[Freeipa-users] Invalid UID in persistent keyring name while getting default cache. on OEL 7.1
Sumit Bose
sbose at redhat.com
Thu Nov 19 09:38:38 UTC 2015
On Thu, Nov 19, 2015 at 10:25:02AM +0100, Christopher Lamb wrote:
> HI
>
> The plot thickens. I think I actually have 2 issues:
>
> The first issue is the one in the title of this thread, and was caused by "the
> wrong kernel".
>
> The second issue, that some ipa users cannot log on (but mine can), is
> (probably) unrelated.
>
> The clue was my point below "no obvious horrible error".
>
> That led me to look in /var/log/secure, where I found the following:
>
> Nov 19 09:06:59 my-ipahost sshd[6075]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxxxxx.my-domain.xx.domain.com user=bimbo
> Nov 19 09:06:59 my-ipahost sshd[6075]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "bimbo"
> Nov 19 09:07:01 my-ipahost sshd[6075]: Failed password for bimbo from 9.164.17.110 port 49332 ssh2
>
> Both my user, and an additional test user this morning have uids > 1000,
> and can successfully login -->OK
>
> The 2 other users I tested with yesterday (one application user, and one
> real user) have ids < 1000, and therefore (on this host) cannot logon.
>
> Now I need to google further to find where this rule is configured /
> hidden.
The '1000' is written by authconfig into the pam configuration. Afaik
authconfig uses the UID_MIN from /etc/login.defs here.
HTH
bye,
Sumit
>
> Cheers
>
> Chris
>
> From: Christopher Lamb/Switzerland/IBM at IBMCH
> To: Jakub Hrozek <jhrozek at redhat.com>
> Cc: freeipa-users at redhat.com
> Date: 19.11.2015 10:05
> Subject: Re: [Freeipa-users] Invalid UID in persistent keyring name
> while getting default cache. on OEL 7.1
> Sent by: freeipa-users-bounces at redhat.com
>
> Hi Jakub
>
> I have restarted sssd with debug_level=6
>
> Then I made one (failed) attempt to login via ssh with the user "bimbo".
>
> Logs, anonymised, are attached.
>
> To my untrained eyes, nothing shouts "horrible error" to me.
>
> Chris
>
> (See attached file: sssd_logs.zip)
>
>
> From: Jakub Hrozek <jhrozek at redhat.com>
> To: freeipa-users at redhat.com
> Date: 18.11.2015 19:30
> Subject: Re: [Freeipa-users] Invalid UID in persistent keyring name while
> getting default cache. on OEL 7.1
> Sent by: freeipa-users-bounces at redhat.com
>
> On Wed, Nov 18, 2015 at 04:34:39PM +0100, Christopher Lamb wrote:
> >
> > I have a newly installed OEL 7.1 server (7.0 DVD, then yum updated to 7.1)
> > The ipa-client is installed, making this server an ipa host.
> >
> > > getent passwd xxxx
> >
> > is successful for ipa users. -->OK
> >
> > However I cannot log on to the host with ipa users (direct or ssh). --> NOT OK
> >
> > When logged on as root (local user), I can "su -" to my ipa user. -->OK
> >
> > "> systemctl status sssd" and "> kinit"
> >
> > both show:
> >
> > "Invalid UID in persistent keyring name while getting default cache."
> >
> > Having googled with this error, I saw some indications that it could be
> > related to the kernel.
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=1017683
> > https://bugzilla.redhat.com/show_bug.cgi?id=1029110
> >
> > For a fresh OEL install, the default kernel is the uek version. "Aha" I
> > thought, let's change back to the standard RHEL kernel.
> >
> > After a reboot with the RHEL kernel, I was still not able to log in with my
> > ipa user.
> >
> > I then logged on as root, and changed to my ipa user via su.
> >
> > > klist -l
> >
> > produced:
> >
> > KEYRING:persistent:93397:krb_cache_76B9lf2 (Expired)
>
> I'm surprised you had any ccache at all, because login as root bypasses
> PAM.
>
> But in general, if you login with sssd and the cache is expired a long
> time ago (1970), that means sssd logged you in offline and the ccache is
> a placeholder for when sssd switches to online mode.
>
> >
> > I therefore deleted the key:
> >
> > > kdestroy -A
> >
> > Then I stopped the sssd service, and cleared the cache in /var/lib/sss/db/,
> > then restarted sssd
> >
> > After that I was now able to log on with my ipa user (both direct and via
> > ssh).
> >
> > However I cannot get any other ipa users to logon to this host! --> NOT OK
> >
> > The same users can successfully logon to other ipa hosts in the same
> > domain.
> >
> > My ipa user was the one used to enroll the host.
> >
> > Any ideas?
>
> Not without logs, see:
> https://fedorahosted.org/sssd/wiki/Troubleshooting
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
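The check Sumit describes (authconfig writing a pam_succeed_if "uid >= N" rule, with N taken from UID_MIN in /etc/login.defs) can be reproduced offline. The script below is an added example and not code from the thread or from FreeIPA/SSSD/authconfig; the pam stack, login.defs lines and /var/log/secure line are constructed samples, and the UID 950 is an assumed sub-1000 UID (93397 is the UID from the klist output quoted in the thread). It pulls the threshold out of the pam stack, compares a UID against it, and extracts the rejected user names from secure-log lines of the kind Chris posted.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the pam_succeed_if UID check
# offline. PAM_SAMPLE and LOGIN_DEFS_SAMPLE are constructed samples modelled on
# what authconfig writes on RHEL 7-family systems; on a real host read
# /etc/pam.d/system-auth, /etc/pam.d/password-auth and /etc/login.defs instead.

PAM_SAMPLE='auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so'

LOGIN_DEFS_SAMPLE='UID_MIN                  1000
UID_MAX                 60000
SYS_UID_MIN               201
SYS_UID_MAX               999'

# Constructed /var/log/secure line in the format quoted in the thread.
SECURE_SAMPLE='Nov 19 09:06:59 my-ipahost sshd[6075]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "bimbo"'

# Print the N from the first "pam_succeed_if.so ... uid >= N" line in $1.
pam_uid_threshold() {
    printf '%s\n' "$1" | awk '
        /pam_succeed_if\.so/ {
            for (i = 1; i < NF - 1; i++)
                if ($i == "uid" && $(i + 1) == ">=") { print $(i + 2); exit }
        }'
}

# Print UID_MIN from login.defs text in $1 (the value authconfig copies into
# the pam rule).
login_defs_uid_min() {
    printf '%s\n' "$1" | awk '$1 == "UID_MIN" { print $2; exit }'
}

# Exit 0 if uid $1 satisfies "uid >= $2", 1 otherwise.
uid_passes_pam_rule() {
    [ "$1" -ge "$2" ]
}

# Print the user names pam_succeed_if rejected, one per line, from
# /var/log/secure-style text in $1 (the name is the 4th "-delimited field).
rejected_users() {
    printf '%s\n' "$1" | awk -F'"' '/pam_succeed_if.*requirement .* not met by user/ { print $4 }'
}

# Explain for one UID whether the sample stack would let it through.
check_user() {
    threshold=$(pam_uid_threshold "$PAM_SAMPLE")
    if uid_passes_pam_rule "$1" "$threshold"; then
        echo "uid $1: passes pam_succeed_if (uid >= $threshold)"
    else
        echo "uid $1: rejected, requirement \"uid >= $threshold\" not met"
    fi
}

# 93397 is the UID from the thread's klist output; 950 is an assumed sub-1000 UID.
check_user 93397
check_user 950
echo "UID_MIN in login.defs: $(login_defs_uid_min "$LOGIN_DEFS_SAMPLE")"
echo "users rejected in secure log: $(rejected_users "$SECURE_SAMPLE")"
```

On a real host the equivalent one-liners are `grep pam_succeed_if /etc/pam.d/system-auth /etc/pam.d/password-auth`, `grep '^UID_MIN' /etc/login.defs` and `id -u <user>`; authconfig regenerates the pam files each time it runs, so a hand edit of the threshold does not survive the next run. IPA users whose UID sits below UID_MIN, as with the two users in this thread, are rejected by this rule regardless of whether sssd can authenticate them.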