[Freeipa-users] Invalid UID in persistent keyring name while getting default cache. on OEL 7.1

Christopher Lamb christopher.lamb at ch.ibm.com
Thu Nov 19 10:17:48 UTC 2015


Hi Sumit

Thanks, I too have found /etc/login.defs

https://fedoraproject.org/wiki/Features/1000SystemAccounts

I have changed the UID_MIN to 500, and rebooted, but it seems to have no
effect.

Reading between the lines in the link above, it looks like this value may
have to be set pre-install.

Maybe I need to do something else to change the value?

Chris


From:	Sumit Bose <sbose at redhat.com>
To:	Christopher Lamb/Switzerland/IBM at IBMCH
Cc:	Jakub Hrozek <jhrozek at redhat.com>, freeipa-users at redhat.com
Date:	19.11.2015 10:38
Subject:	Re: [Freeipa-users] Invalid UID in persistent keyring name
            while getting default cache. on OEL 7.1



On Thu, Nov 19, 2015 at 10:25:02AM +0100, Christopher Lamb wrote:
> HI
>
> The plot thickens. I think I actually have 2 issues:
>
> The first issue is that in the title of this thread, and was caused by
> "the wrong kernel".
>
> The second issue, that some ipa users cannot log on (but mine can), is
> (probably) unrelated.
>
> The clue was my point below "no obvious horrible error".
>
> That led my to look in /var/log/secure, where I found the following:
>
> Nov 19 09:06:59 my-ipahost sshd[6075]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=xxxxxx.my-domain.xx.domain.com  user=bimbo
> Nov 19 09:06:59 my-ipahost sshd[6075]: pam_succeed_if(sshd:auth):
> requirement "uid >= 1000" not met by user "bimbo"
> Nov 19 09:07:01 my-ipahost sshd[6075]: Failed password for bimbo from
> 9.164.17.110 port 49332 ssh2
>
> Both my user, and an additional test user this morning have uids > 1000,
> and can successfully login -->OK
>
> The 2 other users I tested with yesterday (one application user, and one
> real user) have ids < 1000, and therefore (on this host) cannot logon.
>
> Now I need to google further to find where this rule is configured /
> hidden.

The '1000' is written by authconfig into the pam configuration. Afaik
authconfig uses the UID_MIN from /etc/login.defs here.

HTH

bye,
Sumit

>
> Cheers
>
> Chris
>
>
>
>
>
> From:		 Christopher Lamb/Switzerland/IBM at IBMCH
> To:		 Jakub Hrozek <jhrozek at redhat.com>
> Cc:		 freeipa-users at redhat.com
> Date:		 19.11.2015 10:05
> Subject:		 Re: [Freeipa-users] Invalid UID in persistent keyring name
>             while getting default cache. on OEL 7.1
> Sent by:		 freeipa-users-bounces at redhat.com
>
>
>
> Hi Jakub
>
> I have restarted sssd with debug_level=6
>
> Then I made one (failed) attempt to login via ssh with the user "bimbo".
>
> Logs, anonymised are attached.
>
> To my untrained eyes, nothing shouts "horrible error" to me.
>
> Chris
>
> (See attached file: sssd_logs.zip)
>
>
>
> From: Jakub Hrozek <jhrozek at redhat.com>
> To: freeipa-users at redhat.com
> Date: 18.11.2015 19:30
> Subject: Re: [Freeipa-users] Invalid UID in persistent keyring name while
> getting default cache. on OEL 7.1
> Sent by: freeipa-users-bounces at redhat.com
>
>
>
> On Wed, Nov 18, 2015 at 04:34:39PM +0100, Christopher Lamb wrote:
> >
> > I have a newly installed OEL 7.1 server (7.0 DVD, then yum updated to 7.1)
> > The ipa-client is installed, making this server an ipa host.
> >
> > > getent passwd xxxx
> >
> > is successful for ipa users.  -->OK
> >
> > However I cannot log on to the host with ipa users (direct or ssh). --> NOT OK
> >
> > When logged on as root (local user), I can “su -“ to my ipa user. -->OK
> >
> > "> systemctl status sssd" and "> kinit"
> >
> > both show:
> >
> > “Invalid UID in persistent keyring name while getting default cache.”
> >
> > Having googled with this error, I saw some indications that it could be
> > related to the kernel.
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=1017683
> > https://bugzilla.redhat.com/show_bug.cgi?id=1029110
> >
> > For a fresh OEL install, the default kernel is the uek version. "Aha" I
> > thought, let’s change back to the standard RHEL kernel.
> >
> > After a reboot with the RHEL kernel, I was still not able to log in with my
> > ipa user.
> >
> > I then logged on as root, and changed to my ipa user via su.
> >
> > > klist -l
> >
> > produced:
> >
> > KEYRING:persistent:93397:krb_cache_76B9lf2 (Expired)
>
> I'm surprised you had any ccache at all, because login as root bypasses
> PAM.
>
> But in general, if you login with sssd and the cache is expired a long
> time ago (1970), that means sssd logged you in offline and the ccache is
> a placeholder for when sssd switches to online mode.
>
> >
> > I therefore deleted the key:
> >
> > > kdestroy -A
> >
> > Then I stopped the sssd service, and cleared the cache in /var/lib/sss/db/,
> > then restarted sssd
> >
> > After that I was now able to log on with my ipa user (both direct and via
> > ssh).
> >
> > However I cannot get any other ipa users to logon to this host!  --> NOT OK
> >
> > The same users can successfully logon to other ipa hosts in the same
> > domain.
> >
> > My ipa user was the one used to enroll the host.
> >
> > Any ideas?
>
> Not without logs, see:
>    https://fedorahosted.org/sssd/wiki/Troubleshooting
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
>






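The "requirement "uid >= 1000" not met" lines in /var/log/secure above come from the pam_succeed_if rule that authconfig writes into the PAM stacks, as Sumit points out. The following shell script is an added example, not code from the thread or from the authconfig, SSSD or FreeIPA projects: it reads the UID threshold out of a PAM stack file, compares it with UID_MIN in login.defs, and pulls out of a secure log the users the rule rejected. The file contents (the authconfig-style line `auth requisite pam_succeed_if.so uid >= 1000 quiet_success`, the login.defs excerpt, the log excerpt with an extra constructed user `appsvc`), the temporary paths and the function names are all assumptions made for the example so that it runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): audit the pam_succeed_if UID threshold
# that authconfig writes into the PAM stacks, compare it with UID_MIN from
# login.defs, and list the users a secure log shows being rejected by that rule.
# Every input below is a constructed sample; on a real host point the functions
# at /etc/pam.d/system-auth, /etc/pam.d/password-auth, /etc/login.defs and
# /var/log/secure instead.

SAMPLE_PAM_DIR=$(mktemp -d)
SAMPLE_LOGIN_DEFS=$(mktemp)
SAMPLE_SECURE=$(mktemp)
trap 'rm -rf "$SAMPLE_PAM_DIR" "$SAMPLE_LOGIN_DEFS" "$SAMPLE_SECURE"' EXIT

# Constructed PAM stack in the format authconfig generates (assumed layout).
cat > "$SAMPLE_PAM_DIR/system-auth" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
EOF
cp "$SAMPLE_PAM_DIR/system-auth" "$SAMPLE_PAM_DIR/password-auth"

# Constructed login.defs excerpt: UID_MIN already lowered to 500, as in the thread.
cat > "$SAMPLE_LOGIN_DEFS" <<'EOF'
# constructed excerpt of /etc/login.defs
UID_MIN                   500
UID_MAX                  60000
EOF

# Constructed secure-log excerpt: the thread's lines plus one extra user (appsvc).
cat > "$SAMPLE_SECURE" <<'EOF'
Nov 19 09:06:59 my-ipahost sshd[6075]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxxxxx.my-domain.xx.domain.com  user=bimbo
Nov 19 09:06:59 my-ipahost sshd[6075]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "bimbo"
Nov 19 09:07:01 my-ipahost sshd[6075]: Failed password for bimbo from 9.164.17.110 port 49332 ssh2
Nov 19 09:10:12 my-ipahost sshd[6102]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "appsvc"
EOF

# Print the UID threshold(s) that pam_succeed_if enforces in one PAM stack file.
pam_uid_threshold() {
    sed -n 's/.*pam_succeed_if\.so.*uid >= \([0-9][0-9]*\).*/\1/p' "$1" | sort -u
}

# Print UID_MIN from a login.defs file (the value authconfig copies into PAM).
login_defs_uid_min() {
    awk '$1 == "UID_MIN" { print $2 }' "$1"
}

# Print, once each, the users a secure log shows being rejected by the rule.
denied_users() {
    sed -n 's/.*pam_succeed_if(sshd:auth): requirement "uid >= [0-9]*" not met by user "\([^"]*\)".*/\1/p' "$1" | sort -u
}

# Return 0 when the PAM threshold matches UID_MIN, 1 when they have drifted
# apart (the thread's situation: login.defs says 500, PAM still says 1000).
check_threshold() {
    pam=$(pam_uid_threshold "$1")
    defs=$(login_defs_uid_min "$2")
    if [ "$pam" = "$defs" ]; then
        echo "ok: pam_succeed_if uid >= $pam matches UID_MIN $defs ($1)"
        return 0
    fi
    echo "mismatch: $1 enforces uid >= $pam but UID_MIN is $defs"
    return 1
}

# Run the audit over the constructed samples.
for stack in "$SAMPLE_PAM_DIR/system-auth" "$SAMPLE_PAM_DIR/password-auth"; do
    check_threshold "$stack" "$SAMPLE_LOGIN_DEFS" || true
done
echo "users rejected by the pam_succeed_if rule:"
denied_users "$SAMPLE_SECURE"
```

The mismatch branch is the state the thread describes: editing UID_MIN in /etc/login.defs only changes what authconfig will write the next time it runs, while the `uid >= 1000` already in system-auth and password-auth stays in force until authconfig regenerates those files (for example `authconfig --update`) or the line is edited by hand. Because that rule sits before pam_sss in the stack, an IPA user whose UID is below the threshold is rejected on this host before SSSD is ever consulted, which is why the same users log in normally on other IPA hosts.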