When I use id_provider=ipa I get:

[sssd[be[default]]] [main] (0x0010): Could not initialize backend [2]

Adding an [ssh] section with just "debug_level = 10" in it, I get:

(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [get_client_cred] (0x4000): Client creds: euid[1742200001] egid[1742200001] pid[6295].
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0xd34eb0][17]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [accept_fd_handler] (0x0400): Client connected!
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0xd34eb0][17]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Received client version [0].
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Offered version [0].
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0xd34eb0][17]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0xd34eb0][17]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ssh_cmd_parse_request] (0x0400): Requested domain [<ALL>]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ssh_cmd_parse_request] (0x0400): Parsing name [admin][<ALL>]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_parse_name] (0x0100): Domain not provided!
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_parse_name_for_domains] (0x0200): name 'admin' matched without domain, user is admin
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_ssh_cmd_get_user_pubkeys] (0x0400): Requesting SSH user public keys for [admin] from [<ALL>]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_issue_request] (0x0400): Issuing request for [0x40aba0:1:admin@default]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_get_account_msg] (0x0400): Creating request for [default][1][1][name=admin]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sbus_add_timeout] (0x2000): 0xd32ba0
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_internal_get_send] (0x0400): Entering request [0x40aba0:1:admin@default]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sbus_remove_timeout] (0x2000): 0xd32ba0
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sbus_dispatch] (0x4000): dbus conn: 0xd310f0
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sbus_dispatch] (0x4000): Dispatching.
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ssh_user_pubkeys_search_next] (0x0400): Requesting SSH user public keys for [admin@default]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_parse_name] (0x0100): Domain not provided!
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Added timed event "ltdb_callback": 0xd3f3b0
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0xd3f470
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Running timer event 0xd3f3b0 "ltdb_callback"
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Destroying timer event 0xd3f470 "ltdb_timeout"
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Ending timer event 0xd3f3b0 "ltdb_callback"
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x40aba0:1:admin@default]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0xd34eb0][17]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0xd34eb0][17]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [client_recv] (0x0200): Client disconnected!
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [client_destructor] (0x2000): Terminated client [0xd34eb0][17]

ldbsearch shows this (ldbsearch -H /var/lib/sss/db/cache_default.ldb name=admin):

asq: Unable to register control with rootdse!
# record 1
dn: name=admin,cn=users,cn=default,cn=sysdb
createTimestamp: 1442509579
fullName: Administrator
gecos: Administrator
gidNumber: 1742200000
homeDirectory: /home/admin
loginShell: /bin/bash
name: admin
objectClass: user
uidNumber: 1742200000
originalDN: uid=admin,cn=users,cn=compat,dc=my,dc=domain,dc=com
originalModifyTimestamp: 20150829000451Z
entryUSN: 1428
lastUpdate: 1442509579
dataExpireTimestamp: 1442514979
distinguishedName: name=admin,cn=users,cn=default,cn=sysdb

# returned 1 records
# 1 entries
# 0 referrals

Thanks,
Gustavo

On Thu, Sep 17, 2015 at 12:25 AM, Jakub Hrozek <[email protected]> wrote:
> On Wed, Sep 16, 2015 at 11:28:49AM -0700, Gustavo Mateus wrote:
> > Hi,
> >
> > I have an IPA server running on redhat and I'm trying to find the best way to
> > get my amazon linux instances to use it for authentication, ssh key
> > management and sudo rules.
> >
> > I'm now trying to use SSSD to achieve those goals. Authentication is
> > working but I'm having problems getting the user public ssh keys using
> > /usr/bin/sss_ssh_authorizedkeys.
> >
> > This is my sssd.conf:
> >
> > [sssd]
> > services = nss, pam, ssh, sudo
> > config_file_version = 2
> > domains = default
> > re_expression = (?P<name>.+)
> >
> > [domain/default]
> > debug_level = 8
> > cache_credentials = True
> > id_provider = ldap
> > auth_provider = ldap
> > ldap_uri = ldap://ipa.my.domain.com
> > ldap_search_base = cn=compat,dc=my,dc=domain,dc=com
> > ldap_tls_cacert = /etc/openldap/cacerts/ipa.crt
> > ldap_user_ssh_public_key = ipaSshPubKey
> >
> > The original configuration was done using ipa-advise
> > config-redhat-sssd-before-1-9.
>
> Is there any particular reason to keep doing this versus joining the
> client to the domain and using id_provider=ipa ?
>
> > I just changed the services parameter to
> > include "ssh, sudo" and "ldap_user_ssh_public_key"
>
> I don't think sudo would work unless you authenticate the LDAP
> connection.
>
> > When I run it on the client I get no response or error. Even running it in
> > debug mode:
> >
> > /usr/bin/sss_ssh_authorizedkeys admin --debug 10
>
> I would check if:
> - debug_level in the [ssh] section reveals anything. Is the ssh
> responder being contacted, are there any errors?
> - check with ldbsearch (ldb-tools package) if the ssh key
> attribute is really fetched from IPA LDAP and is stored along the
> user entry
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
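The check Jakub suggests, reading the sysdb cache with ldbsearch, can be scripted so the answer is unambiguous. The following is an added example and not code from the thread or from SSSD itself: it parses an ldbsearch dump of /var/lib/sss/db/cache_default.ldb and reports, per user, what sss_ssh_authorizedkeys would print. It assumes SSSD stores a user's keys in the sysdb attribute sshPublicKey, one value per key. The first record is the one posted above (it has no such attribute, which matches the empty output); the second user, alice, her key material and the hypothetical user bob are constructed to show the populated and the not-cached cases. The 5400-second gap between lastUpdate and dataExpireTimestamp in the posted record is SSSD's default entry_cache_timeout, so the example also reports whether the entry is still considered fresh.

```python
"""Added diagnostic example (not from the thread, not SSSD code): parse an
ldbsearch dump of the SSSD sysdb cache and report what sss_ssh_authorizedkeys
would print per user. Assumption: keys live in the sysdb attribute
``sshPublicKey`` (one value per key)."""
import time

# Constructed input: the record posted in the thread (no sshPublicKey) plus a
# hypothetical user "alice" whose entry does carry keys. Her second key is
# folded onto a continuation line the way ldbsearch wraps long values.
LDB_DUMP = """\
asq: Unable to register control with rootdse!
# record 1
dn: name=admin,cn=users,cn=default,cn=sysdb
createTimestamp: 1442509579
fullName: Administrator
gecos: Administrator
gidNumber: 1742200000
homeDirectory: /home/admin
loginShell: /bin/bash
name: admin
objectClass: user
uidNumber: 1742200000
originalDN: uid=admin,cn=users,cn=compat,dc=my,dc=domain,dc=com
originalModifyTimestamp: 20150829000451Z
entryUSN: 1428
lastUpdate: 1442509579
dataExpireTimestamp: 1442514979
distinguishedName: name=admin,cn=users,cn=default,cn=sysdb

# record 2
dn: name=alice,cn=users,cn=default,cn=sysdb
name: alice
objectClass: user
uidNumber: 1742200005
originalDN: uid=alice,cn=users,cn=accounts,dc=my,dc=domain,dc=com
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyMaterial alice@example
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedKeyMaterial
 FoldedOntoNextLine alice@example
lastUpdate: 1442509579
dataExpireTimestamp: 1442514979

# returned 2 records
# 2 entries
# 0 referrals
"""


def _unfold(text):
    """Join LDIF continuation lines (leading space) onto the line they belong to."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldb(text):
    """Return a list of entries, each {attribute: [values]}; multi-valued attrs keep every value.
    Values are assumed printable (ldbsearch base64-encodes others with '::'; not handled here)."""
    entries, cur = [], {}
    for line in _unfold(text):
        # '#' lines are ldbsearch comments; the asq warning is printed before any record.
        if line.startswith("#") or line.startswith("asq:"):
            continue
        if not line.strip():                      # blank line ends a record
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(": ")
        cur.setdefault(attr, []).append(value)
    if cur:
        entries.append(cur)
    return entries


def find_user(entries, name):
    """The cached user entry whose 'name' equals name, or None if it is not cached at all."""
    for entry in entries:
        if entry.get("name") == [name] and "user" in entry.get("objectClass", []):
            return entry
    return None


def ssh_keys(entry):
    """What sss_ssh_authorizedkeys would print: the sshPublicKey values (assumed attribute name)."""
    return list(entry.get("sshPublicKey", []))


def diagnose(text, name, now=None):
    """Summarise why `sss_ssh_authorizedkeys <name>` prints nothing, or what it prints."""
    now = int(time.time()) if now is None else now
    entry = find_user(parse_ldb(text), name)
    if entry is None:
        return {"cached": False, "keys": [], "expired": None, "original_dn": None}
    expire = int(entry.get("dataExpireTimestamp", ["0"])[0])
    return {
        "cached": True,
        "keys": ssh_keys(entry),
        "expired": now >= expire,                         # past expiry SSSD refetches from LDAP
        "original_dn": entry.get("originalDN", [None])[0],  # which LDAP tree the entry came from
    }


if __name__ == "__main__":
    for user in ("admin", "alice", "bob"):
        d = diagnose(LDB_DUMP, user, now=1442510000)
        print(f"{user}: cached={d['cached']} expired={d['expired']} "
              f"keys={len(d['keys'])} originalDN={d['original_dn']}")
        for key in d["keys"]:
            print("  " + key)
```

Run it against a real dump with `ldbsearch -H /var/lib/sss/db/cache_default.ldb name=admin > dump.ldif` and feed the file's contents to diagnose(). An entry that is cached and fresh but has no sshPublicKey values means the key never made it into the cache from LDAP, so the responder log above (which ends with "Success" and no keys) is consistent and the place to look is the provider side: the search base and whether the tree named in originalDN exposes the attribute configured in ldap_user_ssh_public_key.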
