On Wed, Jun 20, 2018 at 01:15:24PM -0000, Bart via FreeIPA-users wrote:
> Hi all,
>
> I have set up an IPA server, established trust with an AD controller and
> enrolled a couple of clients to it.
> I have a problem understanding how to properly set up ssh pubkey
> authentication when it comes to caching.
> The issue is that when I upload the key to the server (via the web UI, for an
> AD user) and later delete this key (also via the web UI) I can still log in
> on a client machine for a couple of days using my private ssh key part. The
> command sss_ssh_authorizedkeys ad_user shows the correct key on both server
> and client. Even after I manually delete the cache files on the client,
> sss_ssh_authorizedkeys still displays the correct key.

Which version of SSSD are you using? The issue sounds like
https://pagure.io/SSSD/sssd/issue/3602.

bye,
Sumit

>
> In a trial and error process of debugging it I added entry_cache_user_timeout
> = 60 to every section of sssd.conf on a client but it did not change much the
> situation described above.
>
> I assume that this is due to the caching settings on the server side (I guess
> user entries are still present in the sssd cache yet they are not visible in
> the web UI).
> Can someone please point me to the sssd cache settings that would cause ssh
> keys to stop working within a reasonable time after they were deleted?
> Below I paste the sanitized sssd config for the server:
>
> [domain/ipa.domain/ad.domain]
> debug_level = 10
> # Enable short names without full domain
> use_fully_qualified_names = False
> ad_server = ad-1.ad.domain,ad-2.ad.domain
> #cache_first = True
>
> [domain/ipa.domain]
> ad_server = ad-1.ad.domain,ad-2.ad.domain
> debug_level = 10
> id_provider = ipa
> ipa_server_mode = True
> ipa_server = ipa-server.ipa.domain
> ipa_domain = ipa.domain
> ipa_hostname = ipa-server.ipa.domain
> auth_provider = ipa
> chpass_provider = ipa
> access_provider = ipa
> cache_credentials = True
> ldap_tls_cacert = /etc/ipa/ca.crt
> krb5_store_password_if_offline = True
>
> enumerate = False
> subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
> ignore_group_members = True
> ldap_purge_cache_timeout = 0
> #cache_first = True
>
> [sssd]
> debug_level = 10
> domain_resolution_order = ad.domain, ipa.domain
> services = nss, pam, ifp, ssh, sudo
> domains = ipa.domain
>
> [nss]
> debug_level = 10
> filter_users = root,fedora
>
> homedir_substring = /home
> memcache_timeout = 600
> entry_negative_timeout = 3600
> override_shell = /bin/bash
> override_homedir = /home/%u
> homedir_substring = /home
>
> [pam]
> debug_level = 10
>
> [sudo]
> debug_level = 10
>
> [autofs]
> debug_level = 10
>
> [ssh]
> debug_level = 10
>
> [pac]
> debug_level = 10
>
> [ifp]
> debug_level = 10
>
> [secrets]
> debug_level = 10
>
> [session_recording]
> debug_level = 10
>
> and the client:
>
> [domain/ipa.domain/ad.domain]
> entry_cache_user_timeout = 60
> debug_level = 10
> # Enable short names without full domain
> use_fully_qualified_names = False
> subdomain_homedir = /home/%u
> selinux_provider = none
> ad_enable_gc = false
> ad_server = ad-1.ad.domain,ad-2.ad.domain
>
> [domain/ipa.domain]
> entry_cache_user_timeout = 60
> debug_level = 9
> ad_enable_gc = false
> subdomain_homedir = /home/%u
> # Optimization
> selinux_provider = none
> subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
> ignore_group_members = True
> cache_first = True
> ldap_purge_cache_timeout = 0
> ldap_sudo_smart_refresh_interval = 60
> ldap_sudo_full_refresh_interval = 21600
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = ipa.domain
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ldap_tls_cacert = /etc/ipa/ca.crt
> ipa_hostname = ipa-client.ipa.domain
> chpass_provider = ipa
> ipa_server = _srv_, ipa-server.ipa.domain
> dns_discovery_domain = ipa.domain
>
> [sssd]
> entry_cache_user_timeout = 60
> domain_resolution_order = ad.domain,ipa.domain
> services = nss, sudo, pam, ssh
> domains = ipa.domain
> entry_cache_user_timeout = 60
>
> [nss]
> entry_cache_user_timeout = 60
> override_shell = /bin/bash
> override_homedir = /home/%u
> filter_users = root,fedora
> homedir_substring = /home
>
> [pam]
> entry_cache_user_timeout = 60
> debug_level = 9
>
> [sudo]
> entry_cache_user_timeout = 60
> debug_level = 9
>
> [autofs]
>
> [ssh]
> entry_cache_user_timeout = 60
> debug_level = 9
>
> [pac]
> debug_level = 9
>
> [ifp]
> debug_level = 9
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/[email protected]/message/PMGJBQ3ROP3CAZO5CF7REDETEMUGG3LT/

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/[email protected]/message/DAFPDEILGFUZMOFAGSNZ5MGISSRUCNSW/
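The stale-key symptom above (a key deleted in the IPA web UI still returned by sss_ssh_authorizedkeys on a client) can be checked per host with the script below. It is an added example, not code from the thread or from SSSD; the sample key lines are constructed, and the helper names are assumptions.

```shell
#!/bin/sh
# Added check, not from the original thread: after a key has been deleted in
# the IPA web UI, confirm on a client that sss_ssh_authorizedkeys no longer
# serves it. Keys are compared by type + base64 blob, so a changed comment
# cannot hide a key that is still cached.

# key_blob: normalise one authorized_keys line to "type blob" (drop comment).
key_blob() {
    printf '%s\n' "$1" | awk '{ print $1 " " $2 }'
}

# served_keys_contain: read authorized_keys lines on stdin; return 0 if the
# deleted key (argument 1) is still among them, 1 otherwise.
served_keys_contain() {
    wanted=$(key_blob "$1")
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac   # skip blanks and comments
        [ "$(key_blob "$line")" = "$wanted" ] && return 0
    done
    return 1
}

# stale_key_status: print "stale" if the deleted key is still served from the
# lines on stdin, "clean" otherwise.
stale_key_status() {
    if served_keys_contain "$1"; then echo stale; else echo clean; fi
}

# check_client_key: run the check against the live SSSD on this host.
# Usage: check_client_key ad_user "ssh-ed25519 AAAA... comment"
check_client_key() {
    user="$1"; deleted="$2"
    sss_ssh_authorizedkeys "$user" | stale_key_status "$deleted"
}

# Constructed sample output (not real keys) so the check can be tried offline.
SAMPLE_SERVED='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYBLOBONLYFORDEMO ad_user@laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCEXAMPLERSAKEYBLOB ad_user@desktop'
```

Run it on each enrolled client after the deletion; a "stale" result on a host is the signal that the client is still serving the revoked key from its cache.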
