On 7/18/2016 9:50 AM, Sumit Bose wrote:
On Sun, Jul 17, 2016 at 11:21:34PM +0200, Martin Štefany wrote:
On So, 2016-07-16 at 15:37 +0200, Lukas Slebodnik wrote:
On (16/07/16 10:19), Martin Štefany wrote:

Hello Sumit,

seems that upgrade to F24 broke things again. This time no AVCs, empty SSSD
logs, but same problem: 'Error looking up public keys'.


Fedora 23 and fedora 24 has the same version of sssd
and almost the same version of openssh.
I have no idea what coudl broke it it there are not any AVCs.

Using debug_level 0x0250 ::

For troubleshooting, it would be better to see all
debug messages. (debug_level = 0xfff0)

Hello Lukas,

thanks for replying on this, here are debug_level = 0xfff0 messages


(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [cert_to_ssh_key] (0x0020):
CERT_VerifyCertificateNow failed [-8179].
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [decode_and_add_base64_data] (0x0040):
cert_to_ssh_key failed.

-8179 translates to "Peer's certificate issuer is not recognized."
This means the CA certificate which signed the certificate on the
Smartcard is missing in /etc/pki/nssdb which is used by default by SSSD.

Recent version of IPA put IPA CA certificates only in /etc/ipa/nssdb,
this might be the reason why you see this with F24.

To fix this please either add the needed CA certificates to
/etc/pki/nssdb with certutil or add 'ca_db = /etc/ipa/nssdb' to the
[ssh] section of sssd.conf if /etc/ipa/nssdb already has all needed CA
certificates to validate the Smartcard certificate.

Thank you!
Fixed for now by putting 'ca_db = /etc/ipa/nssdb' to the [ssh] section of sssd.conf, but CA certificate is actually the one from IPA CA, as this SSH key is generated from my userCertificate. Works like a charm.

Kind regards,

I'm working on a fix for SSSD to handle handle this change
automatically, but unfortunately it is not ready yet.



$ /usr/bin/sss_ssh_authorizedkeys martin
Error looking up public keys

And try to run strace with sss_ssh_authorizedkeys




Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to