[Freeipa-users] SSSD client (amazon linux) + IPA server (Redhat)

Gustavo Mateus gustavo.mateus at gmail.com
Wed Sep 16 18:28:49 UTC 2015


Hi,

I have an IPA server running on redhat and I'm trying to find the best way to
get my amazon linux instances to use it for authentication, ssh key
management and sudo rules.

I'm now trying to use SSSD to achieve those goals. Authentication is
working but I'm having problems getting the user public ssh keys using
/usr/bin/sss_ssh_authorizedkeys.


This is my sssd.conf:

[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = default
re_expression = (?P<name>.+)

[domain/default]
debug_level = 8
cache_credentials = True
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ipa.my.domain.com
ldap_search_base = cn=compat,dc=my,dc=domain,dc=com
ldap_tls_cacert = /etc/openldap/cacerts/ipa.crt
ldap_user_ssh_public_key = ipaSshPubKey


The original configuration was done using ipa-advise
config-redhat-sssd-before-1-9. I just changed the services parameter to
include "ssh, sudo" and added "ldap_user_ssh_public_key".

When I run it on the client I get no response or error, even when running it in
debug mode:

/usr/bin/sss_ssh_authorizedkeys admin --debug 10


ipaSshPubKey is already public in the IPA permissions.


The sssd_default.log on the client shows this when I run it (debug_level =
8):

(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sbus_get_sender_id_send]
(0x2000): Not a sysbus message, quit
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sbus_get_sender_id_send]
(0x2000): Not a sysbus message, quit
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [be_get_account_info]
(0x0200): Got request for [0x1][1][name=admin]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [be_req_set_domain]
(0x0400): Changing request domain from [default] to [default]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_search_user_next_base]
(0x0400): Searching for users with base [cn=compat,dc=my,dc=domain,dc=com]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_print_server]
(0x2000): Searching 10.0.0.2
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step]
(0x0400): calling ldap_search_ext with
[(&(uid=admin)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][cn=compat,dc=my,dc=domain,dc=com].
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [objectClass]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [uid]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [userPassword]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [uidNumber]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [gidNumber]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [gecos]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [homeDirectory]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [loginShell]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [krbPrincipalName]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [cn]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [memberOf]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [modifyTimestamp]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [entryUSN]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [shadowLastChange]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [shadowMin]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [shadowMax]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [shadowWarning]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [shadowInactive]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [shadowExpire]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [shadowFlag]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [krbLastPwdChange]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [krbPasswordExpiration]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [pwdAttribute]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [authorizedService]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [accountExpires]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [userAccountControl]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [nsAccountLock]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [host]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [loginDisabled]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [loginExpirationTime]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [loginAllowedTimeMap]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [ipaSshPubKey]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step]
(0x2000): ldap_search_ext called, msgid = 3
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_process_result]
(0x2000): Trace: sh[0x1edd270], connected[1], ops[0x1e9f5a0],
ldap[0x1edcfd0]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_parse_entry] (0x1000):
OriginalDN: [uid=admin,cn=users,cn=compat,dc=my,dc=domain,dc=com].
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_parse_range] (0x2000):
No sub-attributes for [objectClass]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_parse_range] (0x2000):
No sub-attributes for [uid]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_parse_range] (0x2000):
No sub-attributes for [uidNumber]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_parse_range] (0x2000):
No sub-attributes for [gidNumber]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_parse_range] (0x2000):
No sub-attributes for [gecos]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_parse_range] (0x2000):
No sub-attributes for [homeDirectory]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_parse_range] (0x2000):
No sub-attributes for [loginShell]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_parse_range] (0x2000):
No sub-attributes for [cn]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_parse_range] (0x2000):
No sub-attributes for [modifyTimestamp]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_parse_range] (0x2000):
No sub-attributes for [entryUSN]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_process_result]
(0x2000): Trace: sh[0x1edd270], connected[1], ops[0x1e9f5a0],
ldap[0x1edcfd0]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_search_user_process]
(0x0400): Search for users, returned 1 results.
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_save_user] (0x0400):
Save user
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_attrs_get_sid_str]
(0x1000): No [objectSID] attribute. [0][Success]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sss_parse_name] (0x0100):
Domain not provided!
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_primary_name]
(0x0400): Processing object admin
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_save_user] (0x0400):
Processing user admin
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_save_user] (0x2000):
Adding originalDN [uid=admin,cn=users,cn=compat,dc=my,dc=domain,dc=com] to
attributes of [admin].
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_save_user] (0x0400):
Original memberOf is not available for [admin].
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_attrs_add_ldap_attr]
(0x2000): Adding original mod-Timestamp [20150829000451Z] to attributes of
[admin].
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_save_user] (0x0400):
User principal is not available for [admin].
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_attrs_add_ldap_attr]
(0x2000): shadowLastChange is not available for [admin].
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_attrs_add_ldap_attr]
(0x2000): shadowMin is not available for [admin].
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_attrs_add_ldap_attr]
(0x2000): shadowMax is not available for [admin].
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_attrs_add_ldap_attr]
(0x2000): shadowWarning is not available for [admin].
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_attrs_add_ldap_attr]
(0x2000): shadowInactive is not available for [admin].
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_attrs_add_ldap_attr]
(0x2000): shadowExpire is not available for [admin].
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_attrs_add_ldap_attr]
(0x2000): shadowFlag is not available for [admin].
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_attrs_add_ldap_attr]
(0x2000): krbLastPwdChange is not available for [admin].
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_attrs_add_ldap_attr]
(0x2000): krbPasswordExpiration is not available for [admin].
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_attrs_add_ldap_attr]
(0x2000): pwdAttribute is not available for [admin].
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_attrs_add_ldap_attr]
(0x2000): authorizedService is not available for [admin].
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_attrs_add_ldap_attr]
(0x2000): adAccountExpires is not available for [admin].
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_attrs_add_ldap_attr]
(0x2000): adUserAccountControl is not available for [admin].
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_attrs_add_ldap_attr]
(0x2000): nsAccountLock is not available for [admin].
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_attrs_add_ldap_attr]
(0x2000): authorizedHost is not available for [admin].
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_attrs_add_ldap_attr]
(0x2000): ndsLoginDisabled is not available for [admin].
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_attrs_add_ldap_attr]
(0x2000): ndsLoginExpirationTime is not available for [admin].
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_attrs_add_ldap_attr]
(0x2000): ndsLoginAllowedTimeMap is not available for [admin].
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_attrs_add_ldap_attr]
(0x2000): sshPublicKey is not available for [admin].
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_attrs_add_ldap_attr]
(0x2000): authType is not available for [admin].
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_save_user] (0x0400):
Storing info for user admin
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sysdb_remove_attrs]
(0x2000): Removing attribute [userPassword] from [admin]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sysdb_remove_attrs]
(0x2000): Removing attribute [userPrincipalName] from [admin]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sysdb_remove_attrs]
(0x2000): Removing attribute [shadowLastChange] from [admin]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sysdb_remove_attrs]
(0x2000): Removing attribute [shadowMin] from [admin]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sysdb_remove_attrs]
(0x2000): Removing attribute [shadowMax] from [admin]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sysdb_remove_attrs]
(0x2000): Removing attribute [shadowWarning] from [admin]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sysdb_remove_attrs]
(0x2000): Removing attribute [shadowInactive] from [admin]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sysdb_remove_attrs]
(0x2000): Removing attribute [shadowExpire] from [admin]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sysdb_remove_attrs]
(0x2000): Removing attribute [shadowFlag] from [admin]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sysdb_remove_attrs]
(0x2000): Removing attribute [krbLastPwdChange] from [admin]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sysdb_remove_attrs]
(0x2000): Removing attribute [krbPasswordExpiration] from [admin]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sysdb_remove_attrs]
(0x2000): Removing attribute [pwdAttribute] from [admin]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sysdb_remove_attrs]
(0x2000): Removing attribute [authorizedService] from [admin]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sysdb_remove_attrs]
(0x2000): Removing attribute [adAccountExpires] from [admin]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sysdb_remove_attrs]
(0x2000): Removing attribute [adUserAccountControl] from [admin]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sysdb_remove_attrs]
(0x2000): Removing attribute [nsAccountLock] from [admin]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sysdb_remove_attrs]
(0x2000): Removing attribute [authorizedHost] from [admin]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sysdb_remove_attrs]
(0x2000): Removing attribute [ndsLoginDisabled] from [admin]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sysdb_remove_attrs]
(0x2000): Removing attribute [ndsLoginExpirationTime] from [admin]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sysdb_remove_attrs]
(0x2000): Removing attribute [ndsLoginAllowedTimeMap] from [admin]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sysdb_remove_attrs]
(0x2000): Removing attribute [sshPublicKey] from [admin]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [acctinfo_callback]
(0x0100): Request processed. Returned 0,0,Success
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_process_result]
(0x2000): Trace: sh[0x1edd270], connected[1], ops[(nil)], ldap[0x1edcfd0]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_process_result]
(0x2000): Trace: ldap_result found nothing!


It also shows constant messages like this every few seconds:

(Wed Sep 16 18:13:46 2015) [sssd[be[default]]] [sbus_get_sender_id_send]
(0x2000): Not a sysbus message, quit


I'm not sure which step I am missing. I'm using SSSD 1.12.2 as provided by Amazon.
The server is FreeIPA, version 4.1.0.


Thanks in advance,


Gustavo
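A small diagnostic, added here and not part of Gustavo's post or of SSSD itself, that reads the debug log above and compares the attributes SSSD asked for ("Requesting attrs") with the attributes sdap_parse_range reported on the entry it got back ("No sub-attributes for"), which I take as the attributes the compat-tree entry actually carried. The sample log is a constructed excerpt of the log quoted above with the wrapped lines joined; against it, ipaSshPubKey is requested but never returned, which is why sss_ssh_authorizedkeys prints nothing.

```python
import re
from typing import Dict, List

# Constructed excerpt of the client's sssd_default.log quoted above, with the
# wrapped lines joined; the real log carries many more "Requesting attrs" lines.
SAMPLE_LOG = """\
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [cn=compat,dc=my,dc=domain,dc=com]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_parse_entry] (0x1000): OriginalDN: [uid=admin,cn=users,cn=compat,dc=my,dc=domain,dc=com].
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [uid]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [uidNumber]
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_search_user_process] (0x0400): Search for users, returned 1 results.
"""

# One pattern per log message we care about; the capture is the bracketed value.
PATTERNS = {
    "base": re.compile(r"Searching for users with base \[([^\]]+)\]"),
    "requested": re.compile(r"Requesting attrs: \[([^\]]+)\]"),
    "entry_dn": re.compile(r"OriginalDN: \[([^\]]+)\]"),
    "returned": re.compile(r"No sub-attributes for \[([^\]]+)\]"),
}


def analyze(log: str) -> Dict[str, object]:
    """Compare the attributes SSSD asked for with those the entry carried."""
    found: Dict[str, List[str]] = {k: [] for k in PATTERNS}
    for line in log.splitlines():
        for key, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                found[key].append(m.group(1))
    return {
        "base": found["base"][-1] if found["base"] else None,
        "entry_dn": found["entry_dn"][-1] if found["entry_dn"] else None,
        "missing": sorted(set(found["requested"]) - set(found["returned"])),
    }


def explain(log: str, attr: str = "ipaSshPubKey") -> str:
    """One-line verdict on whether the SSH key attribute came back at all."""
    r = analyze(log)
    if attr not in r["missing"]:
        return f"{attr} was returned for {r['entry_dn']}"
    return (f"{attr} was requested under base {r['base']} but the entry "
            f"{r['entry_dn']} does not carry it, so there is no key to print")
```

Run it against a real sssd_default.log captured at debug_level 8 or higher; the "missing" list shows every requested attribute the returned entry lacked, not only the SSH key one.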