I have FreeIPA installed on several types of Linux machines and they are
all experiencing strange issues with certificates and host keys.
Here is the setup:

Server: FreeIPA 4.1.2 on CentOS 7
Client 1&2: FreeIPA 3.0.0-42.el6 with sssd 1.11.6-30.el6_6.4 on CentOS 6.5
Client 3&4: FreeIPA 4.1.2-1.el7 on CentOS 7


First, the FreeIPA clients running client 3.0.0 do not seem to be properly
getting their host keys from the server.  Whenever I ssh from one client
to another (or even to the IPA server itself) I am prompted to answer yes
or no to the host key.  The host keys are both listed in the host record
if I log in to the domain controller web interface (and match what is on
the server), and the DNS SSHFP records exist also.

# sss_ssh_authorizedkeys --debug 10 admin
(Fri Mar 20 13:43:52:706986 2015) [sss_ssh_authorizedkeys] [main]
(0x0020): sss_ssh_get_ent() failed (2): No such file or directory
Error looking up public keys

I've seen some bug reports that this was a problem with sssd 1.10, but with
a recent (updated today) version of sssd 1.11 I would assume that is not
the issue?

The second issue is that whenever I join a FreeIPA 4.1.2 client, I can't
log in with FreeIPA or AD users.  I believe this is due to the fact that
when I log in to the domain controller web interface and look at the
freshly enrolled client it says "kerberos key present, host provisioned"
but the next line is "Status No Valid Certificate".  Unenrolling and
re-enrolling the client leads to the same issue with "No Valid
Certificate".

Here is a grep of my client install log filtered for 'certificate'.  I
don't see any errors.

2015-03-20T20:33:28Z DEBUG args='/usr/bin/certutil' '-d' '/tmp/tmpuZCwlm' '-A' '-n' 'CA certificate 1' '-t' 'C,,'
2015-03-20T20:33:28Z DEBUG auth_certificate_callback: check_sig=True is_server=False
2015-03-20T20:33:28Z DEBUG auth_certificate_callback: check_sig=True is_server=False
2015-03-20T20:33:30Z DEBUG Adding CA certificates to the IPA NSS database.
2015-03-20T20:33:32Z DEBUG Attempting to add CA certificates to the default NSS database.
2015-03-20T20:33:32Z INFO Added CA certificates to the default NSS database.
2015-03-20T20:33:32Z DEBUG auth_certificate_callback: check_sig=True is_server=False



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
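The post states that the SSHFP records "exist" for the hosts that still trigger the host-key prompt. Whether a record exists and whether it actually matches the key the host presents are two different checks, and a mismatch produces exactly the "are you sure you want to continue connecting" prompt described above. The following is an added example, not code from the post, from FreeIPA or from sssd: it computes the SSHFP rdata (algorithm number, fingerprint type, hex digest over the base64-decoded key blob, per RFC 4255 / RFC 6594 / RFC 7479) for an OpenSSH public key line and cross-checks a set of host keys against a set of published records. The key material and the record strings are constructed inline and are not real keys; in practice the inputs would be the contents of the host's /etc/ssh/ssh_host_*_key.pub files and the output of a DNS query for the host's SSHFP records.

```python
import base64
import hashlib
import struct

# SSHFP algorithm and fingerprint-type numbers (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_FPTYPE = {"sha1": 1, "sha256": 2}
FPTYPE_NAME = {1: "sha1", 2: "sha256"}


def sshfp_from_pubkey(pubkey_line, fptype="sha256"):
    """Return the SSHFP rdata 'alg fptype hexdigest' for one line of an
    OpenSSH public key file. The digest covers the raw key blob, i.e. the
    base64-decoded second field, not the textual key line."""
    keytype, b64blob = pubkey_line.split()[:2]
    blob = base64.b64decode(b64blob)
    alg = SSHFP_ALGORITHM[keytype]
    digest = hashlib.new(fptype, blob).hexdigest()
    return f"{alg} {SSHFP_FPTYPE[fptype]} {digest}"


def sshfp_matches(pubkey_line, sshfp_rdata):
    """True if a published SSHFP record describes this host key.
    Hex digests are compared case-insensitively, as DNS data may be upper-case."""
    alg, fptype, digest = sshfp_rdata.split()
    fpname = FPTYPE_NAME.get(int(fptype))
    if fpname is None:
        return False  # unknown fingerprint type; cannot validate
    expected = sshfp_from_pubkey(pubkey_line, fpname)
    return expected.split() == [alg, fptype, digest.lower()]


def audit_sshfp(pubkey_lines, sshfp_records):
    """Cross-check every host key against the published SSHFP record set.
    Returns the key types that have no matching record; a client using
    VerifyHostKeyDNS would fall back to prompting for exactly these keys,
    even though SSHFP records for the host 'exist'."""
    unmatched = []
    for line in pubkey_lines:
        if not any(sshfp_matches(line, rec) for rec in sshfp_records):
            unmatched.append(line.split()[0])
    return unmatched


def make_constructed_ed25519_pubkey(fill_byte):
    """Build a syntactically valid ssh-ed25519 public key line from a
    constructed 32-byte value. This is sample input only, not a real key."""
    raw = bytes([fill_byte]) * 32
    blob = (struct.pack(">I", len(b"ssh-ed25519")) + b"ssh-ed25519"
            + struct.pack(">I", len(raw)) + raw)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"


if __name__ == "__main__":
    # Constructed scenario: the host presents key A, but DNS still carries the
    # record for key B (for example, a record left over from a re-enrolment).
    current_key = make_constructed_ed25519_pubkey(0x01)
    stale_key = make_constructed_ed25519_pubkey(0x02)
    published = [sshfp_from_pubkey(stale_key)]
    print("SSHFP for current host key:", sshfp_from_pubkey(current_key))
    print("published records:", published)
    print("host keys with no matching record:", audit_sshfp([current_key], published))
```

Running the block shows that a record set can be non-empty and still leave the host's real key unmatched; feeding it the actual `ssh_host_*_key.pub` files and the queried SSHFP rdata is the first thing to check before looking at the sssd known_hosts proxy.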