We use sssd version 1.13.4 on our Linux clients.
A user from ipa successfully authorizes on a Linux client via ssh without a
certificate. But then, if we add a certificate, the connection gets lost.
Please find logs in the attached files.
Thank you in advance.

*Artem Golubev*
System Administrator
*(exp)capital limited*

On 20 March 2017 at 18:14, Lukas Slebodnik <lsleb...@redhat.com> wrote:

> On (20/03/17 16:39), Alexander Bokovoy wrote:
> >On Mon, 20 Mar 2017, Artem Golubev wrote:
> >> Good day!
> >>
> >> We use freeipa server 4.3.1, we usually grant access via ssh keys to linux
> >> clients.
> >> We currently face the following issue with access on certificate: when we
> >> add certificate to user's account, user is not able to login via ssh.
> >> How can we solve this problem? We would like to have a possibility to
> >> access linux clients via ssh keys and access to other resources using
> >> certificates.
> >You need to provide logs, obviously. Start with level 3 debug logs in
> >sshd, and debug_level=9 in sssd. Also show user's entry (as in 'ipa
> >user-show --raw --all username').
> >
> >When you access SSH with ssh keys, SSSD is involved in account and
> >session phases of PAM authentication. This means either user does not
> >exist to sshd (it would then not exist on system level at all) or
> >something prevents session phase from success. In session phase SSSD
> >does verify HBAC rules, for example.
> >
> >See https://fedorahosted.org/sssd/wiki/Troubleshooting for
> >troubleshooting instructions.
> >
> The most important is to know version of sssd.
> Because one related bug is already fixed.
> https://pagure.io/SSSD/sssd/issue/2977
> LS

Attachment: sshd_log
Description: Binary data

Attachment: sssd_ssh_log
Description: Binary data

Attachment: user-show
Description: Binary data
