On Fri, Feb 03, 2017 at 09:45:34AM +0100, Kees Bakker wrote:
> On 02-02-17 17:32, Jakub Hrozek wrote:
> > On Thu, Feb 02, 2017 at 05:19:07PM +0100, Kees Bakker wrote:
> >> Hi
> >>
> >> Sorry, I did search wherever I could but I couldn't find it.
> >> How do I enable krb5_child debug log? I'm on an Ubuntu
> >> system which by default writes an empty /var/log/krb5_child.log
> >>
> >> Is it a section in /etc/sssd/sssd.conf? Is it in /etc/krb5.conf? What
> >> do I have to add where to get logging in krb5_child.log?
> > add debug_level= to the [domain] section.
> OK. I've done that before with 0x3ff0 , but this time I used level 6
> (which I read somewhere as being the old method). And now I see
> output in krb5_child.log
> Thanks
> What's weird though. On another system I'm doing the exactly same.
> Nothing is logged in krb5_child.log.
> >
> >> BTW. I'm trying to debug a problem that results in
> >>   "Invalid UID in persistent keyring"
> >> The weird thing is, if I become root (via another ssh login) and
> >> then do a "su - user" (the same user with the error), the problem
> >> does not show up. Meanwhile that user keeps getting the above
> >> error (for klist kdestroy, klist).
> > su as root gets automatically authenticated by the pam_rootok.so
> > module..
> >
> Hmm.
> I'm not sure if you understood what I was doing:
> The "root" way
> $ ssh r...@xyz.example.com
> # su - someuser

As you can see you were not prompted for a password. This is the
pam_rootok.so module in action that just flipped the current user to

> $ klist someuser
> klist: Credentials cache keyring 'persistent:1013:1013' not found

This is expected, since pam_sss.so wasn't invoked because the PAM
conversation finished after pam_rootok.so was called.

> $ kinit someuser
> Password for someu...@example.com:
> The latter seems to be working (I can't finish because I don't have that
> password).

Then you won't be able to kinit as the user because you need either to
know the password or have the keytab to decrypt the KDC response with.

> Then, at the very same time user "someuser", on his own login, gets this:
> $ klist
> klist: Invalid UID in persistent keyring name while getting default ccache
> One more thing I should mention. It may be of influence. The "someuser"
> is a local user in /etc/passwd, _and_ it is a user in IPA, with different 
> uid's.
> Could that trigger the error?

Yes, if the UID of the local user and the IPA user differ.

If you need to use the user from passwd and authenticate the user with
his IPA credentials, then you can't use id_provider=ipa in sssd.conf,
but id_provider=proxy and auth_provider=krb5.

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to