I have a newly installed OEL 7.1 server (7.0 DVD, then yum updated to 7.1)
The ipa-client is installed, making this server an ipa host.



> getent passwd xxxx

is successful for ipa users.  -->OK

However I cannot log on to the host with ipa users (direct or ssh). -->NOT

OK



When logged on as root (local user), I can “su -“ to my ipa user. -->OK



"> systemctl status sssd" and "> kinit"

both show:

“Invalid UID in persistent keyring name while getting default cache.”



Having googled with this error, I saw some indications that it could be

related to the kernel.

https://bugzilla.redhat.com/show_bug.cgi?id=1017683

https://bugzilla.redhat.com/show_bug.cgi?id=1029110



For a fresh OEL install, the default kernel is the uek version. "Aha" I

thought, let’s change back to the standard RHEL kernel.

After a reboot with the RHEL kernel, I was still not able to log in with my

ipa user.



I then logged on as root, and changed to my ipa user via su.

> klist -l

produced:

KEYRING:persistent:93397:krb_cache_76B9lf2 (Expired)



I therefore deleted the key:

> kdestroy -A

Then I stopped the sssd service, and cleared the cache in /var/lib/sss/db/,

then restarted sssd



After that I was now able to log on with my ipa user (both direct and via

ssh).



However I cannot get any other ipa users to logon to this host!  --> NOT OK

The same users can successfully logon to other ipa hosts in the same

domain.



My ipa user was the one used to enroll the host.



Any ideas?



sssd version = 1.12.2 58.el7_1.18

ipa-client version = 4.1.0 18.0.1.el7_1.4



kernels:

Oracle Linux Server, with Unbreakable Enterprise Kernel

3.8.13-98.5.2.el7uek.x86_64

Oracle Linux Server, with Linux 3.10.0-229.20.1.el7.x86_64
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to