On Thu, Nov 19, 2015 at 11:28:10AM +0100, Christopher Lamb wrote:
> Now it works:
> 
> First I edited /etc/login.defs UID_MIN to 500
> 
> Then I ran "authconfig --update" to make the change(s) to login.defs
> active.

yes, it is expected that you have to run authconfig after changing the
value in login.defs to update the pam configuration.

bye,
Sumit

> 
> After that, users with uids >=500 were able to login again.
> 
> In our case we have both system users (application) and "long term
> employees, user account predates LDAP" with such low ids.
> 
> Chris
> 
> 
> 
> From: Christopher Lamb/Switzerland/IBM@IBMCH
> To:   Sumit Bose <sb...@redhat.com>
> Cc:   freeipa-users@redhat.com
> Date: 19.11.2015 11:20
> Subject:      Re: [Freeipa-users] Invalid UID in persistent keyring name
>             while getting default cache. on OEL 7.1
> Sent by:      freeipa-users-boun...@redhat.com
> 
> 
> 
> Hi Sumit
> 
> Thanks, I too have found /etc/login.defs
> 
> https://fedoraproject.org/wiki/Features/1000SystemAccounts
> 
> I have changed the UID_MIN to 500, and rebooted, but it seems to have no
> effect.
> 
> Reading between the lines in the link above, it looks like this value may
> have to be set pre-install.
> 
> Maybe I need to do something else to change the value?
> 
> Chris
> 
> 
> 
> 
> 
> Inactive hide details for Sumit Bose ---19.11.2015 10:38:49---On Thu, Nov
> 19, 2015 at 10:25:02AM +0100, Christopher Lamb wrote:Sumit Bose
> ---19.11.2015 10:38:49---On Thu, Nov 19, 2015 at 10:25:02AM +0100,
> Christopher Lamb wrote: > HI
> 
> From: Sumit Bose <sb...@redhat.com>
> To: Christopher Lamb/Switzerland/IBM@IBMCH
> Cc: Jakub Hrozek <jhro...@redhat.com>, freeipa-users@redhat.com
> Date: 19.11.2015 10:38
> Subject: Re: [Freeipa-users] Invalid UID in persistent keyring name while
> getting default cache. on OEL 7.1
> 
> 
> 
> On Thu, Nov 19, 2015 at 10:25:02AM +0100, Christopher Lamb wrote:
> > HI
> >
> > The plot thickens. I think I actually have 2 issues:
> >
> > The first issue is that in the title of this thread, and was caused by
> "the
> > wrong kernel".
> >
> > The second issue, that some ipa users cannot log on (but mine can), is
> > (probably) unrelated.
> >
> > The clue was my point below "no obvious horrible error".
> >
> > That led my to look in /var/log/secure, where I found the following:
> >
> > Nov 19 09:06:59 my-ipahost sshd[6075]: pam_unix(sshd:auth):
> authentication
> > failure; logname= uid=0 euid=0 tty=ssh ruser=
> > rhost=xxxxxx.my-domain.xx.domain.com  user=bimbo
> > Nov 19 09:06:59 my-ipahost sshd[6075]: pam_succeed_if(sshd:auth):
> > requirement "uid >= 1000" not met by user "bimbo"
> > Nov 19 09:07:01 my-ipahost sshd[6075]: Failed password for bimbo from
> > 9.164.17.110 port 49332 ssh2
> >
> > Both my user, and an additional test user this morning have uids > 1000,
> > and can successfully login -->OK
> >
> > The 2 other users I tested with yesterday (one application user, and one
> > real user) have ids < 1000, and therefore (on this host) cannot logon.
> >
> > Now I need to google further to find where this rule is configured /
> > hidden.
> 
> The '1000' is written by authconfig into the pam configuration. Afaik
> authconfig uses the UID_MIN form /etc/login.defs here.
> 
> HTH
> 
> bye,
> Sumit
> 
> >
> > Cheers
> >
> > Chris
> >
> >
> >
> >
> >
> > From: Christopher Lamb/Switzerland/IBM@IBMCH
> > To: Jakub Hrozek <jhro...@redhat.com>
> > Cc: freeipa-users@redhat.com
> > Date: 19.11.2015 10:05
> > Subject: Re: [Freeipa-users] Invalid UID in persistent keyring name
> >             while getting default cache. on OEL 7.1
> > Sent by: freeipa-users-boun...@redhat.com
> >
> >
> >
> > Hi Jakub
> >
