OK, then no wonder sssd can't load the attributes. Are the attributes present in the user entry? If you call ipa user-show you should see them.
If the attributes are there, but are not saved, then the sssd domain logs might have an idea what went wrong.

> On 9 Aug 2018, at 10:44, Peter Viskup <skupko...@gmail.com> wrote:
>
> No, the pubkey attribute is not there. Tried to clean/invalidate the cache, but didn't help.
> This is the complete cache entry:
>
> dn: name=ipauser@domain,cn=users,cn=domain,cn=sysdb
> createTimestamp: 1517403271
> fullName: Ipa User
> gecos: Ipa User
> gidNumber: 1462000031
> homeDirectory: /home/ipauser
> loginShell: /bin/bash
> name: ipauser@domain
> objectClass: user
> uidNumber: 1462000031
> originalDN: uid=ipauser,cn=users,cn=accounts,dc=domain,dc=com
> userPrincipalName: ipauser@domain
> mail: ipau...@domain.com
> nameAlias: ipauser@domain
> memberof: name=nou-jumpis-users@domain,cn=groups,cn=domain,cn=sysdb
> memberof: name=ou-internal-security@domain,cn=groups,cn=domain,cn=sysdb
> memberof: name=nou-internal-security-builders@domain,cn=groups,cn=domain,cn=sysdb
> initgrExpireTimestamp: 1517403331
> originalMemberOf: cn=nou-internal-security-builders,cn=groups,cn=accounts,dc=domain,dc=com
> originalMemberOf: ipaUniqueID=e341f66a-e4c9-11e7-b40b-005056ab0ca4,cn=sudorules,cn=sudo,dc=domain,dc=com
> originalMemberOf: cn=ou-internal-security,cn=groups,cn=accounts,dc=domain,dc=com
> originalMemberOf: ipaUniqueID=5acc123e-d5b5-11e7-9af8-005056ab0ca4,cn=hbac,dc=domain,dc=com
> originalMemberOf: cn=nou-jumpis-users,cn=groups,cn=accounts,dc=domain,dc=com
> originalMemberOf: ipaUniqueID=dd273a22-d5b7-11e7-88bc-005056ab0ca4,cn=hbac,dc=domain,dc=com
> originalMemberOf: ipaUniqueID=4af6ee94-d5bd-11e7-9d4a-005056ab0ca4,cn=hbac,dc=domain,dc=com
> originalMemberOf: ipaUniqueID=3a9d728a-e4c6-11e7-88bc-005056ab0ca4,cn=sudorules,cn=sudo,dc=domain,dc=com
> originalMemberOf: ipaUniqueID=d03e4b9a-fc4d-11e7-a5c4-005056ab0ca4,cn=sudorules,cn=sudo,dc=domain,dc=com
> originalMemberOf: ipaUniqueID=43cb7646-1198-11e8-891e-005056ab0ca4,cn=hbac,dc=domain,dc=com
> ccacheFile: FILE:/tmp/krb5cc_1462000031_Aqw31Q
> krbLastPwdChange: 20180530070315Z
> krbPasswordExpiration: 20180828070315Z
> originalModifyTimestamp: 20180808100017Z
> entryUSN: 252945251
> lastUpdate: 1533722422
> dataExpireTimestamp: 1533722482
> distinguishedName: name=ipauser@domain,cn=users,cn=domain,cn=sysdb
>
> # returned 1 records
> # 1 entries
> # 0 referrals
>
> On Thu, Aug 9, 2018 at 9:18 AM, Jakub Hrozek <jhro...@redhat.com> wrote:
>> If you search the cache with ldbsearch -H /var/lib/sss/db/cache_domain.ldb, does the user have the pubkey attribute?
>>
>>> On 8 Aug 2018, at 11:02, Peter Viskup via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
>>>
>>> On a Debian 9 client the sss_ssh_authorizedkeys command returns an empty list. But the ipauser has an SSH key in its IPA profile, set up via the web UI.
>>> The debug log does not point to any error:
>>>
>>> (Wed Aug 8 10:54:01 2018) [sssd[ssh]] [get_client_cred] (0x4000): Client creds: euid[65534] egid[65534] pid[11834].
>>> (Wed Aug 8 10:54:01 2018) [sssd[ssh]] [get_client_cred] (0x0080): The following failure is expected to happen in case SELinux is disabled:
>>> SELINUX_getpeercon failed [92][Protocol not available].
>>> Please, consider enabling SELinux in your system.
>>> (Wed Aug 8 10:54:01 2018) [sssd[ssh]] [setup_client_idle_timer] (0x4000): Idle timer re-set for client [0x56353b9b65a0][18]
>>> (Wed Aug 8 10:54:01 2018) [sssd[ssh]] [accept_fd_handler] (0x0400): Client connected!
>>> (Wed Aug 8 10:54:01 2018) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Received client version [0].
>>> (Wed Aug 8 10:54:01 2018) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Offered version [0].
>>> (Wed Aug 8 10:54:01 2018) [sssd[ssh]] [ssh_cmd_parse_request] (0x0400): Requested domain [DOMAIN]
>>> (Wed Aug 8 10:54:01 2018) [sssd[ssh]] [ssh_cmd_parse_request] (0x0400): Parsing name [ipauser][DOMAIN]
>>> (Wed Aug 8 10:54:01 2018) [sssd[ssh]] [sss_parse_name_for_domains] (0x0200): name 'ipauser' matched without domain, user is ipauser
>>> (Wed Aug 8 10:54:01 2018) [sssd[ssh]] [sss_parse_name_for_domains] (0x0200): using default domain [DOMAIN]
>>> (Wed Aug 8 10:54:01 2018) [sssd[ssh]] [sss_ssh_cmd_get_user_pubkeys] (0x0400): Requesting SSH user public keys for [ipauser] from [DOMAIN]
>>> (Wed Aug 8 10:54:01 2018) [sssd[ssh]] [sss_dp_issue_request] (0x0400): Issuing request for [0x56353a7ea5f0:1:ipauser@DOMAIN@DOMAIN]
>>> (Wed Aug 8 10:54:01 2018) [sssd[ssh]] [sss_dp_get_account_msg] (0x0400): Creating request for [DOMAIN][0x1][BE_REQ_USER][name=ipauser@DOMAIN:-]
>>> (Wed Aug 8 10:54:01 2018) [sssd[ssh]] [sbus_add_timeout] (0x2000): 0x56353b9b8fc0
>>> (Wed Aug 8 10:54:01 2018) [sssd[ssh]] [sss_dp_internal_get_send] (0x0400): Entering request [0x56353a7ea5f0:1:ipauser@DOMAIN@DOMAIN]
>>> (Wed Aug 8 10:54:01 2018) [sssd[ssh]] [sbus_remove_timeout] (0x2000): 0x56353b9b8fc0
>>> (Wed Aug 8 10:54:01 2018) [sssd[ssh]] [sbus_dispatch] (0x4000): dbus conn: 0x56353b9af060
>>> (Wed Aug 8 10:54:01 2018) [sssd[ssh]] [sbus_dispatch] (0x4000): Dispatching.
>>> (Wed Aug 8 10:54:01 2018) [sssd[ssh]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
>>> (Wed Aug 8 10:54:01 2018) [sssd[ssh]] [ssh_user_pubkeys_search_next] (0x0400): Requesting SSH user public keys for [ipauser@DOMAIN]
>>> (Wed Aug 8 10:54:01 2018) [sssd[ssh]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x56353b9bdcd0
>>> (Wed Aug 8 10:54:01 2018) [sssd[ssh]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x56353b9bdd90
>>> (Wed Aug 8 10:54:01 2018) [sssd[ssh]] [ldb] (0x4000): Running timer event 0x56353b9bdcd0 "ltdb_callback"
>>> (Wed Aug 8 10:54:01 2018) [sssd[ssh]] [ldb] (0x4000): Destroying timer event 0x56353b9bdd90 "ltdb_timeout"
>>> (Wed Aug 8 10:54:01 2018) [sssd[ssh]] [ldb] (0x4000): Ending timer event 0x56353b9bdcd0 "ltdb_callback"
>>> (Wed Aug 8 10:54:01 2018) [sssd[ssh]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x56353b9b90e0
>>> (Wed Aug 8 10:54:01 2018) [sssd[ssh]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x56353b9b98e0
>>> (Wed Aug 8 10:54:01 2018) [sssd[ssh]] [ldb] (0x4000): Running timer event 0x56353b9b90e0 "ltdb_callback"
>>> (Wed Aug 8 10:54:01 2018) [sssd[ssh]] [ldb] (0x4000): Destroying timer event 0x56353b9b98e0 "ltdb_timeout"
>>> (Wed Aug 8 10:54:01 2018) [sssd[ssh]] [ldb] (0x4000): Ending timer event 0x56353b9b90e0 "ltdb_callback"
>>> (Wed Aug 8 10:54:01 2018) [sssd[ssh]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x56353a7ea5f0:1:ipauser@DOMAIN@DOMAIN]
>>> (Wed Aug 8 10:54:01 2018) [sssd[ssh]] [client_recv] (0x0200): Client disconnected!
>>> (Wed Aug 8 10:54:01 2018) [sssd[ssh]] [client_close_fn] (0x2000): Terminated client [0x56353b9b65a0][18]
>>>
>>> What could be the root cause?
>>>
>>> --
>>> Peter
>>> _______________________________________________
>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>>> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/WGE63YYFIHYZNI3YJBCPC52F3WXZHT5Z/

List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/WUAZLS2JM33PUXRBRWVNMOHTL4MAKPIY/
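The check Jakub asks for, done offline against a saved ldbsearch dump, as an added Python example (not code from the thread or from sssd): it parses the LDIF-style output, reports whether the cached user carries sssd's sysdb sshPublicKey attribute, and compares dataExpireTimestamp with the current time so a stale entry can be told apart from one that never had the key. The sample entry is constructed from the one quoted above and shortened.

```python
# Constructed sample modelled on the ldbsearch dump quoted in the thread
# (the real entry is longer); like the real one it has no sshPublicKey.
SAMPLE_ENTRY = """\
dn: name=ipauser@domain,cn=users,cn=domain,cn=sysdb
createTimestamp: 1517403271
fullName: Ipa User
uidNumber: 1462000031
originalDN: uid=ipauser,cn=users,cn=accounts,dc=domain,dc=com
memberof: name=nou-jumpis-users@domain,cn=groups,cn=domain,cn=sysdb
memberof: name=ou-internal-security@domain,cn=groups,cn=domain,cn=sysdb
originalMemberOf: cn=nou-jumpis-users,cn=groups,cn=accounts,dc=domain,dc=
 com
lastUpdate: 1533722422
dataExpireTimestamp: 1533722482

# returned 1 records
# 1 entries
# 0 referrals
"""

def parse_ldif(text):
    """Parse one ldbsearch (LDIF-style) dump into {attr: [values]}.
    A leading space folds a line onto the previous value; blank lines
    and '#' summary lines are skipped."""
    attrs, last = {}, None
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        if line.startswith(" ") and last is not None:
            attrs[last][-1] += line[1:]
            continue
        key, _, value = line.partition(": ")
        attrs.setdefault(key, []).append(value)
        last = key
    return attrs

def check_cache_entry(text, now, required=("sshPublicKey",)):
    """Report which required attributes the cached user lacks and whether
    the entry has expired. sssd keeps the user's SSH keys in sysdb as
    sshPublicKey; without it sss_ssh_authorizedkeys prints nothing."""
    attrs = parse_ldif(text)
    expires = int(attrs.get("dataExpireTimestamp", ["0"])[0])
    updated = int(attrs.get("lastUpdate", ["0"])[0])
    return {
        "dn": attrs.get("dn", [""])[0],
        "missing": [a for a in required if a not in attrs],
        "expired": expires <= now,
        "age_seconds": now - updated,
        "groups": len(attrs.get("memberof", [])),
    }
```

On a real client, pass the output of the ldbsearch command from the thread as text and int(time.time()) as now; an empty "missing" list with an expired entry points at refresh problems rather than at the IPA user entry itself.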