Re: [Freeipa-users] Certificate Access issue
Guys, we have updated the system to 1.15.0 version and this fixed the issue

Thank you all ;-)

*Artem Golubev*
System Administrator
*(exp)capital limited*

On 21 March 2017 at 19:26, Artem Golubev <artem.golu...@expcapital.com> wrote:

> yep, Ubuntu 16.04.2
>
> *Artem Golubev*
> System Administrator
> *(exp)capital limited*
>
> On 21 March 2017 at 19:13, Vasily Yanov <vasily.ya...@expcapital.com> wrote:
>
>> Hi Lukas,
>>
>> You are right :) Ubuntu 16.04.
>>
>> -----Original Message-----
>> From: Lukas Slebodnik [mailto:lsleb...@redhat.com]
>> Sent: Tuesday, March 21, 2017 7:03 PM
>> To: Alexander Bokovoy <aboko...@redhat.com>
>> Cc: freeipa-users@redhat.com; Artem Golubev <artem.golu...@expcapital.com>; IT Team <i...@expcapital.com>
>> Subject: Re: [Freeipa-users] Certificate Access issue
>>
>> On (21/03/17 17:35), Alexander Bokovoy wrote:
>> >On Tue, 21 March 2017, Lukas Slebodnik wrote:
>> >> On (21/03/17 16:29), Alexander Bokovoy wrote:
>> >> > On Tue, 21 March 2017, Artem Golubev wrote:
>> >> > > We use sssd version 1.13.4 on our linux clients. A user from ipa
>> >> > > successfully authorizes on a linux client via ssh without a
>> >> > > certificate. But then if we add a certificate - connection gets lost.
>> >> > If Lukas is correct, 1.13.4 does not have the fix for broken
>> >> > certificate-as-ssh public key:
>> >> >
>> >> It has.
>> >> https://pagure.io/SSSD/sssd/issue/2977#comment-222198
>> >> https://pagure.io/SSSD/sssd/c/4dbb3bec93cda57e8336847dff0822f31425004d
>> >>
>> >> It will be part of upstream release 1.13.5
>> >That's my point -- it is *not* part of 1.13.4, therefore, this is the
>> >problem Artem sees.
>> >
>> >Artem, what is your Linux distribution? Can you move to a newer version?
>> >
>> I would guess ubuntu :-)
>>
>> You might file a bug to your distribution to backport patch from the
>> ticket https://pagure.io/SSSD/sssd/issue/2977
>>
>> LS

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Certificate Access issue
yep, Ubuntu 16.04.2

*Artem Golubev*
System Administrator
*(exp)capital limited*

On 21 March 2017 at 19:13, Vasily Yanov <vasily.ya...@expcapital.com> wrote:

> Hi Lukas,
>
> You are right :) Ubuntu 16.04.
>
> -----Original Message-----
> From: Lukas Slebodnik [mailto:lsleb...@redhat.com]
> Sent: Tuesday, March 21, 2017 7:03 PM
> To: Alexander Bokovoy <aboko...@redhat.com>
> Cc: freeipa-users@redhat.com; Artem Golubev <artem.golu...@expcapital.com>; IT Team <i...@expcapital.com>
> Subject: Re: [Freeipa-users] Certificate Access issue
>
> On (21/03/17 17:35), Alexander Bokovoy wrote:
> >On Tue, 21 March 2017, Lukas Slebodnik wrote:
> >> On (21/03/17 16:29), Alexander Bokovoy wrote:
> >> > On Tue, 21 March 2017, Artem Golubev wrote:
> >> > > We use sssd version 1.13.4 on our linux clients. A user from ipa
> >> > > successfully authorizes on a linux client via ssh without a
> >> > > certificate. But then if we add a certificate - connection gets lost.
> >> > If Lukas is correct, 1.13.4 does not have the fix for broken
> >> > certificate-as-ssh public key:
> >> >
> >> It has.
> >> https://pagure.io/SSSD/sssd/issue/2977#comment-222198
> >> https://pagure.io/SSSD/sssd/c/4dbb3bec93cda57e8336847dff0822f31425004d
> >>
> >> It will be part of upstream release 1.13.5
> >That's my point -- it is *not* part of 1.13.4, therefore, this is the
> >problem Artem sees.
> >
> >Artem, what is your Linux distribution? Can you move to a newer version?
> >
> I would guess ubuntu :-)
>
> You might file a bug to your distribution to backport patch from the
> ticket https://pagure.io/SSSD/sssd/issue/2977
>
> LS
Re: [Freeipa-users] Certificate Access issue
We use sssd version 1.13.4 on our linux clients.
A user from ipa successfully authorizes on a linux client via ssh without a certificate. But then if we add a certificate - connection gets lost.

Please find logs in attached files

Thank you in advance

*Artem Golubev*
System Administrator
*(exp)capital limited*

On 20 March 2017 at 18:14, Lukas Slebodnik <lsleb...@redhat.com> wrote:

> On (20/03/17 16:39), Alexander Bokovoy wrote:
> >On Mon, 20 March 2017, Artem Golubev wrote:
> >> Good day!
> >>
> >> We use freeipa server 4.3.1, we usually grant access via ssh keys to linux
> >> clients.
> >> We currently face the following issue with access on certificate: when we
> >> add certificate to user's account, user is not able to login via ssh.
> >> How can we solve this problem? We would like to have a possibility to
> >> access linux clients via ssh keys and access to other resources using
> >> certificates.
> >You need to provide logs, obviously. Start with level 3 debug logs in
> >sshd, and debug_level=9 in sssd. Also show user's entry (as in 'ipa
> >user-show --raw --all username').
> >
> >When you access SSH with ssh keys, SSSD is involved in account and
> >session phases of PAM authentication. This means either user does not
> >exist to sshd (it would then not exist on system level at all) or
> >something prevents session phase from success. In session phase SSSD
> >does verify HBAC rules, for example.
> >
> >See https://fedorahosted.org/sssd/wiki/Troubleshooting for
> >troubleshooting instructions.
> >
> The most important is to know version of sssd.
> Because one related bug is already fixed.
> https://pagure.io/SSSD/sssd/issue/2977
>
> LS

Attachments:
sshd_log (Description: Binary data)
sssd_ssh_log (Description: Binary data)
user-show (Description: Binary data)
[Freeipa-users] Certificate Access issue
Good day!

We use freeipa server 4.3.1, we usually grant access via ssh keys to linux clients.
We currently face the following issue with access on certificate: when we add certificate to user's account, user is not able to login via ssh.
How can we solve this problem? We would like to have a possibility to access linux clients via ssh keys and access to other resources using certificates.

Hope to receive a reply from you soon.

Best regards.

*Artem Golubev*
System Administrator
*(exp)capital limited*