[Freeipa-users] Invalid UID in persistent keyring name while getting default cache. on OEL 7.1

Sumit Bose sbose at redhat.com
Thu Nov 19 09:38:38 UTC 2015


On Thu, Nov 19, 2015 at 10:25:02AM +0100, Christopher Lamb wrote:
> HI
> 
> The plot thickens. I think I actually have 2 issues:
> 
> The first issue is the one in the title of this thread, and was caused by "the
> wrong kernel".
> 
> The second issue, that some ipa users cannot log on (but mine can), is
> (probably) unrelated.
> 
> The clue was my point below "no obvious horrible error".
> 
> That led me to look in /var/log/secure, where I found the following:
> 
> Nov 19 09:06:59 my-ipahost sshd[6075]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxxxxx.my-domain.xx.domain.com  user=bimbo
> Nov 19 09:06:59 my-ipahost sshd[6075]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "bimbo"
> Nov 19 09:07:01 my-ipahost sshd[6075]: Failed password for bimbo from 9.164.17.110 port 49332 ssh2
> 
> Both my user, and an additional test user this morning have uids > 1000,
> and can successfully login -->OK
> 
> The 2 other users I tested with yesterday (one application user, and one
> real user) have ids < 1000, and therefore (on this host) cannot logon.
> 
> Now I need to google further to find where this rule is configured /
> hidden.

The '1000' is written by authconfig into the pam configuration. Afaik
authconfig uses the UID_MIN from /etc/login.defs here.

HTH

bye,
Sumit

> 
> Cheers
> 
> Chris
> 
> 
> 
> 
> 
> From:	Christopher Lamb/Switzerland/IBM at IBMCH
> To:	Jakub Hrozek <jhrozek at redhat.com>
> Cc:	freeipa-users at redhat.com
> Date:	19.11.2015 10:05
> Subject:	Re: [Freeipa-users] Invalid UID in persistent keyring name
>             while getting default cache. on OEL 7.1
> Sent by:	freeipa-users-bounces at redhat.com
> 
> 
> 
> Hi Jakub
> 
> I have restarted sssd with debug_level=6
> 
> Then I made one (failed) attempt to login via ssh with the user "bimbo".
> 
> Logs, anonymised are attached.
> 
> To my untrained eyes, nothing shouts "horrible error" to me.
> 
> Chris
> 
> (See attached file: sssd_logs.zip)
> 
> From: Jakub Hrozek <jhrozek at redhat.com>
> To: freeipa-users at redhat.com
> Date: 18.11.2015 19:30
> Subject: Re: [Freeipa-users] Invalid UID in persistent keyring name while
> getting default cache. on OEL 7.1
> Sent by: freeipa-users-bounces at redhat.com
> 
> 
> 
> On Wed, Nov 18, 2015 at 04:34:39PM +0100, Christopher Lamb wrote:
> >
> > I have a newly installed OEL 7.1 server (7.0 DVD, then yum updated to 7.1)
> > The ipa-client is installed, making this server an ipa host.
> >
> > > getent passwd xxxx
> >
> > is successful for ipa users.  -->OK
> >
> > However I cannot log on to the host with ipa users (direct or ssh). --> NOT OK
> >
> > When logged on as root (local user), I can “su -” to my ipa user. -->OK
> >
> > "> systemctl status sssd" and "> kinit"
> > both show:
> > “Invalid UID in persistent keyring name while getting default cache.”
> >
> > Having googled with this error, I saw some indications that it could be
> > related to the kernel.
> > https://bugzilla.redhat.com/show_bug.cgi?id=1017683
> > https://bugzilla.redhat.com/show_bug.cgi?id=1029110
> >
> > For a fresh OEL install, the default kernel is the uek version. "Aha" I
> > thought, let’s change back to the standard RHEL kernel.
> > After a reboot with the RHEL kernel, I was still not able to log in with my
> > ipa user.
> >
> > I then logged on as root, and changed to my ipa user via su.
> > > klist -l
> > produced:
> > KEYRING:persistent:93397:krb_cache_76B9lf2 (Expired)
> 
> I'm surprised you had any ccache at all, because login as root bypasses
> PAM.
> 
> But in general, if you login with sssd and the cache is expired a long
> time ago (1970), that means sssd logged you in offline and the ccache is
> a placeholder for when sssd switches to online mode.
> 
> >
> > I therefore deleted the key:
> > > kdestroy -A
> > Then I stopped the sssd service, and cleared the cache in /var/lib/sss/db/,
> > then restarted sssd
> >
> > After that I was now able to log on with my ipa user (both direct and via
> > ssh).
> >
> > However I cannot get any other ipa users to logon to this host!  --> NOT OK
> > The same users can successfully logon to other ipa hosts in the same
> > domain.
> >
> > My ipa user was the one used to enroll the host.
> >
> > Any ideas?
> 
> Not without logs, see:
>    https://fedorahosted.org/sssd/wiki/Troubleshooting
> 
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
> 
> 




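An added example, not part of the thread and not code from FreeIPA, SSSD or authconfig, that reproduces the gate Sumit points at: on RHEL 7 / OEL 7 the auth stack authconfig writes contains a "requisite pam_succeed_if.so uid >= N" line in front of pam_sss.so, with N taken from UID_MIN in /etc/login.defs, so an IPA user whose UID is below N fails in pam_unix (no local account) and is then stopped by pam_succeed_if before SSSD is ever consulted. The login.defs fragment, the auth stack, the /var/log/secure lines and the users chris (UID 93397), bimbo (500) and appsvc (400) are all constructed sample data written to a temp directory so the script runs offline; on a real host the files to read are /etc/login.defs and /etc/pam.d/system-auth (and password-auth).

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA/SSSD/authconfig.
# It reproduces the gate Chris hit: authconfig writes a "requisite
# pam_succeed_if.so uid >= N" line into the auth stack, with N taken from
# UID_MIN in /etc/login.defs, so users below N never reach pam_sss.so.
# Everything below is constructed sample data in a temp dir; the real files
# are /etc/login.defs and /etc/pam.d/system-auth (or password-auth).

EX_DIR=$(mktemp -d)
trap 'rm -rf "$EX_DIR"' EXIT

# Constructed /etc/login.defs fragment (values are the RHEL 7 defaults).
cat > "$EX_DIR/login.defs" <<'EOF'
# Min/max values for automatic uid selection in useradd
UID_MIN                  1000
UID_MAX                 60000
EOF

# Constructed auth section in the shape authconfig --enablesssd produces.
cat > "$EX_DIR/system-auth" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
EOF

# Constructed /var/log/secure lines, modelled on the ones quoted in the thread.
cat > "$EX_DIR/secure" <<'EOF'
Nov 19 09:06:59 my-ipahost sshd[6075]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=client.example.com  user=bimbo
Nov 19 09:06:59 my-ipahost sshd[6075]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "bimbo"
Nov 19 09:07:01 my-ipahost sshd[6075]: Failed password for bimbo from 192.0.2.10 port 49332 ssh2
Nov 19 09:10:12 my-ipahost sshd[6102]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "appsvc"
Nov 19 09:12:40 my-ipahost sshd[6130]: Accepted password for chris from 192.0.2.10 port 49340 ssh2
EOF

# uid_min_from_login_defs FILE -> prints UID_MIN (the value authconfig copies)
uid_min_from_login_defs() {
    awk '$1 == "UID_MIN" { print $2; exit }' "$1"
}

# pam_uid_threshold FILE -> prints N from the first "pam_succeed_if.so ... uid >= N"
pam_uid_threshold() {
    awk '/pam_succeed_if\.so/ {
             for (i = 1; i <= NF; i++)
                 if ($i == "uid" && $(i + 1) == ">=") { print $(i + 2); exit }
         }' "$1"
}

# sss_auth_reachable USER UID CONF -> exit 0 if a login for UID gets past the
# requisite pam_succeed_if line to pam_sss.so, exit 1 (printing the same
# message sshd logs to /var/log/secure) if it is stopped there. pam_unix is
# assumed to have already failed, as it does for an IPA user with no local
# account.
sss_auth_reachable() {
    n=$(pam_uid_threshold "$3")
    if [ "$2" -ge "$n" ]; then
        return 0
    fi
    printf 'pam_succeed_if(sshd:auth): requirement "uid >= %s" not met by user "%s"\n' "$n" "$1" >&2
    return 1
}

# blocked_users_from_secure LOG -> unique users whose ssh auth was cut off by
# the pam_succeed_if UID requirement (quick triage over /var/log/secure)
blocked_users_from_secure() {
    sed -n 's/.*pam_succeed_if(sshd:auth): requirement "uid >= [0-9]*" not met by user "\([^"]*\)".*/\1/p' "$1" | sort -u
}

# Stand-alone run: compare UID_MIN with the threshold actually in the stack,
# then classify the constructed users (UIDs chosen on either side of 1000).
printf 'UID_MIN=%s pam threshold=%s\n' \
    "$(uid_min_from_login_defs "$EX_DIR/login.defs")" \
    "$(pam_uid_threshold "$EX_DIR/system-auth")"
for entry in chris:93397 bimbo:500 appsvc:400; do
    u=${entry%%:*}; id=${entry##*:}
    if sss_auth_reachable "$u" "$id" "$EX_DIR/system-auth" 2>/dev/null; then
        echo "$u ($id): reaches pam_sss.so"
    else
        echo "$u ($id): stopped by pam_succeed_if"
    fi
done
echo "users blocked in secure log: $(blocked_users_from_secure "$EX_DIR/secure" | tr '\n' ' ')"
```

The point of comparing the two numbers is that the threshold in the PAM stack is a copy of UID_MIN made when authconfig last ran, not a live lookup, so on a real host the two can disagree; and because the pam_succeed_if line is requisite, a user below it gets "Failed password" without pam_sss.so ever being asked, which is why the sssd debug logs Chris collected show nothing alarming.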