<html><body>Hi Jakub I have restarted sssd with debug_level=6 Then I made one (failed) attempt to login via ssh with the user "bimbo". Logs, anonymised are attached. To my untrained eyes, nothing shouts "horrible error" to me. Chris (See attached file: sssd_logs.zip) <img width="16" height="16" src="cid:2__=8FBBF591DFA2DFDF8f9e8a93df938690918c8FB@" border="0" alt="Inactive hide details for Jakub Hrozek ---18.11.2015 19:30:29---On Wed, Nov 18, 2015 at 04:34:39PM +0100, Christopher Lamb wrot">Jakub Hrozek ---18.11.2015 19:30:29---On Wed, Nov 18, 2015 at 04:34:39PM +0100, Christopher Lamb wrote: > From: Jakub Hrozek <jhrozek@redhat.com> To: freeipa-users@redhat.com Date: 18.11.2015 19:30 Subject: Re: [Freeipa-users] Invalid UID in persistent keyring name while getting default cache. on OEL 7.1 Sent by: freeipa-users-bounces@redhat.com <hr width="100%" size="2" align="left" noshade style="color:#8091A5; "> <tt>On Wed, Nov 18, 2015 at 04:34:39PM +0100, Christopher Lamb wrote: > > I have a newly installed OEL 7.1 server (7.0 DVD, then yum updated to 7.1) > The ipa-client is installed, making this server an ipa host. > > > > > getent passwd xxxx > > is successful for ipa users. -->OK > > However I cannot log on to the host with ipa users (direct or ssh). -->NOT > > OK > > > > When logged on as root (local user), I can “su -“ to my ipa user. -->OK > > > > "> systemctl status sssd" and "> kinit" > > both show: > > “Invalid UID in persistent keyring name while getting default cache.” > > > > Having googled with this error, I saw some indications that it could be > > related to the kernel. > > </tt><tt><a href="https://bugzilla.redhat.com/show_bug.cgi?id=1017683">https://bugzilla.redhat.com/show_bug.cgi?id=1017683</a></tt><tt> > > </tt><tt><a href="https://bugzilla.redhat.com/show_bug.cgi?id=1029110">https://bugzilla.redhat.com/show_bug.cgi?id=1029110</a></tt><tt> > > > > For a fresh OEL install, the default kernel is the uek version. "Aha" I > > thought, let’s change back to the standard RHEL kernel. > > After a reboot with the RHEL kernel, I was still not able to log in with my > > ipa user. > > > > I then logged on as root, and changed to my ipa user via su. > > > klist -l > > produced: > > KEYRING:persistent:93397:krb_cache_76B9lf2 (Expired) I'm surprised you had any ccache at all, because login as root bypasses PAM. But in general, if you login with sssd and the cache is expired a long time ago (1970), that means sssd logged you in offline and the ccache is a placeholder for when sssd switches to online mode. > > > > I therefore deleted the key: > > > kdestroy -A > > Then I stopped the sssd service, and cleared the cache in /var/lib/sss/db/, > > then restarted sssd > > > > After that I was now able to log on with my ipa user (both direct and via > > ssh). > > > > However I cannot get any other ipa users to logon to this host! --> NOT OK > > The same users can successfully logon to other ipa hosts in the same > > domain. > > > > My ipa user was the one used to enroll the host. > > > > Any ideas? Not without logs, see: </tt><tt><a href="https://fedorahosted.org/sssd/wiki/Troubleshooting">https://fedorahosted.org/sssd/wiki/Troubleshooting</a></tt><tt> -- Manage your subscription for the Freeipa-users mailing list: </tt><tt><a href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></tt><tt> Go to </tt><tt><a href="http://freeipa.org">http://freeipa.org</a></tt><tt> for more info on the project</tt> </body></html>