Hello everyone! I want to implement the following scheme:

1. Use AD as the place for user management
2. Store SSH public keys in AD
3. Use FreeIPA as the sudo/HBAC provider for AD groups, for authentication and authorisation on the Linux hosts
4. Use the trusts roadmap (I do not want to synchronise)

My configuration is:

AD domain - test.loc - Windows Server 2012 R2
IPA domain - ipa.test.loc - ipa-server 4.2.0 on CentOS 7 (ipa-server.x86_64 4.2.0-15.0.1.el7.centos.19 @updates)

At this moment everything is fine except SSH public keys. I tried to use an override and it works fine (I can log in to a Linux host as an AD user with a public key), but I have to create a view in IPA for each user from AD. That is not my goal and it also creates inconvenience. I found that there are several ways to achieve the desired configuration:

1. Extend the AD schema with the sshPublicKey attribute
2. Use the altSecurityIdentities attribute from AD

At this moment I can obtain the SSH public key from IPA for a user by

sss_ssh_authorizedkeys -d ipa.test.loc user

or

sss_ssh_authorizedkeys user

because ipa.test.loc is the default domain. But I can't receive the key for an AD user using this command:

sss_ssh_authorizedkeys -d test.loc

At this moment I am trying to obtain the key via altSecurityIdentities, and I see this key in the sssd debug log when I run sss_ssh_authorizedkeys, but I cannot see the public key on stdout. Here is the part of the log:

(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'dc01.test.loc' as 'working'
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_id_op_connect_done] (0x4000): notify connected to op #1
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [dc=test,dc=loc]
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_print_server] (0x2000): Searching 10.100.0.148
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=rr)(objectclass=user)(sAMAccountName=*)(objectSID=*))][dc=test,dc=loc].
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName]
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixUserPassword]
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos]
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixHomeDirectory]
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell]
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPrincipalName]
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [name]
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectGUID]
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectSID]
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [primaryGroupID]
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [whenChanged]
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged]
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires]
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl]
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [altSecurityIdentities]
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 5
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_op_add] (0x2000): New operation 5 timeout 6
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_id_op_connect_done] (0x4000): caching successful connection after 1 notifies
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [be_run_unconditional_online_cb] (0x0400): Running unconditional online callbacks.
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [be_run_online_cb] (0x0080): Going online. Running callbacks.
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_process_result] (0x2000): Trace: sh[0x7f48ff3d7440], connected[1], ops[0x7f48ff3d5ce0], ldap[0x7f48ff3bf360]
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=rr,CN=Users,DC=test,DC=loc].
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_parse_range] (0x2000): No sub-attributes for [whenChanged]
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_parse_range] (0x2000): No sub-attributes for [uSNChanged]
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_parse_range] (0x2000): No sub-attributes for [name]
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectGUID]
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_parse_range] (0x2000): No sub-attributes for [userAccountControl]
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_parse_range] (0x2000): No sub-attributes for [primaryGroupID]
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectSid]
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_parse_range] (0x2000): No sub-attributes for [accountExpires]
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_parse_range] (0x2000): No sub-attributes for [sAMAccountName]
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_parse_range] (0x2000): No sub-attributes for [userPrincipalName]
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_parse_range] (0x2000): No sub-attributes for [altSecurityIdentities]
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_process_result] (0x2000): Trace: sh[0x7f48ff3d7440], connected[1], ops[0x7f48ff3d5ce0], ldap[0x7f48ff3bf360]
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE]
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_get_generic_ext_add_references] (0x1000): Additional References: ldap://ForestDnsZones.test.loc/DC=ForestDnsZones,DC=test,DC=loc
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_process_result] (0x2000): Trace: sh[0x7f48ff3d7440], connected[1], ops[0x7f48ff3d5ce0], ldap[0x7f48ff3bf360]
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE]
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_get_generic_ext_add_references] (0x1000): Additional References: ldap://DomainDnsZones.test.loc/DC=DomainDnsZones,DC=test,DC=loc
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_process_result] (0x2000): Trace: sh[0x7f48ff3d7440], connected[1], ops[0x7f48ff3d5ce0], ldap[0x7f48ff3bf360]
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE]
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_get_generic_ext_add_references] (0x1000): Additional References: ldap://test.loc/CN=Configuration,DC=test,DC=loc
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_process_result] (0x2000): Trace: sh[0x7f48ff3d7440], connected[1], ops[0x7f48ff3d5ce0], ldap[0x7f48ff3bf360]
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_op_destructor] (0x2000): Operation 5 finished
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [generic_ext_search_handler] (0x4000): Request included referrals which were ignored.
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [generic_ext_search_handler] (0x4000): Ref: ldap://ForestDnsZones.test.loc/DC=ForestDnsZones,DC=test,DC=loc
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [generic_ext_search_handler] (0x4000): Ref: ldap://DomainDnsZones.test.loc/DC=DomainDnsZones,DC=test,DC=loc
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [generic_ext_search_handler] (0x4000): Ref: ldap://test.loc/CN=Configuration,DC=test,DC=loc
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_search_user_process] (0x0400): Search for users, returned 1 results.
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_search_user_process] (0x4000): Retrieved total 1 users
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [ldb] (0x4000): start ldb transaction (nesting: 0)
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_save_user] (0x0400): Save user
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_get_primary_name] (0x0400): Processing object [email protected]
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_save_user] (0x0400): Processing user [email protected]
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_save_user] (0x1000): Mapping user [[email protected]] objectSID [S-1-5-21-237804563-1161820721-801220523-1106] to unix ID
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_save_user] (0x2000): Adding originalDN [CN=rr,CN=Users,DC=test,DC=loc] to attributes of [[email protected]].
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_save_user] (0x0400): Original memberOf is not available for [[email protected]].
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original mod-Timestamp [20161103142350.0Z] to attributes of [[email protected]].
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_save_user] (0x0400): Adding user principal [[email protected]] to attributes of [[email protected]].
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowLastChange is not available for [[email protected]].
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowMin is not available for [[email protected]].
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowMax is not available for [[email protected]].
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowWarning is not available for [[email protected]].
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowInactive is not available for [[email protected]].
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowExpire is not available for [[email protected]].
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowFlag is not available for [[email protected]].
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_attrs_add_ldap_attr] (0x2000): krbLastPwdChange is not available for [[email protected]].
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_attrs_add_ldap_attr] (0x2000): krbPasswordExpiration is not available for [[email protected]].
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_attrs_add_ldap_attr] (0x2000): pwdAttribute is not available for [[email protected]].
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_attrs_add_ldap_attr] (0x2000): authorizedService is not available for [[email protected]].
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding adAccountExpires [9223372036854775807] to attributes of [[email protected]].
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding adUserAccountControl [66048] to attributes of [[email protected]].
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_attrs_add_ldap_attr] (0x2000): nsAccountLock is not available for [[email protected]].
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_attrs_add_ldap_attr] (0x2000): authorizedHost is not available for [[email protected]].
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_attrs_add_ldap_attr] (0x2000): ndsLoginDisabled is not available for [[email protected]].
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_attrs_add_ldap_attr] (0x2000): ndsLoginExpirationTime is not available for [[email protected]].
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_attrs_add_ldap_attr] (0x2000): ndsLoginAllowedTimeMap is not available for [[email protected]].
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_attrs_add_ldap_attr] (0x2000): sshPublicKey is not available for [[email protected]].
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_attrs_add_ldap_attr] (0x2000): authType is not available for [[email protected]].
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_attrs_add_ldap_attr] (0x2000): userCertificate is not available for [[email protected]].
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding altSecurityIdentities [ssh-rsa\20AAAAB3NzaC1yc2EAAAADAQABAAABAQDQydFCKx/r5idp3U0EY0fMJdu0eHNuIc6xvZudQJm/mbf3TflLNH+mj/Jr7yQaPj0C6z7V8my+D0f6JK1cCntxfhLQto92xUZhhKoLHVO34f5DhC5etqZ4EtaD6j9QuXYc5U8GovHgzmdH+JSeIOSpSqFzTkFR6sSmhjypfCDPCP8JKHxwI9LJvfgCRv0qKJBjELhUpZYUW3Mrcpp+bJcX8Iuz0QPDkO2VdqIcwapC+h6AhdH+Sm6PjG8FplH6/5SDlQ2LOVTnY4xMuS48RXzgtJImN+o7syrxjPTQU5/PWXiIH/Hawa6n75kREv6B4AHtQKxqDoxhNdzQ1+xiLs4H\[email protected]] to attributes of [[email protected]].
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sysdb_attrs_get_aliases] (0x2000): Domain is case-insensitive; will add lowercased aliases
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_save_user] (0x0400): Storing info for user [email protected]
(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [ldb] (0x4000): start ldb transaction (nesting: 1)

Here is my sssd.conf for the IPA domain:

[domain/ipa.test.loc]
debug_level = 0xfff0
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ipa.test.loc
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa42.ipa.test.loc
chpass_provider = ipa
ipa_server = ipa42.ipa.test.loc
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
create_homedir = True
ldap_user_extra_attrs = altSecurityIdentities:altSecurityIdentities
ldap_user_ssh_public_key = altSecurityIdentities
ldap_id_mapping = False
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
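An added diagnostic for the situation described in the post (this is not code from the post or from SSSD): it pulls the altSecurityIdentities value that SSSD logged in the sdap_attrs_add_ldap_attr lines, undoes the \XX escaping the debug log applies to the value (the \20 inside the key is a space), and checks that what SSSD stored is a well-formed OpenSSH public key in the "<type> <base64 blob> [comment]" form that sss_ssh_authorizedkeys prints, parsing the blob's RFC 4253 wire format rather than trusting the leading "ssh-rsa" word. The sample log lines are constructed in the format of the log above; the user jdoe@test.loc is an assumption, the key blob is the public key from the post, and the second value is a constructed X509 certificate-mapping string, the kind of value altSecurityIdentities holds in AD when it is used for its original purpose, which is exactly what an SSH key check must reject rather than pass through.

```python
"""Check the altSecurityIdentities values SSSD logged for a user.

Added diagnostic, not SSSD code. Parses "Adding <attr> [...] to attributes of
[...]" lines from a domain backend log, undoes the \\XX escaping used in the log
and verifies each value is an OpenSSH public key: "<type> <base64> [comment]".
"""
import base64
import re
import struct

# Public key blob taken from the log in the post (ssh-rsa, RFC 4253 wire format).
_KEY_B64 = (
    "AAAAB3NzaC1yc2EAAAADAQABAAABAQDQydFCKx/r5idp3U0EY0fMJdu0eHNu"
    "Ic6xvZudQJm/mbf3TflLNH+mj/Jr7yQaPj0C6z7V8my+D0f6JK1cCntxfhLQ"
    "to92xUZhhKoLHVO34f5DhC5etqZ4EtaD6j9QuXYc5U8GovHgzmdH+JSeIOSp"
    "SqFzTkFR6sSmhjypfCDPCP8JKHxwI9LJvfgCRv0qKJBjELhUpZYUW3Mrcpp+"
    "bJcX8Iuz0QPDkO2VdqIcwapC+h6AhdH+Sm6PjG8FplH6/5SDlQ2LOVTnY4xM"
    "uS48RXzgtJImN+o7syrxjPTQU5/PWXiIH/Hawa6n75kREv6B4AHtQKxqDoxh"
    "NdzQ1+xiLs4H"
)

# Constructed sample lines in the format of the sssd backend log shown in the post.
# The user jdoe@test.loc and the X509 mapping value are assumptions.
_PREFIX = ("(Thu Nov 3 14:24:33 2016) [sssd[be[ipa.test.loc]]] "
           "[sdap_attrs_add_ldap_attr] (0x2000): ")
SAMPLE_LOG = "\n".join([
    _PREFIX + "sshPublicKey is not available for [jdoe@test.loc].",
    _PREFIX + "Adding altSecurityIdentities [ssh-rsa\\20" + _KEY_B64
    + "\\20jdoe@test.loc] to attributes of [jdoe@test.loc].",
    _PREFIX + "Adding altSecurityIdentities [X509:<I>DC=loc,DC=test<S>CN=jdoe]"
    " to attributes of [jdoe@test.loc].",
])

_ADD_RE = re.compile(
    r"Adding (?P<attr>\w+) \[(?P<value>[^\]]*)\] to attributes of \[(?P<user>[^\]]*)\]")
_ESC_RE = re.compile(r"\\([0-9A-Fa-f]{2})")


def unescape_ldb(value: str) -> str:
    """Undo the \\XX hex escaping in the debug output (\\20 is a space)."""
    return _ESC_RE.sub(lambda m: chr(int(m.group(1), 16)), value)


def logged_attr_values(log_text: str, attr: str) -> list[tuple[str, str]]:
    """Return (user, unescaped value) for every 'Adding <attr> [...]' line."""
    return [(m.group("user"), unescape_ldb(m.group("value")))
            for m in _ADD_RE.finditer(log_text) if m.group("attr") == attr]


def parse_openssh_pubkey(text: str) -> dict:
    """Parse '<type> <base64> [comment]' and walk the blob's length-prefixed fields."""
    parts = text.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    keytype, blob_b64, comment = parts[0], parts[1], " ".join(parts[2:])
    blob = base64.b64decode(blob_b64, validate=True)   # binascii.Error is a ValueError
    fields, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length field")
        (n,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + n > len(blob):
            raise ValueError("truncated field")
        fields.append(blob[off:off + n])
        off += n
    if not fields or fields[0] != keytype.encode():
        raise ValueError("key type inside blob does not match leading word")
    info = {"type": keytype, "comment": comment}
    if keytype == "ssh-rsa":
        if len(fields) != 3:
            raise ValueError("ssh-rsa blob must carry exactly e and n")
        info["e"] = int.from_bytes(fields[1], "big")
        info["bits"] = int.from_bytes(fields[2], "big").bit_length()
    return info


def check_log(log_text: str, attr: str = "altSecurityIdentities") -> list[dict]:
    """One result per logged value: ok=True with the parsed key, or ok=False with why."""
    results = []
    for user, value in logged_attr_values(log_text, attr):
        try:
            results.append({"user": user, "ok": True, "key": parse_openssh_pubkey(value)})
        except ValueError as exc:
            results.append({"user": user, "ok": False, "error": str(exc), "value": value})
    return results


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for r in check_log(text):
        if r["ok"]:
            k = r["key"]
            print(f"{r['user']}: OK {k['type']} {k.get('bits', '?')} bits, comment {k['comment']!r}")
        else:
            print(f"{r['user']}: not an OpenSSH key ({r['error']}): {r['value'][:40]}")
```

Run it against the real sssd_ipa.test.loc.log to confirm the stored value is the key and nothing else; a value the script rejects is one that was never going to be printed as an authorized key, and a multi-valued altSecurityIdentities that mixes certificate mappings with keys is worth knowing about before pointing ldap_user_ssh_public_key at it.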
