[Freeipa-users] Invalid UID in persistent keyring name while getting default cache. on OEL 7.1

Jakub Hrozek jhrozek at redhat.com
Wed Nov 18 18:28:27 UTC 2015


On Wed, Nov 18, 2015 at 04:34:39PM +0100, Christopher Lamb wrote:
> 
> I have a newly installed OEL 7.1 server (7.0 DVD, then yum updated to 7.1)
> The ipa-client is installed, making this server an ipa host.
> 
> > getent passwd xxxx
> 
> is successful for ipa users.  --> OK
> 
> However I cannot log on to the host with ipa users (direct or ssh). --> NOT OK
> 
> When logged on as root (local user), I can "su -" to my ipa user. --> OK
> 
> "> systemctl status sssd" and "> kinit" both show:
> 
> "Invalid UID in persistent keyring name while getting default cache."
> 
> Having googled with this error, I saw some indications that it could be
> related to the kernel.
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1017683
> https://bugzilla.redhat.com/show_bug.cgi?id=1029110
> 
> For a fresh OEL install, the default kernel is the uek version. "Aha" I
> thought, let's change back to the standard RHEL kernel.
> After a reboot with the RHEL kernel, I was still not able to log in with my
> ipa user.
> 
> I then logged on as root, and changed to my ipa user via su.
> 
> > klist -l
> 
> produced:
> 
> KEYRING:persistent:93397:krb_cache_76B9lf2 (Expired)

I'm surprised you had any ccache at all, because login as root bypasses
PAM.

But in general, if you login with sssd and the cache is expired a long
time ago (1970), that means sssd logged you in offline and the ccache is
a placeholder for when sssd switches to online mode.

> 
> I therefore deleted the key:
> 
> > kdestroy -A
> 
> Then I stopped the sssd service, and cleared the cache in /var/lib/sss/db/,
> then restarted sssd.
> 
> After that I was now able to log on with my ipa user (both direct and via
> ssh).
> 
> However I cannot get any other ipa users to logon to this host!  --> NOT OK
> 
> The same users can successfully logon to other ipa hosts in the same
> domain.
> 
> My ipa user was the one used to enroll the host.
> 
> Any ideas?

Not without logs, see:
    https://fedorahosted.org/sssd/wiki/Troubleshooting
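The two checks Jakub's reply implies (is the ccache marked expired, and is its expiry the 1970 epoch that marks an sssd offline placeholder) and the cache reset Christopher performed, written out as a shell script. This is an added example, not code from either poster or from the sssd or FreeIPA projects. It assumes the column layout MIT Kerberos `klist` and `klist -l` print in the C locale (other locales format the dates differently); the sample outputs are constructed to match the thread, not captured from the affected host, and the function names are my own. The reset function moves the `*.ldb` files aside rather than deleting them so the cache can be inspected or restored; either way it discards the credentials sssd keeps for offline logon, so it should only be run with sssd stopped, as in `reset_sssd_cache_live`, which mirrors the poster's sequence and is not invoked here.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Assumes the MIT Kerberos
# klist output layout in the C locale. All sample text below is constructed.

# Constructed `klist -l` output: one cache in the persistent keyring of
# UID 93397, tagged "(Expired)" by klist, as in the poster's report.
SAMPLE_KLIST_L='Principal name                 Cache name
--------------                 ----------
chris@EXAMPLE.COM              KEYRING:persistent:93397:krb_cache_76B9lf2 (Expired)'

# Constructed `klist` output for an sssd offline placeholder ccache:
# the TGT "expired" at the Unix epoch (the 1970 date Jakub describes).
SAMPLE_KLIST='Ticket cache: KEYRING:persistent:93397:krb_cache_76B9lf2
Default principal: chris@EXAMPLE.COM

Valid starting       Expires              Service principal
01/01/1970 01:00:00  01/01/1970 01:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM'

# Print the name of every cache that `klist -l` (read on stdin) tags as
# expired; the tag is the last whitespace-separated field of the line.
expired_caches() {
    awk '$NF == "(Expired)" { print $(NF-1) }'
}

# Return 0 if the `klist` output on stdin contains a ticket whose "Expires"
# date is 01/01/1970, i.e. the placeholder sssd writes for an offline login.
# Ticket lines have five fields: start date, start time, expiry date,
# expiry time, service principal.
has_epoch_ticket() {
    awk 'NF >= 5 && $3 == "01/01/1970" { found = 1 } END { exit !found }'
}

# Move sssd's on-disk cache (*.ldb files under DB_DIR) into BACKUP_DIR instead
# of deleting it outright. This also drops cached credentials used for offline
# logon. Only run this with sssd stopped (see reset_sssd_cache_live).
reset_sssd_cache() {
    db_dir=$1
    backup_dir=$2
    mkdir -p "$backup_dir"
    for f in "$db_dir"/*.ldb; do
        [ -e "$f" ] || continue
        mv "$f" "$backup_dir"/
    done
}

# Count the .ldb files in a directory (used to verify the move).
count_ldb() {
    n=0
    for f in "$1"/*.ldb; do
        [ -e "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# The live sequence corresponding to what the poster did, for root on the
# affected host: drop the user's ccaches, stop sssd, set the cache aside,
# start sssd. Not invoked in this script.
reset_sssd_cache_live() {
    kdestroy -A
    systemctl stop sssd
    reset_sssd_cache /var/lib/sss/db "/var/lib/sss/db.bak.$(date +%s)"
    systemctl start sssd
}

# Stand-alone demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_KLIST_L" | expired_caches
if printf '%s\n' "$SAMPLE_KLIST" | has_epoch_ticket; then
    echo "epoch-expired ticket found: sssd logged this user in offline"
fi
```

In the live case, run `klist -l` and `klist` as the affected user (the UID in the `KEYRING:persistent:<uid>:` name must match the user the session runs as), and keep the backup directory until logins are confirmed working again.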
