Re: [Freeipa-users] How to enable krb5_child log
On 03-02-17 10:43, Kees Bakker wrote: > On 03-02-17 10:17, Jakub Hrozek wrote: >> On Fri, Feb 03, 2017 at 09:45:34AM +0100, Kees Bakker wrote: >> >>> Then, at the very same time user "someuser", on his own login, gets this: >>> $ klist >>> klist: Invalid UID in persistent keyring name while getting default ccache >>> >>> One more thing I should mention. It may be of influence. The "someuser" >>> is a local user in /etc/passwd, _and_ it is a user in IPA, with different >>> uid's. >>> Could that trigger the error? >> Yes, if the UID of the local user and the IPA user differ. >> >> If you need to use the user from passwd and authenticate the user with >> his IPA credentials, then you can't use id_provider=ipa in sssd.conf, >> but id_provider=proxy and auth_provider=krb5. >> > Thanks, Jakub. I really appreciate your feedback. > I'll test what you suggested. Alas, still, no success. :-( -- Kees -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] How to enable krb5_child log
On 03-02-17 10:17, Jakub Hrozek wrote: > On Fri, Feb 03, 2017 at 09:45:34AM +0100, Kees Bakker wrote: >> On 02-02-17 17:32, Jakub Hrozek wrote: >>> On Thu, Feb 02, 2017 at 05:19:07PM +0100, Kees Bakker wrote: Hi Sorry, I did search wherever I could but I couldn't find it. How do I enable krb5_child debug log? I'm on an Ubuntu system which by default writes an empty /var/log/krb5_child.log Is it a section in /etc/sssd/sssd.conf? Is it in /etc/krb5.conf? What do I have to add where to get logging in krb5_child.log? >>> add debug_level= to the [domain] section. >> OK. I've done that before with 0x3ff0 , but this time I used level 6 >> (which I read somewhere as being the old method). And now I see >> output in krb5_child.log >> Thanks >> >> What's weird though. On another system I'm doing the exactly same. >> Nothing is logged in krb5_child.log. >> BTW. I'm trying to debug a problem that results in "Invalid UID in persistent keyring" The weird thing is, if I become root (via another ssh login) and then do a "su - user" (the same user with the error), the problem does not show up. Meanwhile that user keeps getting the above error (for klist kdestroy, klist). >>> su as root gets automatically authenticated by the pam_rootok.so >>> module.. >>> >> Hmm. >> I'm not sure if you understood what I was doing: >> >> The "root" way >> $ ssh r...@xyz.example.com >> # su - someuser > As you can see you were not prompted for a password. This is the > pam_rootok.so module in action that just flipped the current user to > someuser. > >> $ klist someuser >> klist: Credentials cache keyring 'persistent:1013:1013' not found > This is expected, since pam_sss.so wasn't invoked because the PAM > conversation finished after pam_rootok.so was called. Ah, OK. Thanks for clarifying. Learn something new everyday :-) >> $ kinit someuser >> Password for someu...@example.com: >> The latter seems to be working (I can't finish because I don't have that >> password). > Then you won't be able to kinit as the user because you need either to > know the password or have the keytab to decrypt the KDC response with. Yes, I did expect that. >> Then, at the very same time user "someuser", on his own login, gets this: >> $ klist >> klist: Invalid UID in persistent keyring name while getting default ccache >> >> One more thing I should mention. It may be of influence. The "someuser" >> is a local user in /etc/passwd, _and_ it is a user in IPA, with different >> uid's. >> Could that trigger the error? > Yes, if the UID of the local user and the IPA user differ. > > If you need to use the user from passwd and authenticate the user with > his IPA credentials, then you can't use id_provider=ipa in sssd.conf, > but id_provider=proxy and auth_provider=krb5. > Thanks, Jakub. I really appreciate your feedback. I'll test what you suggested. -- Kees -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] How to enable krb5_child log
On Fri, Feb 03, 2017 at 09:45:34AM +0100, Kees Bakker wrote: > On 02-02-17 17:32, Jakub Hrozek wrote: > > On Thu, Feb 02, 2017 at 05:19:07PM +0100, Kees Bakker wrote: > >> Hi > >> > >> Sorry, I did search wherever I could but I couldn't find it. > >> How do I enable krb5_child debug log? I'm on an Ubuntu > >> system which by default writes an empty /var/log/krb5_child.log > >> > >> Is it a section in /etc/sssd/sssd.conf? Is it in /etc/krb5.conf? What > >> do I have to add where to get logging in krb5_child.log? > > add debug_level= to the [domain] section. > > OK. I've done that before with 0x3ff0 , but this time I used level 6 > (which I read somewhere as being the old method). And now I see > output in krb5_child.log > Thanks > > What's weird though. On another system I'm doing the exactly same. > Nothing is logged in krb5_child.log. > > > > >> BTW. I'm trying to debug a problem that results in > >> "Invalid UID in persistent keyring" > >> The weird thing is, if I become root (via another ssh login) and > >> then do a "su - user" (the same user with the error), the problem > >> does not show up. Meanwhile that user keeps getting the above > >> error (for klist kdestroy, klist). > > su as root gets automatically authenticated by the pam_rootok.so > > module.. > > > > Hmm. > I'm not sure if you understood what I was doing: > > The "root" way > $ ssh r...