<html><body>Now it works: First I edited /etc/login.defs UID_MIN to 500 Then I ran "authconfig --update" to make the change(s) to login.defs active. After that, users with uids >=500 were able to login again. In our case we have both system users (application) and "long term employees, user account predates LDAP" with such low ids. Chris <img width="16" height="16" src="cid:1__=8FBBF591DFAAA91D8f9e8a93df938690918c8FB@" border="0" alt="Inactive hide details for Christopher Lamb---19.11.2015 11:20:51---Hi Sumit Thanks, I too have found /etc/login.defs">Christopher Lamb---19.11.2015 11:20:51---Hi Sumit Thanks, I too have found /etc/login.defs From: Christopher Lamb/Switzerland/IBM@IBMCH To: Sumit Bose <sbose@redhat.com> Cc: freeipa-users@redhat.com Date: 19.11.2015 11:20 Subject: Re: [Freeipa-users] Invalid UID in persistent keyring name while getting default cache. on OEL 7.1 Sent by: freeipa-users-bounces@redhat.com <hr width="100%" size="2" align="left" noshade style="color:#8091A5; "> Hi Sumit Thanks, I too have found /etc/login.defs <a href="https://fedoraproject.org/wiki/Features/1000SystemAccounts">https://fedoraproject.org/wiki/Features/1000SystemAccounts</a> I have changed the UID_MIN to 500, and rebooted, but it seems to have no effect. Reading between the lines in the link above, it looks like this value may have to be set pre-install. Maybe I need to do something else to change the value? Chris <img src="cid:1__=8FBBF591DFAAA91D8f9e8a93df938690918c8FB@" width="16" height="16" alt="Inactive hide details for Sumit Bose ---19.11.2015 10:38:49---On Thu, Nov 19, 2015 at 10:25:02AM +0100, Christopher Lamb wrote:">Sumit Bose ---19.11.2015 10:38:49---On Thu, Nov 19, 2015 at 10:25:02AM +0100, Christopher Lamb wrote: > HI From: Sumit Bose <sbose@redhat.com> To: Christopher Lamb/Switzerland/IBM@IBMCH Cc: Jakub Hrozek <jhrozek@redhat.com>, freeipa-users@redhat.com Date: 19.11.2015 10:38 Subject: Re: [Freeipa-users] Invalid UID in persistent keyring name while getting default cache. on OEL 7.1 <hr width="100%" size="2" align="left" noshade> <tt> On Thu, Nov 19, 2015 at 10:25:02AM +0100, Christopher Lamb wrote: > HI > > The plot thickens. I think I actually have 2 issues: > > The first issue is that in the title of this thread, and was caused by "the > wrong kernel". > > The second issue, that some ipa users cannot log on (but mine can), is > (probably) unrelated. > > The clue was my point below "no obvious horrible error". > > That led my to look in /var/log/secure, where I found the following: > > Nov 19 09:06:59 my-ipahost sshd[6075]: pam_unix(sshd:auth): authentication > failure; logname= uid=0 euid=0 tty=ssh ruser= > rhost=xxxxxx.my-domain.xx.domain.com user=bimbo > Nov 19 09:06:59 my-ipahost sshd[6075]: pam_succeed_if(sshd:auth): > requirement "uid >= 1000" not met by user "bimbo" > Nov 19 09:07:01 my-ipahost sshd[6075]: Failed password for bimbo from > 9.164.17.110 port 49332 ssh2 > > Both my user, and an additional test user this morning have uids > 1000, > and can successfully login -->OK > > The 2 other users I tested with yesterday (one application user, and one > real user) have ids < 1000, and therefore (on this host) cannot logon. > > Now I need to google further to find where this rule is configured / > hidden. The '1000' is written by authconfig into the pam configuration. Afaik authconfig uses the UID_MIN form /etc/login.defs here. HTH bye, Sumit > > Cheers > > Chris > > > > > > From: Christopher Lamb/Switzerland/IBM@IBMCH > To: Jakub Hrozek <jhrozek@redhat.com> > Cc: freeipa-users@redhat.com > Date: 19.11.2015 10:05 > Subject: Re: [Freeipa-users] Invalid UID in persistent keyring name > while getting default cache. on OEL 7.1 > Sent by: freeipa-users-bounces@redhat.com > > > > Hi Jakub > > I have restarted sssd with debug_level=6 > > Then I made one (failed) attempt to login via ssh with the user "bimbo". > > Logs, anonymised are attached. > > To my untrained eyes, nothing shouts "horrible error" to me. > > Chris > > (See attached file: sssd_logs.zip) > > > Inactive hide details for Jakub Hrozek ---18.11.2015 19:30:29---On Wed, Nov > 18, 2015 at 04:34:39PM +0100, Christopher Lamb