[Freeipa-users] SSSD client (amazon linux) + IPA server (Redhat)

Gustavo Mateus gustavo.mateus at gmail.com
Thu Sep 17 17:33:41 UTC 2015


When I use id_provider=ipa I get:

[sssd[be[default]]] [main] (0x0010): Could not initialize backend [2]


Adding a [ssh] section with just "debug_level = 10" in it, I get:

(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [get_client_cred] (0x4000): Client
creds: euid[1742200001] egid[1742200001] pid[6295].
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle
timer re-set for client [0xd34eb0][17]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [accept_fd_handler] (0x0400): Client
connected!
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle
timer re-set for client [0xd34eb0][17]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_cmd_get_version] (0x0200):
Received client version [0].
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_cmd_get_version] (0x0200):
Offered version [0].
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle
timer re-set for client [0xd34eb0][17]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle
timer re-set for client [0xd34eb0][17]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ssh_cmd_parse_request] (0x0400):
Requested domain [<ALL>]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ssh_cmd_parse_request] (0x0400):
Parsing name [admin][<ALL>]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_parse_name] (0x0100): Domain
not provided!
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_parse_name_for_domains]
(0x0200): name 'admin' matched without domain, user is admin
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_ssh_cmd_get_user_pubkeys]
(0x0400): Requesting SSH user public keys for [admin] from [<ALL>]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_issue_request] (0x0400):
Issuing request for [0x40aba0:1:admin at default]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_get_account_msg] (0x0400):
Creating request for [default][1][1][name=admin]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sbus_add_timeout] (0x2000): 0xd32ba0
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_internal_get_send] (0x0400):
Entering request [0x40aba0:1:admin at default]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sbus_remove_timeout] (0x2000):
0xd32ba0
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sbus_dispatch] (0x4000): dbus conn:
0xd310f0
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sbus_dispatch] (0x4000):
Dispatching.
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_get_reply] (0x1000): Got
reply from Data Provider - DP error code: 0 errno: 0 error message: Success
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ssh_user_pubkeys_search_next]
(0x0400): Requesting SSH user public keys for [admin at default]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_parse_name] (0x0100): Domain
not provided!
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Added timed event
"ltdb_callback": 0xd3f3b0

(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Added timed event
"ltdb_timeout": 0xd3f470

(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Running timer event
0xd3f3b0 "ltdb_callback"

(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Destroying timer
event 0xd3f470 "ltdb_timeout"

(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Ending timer event
0xd3f3b0 "ltdb_callback"

(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_req_destructor] (0x0400):
Deleting request: [0x40aba0:1:admin at default]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle
timer re-set for client [0xd34eb0][17]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle
timer re-set for client [0xd34eb0][17]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [client_recv] (0x0200): Client
disconnected!
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [client_destructor] (0x2000):
Terminated client [0xd34eb0][17]




ldbsearch shows this (ldbsearch -H /var/lib/sss/db/cache_default.ldb
name=admin):


asq: Unable to register control with rootdse!
# record 1
dn: name=admin,cn=users,cn=default,cn=sysdb
createTimestamp: 1442509579
fullName: Administrator
gecos: Administrator
gidNumber: 1742200000
homeDirectory: /home/admin
loginShell: /bin/bash
name: admin
objectClass: user
uidNumber: 1742200000
originalDN: uid=admin,cn=users,cn=compat,dc=my,dc=domain,dc=com
originalModifyTimestamp: 20150829000451Z
entryUSN: 1428
lastUpdate: 1442509579
dataExpireTimestamp: 1442514979
distinguishedName: name=admin,cn=users,cn=default,cn=sysdb

# returned 1 records
# 1 entries
# 0 referrals




Thanks,
Gustavo





On Thu, Sep 17, 2015 at 12:25 AM, Jakub Hrozek <jhrozek at redhat.com> wrote:

> On Wed, Sep 16, 2015 at 11:28:49AM -0700, Gustavo Mateus wrote:
> > Hi,
> >
> > I have an IPA server running on redhat and I'm trying to find the best way
> > to
> > get my amazon linux instances to use it for authentication, ssh key
> > management and sudo rules.
> >
> > I'm now trying to use SSSD to achieve those goals. Authentication is
> > working but I'm having problems to get the user public ssh keys using
> > /usr/bin/sss_ssh_authorizedkeys.
> >
> >
> > This is my sssd.conf:
> >
> > [sssd]
> > services = nss, pam, ssh, sudo
> > config_file_version = 2
> > domains = default
> > re_expression = (?P<name>.+)
> >
> > [domain/default]
> > debug_level = 8
> > cache_credentials = True
> > id_provider = ldap
> > auth_provider = ldap
> > ldap_uri = ldap://ipa.my.domain.com
> > ldap_search_base = cn=compat,dc=my,dc=domain,dc=com
> > ldap_tls_cacert = /etc/openldap/cacerts/ipa.crt
> > ldap_user_ssh_public_key = ipaSshPubKey
> >
> >
> > The original configuration was done using ipa-advise
> > config-redhat-sssd-before-1-9.
>
> Is there any particular reason to keep doing this versus joining the
> client to the domain and using id_provider=ipa ?
>
> > I just changed the services parameter to
> > include "ssh, sudo" and "ldap_user_ssh_public_key"
>
> I don't think sudo would work unless you authenticate the LDAP
> connection.
>
> >
> > When I run it on the client I get no response or error. Even running it
> in
> > debug mode:
> >
> > /usr/bin/sss_ssh_authorizedkeys admin --debug 10
>
> I would check if:
>     - debug_level in the [ssh] section reveals anything. Is the ssh
>       responder being contacted, are there any errors?
>     - check with ldbsearch (ldb-tools package) if the ssh key
>       attribute is really fetched from IPA LDAP and is stored along the
>       user entry
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
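Added example for this thread (not code from SSSD, FreeIPA, or either poster): a small Python script that parses ldbsearch output like the record pasted above and reports, for each cached user, whether an SSH public key is actually present in the SSSD cache, which LDAP subtree the entry was fetched from (originalDN), the cache TTL, and whether the entry has expired. It assumes SSSD stores the key fetched via ldap_user_ssh_public_key under the sysdb attribute name sshPublicKey. The embedded input is constructed: the admin record from this post, plus a second invented record for a user "alice" carrying a made-up (not real) key, so both outcomes are exercised.

```python
"""Inspect SSSD sysdb cache records (ldbsearch output) for cached SSH keys.

Added example for the freeipa-users thread above; not SSSD/FreeIPA code.
Assumption: the cache stores user SSH keys in the attribute 'sshPublicKey'.
"""
import base64
import re

# Constructed sample: the 'admin' record from the post, plus an invented
# 'alice' record with a fake key (NOT a real key) to show the positive case.
SAMPLE_LDBSEARCH_OUTPUT = """\
asq: Unable to register control with rootdse!
# record 1
dn: name=admin,cn=users,cn=default,cn=sysdb
createTimestamp: 1442509579
fullName: Administrator
gecos: Administrator
gidNumber: 1742200000
homeDirectory: /home/admin
loginShell: /bin/bash
name: admin
objectClass: user
uidNumber: 1742200000
originalDN: uid=admin,cn=users,cn=compat,dc=my,dc=domain,dc=com
originalModifyTimestamp: 20150829000451Z
entryUSN: 1428
lastUpdate: 1442509579
dataExpireTimestamp: 1442514979
distinguishedName: name=admin,cn=users,cn=default,cn=sysdb

# record 2
dn: name=alice,cn=users,cn=default,cn=sysdb
name: alice
objectClass: user
uidNumber: 1742200005
gidNumber: 1742200005
originalDN: uid=alice,cn=users,cn=accounts,dc=my,dc=domain,dc=com
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYFORTHISEXAMPLE0000000 alice@laptop
lastUpdate: 1442509600
dataExpireTimestamp: 1442515000

# returned 2 records
# 2 entries
# 0 referrals
"""

SSH_KEY_ATTR = "sshPublicKey"  # assumed sysdb attribute name for cached keys

# 'attr: value' or 'attr:: base64value'
_ATTR_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9;.-]*)(::?) ?(.*)$")


def _finish(pending):
    """Turn a list of [attr, is_base64, value] into {attr: [values]}."""
    rec = {}
    for attr, is_b64, value in pending:
        if is_b64:
            value = base64.b64decode(value).decode("utf-8", "replace")
        rec.setdefault(attr, []).append(value)
    return rec


def parse_ldb_records(text):
    """Parse LDIF-style ldbsearch output into a list of record dicts.

    '#' lines are comments, a blank line ends a record, a line starting with a
    space continues the previous value, and 'attr:: v' is base64.  Anything
    before the first 'dn:' line (e.g. the asq warning) is ignored.
    """
    records, current = [], None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw == "":
            if current is not None:
                records.append(_finish(current))
                current = None
            continue
        if raw.startswith(" ") and current:
            current[-1][2] += raw[1:]  # continuation of previous value
            continue
        m = _ATTR_LINE.match(raw)
        if m is None:
            continue
        attr, is_b64, value = m.group(1), m.group(2) == "::", m.group(3)
        if attr == "dn":
            current = []
        if current is None:
            continue
        current.append([attr, is_b64, value])
    if current is not None:
        records.append(_finish(current))
    return records


def check_record(rec, now):
    """Summarise what matters to sss_ssh_authorizedkeys for one cached user."""
    original_dn = rec.get("originalDN", [""])[0]
    keys = rec.get(SSH_KEY_ATTR, [])
    last_update = int(rec.get("lastUpdate", ["0"])[0])
    expire = int(rec.get("dataExpireTimestamp", ["0"])[0])
    return {
        "name": rec.get("name", ["?"])[0],
        "has_ssh_key": bool(keys),
        "key_count": len(keys),
        "key_types": [k.split()[0] for k in keys if k.split()],
        "original_dn": original_dn,
        "from_compat_tree": ",cn=compat," in original_dn.lower(),
        "cache_ttl_seconds": expire - last_update,
        "expired": now >= expire,
    }


def audit(text, now):
    """Parse ldbsearch output and check every record; returns list of summaries."""
    return [check_record(r, now) for r in parse_ldb_records(text)]


if __name__ == "__main__":
    import sys
    import time
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDBSEARCH_OUTPUT
    for s in audit(text, int(time.time())):
        verdict = "key cached" if s["has_ssh_key"] else "NO key cached"
        print(f"{s['name']}: {verdict} ({s['key_count']}), from {s['original_dn']}, "
              f"compat tree={s['from_compat_tree']}, ttl={s['cache_ttl_seconds']}s, "
              f"expired={s['expired']}")
```

Run it with no input to see the embedded sample, or feed it the real cache (the ldb files are root-only): `sudo ldbsearch -H /var/lib/sss/db/cache_default.ldb name=admin | python3 check_cache.py`. On the record from this post it reports no key cached, an originalDN under cn=compat, and a 5400-second TTL; if the key is missing from the cache, sss_ssh_authorizedkeys has nothing to return regardless of ssh responder debug output.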