Re: [Freeipa-users] SSSD client (amazon linux) + IPA server (Redhat)

2015-09-24 Thread Pawel Fiuto
Unfortunately, the sudo package included in Amazon Linux does not work with sudo rules
provided via SSS; however, it is on the feature request list.
To work around this you can replace it with the CentOS one:
http://mirror.centos.org/centos/6.7/os/x86_64/Packages/sudo-1.8.6p3-19.el6.x86_64.rpm



From: freeipa-users-boun...@redhat.com <freeipa-users-boun...@redhat.com> on 
behalf of Alexander Bokovoy <aboko...@redhat.com>
Sent: 21 September 2015 20:40
To: Gustavo Mateus
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] SSSD client (amazon linux) + IPA server (Redhat)

On Mon, 21 Sep 2015, Gustavo Mateus wrote:
>Hi Alexander,
>
>Thank you very much for your help.
>Would it be possible for you to point me in the right direction on how to
>integrate this with sudo rules?
Please don't send emails personally unless asked to do that.

Your problem can be tracked on the public mailing list.

>my sssd.conf looks like this:
>
>[sssd]
>services = nss, pam, ssh, sudo
>config_file_version = 2
>domains = default
>re_expression = (?P.+)
>
>[domain/default]
>cache_credentials = True
>id_provider = ldap
>auth_provider = ldap
>ldap_uri = ldap://ipaserver.my.domain.com
>ldap_search_base = cn=accounts,dc=my,dc=domain,dc=com
>ldap_tls_cacert = /etc/openldap/cacerts/ipa.crt
>ldap_user_ssh_public_key = ipaSshPubKey
>sudo_provider = ldap
>ldap_sudo_search_base = ou=sudoers,dc=my,dc=domain,dc=com
>ldap_sudo_full_refresh_interval=86400
>ldap_sudo_smart_refresh_interval=3600
>debug_level=8
>
>[ssh]
>
>[sudo]
>debug_level=8
>
>
>and nsswitch.conf has this:
>
>sudoers:files sss
>
>
>
>My goal is to have freeipa as a replacement for the current openldap and
>hope that amazon linux supports it fully in the future. While they don't
>support it, I want to use as much as I can of centralized management that
>freeipa+sssd provides.
SSSD has its own plugin for sudo integration that makes it possible to cache
sudo rules via SSSD itself, as opposed to using sudo's LDAP plugin, which
tries to talk to the LDAP server directly.

You need to understand what features are provided by Amazon Linux's sudo
package. It may well be missing support for sudo plugins. I don't have
access to the Amazon Linux source code, so I cannot check whether their
sudo package supports external plugins.

So even if your sssd version includes the sudo plugin, it may simply be
unused by your sssd version. Again, I have no idea how Amazon's
Linux AMI is built, so it may lack this capability.

At this point I'd suggest you investigate yourself and contact Amazon
support to find out exactly what is happening there.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project



Re: [Freeipa-users] SSSD client (amazon linux) + IPA server (Redhat)

2015-09-21 Thread Gustavo Mateus
I used compat because that is what ipa-advise provided me. I did not pay
attention to that part.
And yes, that did the trick :)

Thank you very much
Gustavo

On Sun, Sep 20, 2015 at 8:51 AM, Jakub Hrozek  wrote:

> On Sat, Sep 19, 2015 at 07:47:55PM +0300, Alexander Bokovoy wrote:
> > On Sat, 19 Sep 2015, Jakub Hrozek wrote:
> > >
> > >>On 18 Sep 2015, at 19:17, Gustavo Mateus 
> wrote:
> > >>
> > >>That only shows this:
> > >>
> > >># extended LDIF
> > >>#
> > >># LDAPv3
> > >># base 

Re: [Freeipa-users] SSSD client (amazon linux) + IPA server (Redhat)

2015-09-21 Thread Jakub Hrozek
On Mon, Sep 21, 2015 at 10:40:07PM +0300, Alexander Bokovoy wrote:
> At this point I'd suggest you investigate yourself and contact Amazon
> support to find out exactly what is happening there.

It would be nice if Amazon actually packaged all the functionality RHEL
has packaged for several years :-)

But maybe there are some issues preventing them -- filing a support case
and asking them might go a long way. I'm sure if Amazon approached us on
this (or the -devel) list we'd be glad to work with them on any
technical issues.



Re: [Freeipa-users] SSSD client (amazon linux) + IPA server (Redhat)

2015-09-21 Thread Alexander Bokovoy

On Mon, 21 Sep 2015, Jakub Hrozek wrote:
>On Mon, Sep 21, 2015 at 10:40:07PM +0300, Alexander Bokovoy wrote:
>> At this point I'd suggest you investigate yourself and contact Amazon
>> support to find out exactly what is happening there.
>
>It would be nice if Amazon actually packaged all the functionality RHEL
>has packaged for several years :-)
>
>But maybe there are some issues preventing them -- filing a support case
>and asking them might go a long way. I'm sure if Amazon approached us on
>this (or the -devel) list we'd be glad to work with them on any
>technical issues.

According to Amazon, they have issues with packaging Samba. I'd let them
respond themselves, given they are the only ones who can say
why they insist on not packaging Samba while providing one of the
key infrastructure parts of AWS via Samba AD.

https://forums.aws.amazon.com/thread.jspa?threadID=164971
--
/ Alexander Bokovoy



Re: [Freeipa-users] SSSD client (amazon linux) + IPA server (Redhat)

2015-09-21 Thread Alexander Bokovoy

On Mon, 21 Sep 2015, Gustavo Mateus wrote:

>Hi Alexander,
>
>Thank you very much for your help.
>Would it be possible for you to point me in the right direction on how to
>integrate this with sudo rules?

Please don't send emails personally unless asked to do that.

Your problem can be tracked on the public mailing list.


>my sssd.conf looks like this:
>
>[sssd]
>services = nss, pam, ssh, sudo
>config_file_version = 2
>domains = default
>re_expression = (?P.+)
>
>[domain/default]
>cache_credentials = True
>id_provider = ldap
>auth_provider = ldap
>ldap_uri = ldap://ipaserver.my.domain.com
>ldap_search_base = cn=accounts,dc=my,dc=domain,dc=com
>ldap_tls_cacert = /etc/openldap/cacerts/ipa.crt
>ldap_user_ssh_public_key = ipaSshPubKey
>sudo_provider = ldap
>ldap_sudo_search_base = ou=sudoers,dc=my,dc=domain,dc=com
>ldap_sudo_full_refresh_interval=86400
>ldap_sudo_smart_refresh_interval=3600
>debug_level=8
>
>[ssh]
>
>[sudo]
>debug_level=8
>
>
>and nsswitch.conf has this:
>
>sudoers:files sss
>
>
>
>My goal is to have freeipa as a replacement for the current openldap and
>hope that amazon linux supports it fully in the future. While they don't
>support it, I want to use as much as I can of centralized management that
>freeipa+sssd provides.

SSSD has its own plugin for sudo integration that makes it possible to cache
sudo rules via SSSD itself, as opposed to using sudo's LDAP plugin, which
tries to talk to the LDAP server directly.

You need to understand what features are provided by Amazon Linux's sudo
package. It may well be missing support for sudo plugins. I don't have
access to the Amazon Linux source code, so I cannot check whether their
sudo package supports external plugins.

So even if your sssd version includes the sudo plugin, it may simply be
unused by your sssd version. Again, I have no idea how Amazon's
Linux AMI is built, so it may lack this capability.

At this point I'd suggest you investigate yourself and contact Amazon
support to find out exactly what is happening there.

--
/ Alexander Bokovoy



Re: [Freeipa-users] SSSD client (amazon linux) + IPA server (Redhat)

2015-09-20 Thread Jakub Hrozek
On Sat, Sep 19, 2015 at 06:32:40AM -0700, Gustavo Mateus wrote:
> I've already included that in the IPA permissions.
> Anonymous access to ipaSshPubKey is marked as public already. Read and
> Search is allowed.

As your ldapsearch proved, it's still not working. If you search the
server logs, you might see what exact attributes were requested and
whether they were permitted.

(Requesting just the single attribute might make the server logs a bit
more readable.)



Re: [Freeipa-users] SSSD client (amazon linux) + IPA server (Redhat)

2015-09-20 Thread Jakub Hrozek
On Sat, Sep 19, 2015 at 07:47:55PM +0300, Alexander Bokovoy wrote:
> On Sat, 19 Sep 2015, Jakub Hrozek wrote:
> >
> >>On 18 Sep 2015, at 19:17, Gustavo Mateus  wrote:
> >>
> >>That only shows this:
> >>
> >># extended LDIF
> >>#
> >># LDAPv3
> >># base 

Re: [Freeipa-users] SSSD client (amazon linux) + IPA server (Redhat)

2015-09-19 Thread Jakub Hrozek

> On 18 Sep 2015, at 19:17, Gustavo Mateus  wrote:
> 
> That only shows this:
> 
> # extended LDIF
> #
> # LDAPv3
> # base 

Re: [Freeipa-users] SSSD client (amazon linux) + IPA server (Redhat)

2015-09-19 Thread Gustavo Mateus
I've already included that in the IPA permissions.
Anonymous access to ipaSshPubKey is marked as public already. Read and
Search is allowed.


On Sat, Sep 19, 2015 at 4:36 AM, Jakub Hrozek  wrote:

>
> > On 18 Sep 2015, at 19:17, Gustavo Mateus 
> wrote:
> >
> > That only shows this:
> >
> > # extended LDIF
> > #
> > # LDAPv3
> > # base 

Re: [Freeipa-users] SSSD client (amazon linux) + IPA server (Redhat)

2015-09-18 Thread Jakub Hrozek
On Thu, Sep 17, 2015 at 10:33:41AM -0700, Gustavo Mateus wrote:
> When I use id_provider=ipa I get:
> 
> [sssd[be[default]]] [main] (0x0010): Could not initialize backend [2]

Ah, I think they simply don't package the IPA backend.

Time to file an RFE with Amazon? :-)

> 
> 
> Adding a [ssh] section with just "debug_level = 10" in it, I get:
> 
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [get_client_cred] (0x4000): Client
> creds: euid[174221] egid[174221] pid[6295].
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle
> timer re-set for client [0xd34eb0][17]
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [accept_fd_handler] (0x0400): Client
> connected!
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle
> timer re-set for client [0xd34eb0][17]
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_cmd_get_version] (0x0200):
> Received client version [0].
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_cmd_get_version] (0x0200):
> Offered version [0].
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle
> timer re-set for client [0xd34eb0][17]
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle
> timer re-set for client [0xd34eb0][17]
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ssh_cmd_parse_request] (0x0400):
> Requested domain []
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ssh_cmd_parse_request] (0x0400):
> Parsing name [admin][]
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_parse_name] (0x0100): Domain
> not provided!
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_parse_name_for_domains]
> (0x0200): name 'admin' matched without domain, user is admin
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_ssh_cmd_get_user_pubkeys]
> (0x0400): Requesting SSH user public keys for [admin] from []
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_issue_request] (0x0400):
> Issuing request for [0x40aba0:1:admin@default]
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_get_account_msg] (0x0400):
> Creating request for [default][1][1][name=admin]
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sbus_add_timeout] (0x2000): 0xd32ba0
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_internal_get_send] (0x0400):
> Entering request [0x40aba0:1:admin@default]
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sbus_remove_timeout] (0x2000):
> 0xd32ba0
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sbus_dispatch] (0x4000): dbus conn:
> 0xd310f0
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sbus_dispatch] (0x4000):
> Dispatching.
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_get_reply] (0x1000): Got
> reply from Data Provider - DP error code: 0 errno: 0 error message: Success
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ssh_user_pubkeys_search_next]
> (0x0400): Requesting SSH user public keys for [admin@default]
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_parse_name] (0x0100): Domain
> not provided!
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Added timed event
> "ltdb_callback": 0xd3f3b0
> 
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Added timed event
> "ltdb_timeout": 0xd3f470
> 
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Running timer event
> 0xd3f3b0 "ltdb_callback"
> 
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Destroying timer
> event 0xd3f470 "ltdb_timeout"
> 
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Ending timer event
> 0xd3f3b0 "ltdb_callback"
> 
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_req_destructor] (0x0400):
> Deleting request: [0x40aba0:1:admin@default]
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle
> timer re-set for client [0xd34eb0][17]
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle
> timer re-set for client [0xd34eb0][17]
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [client_recv] (0x0200): Client
> disconnected!
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [client_destructor] (0x2000):
> Terminated client [0xd34eb0][17]
> 
> 
> 
> 
> ldbsearch shows this (ldbsearch -H /var/lib/sss/db/cache_default.ldb
> name=admin):
> 
> 
> asq: Unable to register control with rootdse!
> # record 1
> dn: name=admin,cn=users,cn=default,cn=sysdb
> createTimestamp: 1442509579
> fullName: Administrator
> gecos: Administrator
> gidNumber: 174220
> homeDirectory: /home/admin
> loginShell: /bin/bash
> name: admin
> objectClass: user
> uidNumber: 174220
> originalDN: uid=admin,cn=users,cn=compat,dc=my,dc=domain,dc=com
> originalModifyTimestamp: 20150829000451Z
> entryUSN: 1428
> lastUpdate: 1442509579
> dataExpireTimestamp: 1442514979
> distinguishedName: name=admin,cn=users,cn=default,cn=sysdb

The communication between the ssh responder and the back end went fine.
I think I should have been more careful the first time around; it looks
like the backend cannot find the attribute in LDAP (some ACI problems,
maybe?)

From your earlier logs:
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_attrs_add_ldap_attr]   

Re: [Freeipa-users] SSSD client (amazon linux) + IPA server (Redhat)

2015-09-18 Thread Gustavo Mateus
That only shows this:

# extended LDIF
#
# LDAPv3
# base 

Re: [Freeipa-users] SSSD client (amazon linux) + IPA server (Redhat)

2015-09-17 Thread Jakub Hrozek
On Wed, Sep 16, 2015 at 11:28:49AM -0700, Gustavo Mateus wrote:
> Hi,
> 
> I have an IPA server running on redhat and I'm trying to find the best way to
> get my amazon linux instances to use it for authentication, ssh key
> management and sudo rules.
> 
> I'm now trying to use SSSD to achieve those goals. Authentication is
> working but I'm having problems getting the user public ssh keys using
> /usr/bin/sss_ssh_authorizedkeys.
> 
> 
> This is my sssd.conf:
> 
> [sssd]
> services = nss, pam, ssh, sudo
> config_file_version = 2
> domains = default
> re_expression = (?P.+)
> 
> [domain/default]
> debug_level = 8
> cache_credentials = True
> id_provider = ldap
> auth_provider = ldap
> ldap_uri = ldap://ipa.my.domain.com
> ldap_search_base = cn=compat,dc=my,dc=domain,dc=com
> ldap_tls_cacert = /etc/openldap/cacerts/ipa.crt
> ldap_user_ssh_public_key = ipaSshPubKey
> 
> 
> The original configuration was done using ipa-advise ipa-advise
> config-redhat-sssd-before-1-9.

Is there any particular reason to keep doing this versus joining the
client to the domain and using id_provider=ipa?

> I just changed the services parameter to
> include "ssh, sudo" and "ldap_user_ssh_public_key"

I don't think sudo would work unless you authenticate the LDAP
connection.

> 
> When I run it on the client I get no response or error. Even running it in
> debug mode:
> 
> /usr/bin/sss_ssh_authorizedkeys admin --debug 10

I would check if:
- debug_level in the [ssh] section reveals anything. Is the ssh
  responder being contacted, are there any errors?
- check with ldbsearch (ldb-tools package) whether the ssh key
  attribute is really fetched from IPA LDAP and is stored along with the
  user entry

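The two checks this message points at (is the key actually in the SSSD cache entry, and which LDAP tree the user was resolved from), as an added shell example that is not part of any message in the thread. The function names conf_get, check_sssd_conf and check_cache_entry are my own, and the config and cache samples are constructed in the shapes the thread shows, with hypothetical DNs and key material.

```shell
#!/bin/sh
# Added example, not from the thread: offline versions of the two checks the
# replies point at when sss_ssh_authorizedkeys prints nothing. All inputs are
# constructed text in the shapes shown in the thread, not a live system.

# conf_get CONF_TEXT KEY: value of the first "KEY = value" line, or empty.
conf_get() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# check_sssd_conf CONF_TEXT: one finding per line, return 1 if any was raised.
# Flags a missing ssh responder, a key attribute other than ipaSshPubKey, and a
# search base in the cn=compat tree (moving to cn=accounts is what resolved the
# thread; the compat entries never yielded the key).
check_sssd_conf() {
    rc=0
    case ",$(conf_get "$1" services | tr -d ' ')," in
        *,ssh,*) ;;
        *) echo "services: ssh responder not enabled"; rc=1 ;;
    esac
    [ "$(conf_get "$1" ldap_user_ssh_public_key)" = "ipaSshPubKey" ] \
        || { echo "ldap_user_ssh_public_key: not set to ipaSshPubKey"; rc=1; }
    case "$(conf_get "$1" ldap_search_base)" in
        *cn=compat,*) echo "ldap_search_base: cn=compat tree, use cn=accounts"; rc=1 ;;
    esac
    return $rc
}

# check_cache_entry LDIF_TEXT: same contract for one ldbsearch record from
# /var/lib/sss/db/cache_<domain>.ldb; SSSD caches the key as sshPublicKey.
check_cache_entry() {
    rc=0
    printf '%s\n' "$1" | grep -q '^sshPublicKey:' \
        || { echo "cache: no sshPublicKey, the backend never fetched the key"; rc=1; }
    printf '%s\n' "$1" | grep -qi '^originalDN:.*cn=compat,' \
        && { echo "cache: user was resolved from the cn=compat tree"; rc=1; }
    return $rc
}

# Constructed samples: BAD_* mirror the thread, GOOD_* are the corrected shapes
# (hypothetical DNs and key material).
BAD_CONF='[sssd]
services = nss, pam, ssh, sudo
domains = default
[domain/default]
id_provider = ldap
ldap_search_base = cn=compat,dc=my,dc=domain,dc=com
ldap_user_ssh_public_key = ipaSshPubKey'
GOOD_CONF=$(printf '%s\n' "$BAD_CONF" | sed 's/cn=compat,/cn=accounts,/')
BAD_ENTRY='dn: name=admin,cn=users,cn=default,cn=sysdb
name: admin
originalDN: uid=admin,cn=users,cn=compat,dc=my,dc=domain,dc=com'
GOOD_ENTRY='dn: name=admin,cn=users,cn=default,cn=sysdb
name: admin
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyMaterial admin
originalDN: uid=admin,cn=users,cn=accounts,dc=my,dc=domain,dc=com'

# Stand-alone run over the constructed samples.
echo "== sssd.conf as first posted";  check_sssd_conf "$BAD_CONF" || true
echo "== sssd.conf corrected";        check_sssd_conf "$GOOD_CONF" || true
echo "== cache entry as posted";      check_cache_entry "$BAD_ENTRY" || true
echo "== cache entry after the fix";  check_cache_entry "$GOOD_ENTRY" || true
```

On a real client, feed check_cache_entry the output of `ldbsearch -H /var/lib/sss/db/cache_default.ldb name=admin` as the thread does; an entry with no sshPublicKey means the back end never stored the key, so the place to look is the LDAP fetch, not sshd.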


Re: [Freeipa-users] SSSD client (amazon linux) + IPA server (Redhat)

2015-09-17 Thread Gustavo Mateus
When I use id_provider=ipa I get:

[sssd[be[default]]] [main] (0x0010): Could not initialize backend [2]


Adding a [ssh] section with just "debug_level = 10" in it, I get:

(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [get_client_cred] (0x4000): Client
creds: euid[174221] egid[174221] pid[6295].
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle
timer re-set for client [0xd34eb0][17]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [accept_fd_handler] (0x0400): Client
connected!
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle
timer re-set for client [0xd34eb0][17]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_cmd_get_version] (0x0200):
Received client version [0].
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_cmd_get_version] (0x0200):
Offered version [0].
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle
timer re-set for client [0xd34eb0][17]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle
timer re-set for client [0xd34eb0][17]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ssh_cmd_parse_request] (0x0400):
Requested domain []
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ssh_cmd_parse_request] (0x0400):
Parsing name [admin][]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_parse_name] (0x0100): Domain
not provided!
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_parse_name_for_domains]
(0x0200): name 'admin' matched without domain, user is admin
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_ssh_cmd_get_user_pubkeys]
(0x0400): Requesting SSH user public keys for [admin] from []
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_issue_request] (0x0400):
Issuing request for [0x40aba0:1:admin@default]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_get_account_msg] (0x0400):
Creating request for [default][1][1][name=admin]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sbus_add_timeout] (0x2000): 0xd32ba0
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_internal_get_send] (0x0400):
Entering request [0x40aba0:1:admin@default]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sbus_remove_timeout] (0x2000):
0xd32ba0
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sbus_dispatch] (0x4000): dbus conn:
0xd310f0
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sbus_dispatch] (0x4000):
Dispatching.
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_get_reply] (0x1000): Got
reply from Data Provider - DP error code: 0 errno: 0 error message: Success
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ssh_user_pubkeys_search_next]
(0x0400): Requesting SSH user public keys for [admin@default]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_parse_name] (0x0100): Domain
not provided!
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Added timed event
"ltdb_callback": 0xd3f3b0

(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Added timed event
"ltdb_timeout": 0xd3f470

(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Running timer event
0xd3f3b0 "ltdb_callback"

(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Destroying timer
event 0xd3f470 "ltdb_timeout"

(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Ending timer event
0xd3f3b0 "ltdb_callback"

(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_req_destructor] (0x0400):
Deleting request: [0x40aba0:1:admin@default]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle
timer re-set for client [0xd34eb0][17]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle
timer re-set for client [0xd34eb0][17]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [client_recv] (0x0200): Client
disconnected!
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [client_destructor] (0x2000):
Terminated client [0xd34eb0][17]




ldbsearch shows this (ldbsearch -H /var/lib/sss/db/cache_default.ldb
name=admin):


asq: Unable to register control with rootdse!
# record 1
dn: name=admin,cn=users,cn=default,cn=sysdb
createTimestamp: 1442509579
fullName: Administrator
gecos: Administrator
gidNumber: 174220
homeDirectory: /home/admin
loginShell: /bin/bash
name: admin
objectClass: user
uidNumber: 174220
originalDN: uid=admin,cn=users,cn=compat,dc=my,dc=domain,dc=com
originalModifyTimestamp: 20150829000451Z
entryUSN: 1428
lastUpdate: 1442509579
dataExpireTimestamp: 1442514979
distinguishedName: name=admin,cn=users,cn=default,cn=sysdb

# returned 1 records
# 1 entries
# 0 referrals




Thanks,
Gustavo





On Thu, Sep 17, 2015 at 12:25 AM, Jakub Hrozek  wrote:

> On Wed, Sep 16, 2015 at 11:28:49AM -0700, Gustavo Mateus wrote:
> > Hi,
> >
> > I have an IPA server running on redhat and I'm trying to find the best way
> > to get my amazon linux instances to use it for authentication, ssh key
> > management and sudo rules.
> >
> > I'm now trying to use SSSD to achieve those goals. Authentication is
> > working but I'm having problems getting the user public ssh keys using
> > /usr/bin/sss_ssh_authorizedkeys.
> >
> >
> > This is my sssd.conf:
> >
> > [sssd]
> > services = nss, pam, ssh, sudo
> > config_file_version = 2
> > domains = default
> >