[Freeipa-users] Certificate and key problems in Linux

Dmitri Pal dpal at redhat.com
Fri Mar 20 21:24:12 UTC 2015


On 03/20/2015 04:51 PM, nathan at nathanpeters.com wrote:
> I have FreeIPA installed on several types of Linux machines and they are
> all experiencing strange issues with certificates and host keys.
> Here is the setup:
>
> Server : FreeIPA 4.1.2 on Centos 7
> Client 1&2 : FreeIPA 3.0.0-42.el6 with sssd 1.11.6-30.el6_6.4 on CentOS 6.5
> Client 3&4 : FreeIPA 4.1.2-1.el7 on Centos 7
>
>
> First the FreeIPA clients running client 3.0.0 do not seem to be properly
> getting their host keys from the server.  Whenever I ssh from one client
> to another (or even to the IPA server itself) I am prompted to answer yes
> or no to the host key.  The host keys are both listed in the host record
> if I login to the domain controller web interface (and match what is on
> the server), and the DNS SSHFP records exist also.
>
> # sss_ssh_authorizedkeys --debug 10 admin
> (Fri Mar 20 13:43:52:706986 2015) [sss_ssh_authorizedkeys] [main]
> (0x0020): sss_ssh_get_ent() failed (2): No such file or directory
> Error looking up public keys

It seems that you might be missing the integration between sssd and ssh.
Can you please check your configuration as described here:
http://www.freeipa.org/images/1/10/Freeipa30_SSSD_OpenSSH_integration.pdf

> I've seen some bug reports that this was a problem with sssd 1.10 but with
> a recent (updated today) version of sssd 1.11 I would assume that is not
> the issue?
>
> The second issue is that whenever I join a FreeIPA 4.1.2 client, I can't
> login with FreeIPA or AD users.  I believe this is due to the fact that
> when I login to the domain controller web interface and look at the
> freshly enrolled client it says "kerberos key present, host provisioned"
> but the next line is "Status No Valid Certificate".  Unenrolling and
> re-enrolling the client leads to the same issue with "No Valid
> Certificate".
>
> Here is a grep of my client install log filtered for 'certificate'.  I
> don't see any errors.
> 2015-03-20T20:33:28Z DEBUG args='/usr/bin/certutil' '-d' '/tmp/tmpuZCwlm'
> '-A' '-n' 'CA certificate 1' '-t' 'C,,'
> 2015-03-20T20:33:28Z DEBUG auth_certificate_callback: check_sig=True
> is_server=False
> 2015-03-20T20:33:28Z DEBUG auth_certificate_callback: check_sig=True
> is_server=False
> 2015-03-20T20:33:30Z DEBUG Adding CA certificates to the IPA NSS database.
> 2015-03-20T20:33:32Z DEBUG Attempting to add CA certificates to the
> default NSS database.
> 2015-03-20T20:33:32Z INFO Added CA certificates to the default NSS database.
> 2015-03-20T20:33:32Z DEBUG auth_certificate_callback: check_sig=True
> is_server=False
>
>
>

This is because in 4.x we do not automatically provision a cert for the
host any more.
It was not used for anything. We provisioned it just in case it will be
needed but it turns out it was not needed and it was an extra step for no
reason.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
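As an added example that is not part of this thread or of the FreeIPA project's own code, here is a small POSIX shell check for the three places the SSSD/OpenSSH integration from the linked document is configured (the sssd ssh responder, sshd's AuthorizedKeysCommand, and the client's known_hosts proxy). The directive names are the documented sssd and OpenSSH ones; the file paths are passed in as parameters so the check can also be run against copies of the files.

```shell
# Added example (not from the thread): verify the sssd <-> OpenSSH integration settings.
# Usage: check_sss_ssh_integration /etc/sssd/sssd.conf /etc/ssh/sshd_config /etc/ssh/ssh_config
# Exit status is the number of missing settings (0 = everything found).

# has_directive FILE REGEX: true if an uncommented line in FILE matches REGEX (case-insensitive)
has_directive() {
    grep -Eiq "^[[:space:]]*$2" "$1" 2>/dev/null
}

check_sss_ssh_integration() {
    sssd_conf=$1; sshd_config=$2; ssh_config=$3
    missing=0

    # 1. sssd must run its ssh responder: "services = nss, pam, ssh" in the [sssd] section
    if ! grep -Eiq '^[[:space:]]*services[[:space:]]*=([^#]*[[:space:],])?ssh([[:space:],]|$)' "$sssd_conf" 2>/dev/null; then
        echo "MISSING: $sssd_conf: add 'ssh' to 'services =' in the [sssd] section"
        missing=$((missing + 1))
    fi

    # 2. sshd must ask sssd for authorized keys (the command the poster ran by hand)
    if ! has_directive "$sshd_config" 'AuthorizedKeysCommand[[:space:]]+/usr/bin/sss_ssh_authorizedkeys'; then
        echo "MISSING: $sshd_config: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys"
        missing=$((missing + 1))
    fi
    # Upstream OpenSSH uses AuthorizedKeysCommandUser; the RHEL 6 build used AuthorizedKeysCommandRunAs
    if ! has_directive "$sshd_config" 'AuthorizedKeysCommand(User|RunAs)[[:space:]]+[^[:space:]]'; then
        echo "MISSING: $sshd_config: AuthorizedKeysCommandUser nobody (or AuthorizedKeysCommandRunAs on RHEL 6)"
        missing=$((missing + 1))
    fi

    # 3. the ssh client must consult sssd's host-key cache, otherwise every host prompts yes/no
    if ! has_directive "$ssh_config" 'GlobalKnownHostsFile[[:space:]]+/var/lib/sss/pubconf/known_hosts'; then
        echo "MISSING: $ssh_config: GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts"
        missing=$((missing + 1))
    fi
    if ! has_directive "$ssh_config" 'ProxyCommand[[:space:]]+/usr/bin/sss_ssh_knownhostsproxy'; then
        echo "MISSING: $ssh_config: ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h"
        missing=$((missing + 1))
    fi

    [ "$missing" -eq 0 ] && echo "OK: sssd/ssh integration settings are all present"
    return "$missing"
}

# Run directly against the three files given on the command line
if [ "$#" -eq 3 ]; then
    check_sss_ssh_integration "$@"
fi
```

Every reported line names the file and the directive to add, so the output can be pasted straight into a ticket; restart sshd and sssd after changing the files.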
