OEL 7.1 server (7.0 DVD, then yum updated to
> > > > 7.1). The ipa-client is installed, making this server an ipa host.
> > > >
> > > > > getent passwd xxxx
> > > > is successful for ipa users. -->OK
> > > > However I cannot log on to the host with ipa users (direct or ssh). -->
> > > > NOT OK
> > > >
> > > > When logged on as root (local user), I can “su -“ to my ipa user. -->OK
> > > >
> > > > "> systemctl status sssd" and "> kinit"
> > > > both show:
> > > > “Invalid UID in persistent keyring name while getting default cache.”
> > > >
> > > > Having googled with this error, I saw some indications that it could be
> > > > related to the kernel.
> > > > https://bugzilla.redhat.com/show_bug.cgi?id=1017683
> > > > https://bugzilla.redhat.com/show_bug.cgi?id=1029110
> > > >
> > > > For a fresh OEL install, the default kernel is the uek version. "Aha" I
> > > > thought, let’s change back to the standard RHEL kernel.
> > > > After a reboot with the RHEL kernel, I was still not able to log in with
> > > > my ipa user.
> > > >
> > > > I then logged on as root, and changed to my ipa user via su.
> > > > > klist -l
> > > > produced:
> > > > KEYRING:persistent:93397:krb_cache_76B9lf2 (Expired)
> >
> > I'm surprised you had any ccache at all, because login as root bypasses
> > PAM.
> >
> > But in general, if you login with sssd and the cache is expired a long
> > time ago (1970), that means sssd logged you in offline and the ccache is
> > a placeholder for when sssd switches to online mode.
> >
> > > > I therefore deleted the key:
> > > > > kdestroy -A
> > > > Then I stopped the sssd service, and cleared the cache
> > > > in /var/lib/sss/db/, then restarted sssd.
> > > >
> > > > After that I was now able to log on with my ipa user (both direct and via
> > > > ssh).
> > > >
> > > > However I cannot get any other ipa users to log on to this host! --> NOT
> > > > OK
> > > > The same users can successfully log on to other ipa hosts in the same
> > > > domain.
> > > >
> > > > My ipa user was the one used to enroll the host.
> > > >
> > > > Any ideas?
> >
> > Not without logs, see:
> > https://fedorahosted.org/sssd/wiki/Troubleshooting
> >
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project
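An added example, not part of this thread and not code from the SSSD or FreeIPA projects: a small POSIX shell script that pulls the `pam_succeed_if` "uid >=" rejections out of `/var/log/secure`-style lines, reads the threshold back from the PAM stack that authconfig writes, and reads `UID_MIN` from `/etc/login.defs`, so the three can be compared when a user with a low UID is turned away like "bimbo" above. The log lines, the PAM fragment and the login.defs fragment are constructed samples embedded in the script; the host name, IP addresses and the second rejected user are invented.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): diagnose "requirement
# "uid >= N" not met" rejections by comparing the threshold in the PAM stack
# with UID_MIN in login.defs and listing the users that tripped it.
# All inputs below are constructed sample text, not captured from a real host.

# Constructed sample of /var/log/secure lines (two rejected users, one success).
SAMPLE_SECURE='Nov 19 09:06:59 my-ipahost sshd[6075]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=client.example.com user=bimbo
Nov 19 09:06:59 my-ipahost sshd[6075]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "bimbo"
Nov 19 09:07:01 my-ipahost sshd[6075]: Failed password for bimbo from 192.0.2.10 port 49332 ssh2
Nov 19 09:10:12 my-ipahost sshd[6102]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "appsvc"
Nov 19 09:12:40 my-ipahost sshd[6130]: Accepted password for alice from 192.0.2.11 port 49340 ssh2'

# Constructed sample of the auth section of /etc/pam.d/system-auth in the
# style authconfig writes it (the pam_succeed_if line is the one that matters).
SAMPLE_PAM='auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so'

# Constructed sample of the relevant /etc/login.defs lines.
SAMPLE_LOGIN_DEFS='UID_MAX                 60000
UID_MIN                 1000
SYS_UID_MIN               201'

# Print the UID threshold from the first pam_succeed_if "uid >=" rule.
pam_uid_threshold() {
    printf '%s\n' "$1" \
      | sed -n 's/.*pam_succeed_if\.so.*uid >= \([0-9][0-9]*\).*/\1/p' \
      | head -n 1
}

# Print the UID_MIN value from login.defs text.
login_defs_uid_min() {
    printf '%s\n' "$1" | awk '$1 == "UID_MIN" { print $2; exit }'
}

# Print "user threshold" for every user rejected by pam_succeed_if, deduplicated.
pam_rejected_users() {
    printf '%s\n' "$1" \
      | sed -n 's/.*pam_succeed_if([^)]*): requirement "uid >= \([0-9][0-9]*\)" not met by user "\([^"]*\)".*/\2 \1/p' \
      | sort -u
}

# Human-readable summary: where the threshold comes from and who it blocked.
report() {
    thr=$(pam_uid_threshold "$SAMPLE_PAM")
    min=$(login_defs_uid_min "$SAMPLE_LOGIN_DEFS")
    echo "pam_succeed_if threshold: $thr (login.defs UID_MIN: $min)"
    pam_rejected_users "$SAMPLE_SECURE" | while read -r user t; do
        echo "user $user denied at sshd:auth: uid below $t"
    done
}

report
```

On a real host the three samples would be replaced by the contents of `/var/log/secure`, `/etc/pam.d/system-auth` (or `password-auth`, whichever the sshd stack includes) and `/etc/login.defs`. The `pam_succeed_if uid >= UID_MIN` line exists to keep low-UID system accounts from being passed on to `pam_sss`, so the fix for an application account that legitimately needs to log in through SSSD is to give it a UID at or above the threshold rather than to lower the threshold for every account on the host.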
