Re: [Freeipa-users] Invalid UID in persistent keyring name while getting default cache. on OEL 7.1
Now it works:

First I edited /etc/login.defs UID_MIN to 500

Then I ran "authconfig --update" to make the change(s) to login.defs active.

After that, users with uids >=500 were able to login again.

In our case we have both system users (application) and "long term employees, user account predates LDAP" with such low ids.

Chris
Re: [Freeipa-users] Invalid UID in persistent keyring name while getting default cache. on OEL 7.1
HI

The plot thickens. I think I actually have 2 issues:

The first issue is that in the title of this thread, and was caused by "the wrong kernel".

The second issue, that some ipa users cannot log on (but mine can), is (probably) unrelated.

The clue was my point below "no obvious horrible error".

That led me to look in /var/log/secure, where I found the following:

Nov 19 09:06:59 my-ipahost sshd[6075]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xx.my-domain.xx.domain.com user=bimbo
Nov 19 09:06:59 my-ipahost sshd[6075]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "bimbo"
Nov 19 09:07:01 my-ipahost sshd[6075]: Failed password for bimbo from 9.164.17.110 port 49332 ssh2

Both my user, and an additional test user this morning have uids > 1000, and can successfully login -->OK

The 2 other users I tested with yesterday (one application user, and one real user) have ids < 1000, and therefore (on this host) cannot logon.

Now I need to google further to find where this rule is configured / hidden.

Cheers

Chris

From: Christopher Lamb/Switzerland/IBM@IBMCH
To: Jakub Hrozek <jhro...@redhat.com>
Cc: freeipa-users@redhat.com
Date: 19.11.2015 10:05
Subject: Re: [Freeipa-users] Invalid UID in persistent keyring name while getting default cache. on OEL 7.1
Sent by: freeipa-users-boun...@redhat.com

Hi Jakub

I have restarted sssd with debug_level=6

Then I made one (failed) attempt to login via ssh with the user "bimbo".

Logs, anonymised are attached.

To my untrained eyes, nothing shouts "horrible error" to me.

Chris

(See attached file: sssd_logs.zip)
Re: [Freeipa-users] Invalid UID in persistent keyring name while getting default cache. on OEL 7.1
On Thu, Nov 19, 2015 at 10:25:02AM +0100, Christopher Lamb wrote:
> HI
>
> The plot thickens. I think I actually have 2 issues:
>
> The first issue is that in the title of this thread, and was caused by "the
> wrong kernel".
>
> The second issue, that some ipa users cannot log on (but mine can), is
> (probably) unrelated.
>
> The clue was my point below "no obvious horrible error".
>
> That led me to look in /var/log/secure, where I found the following:
>
> Nov 19 09:06:59 my-ipahost sshd[6075]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xx.my-domain.xx.domain.com user=bimbo
> Nov 19 09:06:59 my-ipahost sshd[6075]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "bimbo"
> Nov 19 09:07:01 my-ipahost sshd[6075]: Failed password for bimbo from 9.164.17.110 port 49332 ssh2
>
> Both my user, and an additional test user this morning have uids > 1000,
> and can successfully login -->OK
>
> The 2 other users I tested with yesterday (one application user, and one
> real user) have ids < 1000, and therefore (on this host) cannot logon.
>
> Now I need to google further to find where this rule is configured /
> hidden.

The '1000' is written by authconfig into the pam configuration. Afaik authconfig uses the UID_MIN from /etc/login.defs here.

HTH

bye,
Sumit
Re: [Freeipa-users] Invalid UID in persistent keyring name while getting default cache. on OEL 7.1
On Thu, Nov 19, 2015 at 11:28:10AM +0100, Christopher Lamb wrote:
> Now it works:
>
> First I edited /etc/login.defs UID_MIN to 500
>
> Then I ran "authconfig --update" to make the change(s) to login.defs
> active.

Yes, it is expected that you have to run authconfig after changing the value in login.defs to update the pam configuration.

bye,
Sumit

> After that, users with uids >=500 were able to login again.
>
> In our case we have both system users (application) and "long term
> employees, user account predates LDAP" with such low ids.
>
> Chris
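
The mismatch this thread tracked down, as an added example that is not part of any poster's message: a POSIX shell check that compares UID_MIN in a login.defs file with the uid thresholds pam_succeed_if enforces in a PAM file (both the auth ">=" and the account "<" rule), and lists the users that rule rejected in a secure-style log. The function names are hypothetical, the login.defs and PAM files are constructed samples written to a temporary directory, and the two log lines are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example. File contents are constructed samples modeled on a RHEL 7-style
# PAM stack; the two log lines are the ones quoted in the thread.

# Effective UID_MIN from a login.defs-style file (commented lines are ignored).
login_defs_uid_min() {
    awk '$1 == "UID_MIN" { v = $2 } END { if (v == "") exit 1; print v }' "$1"
}

# Every uid threshold pam_succeed_if enforces in a PAM file: "<type> <op> <n>".
pam_uid_thresholds() {
    awk '$1 !~ /^#/ && /pam_succeed_if\.so/ {
        for (i = 1; i <= NF - 2; i++)
            if ($i == "uid" && ($(i + 1) == ">=" || $(i + 1) == "<"))
                print $1, $(i + 1), $(i + 2)
    }' "$1"
}

# 0 = PAM thresholds match UID_MIN, 1 = PAM file is stale, 2 = no UID_MIN set.
check_uid_min_sync() {
    want=$(login_defs_uid_min "$1") || return 2
    stale=$(pam_uid_thresholds "$2" | awk -v want="$want" '$3 != want')
    [ -z "$stale" ] && return 0
    printf 'stale PAM rules (login.defs UID_MIN=%s):\n%s\n' "$want" "$stale"
    return 1
}

# "<user> <threshold>" for each login the rule rejected, from a secure-style log.
rejected_users() {
    sed -n 's/.*pam_succeed_if([^)]*): requirement "uid >= \([0-9]*\)" not met by user "\([^"]*\)".*/\2 \1/p' "$1" | sort -u
}

# Write the constructed sample files into directory $1.
make_samples() {
    cat > "$1/login.defs" <<'EOF'
# UID_MIN 1000   (distribution default, commented out here)
UID_MIN                   500
UID_MAX                 60000
EOF
    cat > "$1/system-auth.before" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
EOF
    # State after the PAM files have been regenerated from login.defs.
    sed 's/1000/500/' "$1/system-auth.before" > "$1/system-auth.after"
    cat > "$1/secure" <<'EOF'
Nov 19 09:06:59 my-ipahost sshd[6075]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "bimbo"
Nov 19 09:07:01 my-ipahost sshd[6075]: Failed password for bimbo from 9.164.17.110 port 49332 ssh2
EOF
}

demo=$(mktemp -d)
make_samples "$demo"
check_uid_min_sync "$demo/login.defs" "$demo/system-auth.before" || echo "-> run authconfig --update"
check_uid_min_sync "$demo/login.defs" "$demo/system-auth.after" && echo "in sync"
rejected_users "$demo/secure"
rm -rf "$demo"
```

On a real host the same functions can be pointed at /etc/login.defs, the PAM file authconfig manages, and /var/log/secure; the paths of the PAM files vary by distribution.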
Re: [Freeipa-users] Invalid UID in persistent keyring name while getting default cache. on OEL 7.1
Hi Sumit

Thanks, I too have found /etc/login.defs

https://fedoraproject.org/wiki/Features/1000SystemAccounts

I have changed the UID_MIN to 500, and rebooted, but it seems to have no effect.

Reading between the lines in the link above, it looks like this value may have to be set pre-install.

Maybe I need to do something else to change the value?

Chris
Re: [Freeipa-users] Invalid UID in persistent keyring name while getting default cache. on OEL 7.1
On Wed, Nov 18, 2015 at 04:34:39PM +0100, Christopher Lamb wrote:
> I have a newly installed OEL 7.1 server (7.0 DVD, then yum updated to 7.1)
> The ipa-client is installed, making this server an ipa host.
>
> > getent passwd
> is successful for ipa users. -->OK
> However I cannot log on to the host with ipa users (direct or ssh). -->NOT OK
>
> When logged on as root (local user), I can “su -” to my ipa user. -->OK
>
> "> systemctl status sssd" and "> kinit"
> both show:
> “Invalid UID in persistent keyring name while getting default cache.”
>
> Having googled with this error, I saw some indications that it could be
> related to the kernel.
> https://bugzilla.redhat.com/show_bug.cgi?id=1017683
> https://bugzilla.redhat.com/show_bug.cgi?id=1029110
>
> For a fresh OEL install, the default kernel is the uek version. "Aha" I
> thought, let’s change back to the standard RHEL kernel.
> After a reboot with the RHEL kernel, I was still not able to log in with my
> ipa user.
>
> I then logged on as root, and changed to my ipa user via su.
> > klist -l
> produced:
> KEYRING:persistent:93397:krb_cache_76B9lf2 (Expired)

I'm surprised you had any ccache at all, because login as root bypasses PAM.

But in general, if you login with sssd and the cache is expired a long time ago (1970), that means sssd logged you in offline and the ccache is a placeholder for when sssd switches to online mode.

> I therefore deleted the key:
> > kdestroy -A
> Then I stopped the sssd service, and cleared the cache in /var/lib/sss/db/,
> then restarted sssd
>
> After that I was now able to log on with my ipa user (both direct and via
> ssh).
>
> However I cannot get any other ipa users to logon to this host! --> NOT OK
> The same users can successfully logon to other ipa hosts in the same
> domain.
>
> My ipa user was the one used to enroll the host.
>
> Any ideas?

Not without logs, see:
https://fedorahosted.org/sssd/wiki/Troubleshooting

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project