> On Tue, Mar 24, 2020 at 02:20:17PM -0000, Hristina Marosevic wrote:
> 
> Hi,
> 
> did you change the 'ca_db' option in sssd.conf? If looks like a wrong
> path '/home/oracle' is used for the NSS database.
> 
> bye,
> Sumit


Hello,

It was an old configuration - thank you for noticing!
After deleting the ca_db option value from the sssd configuration, i.e. now
that it has the default value /etc/pki/nssdb, user authentication passed
successfully.

/var/log/sssd/sssd_ssh.log
...
(Wed Mar 25 11:34:44 2020) [sssd[ssh]] [child_sig_handler] (0x1000): Waiting 
for child [20372].
(Wed Mar 25 11:34:44 2020) [sssd[ssh]] [child_sig_handler] (0x0100): child 
[20372] finished successfully.
(Wed Mar 25 11:34:44 2020) [sssd[ssh]] [cert_to_ssh_key_done] (0x1000): 
Certificate 
[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
 
v2uIo/FgycBd8NufOInGCLUgpZec4zVLZN9Shj+M20BMUh+SiGoL/kJAi2XdM922U3po9a2FbULvJfOlsFY2Z6n+TUZZVXBCUIEE6Ek4tTIGjHWj7uQVGLjw0PcHf11CtrMZO7Y+OTBb/Y0oyUY9JOyzSqhj4rt4nNkzR1vMGVYMNISoXbDgYBaAKuv2oSpG6yQdlufS8M/YWxAWw=]
 is valid.
(Wed Mar 25 11:34:44 2020) [sssd[ssh]] [ssh_protocol_done] (0x4000): Sending 
reply: success
(Wed Mar 25 11:34:44 2020) [sssd[ssh]] [client_recv] (0x0200): Client 
disconnected!
(Wed Mar 25 11:34:44 2020) [sssd[ssh]] [client_close_fn] (0x2000): Terminated 
client [0x561dbac3a190][18]


p11_child-log
# log file 2...
write(2, "(Wed Mar 25 11:34:44 2020) [[sssd[p11_child[20372]]]] [do_work] 
(0x0400): Certificate is valid.\n", 96) = 96
# log file 1...
write(7, "(Wed Mar 25 11:34:44 2020) [sssd[ssh]] [child_sig_handler] (0x1000): 
Waiting for child [20372].\n", 96) = 96
wait4(20372, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], WNOHANG, NULL) = 20372
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
write(7, "(Wed Mar 25 11:34:44 2020) [sssd[ssh]] [child_sig_handler] (0x0100): 
child [20372] finished successfully.\n", 106) = 106
close(19)                               = 0
close(22)                               = 0
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
write(7, "(Wed Mar 25 11:34:44 2020) [sssd[ssh]] [cert_to_ssh_key_done] 
(0x1000): Certificate 
[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
 nBj5eQVdVoq80UGgwHQYDVR0OBBYEFLoJ735"..., 2217) = 2217
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
write(7, "(Wed Mar 25 11:34:44 2020) [sssd[ssh]] [ssh_protocol_done] (0x4000): 
Sending reply: success\n", 92) = 92
epoll_ctl(0, EPOLL_CTL_ADD, 18, {EPOLLOUT|EPOLLERR|EPOLLHUP, {u32=3133374048, 
u64=94685687414368}}) = 0
rt_sigaction(SIGCHLD, {SIG_DFL, [], SA_RESTORER, 0x7f78689db630}, NULL, 8) = 0
epoll_wait(0, [{EPOLLIN, {u32=3133299888, u64=94685687340208}}], 1, 2897) = 1
read(3, "\1\0\0\0\0\0\0\0", 8)          = 8
epoll_wait(0, [{EPOLLOUT, {u32=3133374048, u64=94685687414368}}], 1, 2897) = 1
sendto(18, 
"O\1\0\0\341\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\24\0\0\0IIN32000000001@ldap\0\27\1\0\0\0\0\0\7ssh-rsa\0\0\0\3\1\0\1\0\0\1\1\0\217d^\332\27127N?\356\256zW\355\206\306\3368P\253\214\364\35\312\226\360\2208\10\241\2534\347\201I\274\241\340}\177Z\245Q\357l\312\315+\277\332\264S\33~\273\365\203\26\313\250Y\7>\316\177\273gC\243\201\226ff\3\34\205\222E\24\325\225Q(TrU`s\231?\30\250\350\336\265\326\230\22\276\37\365\310\316Wm\204J\323\311\n\27\231\233,\214D\303\255\22507\331\324;\255`Kr:d,T\31\204\211\333\234~IPA.\211T\312]\236q\r\34\351,%M\307\365E\310\274G\200\370\337\277I\2268jw\265P\201E\211\346[\3776\244\347/`d-H\226\354/\322\362\"\313\211YSs%d\32\332\376
 
\254\327\3678+\226;\254\10\210\366\211rv\r\266\364m4p\255{\23\342p\236\342h)\240\217\30\26\261B\202\311\245H\24\331\376I8\21\363\\\345\347\331k\231\360\303",
 335, 0, NULL, 0) = 335
epoll_ctl(0, EPOLL_CTL_DEL, 18, 0x7ffe7f9b7d50) = 0
epoll_ctl(0, EPOLL_CTL_ADD, 18, {EPOLLIN|EPOLLERR|EPOLLHUP, {u32=3133374048, 
u64=94685687414368}}) = 0
epoll_wait(0, [{EPOLLIN|EPOLLHUP, {u32=3133374048, u64=94685687414368}}], 1, 
2887) = 1
recvfrom(18, "", 1536, 0, NULL, NULL)   = 0
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
write(7, "(Wed Mar 25 11:34:44 2020) [sssd[ssh]] [client_recv] (0x0200): Client 
disconnected!\n", 84) = 84
epoll_ctl(0, EPOLL_CTL_DEL, 18, 0x7ffe7f9b7cf0) = 0
close(18)                               = 0
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
write(7, "(Wed Mar 25 11:34:44 2020) [sssd[ssh]] [client_close_fn] (0x2000): 
Terminated client [0x561dbac3a190][18]\n", 106) = 106
epoll_wait(0, [], 1, 2764)              = 0
epoll_wait(0, 0x7ffe7f9b7e30, 1, 10000) = -1 EINTR (Interrupted system call)
--- SIGRT_2 {si_signo=SIGRT_2, si_code=SI_TIMER, si_timerid=0, si_overrun=0, 
si_value={int=1828663392, ptr=0x7f786cff3060}} ---
rt_sigreturn({mask=[INT FPE USR1 USR2 PIPE]}) = -1 EINTR (Interrupted system 
call)
epoll_wait(0,  <detached ...>

During user authentication, /var/log/sssd/sssd_LDAP.log logged successful 
mapping of the user certificate to the attributes of the specific user and a 
successful authentication.

Also, running /usr/bin/sss_ssh_authorizedkeys IIN32000000001 after logging out
the user output the public key of the user IIN32000000001, and
/var/log/sssd/sssd_ssh.log logged a valid certificate.

Thank you!!


Next step is to try authentication with an expired certificate. If I run into
any problems, I will let you know.

BR,
Hristina M.
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
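The two checks that resolved this thread (is the [ssh] ca_db option pointing at a real NSS database, and does sssd_ssh.log show p11_child exiting cleanly with "Certificate [...] is valid." followed by "Sending reply: success") can be scripted. The block below is an added example, not code from the thread or from the SSSD project. It assumes the NSS-backed default of /etc/pki/nssdb that the thread reports (OpenSSL-backed sssd builds use a different default), assumes ca_db lives in the [ssh] section as in sssd.conf(5), and uses constructed sssd.conf fragments, a constructed file list and constructed log lines modelled on the ones posted above; the "failed with status" wording for a non-zero p11_child exit is taken from sssd's child_sig_handler and is an assumption about the exact text.

```python
"""Audit sssd's effective [ssh] ca_db and read the outcome of one
certificate-to-ssh-key request out of sssd_ssh.log.

Added example; all inputs below are constructed, not the poster's files.
"""
import configparser
import re

# Default reported in the thread for this (NSS-backed) sssd build.  Assumption:
# OpenSSL-backed builds ship a different default and a PEM file, not an NSS db.
DEFAULT_CA_DB = "/etc/pki/nssdb"

# Constructed "before" configuration: leftover ca_db pointing at a home directory.
OLD_CONF = """\
[sssd]
services = nss, pam, ssh
domains = LDAP

[ssh]
ca_db = /home/oracle

[domain/LDAP]
id_provider = ldap
"""

# Constructed "after" configuration: ca_db removed, so the default applies.
NEW_CONF = """\
[sssd]
services = nss, pam, ssh
domains = LDAP

[ssh]

[domain/LDAP]
id_provider = ldap
"""

# Constructed view of the host filesystem (only the default NSS db exists).
PRESENT_FILES = {"/etc/pki/nssdb/cert9.db", "/etc/pki/nssdb/key4.db", "/home/oracle/.bashrc"}


def effective_ca_db(conf_text):
    """Return (path, explicit): the [ssh] ca_db value, or the default if unset."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    if cp.has_option("ssh", "ca_db"):  # False when the section itself is missing
        return cp.get("ssh", "ca_db").strip(), True
    return DEFAULT_CA_DB, False


def audit_ca_db(conf_text, present_files):
    """Flag an overridden ca_db and a ca_db directory without an NSS cert db.

    present_files is injected so the check runs offline; on a real host
    replace it with os.path.exists() calls.
    """
    path, explicit = effective_ca_db(conf_text)
    findings = []
    if explicit and path != DEFAULT_CA_DB:
        findings.append(f"[ssh] ca_db overrides the default: {path}")
    base = path.rstrip("/")
    if not any(f"{base}/{name}" in present_files for name in ("cert9.db", "cert8.db")):
        findings.append(f"no cert8.db/cert9.db under {path}: p11_child cannot load CA certs")
    return path, findings


# Constructed log lines modelled on the sssd_ssh.log excerpt in the thread.
LOG_OK = """\
(Wed Mar 25 11:34:44 2020) [sssd[ssh]] [child_sig_handler] (0x1000): Waiting for child [20372].
(Wed Mar 25 11:34:44 2020) [sssd[ssh]] [child_sig_handler] (0x0100): child [20372] finished successfully.
(Wed Mar 25 11:34:44 2020) [sssd[ssh]] [cert_to_ssh_key_done] (0x1000): Certificate [MIIC...] is valid.
(Wed Mar 25 11:34:44 2020) [sssd[ssh]] [ssh_protocol_done] (0x4000): Sending reply: success
"""

LOG_FAIL = """\
(Wed Mar 25 11:30:01 2020) [sssd[ssh]] [child_sig_handler] (0x1000): Waiting for child [20301].
(Wed Mar 25 11:30:01 2020) [sssd[ssh]] [child_sig_handler] (0x0040): child [20301] failed with status [1].
(Wed Mar 25 11:30:01 2020) [sssd[ssh]] [ssh_protocol_done] (0x4000): Sending reply: failure
"""

CHILD_RE = re.compile(r"child \[(\d+)\] (finished successfully|failed with status \[(\d+)\])")
REPLY_RE = re.compile(r"Sending reply: (\w+)")


def cert_auth_outcome(log_text):
    """Summarise one request: p11_child pid and exit, cert validity, final reply."""
    out = {"child_pid": None, "child_ok": False, "cert_valid": False, "reply": None}
    for line in log_text.splitlines():
        m = CHILD_RE.search(line)
        if m:
            out["child_pid"] = int(m.group(1))
            out["child_ok"] = m.group(2) == "finished successfully"
        if "[cert_to_ssh_key_done]" in line and line.rstrip().endswith("is valid."):
            out["cert_valid"] = True
        m = REPLY_RE.search(line)
        if m:
            out["reply"] = m.group(1)
    return out


if __name__ == "__main__":
    for label, conf in (("old", OLD_CONF), ("new", NEW_CONF)):
        path, findings = audit_ca_db(conf, PRESENT_FILES)
        print(f"{label}: ca_db={path} findings={findings}")
    print(cert_auth_outcome(LOG_OK))
    print(cert_auth_outcome(LOG_FAIL))
```

The audit deliberately distinguishes "option explicitly set" from "default in effect": a value equal to the default is harmless, whereas any override deserves a second look after a config clean-up, which is exactly how the stale /home/oracle value slipped through here.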