wrotJakub Hrozek > ---18.11.2015 19:30:29---On Wed, Nov 18, 2015 at 04:34:39PM +0100, > Christopher Lamb wrote: > > > From: Jakub Hrozek <jhrozek@redhat.com> > To: freeipa-users@redhat.com > Date: 18.11.2015 19:30 > Subject: Re: [Freeipa-users] Invalid UID in persistent keyring name while > getting default cache. on OEL 7.1 > Sent by: freeipa-users-bounces@redhat.com > > > > On Wed, Nov 18, 2015 at 04:34:39PM +0100, Christopher Lamb wrote: > > > > I have a newly installed OEL 7.1 server (7.0 DVD, then yum updated to > 7.1) > > The ipa-client is installed, making this server an ipa host. > > > > > > > > > getent passwd xxxx > > > > is successful for ipa users. -->OK > > > > However I cannot log on to the host with ipa users (direct or ssh). --> > NOT > > > > OK > > > > > > > > When logged on as root (local user), I can “su -“ to my ipa user. -->OK > > > > > > > > "> systemctl status sssd" and "> kinit" > > > > both show: > > > > “Invalid UID in persistent keyring name while getting default cache.” > > > > > > > > Having googled with this error, I saw some indications that it could be > > > > related to the kernel. > > > > </tt><a href="https://bugzilla.redhat.com/show_bug.cgi?id=1017683"><tt>https://bugzilla.redhat.com/show_bug.cgi?id=1017683</tt></a><tt> > > > > </tt><a href="https://bugzilla.redhat.com/show_bug.cgi?id=1029110"><tt>https://bugzilla.redhat.com/show_bug.cgi?id=1029110</tt></a><tt> > > > > > > > > For a fresh OEL install, the default kernel is the uek version. "Aha" I > > > > thought, let’s change back to the standard RHEL kernel. > > > > After a reboot with the RHEL kernel, I was still not able to log in with > my > > > > ipa user. > > > > > > > > I then logged on as root, and changed to my ipa user via su. > > > > > klist -l > > > > produced: > > > > KEYRING:persistent:93397:krb_cache_76B9lf2 (Expired) > > I'm surprised you had any ccache at all, because login as root bypasses > PAM. > > But in general, if you login with sssd and the cache is expired a long > time ago (1970), that means sssd logged you in offline and the ccache is > a placeholder for when sssd switches to online mode. > > > > > > > > > I therefore deleted the key: > > > > > kdestroy -A > > > > Then I stopped the sssd service, and cleared the cache > in /var/lib/sss/db/, > > > > then restarted sssd > > > > > > > > After that I was now able to log on with my ipa user (both direct and via > > > > ssh). > > > > > > > > However I cannot get any other ipa users to logon to this host! --> NOT > OK > > > > The same users can successfully logon to other ipa hosts in the same > > > > domain. > > > > > > > > My ipa user was the one used to enroll the host. > > > > > > > > Any ideas? > > Not without logs, see: > </tt><a href="https://fedorahosted.org/sssd/wiki/Troubleshooting"><tt>https://fedorahosted.org/sssd/wiki/Troubleshooting</tt></a><tt> > > -- > Manage your subscription for the Freeipa-users mailing list: > </tt><a href="https://www.redhat.com/mailman/listinfo/freeipa-users"><tt>https://www.redhat.com/mailman/listinfo/freeipa-users</tt></a><tt> > Go to </tt><a href="http://freeipa.org/"><tt>http://freeipa.org</tt></a><tt> for more info on the project > > [attachment "sssd_logs.zip" deleted by Christopher Lamb/Switzerland/IBM] -- > > Manage your subscription for the Freeipa-users mailing list: > </tt><a href="https://www.redhat.com/mailman/listinfo/freeipa-users"><tt>https://www.redhat.com/mailman/listinfo/freeipa-users</tt></a><tt> > Go to </tt><a href="http://freeipa.org/"><tt>http://freeipa.org</tt></a><tt> for more info on the project > > -- > Manage your subscription for the Freeipa-users mailing list: > </tt><a href="https://www.redhat.com/mailman/listinfo/freeipa-users"><tt>https://www.redhat.com/mailman/listinfo/freeipa-users</tt></a><tt> > Go to </tt><a href="http://freeipa.org/"><tt>http://freeipa.org</tt></a><tt> for more info on the project </tt> <tt>-- Manage your subscription for the Freeipa-users mailing list: </tt><tt><a href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></tt><tt> Go to </tt><tt><a href="http://freeipa.org">http://freeipa.org</a></tt><tt> for more info on the project</tt> </body></html>