On Wed, Mar 25, 2020 at 03:14:40PM +0100, Kevin Olbrich wrote:
> Hi!
>
> I'm new to SSSD and I'm trying to connect SSSD to my AD to manage SSH access.
> I set up the attribute and class on AD schema master and I can fill
> keys using ADUC.
> I've also enabled the checkbox for GC sync. My client system is debian buster.
>
> I've joined a machine this way:
> realm discover EXAMPLE.COM
> realm join EXAMPLE.COM
>
> My /etc/sssd/sssd.conf:
> [sssd]
> domains = example.com
> services = nss, sudo, ssh, pam, autofs
> config_file_version = 2
> debug_level = 9
>
> [ssh]
> debug_level = 9
> ssh_use_certificate_keys = false
>
> [domain/example.com]
> debug_level = 9
> ad_domain = example.com
> krb5_realm = example.com
> realmd_tags = manages-system joined-with-adcli
> cache_credentials = False
> id_provider = ad
Hi,
the AD provider does not have the option ldap_user_ssh_public_key set by
default because there is no attribute for ssh keys in the AD schema.
Please add
ldap_user_ssh_public_key = sshPublicKey
and try again.
HTH
bye,
Sumit
> krb5_store_password_if_offline = True
> default_shell = /bin/bash
> ldap_id_mapping = True
> use_fully_qualified_names = False
> fallback_homedir = /home/%u@%d
> access_provider = simple
> simple_allow_groups = domänen-benutzer
>
> SSHD config contains:
> AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
> AuthorizedKeysCommandUser nobody
>
>
> I can successfully login using my AD account using my password. This
> works flawlessly.
> When I try to retrieve my SSH keys, it does not work:
> root@slde0009 ~ # sss_ssh_authorizedkeys --debug 9 kolbrich
> root@slde0009 ~ #
>
> Passwd works:
> root@slde0009 ~ # getent passwd kolbrich
> kolbrich:*:1753601104:1753600513:Kevin
> Olbrich:/home/[email protected]:/bin/bash
>
> sssd_example.com.log contains:
> (Wed Mar 25 14:36:53 2020) [sssd[be[example.com]]]
> [sdap_attrs_add_ldap_attr] (0x2000): sshPublicKey is not available for
> [[email protected]].
>
> LDAP looks fine:
> root@slde0009 ~ # ldapsearch -H ldap://192.168.81.1 -D
> [email protected] -b "dc=example,dc=com" -W -x
> '(objectClass=ldapPublicKey)' 'sshPublicKey'
> [...]
> # Kevin Olbrich, Users, DIT, MyBusiness, example.com
> dn: CN=Kevin Olbrich,OU=Users,OU=DIT,OU=MyBusiness,DC=example,DC=com
> sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClO6Jdbj7HffLDmAoXr/KU7IYn
> kL/DvJBodE2UdhzROkc6YNSq7Y4xcfS3wHLH8OtPupbIDURwH/XZw2dflwcjxkHgyDPIQzzA988VJ
> pZeT7DJ8AXx0VzZ0MfbIvksVja6eFgSbkvfU54zKloFFU0ml7UMh7WPwzY0kzhzjkiWnRLiTbERgg
> IeeuQCF5HZvqpIr15ss1R0DLWMsLDL32FmM7tqYQRR5DkbD1T8ALIH3VaTcJhkaiqgW6V27Ps6gK/
> lEQU9JKFNxfhqF+OsK+pngnC0uppw/r265rymfsHa1SfWQxhYRuxZxafldCnZYgMs9KzGK76pziDH
> v3rGErCL [email protected]
> [...]
>
> There are some howtos for this scenario but they work at this point :-P
>
> What am I doing wrong here?
>
> Thank you in advance!
>
> Kind regards
> Kevin
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
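The exchange above boils down to one missing option in the AD domain section. The following Python script is an added example (not part of the thread and not SSSD's own tooling) that audits an sssd.conf for exactly that pitfall and patches it in place: it parses the INI-style file, checks that the ssh responder is listed in `services`, and flags every `[domain/...]` section with `id_provider = ad` that lacks `ldap_user_ssh_public_key`. The embedded config is constructed from the poster's file, reduced to the relevant sections; the function names and the `sshPublicKey` default are assumptions for this example.

```python
"""Audit an sssd.conf for the AD-provider SSH public key pitfall.

Added example, not part of the mailing-list exchange or of SSSD itself.
Assumes the sssd.conf layout shown in the thread; the sample text below is
constructed from it.
"""
import configparser
import re

# Constructed sample: the poster's config, reduced to the relevant sections.
SSSD_CONF_BEFORE = """\
[sssd]
domains = example.com
services = nss, sudo, ssh, pam, autofs
config_file_version = 2

[ssh]
ssh_use_certificate_keys = false

[domain/example.com]
ad_domain = example.com
krb5_realm = example.com
id_provider = ad
ldap_id_mapping = True
access_provider = simple
"""

SSH_KEY_OPTION = "ldap_user_ssh_public_key"
DEFAULT_SSH_KEY_ATTR = "sshPublicKey"  # the attribute name used in the thread


def _parse(text):
    # sssd.conf is INI-style; keep option names case-sensitive as sssd does.
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def audit_sssd_conf(text):
    """Return a list of findings; an empty list means the SSH key path is wired up."""
    cp = _parse(text)
    findings = []
    if not cp.has_section("sssd"):
        return ["missing [sssd] section"]
    services = [s.strip() for s in cp.get("sssd", "services", fallback="").split(",")]
    if "ssh" not in services:
        findings.append("[sssd] services does not include 'ssh'; "
                        "sss_ssh_authorizedkeys needs the ssh responder")
    domains = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",")
               if d.strip()]
    for dom in domains:
        sect = f"domain/{dom}"
        if not cp.has_section(sect):
            findings.append(f"domain '{dom}' listed but [{sect}] section is missing")
            continue
        provider = cp.get(sect, "id_provider", fallback="")
        # The AD provider has no default key attribute, so the option must be explicit.
        if provider == "ad" and not cp.has_option(sect, SSH_KEY_OPTION):
            findings.append(f"[{sect}]: id_provider = ad but {SSH_KEY_OPTION} is unset; "
                            f"set {SSH_KEY_OPTION} = {DEFAULT_SSH_KEY_ATTR}")
    return findings


def add_ssh_key_attribute(text, attr=DEFAULT_SSH_KEY_ATTR):
    """Insert `ldap_user_ssh_public_key = <attr>` into every AD domain section lacking it.

    Works line by line so comments and ordering in the file are preserved;
    the option is placed directly under the section header.
    """
    cp = _parse(text)
    needs_fix = {
        s for s in cp.sections()
        if s.startswith("domain/")
        and cp.get(s, "id_provider", fallback="") == "ad"
        and not cp.has_option(s, SSH_KEY_OPTION)
    }
    out = []
    for line in text.splitlines():
        out.append(line)
        m = re.match(r"\s*\[([^\]]+)\]\s*$", line)
        if m and m.group(1) in needs_fix:
            out.append(f"{SSH_KEY_OPTION} = {attr}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in audit_sssd_conf(SSSD_CONF_BEFORE):
        print("FINDING:", finding)
    print(add_ssh_key_attribute(SSSD_CONF_BEFORE))
```

Run it against a copy of the real file (`audit_sssd_conf(open("/etc/sssd/sssd.conf").read())`) before and after editing; once the option is present the audit returns nothing and `sss_ssh_authorizedkeys <user>` should start printing the keys stored in `sshPublicKey`, provided the ssh responder is listed in `services` as it is in the thread.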