On Thu, Nov 19, 2015 at 11:28:10AM +0100, Christopher Lamb wrote:
> Now it works:
>
> First I edited /etc/login.defs UID_MIN to 500
>
> Then I ran "authconfig --update" to make the change(s) to login.defs
> active.

yes, it is expected that you have to run authconfig after changing the
value in login.defs to update the pam configuration.

bye,
Sumit

> After that, users with uids >=500 were able to log in again.
>
> In our case we have both system users (application) and "long term
> employees, user account predates LDAP" with such low ids.
>
> Chris
>
>
> From: Christopher Lamb/Switzerland/IBM@IBMCH
> To: Sumit Bose <[email protected]>
> Cc: [email protected]
> Date: 19.11.2015 11:20
> Subject: Re: [Freeipa-users] Invalid UID in persistent keyring name while getting default cache. on OEL 7.1
> Sent by: [email protected]
>
> Hi Sumit
>
> Thanks, I too have found /etc/login.defs
>
> https://fedoraproject.org/wiki/Features/1000SystemAccounts
>
> I have changed the UID_MIN to 500, and rebooted, but it seems to have no
> effect.
>
> Reading between the lines in the link above, it looks like this value may
> have to be set pre-install.
>
> Maybe I need to do something else to change the value?
>
> Chris
>
>
> From: Sumit Bose <[email protected]>
> To: Christopher Lamb/Switzerland/IBM@IBMCH
> Cc: Jakub Hrozek <[email protected]>, [email protected]
> Date: 19.11.2015 10:38
> Subject: Re: [Freeipa-users] Invalid UID in persistent keyring name while getting default cache. on OEL 7.1
>
> On Thu, Nov 19, 2015 at 10:25:02AM +0100, Christopher Lamb wrote:
> > Hi
> >
> > The plot thickens. I think I actually have 2 issues:
> >
> > The first issue is that in the title of this thread, and was caused by
> > "the wrong kernel".
> >
> > The second issue, that some ipa users cannot log on (but mine can), is
> > (probably) unrelated.
> >
> > The clue was my point below "no obvious horrible error".
> >
> > That led me to look in /var/log/secure, where I found the following:
> >
> > Nov 19 09:06:59 my-ipahost sshd[6075]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxxxxx.my-domain.xx.domain.com user=bimbo
> > Nov 19 09:06:59 my-ipahost sshd[6075]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "bimbo"
> > Nov 19 09:07:01 my-ipahost sshd[6075]: Failed password for bimbo from 9.164.17.110 port 49332 ssh2
> >
> > Both my user, and an additional test user this morning have uids > 1000,
> > and can successfully log in -->OK
> >
> > The 2 other users I tested with yesterday (one application user, and one
> > real user) have ids < 1000, and therefore (on this host) cannot log on.
> >
> > Now I need to google further to find where this rule is configured /
> > hidden.
>
> The '1000' is written by authconfig into the pam configuration. Afaik
> authconfig uses the UID_MIN from /etc/login.defs here.
>
> HTH
>
> bye,
> Sumit
>
> > Cheers
> >
> > Chris
> >
> >
> > From: Christopher Lamb/Switzerland/IBM@IBMCH
> > To: Jakub Hrozek <[email protected]>
> > Cc: [email protected]
> > Date: 19.11.2015 10:05
> > Subject: Re: [Freeipa-users] Invalid UID in persistent keyring name while getting default cache. on OEL 7.1
> > Sent by: [email protected]
> >
> > Hi Jakub
> >
> > I have restarted sssd with debug_level=6
> >
> > Then I made one (failed) attempt to log in via ssh with the user "bimbo".
> >
> > Logs, anonymised, are attached.
> >
> > To my untrained eyes, nothing shouts "horrible error" to me.
> >
> > Chris
> >
> > (See attached file: sssd_logs.zip)
> >
> >
> > From: Jakub Hrozek <[email protected]>
> > To: [email protected]
> > Date: 18.11.2015 19:30
> > Subject: Re: [Freeipa-users] Invalid UID in persistent keyring name while getting default cache. on OEL 7.1
> > Sent by: [email protected]
> >
> > On Wed, Nov 18, 2015 at 04:34:39PM +0100, Christopher Lamb wrote:
> > > I have a newly installed OEL 7.1 server (7.0 DVD, then yum updated to 7.1)
> > > The ipa-client is installed, making this server an ipa host.
> > >
> > > > getent passwd xxxx
> > >
> > > is successful for ipa users. -->OK
> > >
> > > However I cannot log on to the host with ipa users (direct or ssh). --> NOT OK
> > >
> > > When logged on as root (local user), I can "su -" to my ipa user. -->OK
> > >
> > > "> systemctl status sssd" and "> kinit"
> > >
> > > both show:
> > >
> > > "Invalid UID in persistent keyring name while getting default cache."
> > >
> > > Having googled with this error, I saw some indications that it could be
> > > related to the kernel.
> > >
> > > https://bugzilla.redhat.com/show_bug.cgi?id=1017683
> > > https://bugzilla.redhat.com/show_bug.cgi?id=1029110
> > >
> > > For a fresh OEL install, the default kernel is the uek version. "Aha" I
> > > thought, let's change back to the standard RHEL kernel.
> > > After a reboot with the RHEL kernel, I was still not able to log in with my
> > > ipa user.
> > >
> > > I then logged on as root, and changed to my ipa user via su.
> > >
> > > > klist -l
> > >
> > > produced:
> > >
> > > KEYRING:persistent:93397:krb_cache_76B9lf2 (Expired)
> >
> > I'm surprised you had any ccache at all, because login as root bypasses
> > PAM.
> >
> > But in general, if you login with sssd and the cache is expired a long
> > time ago (1970), that means sssd logged you in offline and the ccache is
> > a placeholder for when sssd switches to online mode.
> >
> > > I therefore deleted the key:
> > >
> > > > kdestroy -A
> > >
> > > Then I stopped the sssd service, and cleared the cache in /var/lib/sss/db/,
> > > then restarted sssd
> > >
> > > After that I was now able to log on with my ipa user (both direct and via
> > > ssh).
> > >
> > > However I cannot get any other ipa users to log on to this host! --> NOT OK
> > > The same users can successfully log on to other ipa hosts in the same
> > > domain.
> > >
> > > My ipa user was the one used to enroll the host.
> > >
> > > Any ideas?
> >
> > Not without logs, see:
> > https://fedorahosted.org/sssd/wiki/Troubleshooting
> >
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project
> >
> > [attachment "sssd_logs.zip" deleted by Christopher Lamb/Switzerland/IBM]
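The mechanism the thread converges on is a pam_succeed_if line that authconfig writes into the system PAM stack with the UID_MIN it reads from /etc/login.defs: a user below that floor never reaches pam_sss, which is exactly the "requirement uid >= 1000 not met" line in /var/log/secure. The following script is an added example, not code from the thread or from authconfig/SSSD. It reproduces that gate against constructed sample files (the pam_succeed_if and pam_sss lines match what authconfig generates on a RHEL 7-family host; the surrounding lines and their exact options are an assumption and vary by version), extracts the floor from the PAM stack and UID_MIN from login.defs, and reports whether the two disagree, which is the state Chris was in after editing login.defs but before running "authconfig --update". The helper names (pam_uid_floor, login_defs_uid_min, sss_reachable, needs_authconfig_update, explain) are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed sample of the auth stack
# authconfig writes to /etc/pam.d/system-auth-ac on a RHEL 7-family host.
# Assumption: exact neighbouring lines differ between authconfig versions;
# only the pam_succeed_if / pam_sss pair matters here.
SAMPLE_PAM='auth        required      pam_env.so
auth        [default=1 success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so'

# Constructed /etc/login.defs excerpt: UID_MIN already lowered to 500 but not
# yet propagated into PAM with "authconfig --update".
SAMPLE_LOGIN_DEFS='# constructed excerpt
UID_MIN                   500
UID_MAX                 60000
SYS_UID_MIN               201'

# pam_uid_floor CONTENTS -> prints N from an "auth ... pam_succeed_if.so uid >= N"
# line, or nothing if the auth stack has no such gate.
pam_uid_floor() {
    printf '%s\n' "$1" | awk '
        $1 == "auth" && index($0, "pam_succeed_if.so") {
            for (i = 2; i < NF; i++)
                if ($i == "uid" && $(i + 1) == ">=") { print $(i + 2); exit }
        }'
}

# login_defs_uid_min CONTENTS -> prints the UID_MIN value (comments ignored).
login_defs_uid_min() {
    printf '%s\n' "$1" | awk '$1 == "UID_MIN" { print $2; exit }'
}

# sss_reachable UID FLOOR -> exit 0 if pam_sss would be consulted for UID.
# pam_succeed_if is "requisite": below the floor the auth stack fails at once,
# so pam_sss (and therefore IPA/Kerberos) is never asked.
sss_reachable() {
    [ "$1" -ge "$2" ]
}

# needs_authconfig_update PAM_CONTENTS LOGIN_DEFS_CONTENTS -> exit 0 when the
# PAM floor and UID_MIN disagree, i.e. login.defs was edited but
# "authconfig --update" has not rewritten the PAM stack yet.
needs_authconfig_update() {
    floor=$(pam_uid_floor "$1")
    min=$(login_defs_uid_min "$2")
    [ -n "$floor" ] && [ -n "$min" ] && [ "$floor" -ne "$min" ]
}

# explain UID PAM_CONTENTS -> one-line verdict for an IPA user with that uid.
# No gate in the stack means every uid reaches pam_sss (floor 0).
explain() {
    uid=$1
    floor=$(pam_uid_floor "$2")
    floor=${floor:-0}
    if sss_reachable "$uid" "$floor"; then
        echo "uid $uid: passes pam_succeed_if (uid >= $floor), pam_sss will authenticate"
    else
        echo "uid $uid: requirement \"uid >= $floor\" not met, login fails before pam_sss"
    fi
}

# Stand-alone demo on the constructed samples.
if needs_authconfig_update "$SAMPLE_PAM" "$SAMPLE_LOGIN_DEFS"; then
    echo "PAM floor $(pam_uid_floor "$SAMPLE_PAM") != UID_MIN $(login_defs_uid_min "$SAMPLE_LOGIN_DEFS"): run authconfig --update"
fi
for u in 93397 1000 999 500 499; do
    explain "$u" "$SAMPLE_PAM"
done
```

On a real host, pass the live files instead of the samples, e.g. `needs_authconfig_update "$(cat /etc/pam.d/system-auth-ac)" "$(cat /etc/login.defs)"`. The floor is there so that the UID range reserved for local and system accounts is never authenticated through sssd; lowering UID_MIN to 500 as in the thread widens the range that pam_sss will handle, so confirm first that no local account in /etc/passwd shares a UID with an IPA user in that range.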
