Re: [Freeipa-users] SSSD client (amazon linux) + IPA server (Redhat)
I used compat because that is what ipa-advise provided me. I did not pay attention to that part.
And yes, that did the trick :)

Thank you very much

Gustavo

On Sun, Sep 20, 2015 at 8:51 AM, Jakub Hrozek <jhro...@redhat.com> wrote:
> On Sat, Sep 19, 2015 at 07:47:55PM +0300, Alexander Bokovoy wrote:
> > On Sat, 19 Sep 2015, Jakub Hrozek wrote:
> > >
> > > >>On 18 Sep 2015, at 19:17, Gustavo Mateus <gustavo.mat...@gmail.com> wrote:
> > > >>
> > > >>That only shows this:
> > > >>
> > > >># extended LDIF
> > > >>#
> > > >># LDAPv3
> > > >># base
Re: [Freeipa-users] SSSD client (amazon linux) + IPA server (Redhat)
I've already included that in the IPA permissions. Anonymous access to ipaSshPubKey is marked as public already. Read and Search are allowed.

On Sat, Sep 19, 2015 at 4:36 AM, Jakub Hrozek <jhro...@redhat.com> wrote:
>
> > On 18 Sep 2015, at 19:17, Gustavo Mateus <gustavo.mat...@gmail.com> wrote:
> >
> > That only shows this:
> >
> > # extended LDIF
> > #
> > # LDAPv3
> > # base
Re: [Freeipa-users] SSSD client (amazon linux) + IPA server (Redhat)
That only shows this:

# extended LDIF
#
# LDAPv3
# base
Re: [Freeipa-users] SSSD client (amazon linux) + IPA server (Redhat)
When I use id_provider=ipa I get:

[sssd[be[default]]] [main] (0x0010): Could not initialize backend [2]

Adding a [ssh] section with just "debug_level = 10" in it, I get:

(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [get_client_cred] (0x4000): Client creds: euid[174221] egid[174221] pid[6295].
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0xd34eb0][17]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [accept_fd_handler] (0x0400): Client connected!
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0xd34eb0][17]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Received client version [0].
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Offered version [0].
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0xd34eb0][17]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0xd34eb0][17]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ssh_cmd_parse_request] (0x0400): Requested domain []
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ssh_cmd_parse_request] (0x0400): Parsing name [admin][]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_parse_name] (0x0100): Domain not provided!
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_parse_name_for_domains] (0x0200): name 'admin' matched without domain, user is admin
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_ssh_cmd_get_user_pubkeys] (0x0400): Requesting SSH user public keys for [admin] from []
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_issue_request] (0x0400): Issuing request for [0x40aba0:1:admin@default]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_get_account_msg] (0x0400): Creating request for [default][1][1][name=admin]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sbus_add_timeout] (0x2000): 0xd32ba0
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_internal_get_send] (0x0400): Entering request [0x40aba0:1:admin@default]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sbus_remove_timeout] (0x2000): 0xd32ba0
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sbus_dispatch] (0x4000): dbus conn: 0xd310f0
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sbus_dispatch] (0x4000): Dispatching.
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ssh_user_pubkeys_search_next] (0x0400): Requesting SSH user public keys for [admin@default]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_parse_name] (0x0100): Domain not provided!
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Added timed event "ltdb_callback": 0xd3f3b0
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0xd3f470
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Running timer event 0xd3f3b0 "ltdb_callback"
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Destroying timer event 0xd3f470 "ltdb_timeout"
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Ending timer event 0xd3f3b0 "ltdb_callback"
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x40aba0:1:admin@default]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0xd34eb0][17]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0xd34eb0][17]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [client_recv] (0x0200): Client disconnected!
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [client_destructor] (0x2000): Terminated client [0xd34eb0][17]

ldbsearch shows this (ldbsearch -H /var/lib/sss/db/cache_default.ldb name=admin):

asq: Unable to register control with rootdse!
# record 1
dn: name=admin,cn=users,cn=default,cn=sysdb
createTimestamp: 1442509579
fullName: Administrator
gecos: Administrator
gidNumber: 174220
homeDirectory: /home/admin
loginShell: /bin/bash
name: admin
objectClass: user
uidNumber: 174220
originalDN: uid=admin,cn=users,cn=compat,dc=my,dc=domain,dc=com
originalModifyTimestamp: 20150829000451Z
entryUSN: 1428
lastUpdate: 1442509579
dataExpireTimestamp: 1442514979
distinguishedName: name=admin,cn=users,cn=default,cn=sysdb

# returned 1 records
# 1 entries
# 0 referrals

Thanks,
Gustavo

On Thu, Sep 17, 2015 at 12:25 AM, Jakub Hrozek <jhro...@redhat.com> wrote:
> On Wed, Sep 16, 2015 at 11:28:49AM -0700, Gustavo Mateus wrote:
> > Hi,
> >
> > I have an IPA server running on redhat and I'm trying to find the best way to
> > get my amazon linux instances to use it for authentication, ssh key
> > management and sudo rules.
> >
> > I'm now trying to use SSSD to achieve those goals. Authentication is
> > working but I'm having problems getting the user public ssh keys using
> > /usr/bin/sss_ssh_authorizedkeys.
> >
[Freeipa-users] SSSD client (amazon linux) + IPA server (Redhat)
Hi,

I have an IPA server running on redhat and I'm trying to find the best way to get my amazon linux instances to use it for authentication, ssh key management and sudo rules.

I'm now trying to use SSSD to achieve those goals. Authentication is working but I'm having problems getting the user public ssh keys using /usr/bin/sss_ssh_authorizedkeys.

This is my sssd.conf:

[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = default
re_expression = (?P.+)

[domain/default]
debug_level = 8
cache_credentials = True
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ipa.my.domain.com
ldap_search_base = cn=compat,dc=my,dc=domain,dc=com
ldap_tls_cacert = /etc/openldap/cacerts/ipa.crt
ldap_user_ssh_public_key = ipaSshPubKey

The original configuration was done using ipa-advise (ipa-advise config-redhat-sssd-before-1-9). I just changed the services parameter to include "ssh, sudo" and added "ldap_user_ssh_public_key".

When I run it on the client I get no response or error. Even running it in debug mode:

/usr/bin/sss_ssh_authorizedkeys admin --debug 10

ipaSshPubKey is already public in the IPA permissions.

The sssd_default.log on the client shows this when I run it (debug_level = 8):

(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [be_get_account_info] (0x0200): Got request for [0x1][1][name=admin]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [be_req_set_domain] (0x0400): Changing request domain from [default] to [default]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [cn=compat,dc=my,dc=domain,dc=com]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_print_server] (0x2000): Searching 10.0.0.2
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=admin)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0][cn=compat,dc=my,dc=domain,dc=com].
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [authorizedService]
(Wed Sep 16 18:13:36 2015)
Re: [Freeipa-users] AuthorizedKeysCommand for clients using nss-pam-ldapd
I did not try that setup because the config-redhat-sssd-before-1-9 description says it works with versions 1.5 - 1.8, and Amazon Linux has 1.2:

config-redhat-sssd-before-1-9:
  Instructions for configuring a system with an old version of SSSD (1.5-1.8) as a IPA client. This set of instructions is targeted for platforms that include the authconfig utility, which are all Red Hat based platforms.

It is good to know that it works. I'll give it a try.

Thanks,
Gustavo

On Mon, Sep 14, 2015 at 7:01 AM, Pawel Fiuto <pawel.fi...@mixrad.io> wrote:
> Hi Gustavo,
>
> Using settings from 'ipa-advise config-redhat-sssd-before-1-9' with below
> modifications seems to work quite well:
>
> - on ipa server add permission to read ipaSshPubKey anonymously:
>
> [ipa-server]# ipa permission-add 'Read ipaSshPubKey' --type=user --attrs=ipaSshPubKey --bindtype=anonymous --permissions=read
>
> [ipa-client]# diff /etc/sssd/sssd.conf /etc/sssd/sssd.conf.orig
> 2c2
> < services = nss, pam, ssh
> ---
> > services = nss, pam
> 12c12
> < ldap_search_base = cn=accounts,dc=example,dc=org
> ---
> > ldap_search_base = cn=compat,dc=example,dc=org
> 14d13
> < ldap_user_ssh_public_key = ipaSshPubKey
>
>
> --
> *From:* freeipa-users-boun...@redhat.com <freeipa-users-boun...@redhat.com> on behalf of Gustavo Mateus <gustavo.mat...@gmail.com>
> *Sent:* 11 September 2015 00:30
> *To:* freeipa-users@redhat.com
> *Subject:* [Freeipa-users] AuthorizedKeysCommand for clients using nss-pam-ldapd
>
> Hi,
>
> I'm trying to set up my Amazon Linux instances to be able to fetch the IPA
> users' public ssh key.
>
> Do I have to set up a binddn and bindpw in the ldap.conf file and use
> /usr/libexec/openssh/ssh-ldap-wrapper or is there a better way to do it?
>
> Thanks,
> Gustavo
>

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
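Review bot: the argument order 'diff /etc/sssd/sssd.conf /etc/sssd/sssd.conf.orig' puts the modified file first, so in every hunk the '<' lines are the working settings and the '>' lines are the ipa-advise defaults, and '14d13' records that 'ldap_user_ssh_public_key = ipaSshPubKey' was added rather than deleted; diffing the .orig file against the live one (old then new) would read in the conventional direction. Read that way, the three changes are: add ssh to services, move ldap_search_base from cn=compat to cn=accounts, and set ldap_user_ssh_public_key = ipaSshPubKey.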
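As an added example (not code from this thread, SSSD or FreeIPA), a small Python lint for the combination the thread turns on: the cn=compat search base that ipa-advise config-redhat-sssd-before-1-9 emits, paired with ldap_user_ssh_public_key, plus a services line without the ssh responder. The sample sssd.conf is constructed from the one Gustavo posted; the section and option names are sssd's own.

```python
import configparser
import re

# Constructed sample modelled on the sssd.conf posted in the thread: compat tree
# as search base, ssh responder enabled, ipaSshPubKey mapped.
BROKEN_CONF = """\
[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ipa.my.domain.com
ldap_search_base = cn=compat,dc=my,dc=domain,dc=com
ldap_user_ssh_public_key = ipaSshPubKey
"""


def split_list(value):
    """sssd lists are comma separated: 'nss, pam, ssh' -> ['nss', 'pam', 'ssh']."""
    return [v.strip() for v in value.split(",") if v.strip()]


def fix_search_base(base):
    """Move the search base from the compat tree to the real user tree, keeping the suffix."""
    return re.sub(r"cn=compat,", "cn=accounts,", base, count=1, flags=re.IGNORECASE)


def check_ssh_key_lookup(text):
    """Return findings that explain why sss_ssh_authorizedkeys would return nothing."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    if "ssh" not in split_list(cp.get("sssd", "services", fallback="")):
        findings.append("[sssd] services lacks 'ssh': no responder for sss_ssh_authorizedkeys")
    for dom in split_list(cp.get("sssd", "domains", fallback="")):
        sec = "domain/" + dom
        if not cp.has_section(sec):
            findings.append(sec + ": listed in domains but no such section")
            continue
        base = cp.get(sec, "ldap_search_base", fallback="")
        key_attr = cp.get(sec, "ldap_user_ssh_public_key", fallback="")
        if cp.get(sec, "id_provider", fallback="") == "ldap" and not key_attr:
            findings.append(sec + ": ldap_user_ssh_public_key unset; IPA stores keys in ipaSshPubKey")
        # In the thread the entry cached from cn=compat carried no ipaSshPubKey and the
        # lookup came back empty; moving the base to cn=accounts fixed it.
        if key_attr and re.search(r"cn=compat,", base, re.IGNORECASE):
            findings.append(sec + ": search base is the compat tree; use " + fix_search_base(base))
    return findings
```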
[Freeipa-users] AuthorizedKeysCommand for clients using nss-pam-ldapd
Hi,

I'm trying to set up my Amazon Linux instances to be able to fetch the IPA users' public ssh key.

Do I have to set up a binddn and bindpw in the ldap.conf file and use /usr/libexec/openssh/ssh-ldap-wrapper or is there a better way to do it?

Thanks,
Gustavo
Re: [Freeipa-users] ipa-client on aws (amazon linux)
I think I'll go with ipa-advise for now since my main goal is to move away from openldap and allow AD users to ssh into my linux boxes. And eventually, when AWS decides to finally include ipa-client in amazon linux, I'll move to that approach.

On Wed, Sep 2, 2015 at 12:36 AM, Lukas Slebodnik wrote:
> On (02/09/15 12:58), Prashant Bapat wrote:
> >Lukas,
> >
> >ipa-client-install is part of the freeipa-client rpm. On Amazon Linux this
> >rpm cannot be installed. This is the basic issue.
> >
> Indeed.
> there is a strict requires for sssd
>
> Requires: sssd >= 1.12.3 #from fedora spec file
>
> Using ipa-advise might be a more comfortable way rather than
> patching the spec file or creating modified rpms.
>
> LS
>
[Freeipa-users] ipa-client on aws (amazon linux)
Hi,

Does anyone have an updated list of packages or installation steps to get the ipa-client properly installed on Amazon Linux (2015.03.1 to be more precise)?

I plan to use Red Hat as my ipa-server but the clients need to be Amazon Linux.

Thanks,
Gustavo