> > I have restarted sssd with debug_level=6
> >
> > Then I made one (failed) attempt to login via ssh with the user "bimbo".
> >
> > Logs, anonymised are attached.
> >
> > To my untrained eyes, nothing shouts "horrible error" to me.
> >
> > Chris
> >
> > (See attached file: sssd_logs.zip)
> >
> >
> > Inactive hide details for Jakub Hrozek ---18.11.2015 19:30:29---On Wed,
> Nov
> > 18, 2015 at 04:34:39PM +0100, Christopher Lamb wrotJakub Hrozek
> > ---18.11.2015 19:30:29---On Wed, Nov 18, 2015 at 04:34:39PM +0100,
> > Christopher Lamb wrote: >
> >
> > From: Jakub Hrozek <jhro...@redhat.com>
> > To: freeipa-users@redhat.com
> > Date: 18.11.2015 19:30
> > Subject: Re: [Freeipa-users] Invalid UID in persistent keyring name while
> > getting default cache. on OEL 7.1
> > Sent by: freeipa-users-boun...@redhat.com
> >
> >
> >
> > On Wed, Nov 18, 2015 at 04:34:39PM +0100, Christopher Lamb wrote:
> > >
> > > I have a newly installed OEL 7.1 server (7.0 DVD, then yum updated to
> > 7.1)
> > > The ipa-client is installed, making this server an ipa host.
> > >
> > >
> > >
> > > > getent passwd xxxx
> > >
> > > is successful for ipa users.  -->OK
> > >
> > > However I cannot log on to the host with ipa users (direct or ssh). -->
> > NOT
> > >
> > > OK
> > >
> > >
> > >
> > > When logged on as root (local user), I can “su -“ to my ipa user. -->OK
> > >
> > >
> > >
> > > "> systemctl status sssd" and "> kinit"
> > >
> > > both show:
> > >
> > > “Invalid UID in persistent keyring name while getting default cache.”
> > >
> > >
> > >
> > > Having googled with this error, I saw some indications that it could be
> > >
> > > related to the kernel.
> > >
> > > https://bugzilla.redhat.com/show_bug.cgi?id=1017683
> > >
> > > https://bugzilla.redhat.com/show_bug.cgi?id=1029110
> > >
> > >
> > >
> > > For a fresh OEL install, the default kernel is the uek version. "Aha" I
> > >
> > > thought, let’s change back to the standard RHEL kernel.
> > >
> > > After a reboot with the RHEL kernel, I was still not able to log in
> with
> > my
> > >
> > > ipa user.
> > >
> > >
> > >
> > > I then logged on as root, and changed to my ipa user via su.
> > >
> > > > klist -l
> > >
> > > produced:
> > >
> > > KEYRING:persistent:93397:krb_cache_76B9lf2 (Expired)
> >
> > I'm surprised you had any ccache at all, because login as root bypasses
> > PAM.
> >
> > But in general, if you login with sssd and the cache is expired a long
> > time ago (1970), that means sssd logged you in offline and the ccache is
> > a placeholder for when sssd switches to online mode.
> >
> > >
> > >
> > >
> > > I therefore deleted the key:
> > >
> > > > kdestroy -A
> > >
> > > Then I stopped the sssd service, and cleared the cache
> > in /var/lib/sss/db/,
> > >
> > > then restarted sssd
> > >
> > >
> > >
> > > After that I was now able to log on with my ipa user (both direct and
> via
> > >
> > > ssh).
> > >
> > >
> > >
> > > However I cannot get any other ipa users to logon to this host!  -->
> NOT
> > OK
> > >
> > > The same users can successfully logon to other ipa hosts in the same
> > >
> > > domain.
> > >
> > >
> > >
> > > My ipa user was the one used to enroll the host.
> > >
> > >
> > >
> > > Any ideas?
> >
> > Not without logs, see:
> >    https://fedorahosted.org/sssd/wiki/Troubleshooting
> >
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project
> >
> > [attachment "sssd_logs.zip" deleted by Christopher Lamb/Switzerland/IBM]
> --
> >
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project
> >
> 
> 
> 
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project
> 
> 
> 
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
> 


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to