[Freeipa-users] How to enable krb5_child log

Kees Bakker keesb at ghs.com
Fri Feb 3 08:45:34 UTC 2017


On 02-02-17 17:32, Jakub Hrozek wrote:
> On Thu, Feb 02, 2017 at 05:19:07PM +0100, Kees Bakker wrote:
>> Hi
>>
>> Sorry, I did search wherever I could but I couldn't find it.
>> How do I enable krb5_child debug log? I'm on an Ubuntu
>> system which by default writes an empty /var/log/krb5_child.log
>>
>> Is it a section in /etc/sssd/sssd.conf? Is it in /etc/krb5.conf? What
>> do I have to add where to get logging in krb5_child.log?
> add debug_level= to the [domain] section.

OK. I've done that before with 0x3ff0, but this time I used level 6
(which I read somewhere as being the old method). And now I see
output in krb5_child.log.
Thanks

What's weird, though: on another system I'm doing exactly the same.
Nothing is logged in krb5_child.log.

>
>> BTW. I'm trying to debug a problem that results in
>>   "Invalid UID in persistent keyring"
>> The weird thing is, if I become root (via another ssh login) and
>> then do a "su - user" (the same user with the error), the problem
>> does not show up. Meanwhile that user keeps getting the above
>> error (for klist kdestroy, klist).
> su as root gets automatically authenticated by the pam_rootok.so
> module..
>

Hmm.
I'm not sure if you understood what I was doing:

The "root" way
$ ssh root@xyz.example.com
# su - someuser
$ klist someuser
klist: Credentials cache keyring 'persistent:1013:1013' not found
$ kinit someuser
Password for someuser@EXAMPLE.COM:
The latter seems to be working (I can't finish because I don't have that
password).

Then, at the very same time user "someuser", on his own login, gets this:
$ klist
klist: Invalid UID in persistent keyring name while getting default ccache

One more thing I should mention. It may have an influence. The "someuser"
is a local user in /etc/passwd, _and_ it is a user in IPA, with different UIDs.
Could that trigger the error?
-- 
Kees
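
Added example, not part of the original message or of SSSD: a small Python check that reports, for each [domain/...] section of an sssd.conf, whether debug_level is set there, which is where the reply above says it belongs. The sample configuration and its domain names are constructed placeholders.

```python
import configparser

# Constructed sample sssd.conf; the domain names are placeholders.
SAMPLE_SSSD_CONF = """
[sssd]
services = nss, pam
domains = example.com, lab.example.com

[domain/example.com]
id_provider = ipa
debug_level = 6

[domain/lab.example.com]
id_provider = ipa

[pam]
debug_level = 0x3ff0
"""

def parse_debug_level(raw):
    """Return the value as an int (decimal or 0x-prefixed hex), or None."""
    try:
        return int(raw.strip(), 0)
    except ValueError:
        return None

def audit_domain_debug(conf_text):
    """Map each [domain/NAME] section to its debug_level status."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    report = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue  # the thread's answer concerns the [domain] section only
        raw = cp.get(section, "debug_level", fallback=None)
        if raw is None:
            report[section] = "missing"
        elif parse_debug_level(raw) is None:
            report[section] = "invalid: " + raw
        else:
            report[section] = "set: " + raw.strip()
    return report

if __name__ == "__main__":
    for section, status in audit_domain_debug(SAMPLE_SSSD_CONF).items():
        print(f"{section}: {status}")
```

On a real host, pass the contents of /etc/sssd/sssd.conf to audit_domain_debug(); SSSD reads the file at startup, so a changed debug_level takes effect after the service is restarted.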




