On Wed, Mar 25, 2020 at 03:14:40PM +0100, Kevin Olbrich wrote:
> Hi!
>
> I'm new to SSSD and I am trying to connect SSSD to my AD to manage SSH access.
> I set up the attribute and class on the AD schema master and I can fill in
> keys using ADUC.
> I've also enabled the checkbox for GC sync. My client system is Debian buster.
>
> I've joined a machine this way:
> realm discover EXAMPLE.COM
> realm join EXAMPLE.COM
>
> My /etc/sssd/sssd.conf:
> [sssd]
> domains = example.com
> services = nss, sudo, ssh, pam, autofs
> config_file_version = 2
> debug_level = 9
>
> [ssh]
> debug_level = 9
> ssh_use_certificate_keys = false
>
> [domain/example.com]
> debug_level = 9
> ad_domain = example.com
> krb5_realm = example.com
> realmd_tags = manages-system joined-with-adcli
> cache_credentials = False
> id_provider = ad

Hi,

the AD provider does not have the option ldap_user_ssh_public_key set by
default because there is no attribute for ssh keys in the AD schema. Please
add

    ldap_user_ssh_public_key = sshPublicKey

and try again.

HTH

bye,
Sumit

> krb5_store_password_if_offline = True
> default_shell = /bin/bash
> ldap_id_mapping = True
> use_fully_qualified_names = False
> fallback_homedir = /home/%u@%d
> access_provider = simple
> simple_allow_groups = domänen-benutzer
>
> SSHD config contains:
> AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
> AuthorizedKeysCommandUser nobody
>
>
> I can successfully log in using my AD account with my password. This
> works flawlessly.
> When I try to retrieve my SSH keys, it does not work:
> root@slde0009 ~ # sss_ssh_authorizedkeys --debug 9 kolbrich
> root@slde0009 ~ #
>
> Passwd works:
> root@slde0009 ~ # getent passwd kolbrich
> kolbrich:*:1753601104:1753600513:Kevin
> Olbrich:/home/kolbr...@example.com:/bin/bash
>
> sssd_example.com.log contains:
> (Wed Mar 25 14:36:53 2020) [sssd[be[example.com]]]
> [sdap_attrs_add_ldap_attr] (0x2000): sshPublicKey is not available for
> [kolbr...@example.com].
>
> LDAP looks fine:
> root@slde0009 ~ # ldapsearch -H ldap://192.168.81.1 -D
> administra...@example.com -b "dc=example,dc=com" -W -x
> '(objectClass=ldapPublicKey)' 'sshPublicKey'
> [...]
> # Kevin Olbrich, Users, DIT, MyBusiness, example.com
> dn: CN=Kevin Olbrich,OU=Users,OU=DIT,OU=MyBusiness,DC=example,DC=com
> sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClO6Jdbj7HffLDmAoXr/KU7IYn
>  kL/DvJBodE2UdhzROkc6YNSq7Y4xcfS3wHLH8OtPupbIDURwH/XZw2dflwcjxkHgyDPIQzzA988VJ
>  pZeT7DJ8AXx0VzZ0MfbIvksVja6eFgSbkvfU54zKloFFU0ml7UMh7WPwzY0kzhzjkiWnRLiTbERgg
>  IeeuQCF5HZvqpIr15ss1R0DLWMsLDL32FmM7tqYQRR5DkbD1T8ALIH3VaTcJhkaiqgW6V27Ps6gK/
>  lEQU9JKFNxfhqF+OsK+pngnC0uppw/r265rymfsHa1SfWQxhYRuxZxafldCnZYgMs9KzGK76pziDH
>  v3rGErCL k...@sv01.de
> [...]
>
> There are some howtos for this scenario but they work at this point :-P
>
> What am I doing wrong here?
>
> Thank you in advance!
>
> Kind regards
> Kevin
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
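The failure mode in this thread (`sss_ssh_authorizedkeys` returns nothing while `getent passwd` and `ldapsearch` both work) comes down to one missing mapping in the domain section. The following script is an added example, not code from the thread or from the SSSD project: it parses an sssd.conf with Python's standard library, reports an AD domain section that has no `ldap_user_ssh_public_key`, inserts the line Sumit suggests, and separately checks that each line an `AuthorizedKeysCommand` would hand to sshd has a type prefix matching the type embedded in its base64 blob (a mismatch is another way a key can be present in LDAP yet never be accepted). The sample configuration is a constructed copy of the one quoted above with the missing option left out, and the sample key blobs are constructed with dummy key material; `check_sssd_conf`, `fix_sssd_conf` and `validate_authorized_key` are names chosen here.

```python
"""Lint an sssd.conf for the settings the sss_ssh_authorizedkeys path needs,
and sanity-check authorized_keys lines that SSSD would return to sshd."""
import base64
import configparser
import re
import struct

# Constructed sample: the shape of the sssd.conf quoted in the thread, with
# ldap_user_ssh_public_key deliberately absent (the defect the reply points out).
SAMPLE_CONF = """\
[sssd]
domains = example.com
services = nss, sudo, ssh, pam, autofs
config_file_version = 2

[ssh]
ssh_use_certificate_keys = false

[domain/example.com]
ad_domain = example.com
krb5_realm = example.com
id_provider = ad
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
access_provider = simple
"""


def parse_sssd_conf(text):
    # sssd.conf is INI-style; interpolation must be off because sssd uses '%'
    # as a template marker (fallback_homedir = /home/%u@%d would otherwise fail).
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def check_sssd_conf(text):
    """Return a list of findings; an empty list means the SSH key path is wired up."""
    cp = parse_sssd_conf(text)
    findings = []
    services = [s.strip() for s in cp.get("sssd", "services", fallback="").split(",")]
    if "ssh" not in services:
        findings.append("[sssd] services does not include 'ssh'")
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        if (cp.get(section, "id_provider", fallback="") == "ad"
                and not cp.has_option(section, "ldap_user_ssh_public_key")):
            findings.append(f"[{section}] id_provider = ad but ldap_user_ssh_public_key "
                            "is not set; the AD provider will not fetch any ssh key")
    return findings


def fix_sssd_conf(text, attribute="sshPublicKey"):
    """Insert 'ldap_user_ssh_public_key = <attribute>' into each AD domain
    section that lacks it, directly after the section header."""
    cp = parse_sssd_conf(text)
    needs = {s for s in cp.sections()
             if s.startswith("domain/")
             and cp.get(s, "id_provider", fallback="") == "ad"
             and not cp.has_option(s, "ldap_user_ssh_public_key")}
    out = []
    for line in text.splitlines():
        out.append(line)
        m = re.match(r"\s*\[(.+?)\]\s*$", line)
        if m and m.group(1) in needs:
            out.append(f"ldap_user_ssh_public_key = {attribute}")
    return "\n".join(out) + "\n"


def validate_authorized_key(line):
    """True if one authorized_keys line is 'type base64 [comment]' and the
    type string stored at the start of the blob equals the leading type.
    sshd rejects lines where these disagree, so such a key sits in LDAP but
    never authenticates anyone."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        return False
    key_type, b64 = parts[0], parts[1]
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return False
    if len(blob) < 4:
        return False
    (n,) = struct.unpack(">I", blob[:4])   # SSH wire format: uint32 length + bytes
    if len(blob) < 4 + n:
        return False
    return blob[4:4 + n] == key_type.encode()


def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


# Constructed sample blob: valid wire layout, dummy (all-zero) key material.
_SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(b"\x00" * 32)
GOOD_LINE = "ssh-ed25519 " + base64.b64encode(_SAMPLE_BLOB).decode() + " user@example.com"
BAD_LINE = "ssh-rsa " + base64.b64encode(_SAMPLE_BLOB).decode() + " user@example.com"

if __name__ == "__main__":
    for finding in check_sssd_conf(SAMPLE_CONF):
        print("finding:", finding)
    print(fix_sssd_conf(SAMPLE_CONF))
    for line in (GOOD_LINE, BAD_LINE):
        print(validate_authorized_key(line), line[:40])
```

Run it against `/etc/sssd/sssd.conf` by reading the file into `check_sssd_conf`; once the option is in place, pipe the output of `sss_ssh_authorizedkeys <user>` line by line through `validate_authorized_key` to confirm what sshd will actually receive.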