[Freeipa-users] Odd problem with SSSD and SSH keys

Bret Wortman bret.wortman at damascusgrp.com
Thu Jan 16 17:57:03 UTC 2014


Here was the original sssd.conf. IPA created one, and I think in our 
early confusion over IPA, we created the other accidentally, and as we 
were trying to get puppet to enforce our system configs (we have a lot 
of developers who love to tinker with things they don't understand, 
which at this point includes me, I guess) we ended up postponing 
figuring out whether we could do away with the ".foo.net" one until today:

-------
[domain/foo.com]
cach_credentials = True
krb5_store_password_if_offline = True
ipa_domain = foo.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = zw129.foo.com
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = 192.168.208.46, _srv_, 192.168.10.111, 192.168.8.49
ldap_tls_cacert = /etc/ipa/ca.crt
[domain/.foo.com]

cache_credentials = True
krb5_store_password_if_offline = True
krb5_realm = FOO.COM
ipa_domain = .foo.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = 192.168.208.46, _srv_, 192.168.10.111, 192.168.8.49
ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=com
dns_discovery_domain = .foo.com
[sssd]
services = nss, pam, ssh
config_file_version = 2

domains = .foo.com, foo.com
[nss]

[pam]

[sudo]

[autofs]

[ssh]

-----------


Bret

On 01/16/2014 12:47 PM, Jan Cholasta wrote:
> I'm glad that fixed it, but I would still be interested in what went 
> wrong. Could you tell me what was the difference between foo.com and 
> .foo.com domain configuration? I'm also curious how such a 
> configuration got into sssd.conf in the first place, 
> ipa-client-install should have created only one domain.
>
> On 16.1.2014 18:19, Bret Wortman wrote:
>> It did. I just needed the motivation to figure out which version was
>> correct. So I experimented on my own workstation this morning before
>> anyone else got in and rolled out a corrected version.
>>
>> Thanks for your help, everyone!
>>
>>
>> On 01/16/2014 11:52 AM, Jan Cholasta wrote:
>>> I think you can just comment out the whole [domain/] section in
>>> sssd.conf and restart sssd. Does that solve the problem? If not, could
>>> you please post your sssd.conf here?
>>>
>>> On 16.1.2014 11:21, Bret Wortman wrote:
>>>> Yes, though there should be only one. We ended up somehow with
>>>> foo.com and .foo.com and I'm not sure how to reduce us properly to
>>>> just foo.com.
>>>>
>>>>
>>>> Bret Wortman
>>>> http://bretwortman.com/
>>>> http://twitter.com/BretWortman
>>>>
>>>>> On Jan 16, 2014, at 4:42 AM, Jan Cholasta <jcholast at redhat.com> 
>>>>> wrote:
>>>>>
>>>>> OK, there is definitely something going on in the client then. Are
>>>>> there multiple domains configured in sssd.conf?
>>>>>
>>>>>> On 15.1.2014 13:56, Bret Wortman wrote:
>>>>>> The fingerprint does match.
>>>>>>
>>>>>>> On 01/15/2014 03:33 AM, Jan Cholasta wrote:
>>>>>>>
>>>>>>>
>>>>>>>> On 14.1.2014 12:34, Bret Wortman wrote:
>>>>>>>> The key in /etc/ssh/ssh_host_rsa_key.pub matches what's in IPA
>>>>>>>> for the
>>>>>>>> host in question. It should not have had any connectivity issues;
>>>>>>>> it's
>>>>>>>> co-located with several of our IPA masters.
>>>>>>>
>>>>>>> Can you also check if the MD5 fingerprint reported by ssh (e.g.
>>>>>>> 2a:1e:1c:87:33:44:fb:87:ab:6f:ee:80:d5:21:7e:ab in your original
>>>>>>> post)
>>>>>>> matches the MD5 fingerprint for the host in IPA?
>>>>>
>>>>> -- 
>>>>> Jan Cholasta
>>>
>>>
>>
>>
>
>
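The thread's fix was to drop the stray `[domain/.foo.com]` section and restart sssd. As an added example (not code from the thread, from SSSD or from FreeIPA), the following Python script audits an sssd.conf for the symptoms visible above: a domain section whose name or `ipa_domain` begins with a dot, a domain missing from the `[sssd] domains` list, and options that SSSD would silently ignore because they are misspelled (`cach_credentials`). It then emits a corrected file that keeps only the domains you name. The sample configuration, the list of known domain options and the typo table are assumptions constructed for this example.

```python
import configparser
import io

# Constructed sample modelled on the sssd.conf posted in the thread (two
# overlapping IPA domain sections plus a misspelled option); not a real host's file.
SAMPLE_SSSD_CONF = """\
[domain/foo.com]
cach_credentials = True
ipa_domain = foo.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_server = 192.168.208.46, _srv_, 192.168.10.111, 192.168.8.49
ldap_tls_cacert = /etc/ipa/ca.crt

[domain/.foo.com]
cache_credentials = True
krb5_realm = FOO.COM
ipa_domain = .foo.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_server = 192.168.208.46, _srv_, 192.168.10.111, 192.168.8.49
dns_discovery_domain = .foo.com

[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = .foo.com, foo.com

[nss]

[pam]

[ssh]
"""

# Options ipa-client-install normally writes into a [domain/...] section
# (assumed list, used only to flag misspellings that SSSD would ignore).
KNOWN_DOMAIN_OPTIONS = {
    "cache_credentials", "krb5_store_password_if_offline", "krb5_realm",
    "ipa_domain", "ipa_hostname", "ipa_server", "ipa_dyndns_update",
    "id_provider", "auth_provider", "access_provider", "chpass_provider",
    "ldap_tls_cacert", "ldap_netgroup_search_base", "dns_discovery_domain",
}

# Misspellings this script is willing to repair (assumed table, not SSSD's).
OPTION_TYPO_FIXES = {"cach_credentials": "cache_credentials"}


def load_sssd_conf(text):
    """Parse sssd.conf text; the file is plain INI, so configparser suffices."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def audit_domains(cp):
    """Return {domain_name: [issue codes]} for every [domain/...] section."""
    listed = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]
    report = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        name = section[len("domain/"):]
        issues = []
        if name.startswith("."):
            issues.append("leading-dot-name")
        if cp.get(section, "ipa_domain", fallback="").startswith("."):
            issues.append("leading-dot-ipa_domain")
        if name not in listed:
            issues.append("not-in-domains-list")
        for option in cp.options(section):
            if option not in KNOWN_DOMAIN_OPTIONS:
                issues.append("unknown-option:" + option)
        report[name] = issues
    return report


def prune_domains(cp, keep):
    """Return corrected sssd.conf text that keeps only the domains in `keep`."""
    fixed = configparser.ConfigParser(interpolation=None)
    for section in cp.sections():
        if section.startswith("domain/") and section[len("domain/"):] not in keep:
            continue  # drop the stray domain section entirely
        fixed[section] = {OPTION_TYPO_FIXES.get(k, k): v for k, v in cp.items(section)}
    if not fixed.has_section("sssd"):
        fixed.add_section("sssd")
    # Rewrite the domains list so it only names sections that still exist.
    fixed["sssd"]["domains"] = ", ".join(d for d in keep if cp.has_section("domain/" + d))
    out = io.StringIO()
    fixed.write(out)
    return out.getvalue()


if __name__ == "__main__":
    conf = load_sssd_conf(SAMPLE_SSSD_CONF)
    for domain, issues in audit_domains(conf).items():
        print(domain, issues or "ok")
    print(prune_domains(conf, ["foo.com"]))
```

Run it against the real file with `load_sssd_conf(open("/etc/sssd/sssd.conf").read())`; review the audit output before writing anything back, keep the original file, and restart sssd after replacing it, as the thread describes.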

