Hi Stefan,

Thanks for this guide. I tried to do as indicated in your guide, but I
couldn't get it to work.

May I know what setup you did on your FreeIPA server?

Also, using the script that you provided:

::::::::::::::
/opt/local/bin/ssh-ldap-pubkey-wrapper.sh
::::::::::::::
#!/bin/bash

/opt/local/bin/ldapsearch -LLL -x -u \
-o ldif-wrap=no \
-h ipatest.grcph.local \
-D "uid=admin,cn=sysaccounts,cn=etc,dc=grcph,dc=local" \
-w "password" \
-b "dc=grcph,dc=local" \
'(&(objectClass=posixAccount)(uid='"$1"'))' \
ipaSshPubKey | sed -n 's/^[ \t]*ipaSshPubKey:[ \t]*\(.*\)/\1/p'


I modified it and tried to run it, but it doesn't return any output:

[image: Inline image 1]



Thanks and Regards,


Joven D.




On Thu, Nov 2, 2017 at 5:59 AM, Stefan Eestermans <ste...@optaris.be> wrote:

> Hello
>
> I've been fighting with FreeIPA and SmartOS for a while now and had this
> sorted out. It's just that there is no sssd for SmartOS and hence it
> doesn't work out of the box.
>
> Normally, it shouldn't be too hard to get it working once you have the ldap
> client on SmartOS connected to the FreeIPA directory server.  I'll paste
> here below a recent post from my new blog (https://blog.soholabs.org),
> dedicated to SmartOS and related technologies as a lab environment.
>
> So, if I understood the situation well: the SmartOS LDAP client is up and
> running and is communicating with the FreeIPA directory server, but ssh
> doesn't seem to take into account the public keys that are stored in the
> directory server.
>
> In order to facilitate this, you have to make sure that the ssh daemon is
> able to obtain these keys from the directory server. In comparison, the two
> lines of importance in the /etc/ssh/sshd_config file on a CentOS FreeIPA
> client installation are:
>
>     AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
>     AuthorizedKeysCommandUser nobody
>
> The AuthorizedKeysCommand parameter refers to the command that obtains the
> public keys from the directory server. Unfortunately there is no equivalent
> binary on SmartOS because it lacks the sssd software on the client side.
>
> Luckily, it is not much of an issue because it is rather easy for an LDAP
> client to obtain this information from the directory server. While there
> are certainly a variety of solutions available on the Internet, at first
> sight I found them often too sophisticated for what I needed. So, I decided
> to limit the solution to a bash script file that encapsulates a ldapsearch
> command which will fetch the public keys from the directory server.
>
> These few lines here below are enough to fetch the keys and to make sed
> print only the information needed: the user's public keys.
>
>
> ::::::::::::::
> /opt/local/bin/ssh-ldap-pubkey-wrapper.sh
> ::::::::::::::
> #!/bin/bash
> # $1 is the login name that sshd passes via %u in AuthorizedKeysCommand.
> # -LLL: plain LDIF without comments/version; ldif-wrap=no keeps each key
> # on one line so sed can extract it as a single authorized_keys entry.
>
> /opt/local/bin/ldapsearch -LLL -x -u \
> -o ldif-wrap=no \
> -h ipaserver.example.com \
> -D "uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=com" \
> -w "strongPassword" \
> -b "dc=example,dc=com" \
> '(&(objectClass=posixAccount)(uid='"$1"'))' \
> ipaSshPubKey | sed -n 's/^[ \t]*ipaSshPubKey:[ \t]*\(.*\)/\1/p'
>
> We use the uid=solaris,cn=sysaccounts,cn=etc account with the
> strongPassword (literally) so that we do not have to expose any user
> account's credentials in the script file.
>
> This script takes one argument, which is the "user" who makes the ssh
> login. As we will see later on, the sshd_config file allows referring to the
> user via %u. Make sure the script has the execution bits set and give it a
> try with a user name defined in the directory server. This command should
> list the public keys of user1:
>
> /opt/local/bin/ssh-ldap-pubkey-wrapper.sh  user1
>
> Once the script provides the public keys as expected, we can integrate it
> in the sshd_config file. Find the line with AuthorizedKeysCommand or add
> the following lines to /etc/ssh/sshd_config:
>
> AuthorizedKeysCommand /opt/local/bin/ssh-ldap-pubkey-wrapper.sh %u
> AuthorizedKeysCommandUser nobody
>
> To take this configuration change into account we have to restart the ssh
> daemon with the command:
>
> sudo svcadm restart ssh
>
> While making the first connection attempts via ssh, it might be valuable
> to keep an eye on the log file on the ssh target system for more
> information in case of connection failures.
>
> sudo tail -f /var/log/authlog
>
> Make sure the user has its home directory available on the target system.
> That's all it takes to log in via ssh without a password and without any
> local ~/.ssh/authorized_keys file.
>
> Beware, locally provided public keys in ~/.ssh/authorized_keys will still
> allow the user to log in via ssh. This procedure facilitates ssh login based
> on public keys stored in the directory server, but it does not limit
> access to these public keys. Other sshd_config changes are needed to
> enforce this.
>
> kind regards
>
> Stefan
>
>
> On 03/10/17 06:06, Shridhar Daithankar wrote:
>
>> On Monday 2 October 2017 11:57:34 AM IST Joven Sabanal wrote:
>>
>>> ​Hi,
>>>
>>> I'm trying to connect a SmartOS Zone VM to FreeIPA but I cannot get it
>>> to work.
>>> I use this link as reference.
>>>
>>> https://www.redhat.com/archives/freeipa-users/2014-April/msg00128.html
>>>
>>> I followed what's indicated in the link. I only registered the Zone VM to
>>> the FreeIPA domain. I can also see that the VM is connected to the domain by
>>> running "ldaplist".
>>>
>>> The problem now is that when I try to log in using SSH with the user that I
>>> created on FreeIPA, it cannot log in.
>>>
>>> Anyone did try the same setup as mine?
>>>
>>> Appreciate any advice and recommendation. Thanks in advance.
>>>
>> Adding a me too here. I can join lxc containers to an AD domain using
>> sssd (realm join etc.) in a jiffy, but SmartOS lx branded zones are unable
>> to join the AD.
>>
>> I could throw in the hand-made kerberos authentication configuration and
>> create the users by hand, so not much was lost. But sssd definitely didn't
>> work and I couldn't spend much time investigating it either.
>>
>>
> 
> 
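As an added example, not Stefan's script and not from his blog, here is a hardened variant of the same wrapper written in POSIX sh. It addresses three weaknesses a reviewer would flag in the quoted version: the login name is spliced into the LDAP filter unescaped, the bind password sits inline in a script that every user on the box can read, and `-h` with no TLS sends that password in the clear. The example assumes (these are not from the thread) that the password is stored alone, without a trailing newline, in /etc/ssh/ldap-bind.secret readable only by the AuthorizedKeysCommandUser, and that the IPA server's CA is trusted through TLS_CACERT in ldap.conf so LDAPS works. The LDIF record at the bottom is constructed so the parsing stage can be exercised without a directory server.

```shell
#!/bin/sh
# Hardened ldapsearch wrapper for sshd's AuthorizedKeysCommand.
# Added example; not Stefan's script. Assumptions (not from the thread):
#  - the bind password is stored alone in /etc/ssh/ldap-bind.secret, readable
#    only by the AuthorizedKeysCommandUser, written without a trailing newline
#    (ldapsearch -y uses the file's complete contents as the password);
#  - the IPA server accepts LDAPS and its CA is trusted via TLS_CACERT in
#    /opt/local/etc/openldap/ldap.conf.
# Override the defaults with environment variables when testing by hand.
LDAP_URI="${LDAP_URI:-ldaps://ipaserver.example.com}"
BIND_DN="${BIND_DN:-uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=com}"
BASE_DN="${BASE_DN:-dc=example,dc=com}"
SECRET_FILE="${SECRET_FILE:-/etc/ssh/ldap-bind.secret}"   # hypothetical path
LDAPSEARCH="${LDAPSEARCH:-/opt/local/bin/ldapsearch}"

# Escape a value for use inside an LDAP search filter (RFC 4515 section 3).
# The backslash is handled first so the escapes we add are not re-escaped.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' \
                           -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' \
                           -e 's/)/\\29/g'
}

# First line of defence: accept only the characters a login name can carry
# (POSIX portable set plus '.', '@' and '-'); anything else is refused before
# it reaches the filter. Escaping above is the second line of defence.
valid_username() {
    case "$1" in
        ''|*[!A-Za-z0-9._@-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Search filter for one user, with the name escaped.
build_filter() {
    printf '(&(objectClass=posixAccount)(uid=%s))' "$(ldap_filter_escape "$1")"
}

# Print one key per line from LDIF on stdin. Matches the "attr: value" form
# only; a base64 "ipaSshPubKey:: ..." line (non-ASCII key comment) is
# deliberately skipped rather than emitted as garbage to sshd.
extract_pubkeys() {
    sed -n 's/^ipaSshPubKey: \(.*\)/\1/p'
}

# Query the directory. stdout is what sshd reads; diagnostics go to stderr,
# which sshd logs at debug level.
fetch_keys() {
    user="$1"
    valid_username "$user" || { echo "refusing login name: $user" >&2; return 1; }
    [ -r "$SECRET_FILE" ] || { echo "cannot read $SECRET_FILE" >&2; return 1; }
    "$LDAPSEARCH" -LLL -x \
        -o ldif-wrap=no \
        -H "$LDAP_URI" \
        -D "$BIND_DN" \
        -y "$SECRET_FILE" \
        -b "$BASE_DN" \
        "$(build_filter "$user")" \
        ipaSshPubKey | extract_pubkeys
}

# Offline check of the parsing stage on a constructed LDIF record.
SAMPLE_LDIF='dn: uid=user1,cn=users,cn=accounts,dc=example,dc=com
ipaSshPubKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyMaterial user1@lab
ipaSshPubKey:: c3NoLXJzYSBub3QtYXNjaWk='
demo_extract() {
    printf '%s\n' "$SAMPLE_LDIF" | extract_pubkeys
}

# Behave like the original wrapper when sshd passes the %u login name.
if [ $# -eq 1 ]; then
    fetch_keys "$1"
fi
```

Install it the same way as the quoted script (`AuthorizedKeysCommand /opt/local/bin/ssh-ldap-pubkey-wrapper.sh %u`, `AuthorizedKeysCommandUser nobody`), create the secret with `printf '%s' 'strongPassword' > /etc/ssh/ldap-bind.secret` so no newline becomes part of the password, and chown/chmod it to the AuthorizedKeysCommandUser with mode 0400. sshd already restricts what `%u` can contain, so `valid_username` mostly guards manual invocations; the filter escaping is what makes the query safe regardless of how the name arrives.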



-------------------------------------------
smartos-discuss
Archives: https://www.listbox.com/member/archive/184463/=now