On Fri, Feb 28, 2020 at 05:44:38PM -0000, Mark L. Potter via FreeIPA-users
wrote:
> Greetings,
>
> I am implementing FreeIPA in a large environment to replace OpenLDAP. I have
> the initial client configuration scripted as the machines are diskless and
> almost everything is working properly. However, I cannot seem to get FreeIPA
> managed user ssh keys working with sssd. I have been reading for a couple of
> days and haven't found the answer as of yet. Here is what I have discerned to
> be pertinent information. I will gladly add anything else that's necessary.
> 'sss_ssh_authorizedkeys markp --debug 10' produces no output at all and
> no errors. I cannot ssh between hosts without entering a password or using
> authorized_keys.
>
> 'journalctl -u sssd' shows:
>
> Feb 28 11:38:40 hud9 sssd_be[3345]: GSSAPI client step 1
> Feb 28 11:38:40 hud9 sssd_be[3345]: GSSAPI client step 1
> Feb 28 11:38:40 hud9 sssd_be[3345]: GSSAPI client step 1
> Feb 28 11:38:40 hud9 sssd_be[3345]: GSSAPI client step 2
>
> OS: CentOS 7.4
> Packages: ipa-client-4.6.5-11.el7.centos.4.x86_64
> sssd-1.16.4-21.el7_7.1.x86_64
>
> sssd.conf:
Hi,
please add 'debug_level = 9' to the [domain/...] and [ssh] sections,
restart SSSD, run the sss_ssh_authorizedkeys command again and then send
the sssd_ssh.log and sssd_example.com.log files from /var/log/sssd.
bye,
Sumit
>
> [domain/example.com]
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = example.com
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = host.example.com
> chpass_provider = ipa
> ipa_server = ipaserver.example.com
> ldap_tls_cacert = /etc/ipa/ca.crt
>
> [sssd]
> config_file_version = 2
> services = nss, sudo, pam, ssh
>
> domains = example.com
> [nss]
> homedir_substring = /home
>
> [pam]
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
> [pac]
>
> [ifp]
>
> [secrets]
>
> [session_recording]
>
> openldap/ldap.conf
>
> # File modified by ipa-client-install
>
> TLS_CACERTDIR /etc/openldap/certs
>
> # Turning this off breaks GSSAPI used with krb5 when rdns = false
> SASL_NOCANON on
> URI ldaps://ipaserver.example.com
> BASE dc=dugeo,dc=com
> TLS_CACERT /etc/ipa/ca.crt
> SASL_MECH GSSAPI
>
> krb5.conf
>
> #File modified by ipa-client-install
>
> includedir /etc/krb5.conf.d/
> includedir /var/lib/sss/pubconf/krb5.include.d/
>
> [libdefaults]
> default_realm = EXAMPLE.COM
> dns_lookup_realm = false
> dns_lookup_kdc = false
> rdns = false
> dns_canonicalize_hostname = false
> ticket_lifetime = 24h
> forwardable = true
> udp_preference_limit = 0
> default_ccache_name = KEYRING:persistent:%{uid}
>
>
> [realms]
> EXAMPLE.COM = {
> kdc = ipaserver.example.com:88
> master_kdc = ipaserver.example.com:88
> admin_server = ipaserver.example.com:749
> kpasswd_server = ipaserver.example.com:464
> default_domain = example.com
> pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
> pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
>
> }
>
>
> [domain_realm]
> .example.com = EXAMPLE.COM
> example.com = EXAMPLE.COM
> host.example.com = EXAMPLE.COM
>
> I am hoping there's something simple that I am missing here, something I've
> overlooked or managed to just suck at library skills. Thanks in advance for
> any help.
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
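The steps the reply asks for (set debug_level = 9 in the [domain/...] and [ssh] sections, restart SSSD, rerun the lookup, collect sssd_ssh.log and the domain log), as an added example script that is not part of the thread and not SSSD's own tooling. The user name markp, the domain example.com and the /etc/sssd/sssd.conf and /var/log/sssd paths come from the post; the SSSD_CONF and LOG_DIR overrides, the function names and the --apply flag are assumptions made for this example. The config editor is written so that running it twice leaves exactly one debug_level line per section, which is the check worth making before restarting SSSD on a production client.

```shell
#!/bin/sh
# Added example (not code from the thread): apply the debugging steps from the
# reply. Paths and the user/domain follow the original post; the environment
# overrides, function names and --apply flag are assumptions for this script.
set -eu

SSSD_CONF=${SSSD_CONF:-/etc/sssd/sssd.conf}
LOG_DIR=${LOG_DIR:-/var/log/sssd}

# add_debug_level FILE NAME_REGEX LEVEL
# Every section whose name (the text between the brackets) matches NAME_REGEX
# ends up with exactly one "debug_level = LEVEL" line directly under its
# header. An existing debug_level in that section is dropped, so the edit is
# idempotent and never leaves two conflicting values in one section.
add_debug_level() {
    file=$1 pat=$2 lvl=$3
    tmp=$(mktemp)
    awk -v pat="$pat" -v lvl="$lvl" '
        /^[ \t]*\[[^]]*\][ \t]*$/ {
            name = $0
            sub(/^[ \t]*\[/, "", name); sub(/\][ \t]*$/, "", name)
            in_target = (name ~ pat)
            print
            if (in_target) print "debug_level = " lvl
            next
        }
        in_target && /^[ \t]*debug_level[ \t]*=/ { next }   # stale value in a target section
        { print }
    ' "$file" > "$tmp"
    # Write through the existing file rather than mv: sssd.conf must stay root-owned 0600
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# debug_levels FILE
# Print "section level" for every section that sets debug_level, so the result
# can be eyeballed (or asserted on) before SSSD is restarted.
debug_levels() {
    awk '
        /^[ \t]*\[[^]]*\][ \t]*$/ { name = $0; sub(/^[ \t]*\[/, "", name); sub(/\][ \t]*$/, "", name); next }
        /^[ \t]*debug_level[ \t]*=/ { v = $0; sub(/^[^=]*=[ \t]*/, "", v); print name, v }
    ' "$1"
}

# collect_sssd_debug USER DOMAIN
# The procedure from the reply, run against the real system (needs root).
collect_sssd_debug() {
    user=$1 domain=$2
    add_debug_level "$SSSD_CONF" "^(domain/|ssh$)" 9
    systemctl restart sssd
    # Same invocation as in the post; in the failing case it prints nothing,
    # so do not let an empty result abort the log collection.
    sss_ssh_authorizedkeys "$user" --debug 10 || true
    out=$(mktemp -d)
    cp "$LOG_DIR/sssd_ssh.log" "$LOG_DIR/sssd_${domain}.log" "$out/"
    echo "logs copied to $out"
}

case ${1:-} in
    --apply) collect_sssd_debug "${2:-markp}" "${3:-example.com}" ;;
    *) echo "usage: $0 --apply [user] [domain]" >&2 ;;
esac
```

Run it as root with `--apply markp example.com`; the two log files named in the reply end up in a fresh temporary directory ready to attach. Remember to remove the debug_level lines again afterwards, since level 9 logs include every LDAP and GSSAPI step and grow quickly.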