@xyz.example.com > # su - someuser As you can see you were not prompted for a password. This is the pam_rootok.so module in action that just flipped the current user to someuser. > $ klist someuser > klist: Credentials cache keyring 'persistent:1013:1013' not found This is expected, since pam_sss.so wasn't invoked because the PAM conversation finished after pam_rootok.so was called. > $ kinit someuser > Password for someu...@example.com: > The latter seems to be working (I can't finish because I don't have that > password). Then you won't be able to kinit as the user because you need either to know the password or have the keytab to decrypt the KDC response with. > > Then, at the very same time user "someuser", on his own login, gets this: > $ klist > klist: Invalid UID in persistent keyring name while getting default ccache > > One more thing I should mention. It may be of influence. The "someuser" > is a local user in /etc/passwd, _and_ it is a user in IPA, with different > uid's. > Could that trigger the error? Yes, if the UID of the local user and the IPA user differ. If you need to use the user from passwd and authenticate the user with his IPA credentials, then you can't use id_provider=ipa in sssd.conf, but id_provider=proxy and auth_provider=krb5. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] How to enable krb5_child log
On 02-02-17 17:32, Jakub Hrozek wrote: > On Thu, Feb 02, 2017 at 05:19:07PM +0100, Kees Bakker wrote: >> Hi >> >> Sorry, I did search wherever I could but I couldn't find it. >> How do I enable krb5_child debug log? I'm on an Ubuntu >> system which by default writes an empty /var/log/krb5_child.log >> >> Is it a section in /etc/sssd/sssd.conf? Is it in /etc/krb5.conf? What >> do I have to add where to get logging in krb5_child.log? > add debug_level= to the [domain] section. OK. I've done that before with 0x3ff0 , but this time I used level 6 (which I read somewhere as being the old method). And now I see output in krb5_child.log Thanks What's weird though. On another system I'm doing the exactly same. Nothing is logged in krb5_child.log. > >> BTW. I'm trying to debug a problem that results in >> "Invalid UID in persistent keyring" >> The weird thing is, if I become root (via another ssh login) and >> then do a "su - user" (the same user with the error), the problem >> does not show up. Meanwhile that user keeps getting the above >> error (for klist kdestroy, klist). > su as root gets automatically authenticated by the pam_rootok.so > module.. > Hmm. I'm not sure if you understood what I was doing: The "root" way $ ssh r...@xyz.example.com # su - someuser $ klist someuser klist: Credentials cache keyring 'persistent:1013:1013' not found $ kinit someuser Password for someu...@example.com: The latter seems to be working (I can't finish because I don't have that password). Then, at the very same time user "someuser", on his own login, gets this: $ klist klist: Invalid UID in persistent keyring name while getting default ccache One more thing I should mention. It may be of influence. The "someuser" is a local user in /etc/passwd, _and_ it is a user in IPA, with different uid's. Could that trigger the error? -- Kees -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] How to enable krb5_child log
On Thu, Feb 02, 2017 at 05:19:07PM +0100, Kees Bakker wrote: > Hi > > Sorry, I did search wherever I could but I couldn't find it. > How do I enable krb5_child debug log? I'm on an Ubuntu > system which by default writes an empty /var/log/krb5_child.log > > Is it a section in /etc/sssd/sssd.conf? Is it in /etc/krb5.conf? What > do I have to add where to get logging in krb5_child.log? add debug_level= to the [domain] section. > > BTW. I'm trying to debug a problem that results in > "Invalid UID in persistent keyring" > The weird thing is, if I become root (via another ssh login) and > then do a "su - user" (the same user with the error), the problem > does not show up. Meanwhile that user keeps getting the above > error (for klist kdestroy, klist). su as root gets automatically authenticated by the pam_rootok.so module.. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] How to enable krb5_child log
Hi Sorry, I did search wherever I could but I couldn't find it. How do I enable krb5_child debug log? I'm on an Ubuntu system which by default writes an empty /var/log/krb5_child.log Is it a section in /etc/sssd/sssd.conf? Is it in /etc/krb5.conf? What do I have to add where to get logging in krb5_child.log? BTW. I'm trying to debug a problem that results in "Invalid UID in persistent keyring" The weird thing is, if I become root (via another ssh login) and then do a "su - user" (the same user with the error), the problem does not show up. Meanwhile that user keeps getting the above error (for klist kdestroy, klist). -- Kees -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project