Thanks Rob, your comment helped me.

I'm putting the steps here just in case somebody needs it.

First Install IPA Client
Get the rpm from centos site (see get.txt)
# mkdir -p /opt/ipa && cd /opt/ipa
# vi get.txt

Paste the following

http://mirror.centos.org/centos/6/os/x86_64/Packages/ipa-client-3.0.0-25.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/autofs-5.0.5-73.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/certmonger-0.61-3.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/ipa-python-3.0.0-25.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/keyutils-1.4-4.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/libcollection-0.6.0-9.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/libdhash-0.4.2-9.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/libevent-1.4.13-4.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/libgssglue-0.1-11.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/libini_config-0.6.1-9.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/libipa_hbac-1.9.2-82.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/libipa_hbac-python-1.9.2-82.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/libldb-1.1.13-3.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/libnl-1.1-14.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/libpath_utils-0.2.1-9.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/libref_array-0.1.1-9.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/libsss_autofs-1.9.2-82.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/libtalloc-2.0.7-2.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/libtasn1-2.3-3.el6_2.1.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/libtdb-1.2.10-1.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/libtevent-0.9.17-1.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/libtiff-3.9.4-9.el6_3.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/libtirpc-0.2.1-5.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/nfs-utils-1.2.3-36.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/nfs-utils-lib-1.1.5-6.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/oddjob-0.30-5.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/oddjob-mkhomedir-0.30-5.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/pyOpenSSL-0.10-2.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/pytalloc-2.0.7-2.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/python-kerberos-1.1-6.2.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/python-krbV-1.0.90-3.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/python-ldap-2.3.10-1.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/python-lxml-2.2.3-1.1.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/python-netaddr-0.7.5-4.el6.noarch.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/python-nss-0.13-1.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/rpcbind-0.2.0-11.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/samba4-libs-4.0.0-55.el6.rc4.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/sssd-1.9.2-82.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/sssd-client-1.9.2-82.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/xmlrpc-c-1.16.24-1209.1840.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/xmlrpc-c-client-1.16.24-1209.1840.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/cups-libs-1.4.2-48.el6_3.3.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/cyrus-sasl-gssapi-2.1.23-13.el6_3.1.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/avahi-libs-0.6.25-12.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/gnutls-2.8.5-10.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/bind-libs-9.8.2-0.17.rc1.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/libsss_idmap-1.9.2-82.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/libxslt-1.1.26-2.el6_3.1.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/cyrus-sasl-lib-2.1.23-13.el6_3.1.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/keyutils-libs-1.4-4.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/krb5-libs-1.10.3-10.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/c-ares-1.7.0-6.el6.x86_64.rpm

# wget -i get.txt
# rpm -ivh *.rpm --nodeps

Get latest openssh from amazon repository to /opt
# mkdir -p /opt/ssh
# cd /opt/ssh
# wget http://packages.us-east-1.amazonaws.com/2013.09/main/201309001984/x86_64/Packages/openssh-server-6.2p2-4.34.amzn1.x86_64.rpm
# wget http://packages.us-east-1.amazonaws.com/2013.09/main/201309001984/x86_64/Packages/openssh-6.2p2-4.34.amzn1.x86_64.rpm
# wget http://packages.us-east-1.amazonaws.com/2013.09/main/201309001984/x86_64/Packages/openssh-clients-6.2p2-4.34.amzn1.x86_64.rpm
# rpm -Uvh *.rpm
# yum update -y

# ipa-client-install --server kdc1.iocs-systems.internal --server kdc2.iocs-systems.internal --domain IOCS-SYSTEMS.INTERNAL --fixed-primary --mkhomedir

# vi /etc/ssh/sshd_config

Add following lines at the end
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody

# service sshd restart
# mkdir -p /etc/selinux/targeted/logins

That's it.

Regards,

Mohan 

> -----Original Message-----
> From: Rob Crittenden [mailto:rcrit...@redhat.com]
> Sent: Friday, October 04, 2013 2:03 PM
> To: Mohan Cheema; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] FreeIPA client setup in AWS
> 
> Mohan Cheema wrote:
> > Hi,
> >
> > We are number of Amazon AMI (Amazon Linux) in AWS. As this is based on
> > RHEL we installed number of packages to enable user on those machine to
> > get authenticated against ipa. The client gets configured with below
> > warning.
> >
> > -----------------------------------
> > WARNING Installed OpenSSH server does not support dynamically loading
> > authorized user keys. Public key authentication of IPA users will not be
> > available.
> > -----------------------------------
> >
> > When user tries to authenticate the SSH connection is dropped, ipa
> > server issues the authentication ticket to the machine.
> >
> > Packages that has been installed.
> >
> > ----------------------------------------------
> > ipa-python-3.0.0-25.el6.x86_64.rpm
> >
> > python-ldap-2.3.10-1.el6.x86_64.rpm
> >
> > cyrus-sasl-gssapi-2.1.23-13.el6_3.1.x86_64.rpm
> >
> > pam_krb5-2.3.11-9.el6.i686.rpm
> >
> > sssd-1.9.2-82.el6.x86_64.rpm
> >
> > certmonger-0.61-3.el6.x86_64.rpm
> >
> > oddjob-mkhomedir-0.30-5.el6.x86_64.rpm
> >
> > python-krbV-1.0.90-3.el6.x86_64.rpm
> >
> > libsss_autofs-1.9.2-82.el6.x86_64.rpm
> >
> > autofs-5.0.5-73.el6.x86_64.rpm
> >
> > nfs-utils-1.2.3-36.el6.x86_64.rpm
> >
> > sssd-client-1.9.2-82.el6.x86_64.rpm
> >
> > python-kerberos-1.1-6.2.el6.x86_64.rpm
> >
> > python-nss-0.13-1.el6.x86_64.rpm
> >
> > python-lxml-2.2.3-1.1.el6.x86_64.rpm
> >
> > python-netaddr-0.7.5-4.el6.noarch.rpm
> >
> > pyOpenSSL-0.10-2.el6.x86_64.rpm
> >
> > libipa_hbac-python-1.9.2-82.el6.x86_64.rpm
> >
> > libgssglue-0.1-11.el6.x86_64.rpm
> >
> > nfs-utils-lib-1.1.5-6.el6.x86_64.rpm
> >
> > rpcbind-0.2.0-11.el6.x86_64.rpm
> >
> > oddjob-0.30-5.el6.x86_64.rpm
> >
> > libipa_hbac-1.9.2-82.el6.x86_64.rpm
> >
> > libldb-1.1.13-3.el6.x86_64.rpm
> >
> > libsss_idmap-1.9.2-82.el6.x86_64.rpm
> >
> > libevent-1.4.13-4.el6.x86_64.rpm
> >
> > libtalloc-2.0.7-2.el6.x86_64.rpm
> >
> > keyutils-1.4-4.el6.x86_64.rpm
> >
> > libdhash-0.4.2-9.el6.x86_64.rpm
> >
> > libtirpc-0.2.1-5.el6.x86_64.rpm
> >
> > ipa-client-3.0.0-25.el6.x86_64.rpm
> >
> > libtevent-0.9.17-1.el6.x86_64.rpm
> >
> > libtdb-1.2.10-1.el6.x86_64.rpm
> >
> > libini_config-0.6.1-9.el6.x86_64.rpm
> >
> > libcollection-0.6.0-9.el6.x86_64.rpm
> >
> > libpath_utils-0.2.1-9.el6.x86_64.rpm
> >
> > libref_array-0.1.1-9.el6.x86_64.rpm
> >
> > c-ares-1.7.0-6.el6.x86_64.rpm
> >
> > samba4-libs-4.0.0-55.el6.rc4.x86_64.rpm
> >
> > libnl-1.1-14.el6.x86_64.rpm
> > ----------------------------------------------
> >
> > Are there any other package that need to be installed to make it working.
> >
> > Below is the ssh version.
> >
> > # rpm -qa | grep ssh
> >
> > libssh2-1.4.2-1.10.amzn1.x86_64
> >
> > openssh-6.2p2-4.34.amzn1.x86_64
> >
> > openssh-clients-6.2p2-4.34.amzn1.x86_64
> >
> > openssh-server-6.2p2-4.34.amzn1.x86_64
> 
> I'm guessing the problem is the Amazon-specific version of ssh. It needs
> to support one of these command combinations:
> 
> AuthorizedKeysCommand and AuthorizedKeysCommandUser
> AuthorizedKeysCommand and AuthorizedKeysCommandRunAs
> PubKeyAgent and PubKeyAgentRunAs
> 
> /var/log/ipaclient-install.log should contain the output of the probing
> for this support.
> 
> rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
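
Rob's reply lists the directive pairs an sshd build has to support, and the steps in the message add one of them to sshd_config. As an added example (not part of the original post or of FreeIPA), this script reports which complete pair a given sshd_config sets globally; the function names and the sample file are constructed for illustration, and it assumes whitespace-separated "Keyword value" lines.

```shell
#!/bin/sh
# Added example: report which key-lookup directive pair an sshd_config sets.
# Assumes whitespace-separated "Keyword value" lines (no "Keyword=value").

# Print the value of the first global occurrence of keyword $2 in file $1.
# Keywords are case-insensitive; parsing stops at the first Match block.
sshd_directive() {
    awk -v want="$2" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(want) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# Echo the complete pair found in file $1, or return 1 if there is none.
authkeys_pair() {
    conf=$1
    for pair in \
        "AuthorizedKeysCommand AuthorizedKeysCommandUser" \
        "AuthorizedKeysCommand AuthorizedKeysCommandRunAs" \
        "PubKeyAgent PubKeyAgentRunAs"
    do
        set -- $pair
        cmd=$(sshd_directive "$conf" "$1")
        user=$(sshd_directive "$conf" "$2")
        if [ -z "$cmd" ] || [ -z "$user" ]; then continue; fi
        case $cmd in
            /*) ;;  # this example requires an absolute helper path,
                    # as sshd_config(5) does for AuthorizedKeysCommand
            *)  echo "$1 is not an absolute path: $cmd" >&2; return 1 ;;
        esac
        echo "$1+$2 cmd=$cmd user=$user"
        return 0
    done
    echo "no complete key-lookup directive pair in $conf" >&2
    return 1
}

# Constructed sample input: the two lines the post appends to sshd_config.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
EOF
authkeys_pair "$sample"
rm -f "$sample"
```

On a host, run `authkeys_pair /etc/ssh/sshd_config` and then `sshd -t` before restarting, so a keyword the installed sshd does not support is reported while the running daemon is still up.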
