<html><body>HI The plot thickens. I think I actually have 2 issues: The first issue is that in the title of this thread, and was caused by "the wrong kernel". The second issue, that some ipa users cannot log on (but mine can), is (probably) unrelated. The clue was my point below "no obvious horrible error". That led my to look in /var/log/secure, where I found the following: Nov 19 09:06:59 my-ipahost sshd[6075]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxxxxx.my-domain.xx.domain.com user=bimbo Nov 19 09:06:59 my-ipahost sshd[6075]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "bimbo" Nov 19 09:07:01 my-ipahost sshd[6075]: Failed password for bimbo from 9.164.17.110 port 49332 ssh2 Both my user, and an additional test user this morning have uids > 1000, and can successfully login -->OK The 2 other users I tested with yesterday (one application user, and one real user) have ids < 1000, and therefore (on this host) cannot logon. Now I need to google further to find where this rule is configured / hidden. Cheers Chris <img width="16" height="16" src="cid:1__=8FBBF591DFA082448f9e8a93df938690918c8FB@" border="0" alt="Inactive hide details for Christopher Lamb---19.11.2015 10:05:23---Hi Jakub I have restarted sssd with debug_level=6">Christopher Lamb---19.11.2015 10:05:23---Hi Jakub I have restarted sssd with debug_level=6 From: Christopher Lamb/Switzerland/IBM@IBMCH To: Jakub Hrozek <jhrozek@redhat.com> Cc: freeipa-users@redhat.com Date: 19.11.2015 10:05 Subject: Re: [Freeipa-users] Invalid UID in persistent keyring name while getting default cache. on OEL 7.1 Sent by: freeipa-users-bounces@redhat.com <hr width="100%" size="2" align="left" noshade style="color:#8091A5; "> Hi Jakub I have restarted sssd with debug_level=6 Then I made one (failed) attempt to login via ssh with the user "bimbo". Logs, anonymised are attached. To my untrained eyes, nothing shouts "horrible error" to me. Chris (See attached file: sssd_logs.zip) <img src="cid:1__=8FBBF591DFA082448f9e8a93df938690918c8FB@" width="16" height="16" alt="Inactive hide details for Jakub Hrozek ---18.11.2015 19:30:29---On Wed, Nov 18, 2015 at 04:34:39PM +0100, Christopher Lamb wrot">Jakub Hrozek ---18.11.2015 19:30:29---On Wed, Nov 18, 2015 at 04:34:39PM +0100, Christopher Lamb wrote: > From: Jakub Hrozek <jhrozek@redhat.com> To: freeipa-users@redhat.com Date: 18.11.2015 19:30 Subject: Re: [Freeipa-users] Invalid UID in persistent keyring name while getting default cache. on OEL 7.1 Sent by: freeipa-users-bounces@redhat.com <hr width="100%" size="2" align="left" noshade> <tt> On Wed, Nov 18, 2015 at 04:34:39PM +0100, Christopher Lamb wrote: > > I have a newly installed OEL 7.1 server (7.0 DVD, then yum updated to 7.1) > The ipa-client is installed, making this server an ipa host. > > > > > getent passwd xxxx > > is successful for ipa users. -->OK > > However I cannot log on to the host with ipa users (direct or ssh). -->NOT > > OK > > > > When logged on as root (local user), I can “su -“ to my ipa user. -->OK > > > > "> systemctl status sssd" and "> kinit" > > both show: > > “Invalid UID in persistent keyring name while getting default cache.” > > > > Having googled with this error, I saw some indications that it could be > > related to the kernel. > > </tt><a href="https://bugzilla.redhat.com/show_bug.cgi?id=1017683"><tt>https://bugzilla.redhat.com/show_bug.cgi?id=1017683</tt></a><tt> > > </tt><a href="https://bugzilla.redhat.com/show_bug.cgi?id=1029110"><tt>https://bugzilla.redhat.com/show_bug.cgi?id=1029110</tt></a><tt> > > > > For a fresh OEL install, the default kernel is the uek version. "Aha" I > > thought, let’s change back to the standard RHEL kernel. > > After a reboot with the RHEL kernel, I was still not able to log in with my > > ipa user. > > > > I then logged on as root, and changed to my ipa user via su. > > > klist -l > > produced: > > KEYRING:persistent:93397:krb_cache_76B9lf2 (Expired) I'm surprised you had any ccache at all, because login as root bypasses PAM. But in general, if you login with sssd and the cache is expired a long time ago (1970), that means sssd logged you in offline and the ccache is a placeholder for when sssd switches to online mode. > > > > I therefore deleted the key: > > > kdestroy -A > > Then I stopped the sssd service, and cleared the cache in /var/lib/sss/db/, > > then restarted sssd > > > > After that I was now able to log on with my ipa user (both direct and via > > ssh). > > > > However I cannot get any other ipa users to logon to this host! --> NOT OK > > The same users can successfully logon to other ipa hosts in the same > > domain. > > > > My ipa user was the one used to enroll the host. > > > > Any ideas? Not without logs, see: </tt><a href="https://fedorahosted.org/sssd/wiki/Troubleshooting"><tt>https://fedorahosted.org/sssd/wiki/Troubleshooting</tt></a><tt> -- Manage your subscription for the Freeipa-users mailing list:</tt><tt> </tt><a href="https://www.redhat.com/mailman/listinfo/freeipa-users"><tt>https://www.redhat.com/mailman/listinfo/freeipa-users</tt></a><tt> Go to </tt><a href="http://freeipa.org/"><tt>http://freeipa.org</tt></a><tt> for more info on the project</tt> [attachment "sssd_logs.zip" deleted by Christopher Lamb/Switzerland/IBM] <tt>-- Manage your subscription for the Freeipa-users mailing list: </tt><tt><a href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></tt><tt> Go to </tt><tt><a href="http://freeipa.org">http://freeipa.org</a></tt><tt> for more info on the project</tt> </body></html>