[Freeipa-users] Invalid UID in persistent keyring name while getting default cache. on OEL 7.1

Christopher Lamb christopher.lamb at ch.ibm.com
Thu Nov 19 09:02:14 UTC 2015


Hi Jakub

I have restarted sssd with debug_level=6

Then I made one (failed) attempt to login via ssh with the user "bimbo".

Logs, anonymised, are attached.

To my untrained eyes, nothing shouts "horrible error" to me.

Chris

(See attached file: sssd_logs.zip)




From:	Jakub Hrozek <jhrozek at redhat.com>
To:	freeipa-users at redhat.com
Date:	18.11.2015 19:30
Subject:	Re: [Freeipa-users] Invalid UID in persistent keyring name
            while getting default cache. on OEL 7.1
Sent by:	freeipa-users-bounces at redhat.com



On Wed, Nov 18, 2015 at 04:34:39PM +0100, Christopher Lamb wrote:
>
> I have a newly installed OEL 7.1 server (7.0 DVD, then yum updated to 7.1).
> The ipa-client is installed, making this server an ipa host.
>
>
>
> > getent passwd xxxx
>
> is successful for ipa users.  -->OK
>
> However I cannot log on to the host with ipa users (direct or ssh). --> NOT OK
>
>
>
> When logged on as root (local user), I can “su -” to my ipa user. -->OK
>
>
>
> "> systemctl status sssd" and "> kinit"
>
> both show:
>
> “Invalid UID in persistent keyring name while getting default cache.”
>
>
>
> Having googled with this error, I saw some indications that it could be
> related to the kernel.
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1017683
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1029110
>
>
>
> For a fresh OEL install, the default kernel is the uek version. "Aha" I
> thought, let’s change back to the standard RHEL kernel.
>
> After a reboot with the RHEL kernel, I was still not able to log in with
> my ipa user.
>
>
>
> I then logged on as root, and changed to my ipa user via su.
>
> > klist -l
>
> produced:
>
> KEYRING:persistent:93397:krb_cache_76B9lf2 (Expired)

I'm surprised you had any ccache at all, because login as root bypasses
PAM.

But in general, if you login with sssd and the cache is expired a long
time ago (1970), that means sssd logged you in offline and the ccache is
a placeholder for when sssd switches to online mode.

>
>
>
> I therefore deleted the key:
>
> > kdestroy -A
>
> Then I stopped the sssd service, and cleared the cache in /var/lib/sss/db/,
> then restarted sssd
>
> After that I was now able to log on with my ipa user (both direct and via
> ssh).
>
>
>
> However I cannot get any other ipa users to logon to this host!  --> NOT OK
>
> The same users can successfully logon to other ipa hosts in the same
> domain.
>
>
>
> My ipa user was the one used to enroll the host.
>
>
>
> Any ideas?

Not without logs, see:
    https://fedorahosted.org/sssd/wiki/Troubleshooting

-------------- next part --------------
A non-text attachment was scrubbed...
Name: sssd_logs.zip
Type: application/zip
Size: 13502 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20151119/78593f8e/attachment.zip>