[Freeipa-users] SSSD client (amazon linux) + IPA server (Redhat)

Jakub Hrozek jhrozek at redhat.com
Fri Sep 18 08:40:56 UTC 2015


On Thu, Sep 17, 2015 at 10:33:41AM -0700, Gustavo Mateus wrote:
> When I use id_provider=ipa I get:
> 
> [sssd[be[default]]] [main] (0x0010): Could not initialize backend [2]

Ah, I think they simply don't package the IPA backend.

Time to file an RFE with Amazon? :-)

> 
> 
> Adding a [ssh] section with just "debug_level = 10"on it, I get:
> 
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [get_client_cred] (0x4000): Client
> creds: euid[1742200001] egid[1742200001] pid[6295].
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle
> timer re-set for client [0xd34eb0][17]
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [accept_fd_handler] (0x0400): Client
> connected!
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle
> timer re-set for client [0xd34eb0][17]
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_cmd_get_version] (0x0200):
> Received client version [0].
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_cmd_get_version] (0x0200):
> Offered version [0].
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle
> timer re-set for client [0xd34eb0][17]
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle
> timer re-set for client [0xd34eb0][17]
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ssh_cmd_parse_request] (0x0400):
> Requested domain [<ALL>]
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ssh_cmd_parse_request] (0x0400):
> Parsing name [admin][<ALL>]
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_parse_name] (0x0100): Domain
> not provided!
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_parse_name_for_domains]
> (0x0200): name 'admin' matched without domain, user is admin
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_ssh_cmd_get_user_pubkeys]
> (0x0400): Requesting SSH user public keys for [admin] from [<ALL>]
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_issue_request] (0x0400):
> Issuing request for [0x40aba0:1:admin at default]
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_get_account_msg] (0x0400):
> Creating request for [default][1][1][name=admin]
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sbus_add_timeout] (0x2000): 0xd32ba0
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_internal_get_send] (0x0400):
> Entering request [0x40aba0:1:admin at default]
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sbus_remove_timeout] (0x2000):
> 0xd32ba0
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sbus_dispatch] (0x4000): dbus conn:
> 0xd310f0
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sbus_dispatch] (0x4000):
> Dispatching.
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_get_reply] (0x1000): Got
> reply from Data Provider - DP error code: 0 errno: 0 error message: Success
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ssh_user_pubkeys_search_next]
> (0x0400): Requesting SSH user public keys for [admin at default]
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_parse_name] (0x0100): Domain
> not provided!
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Added timed event
> "ltdb_callback": 0xd3f3b0
> 
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Added timed event
> "ltdb_timeout": 0xd3f470
> 
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Running timer event
> 0xd3f3b0 "ltdb_callback"
> 
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Destroying timer
> event 0xd3f470 "ltdb_timeout"
> 
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Ending timer event
> 0xd3f3b0 "ltdb_callback"
> 
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_req_destructor] (0x0400):
> Deleting request: [0x40aba0:1:admin at default]
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle
> timer re-set for client [0xd34eb0][17]
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle
> timer re-set for client [0xd34eb0][17]
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [client_recv] (0x0200): Client
> disconnected!
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [client_destructor] (0x2000):
> Terminated client [0xd34eb0][17]
> 
> ldbsearch shows this (ldbsearch -H /var/lib/sss/db/cache_default.ldb
> name=admin):
> 
> 
> asq: Unable to register control with rootdse!
> # record 1
> dn: name=admin,cn=users,cn=default,cn=sysdb
> createTimestamp: 1442509579
> fullName: Administrator
> gecos: Administrator
> gidNumber: 1742200000
> homeDirectory: /home/admin
> loginShell: /bin/bash
> name: admin
> objectClass: user
> uidNumber: 1742200000
> originalDN: uid=admin,cn=users,cn=compat,dc=my,dc=domain,dc=com
> originalModifyTimestamp: 20150829000451Z
> entryUSN: 1428
> lastUpdate: 1442509579
> dataExpireTimestamp: 1442514979
> distinguishedName: name=admin,cn=users,cn=default,cn=sysdb

The communication between the ssh responder and the back end went fine.
I think I should have been more careful the first time around; it looks
like the backend cannot find the attribute in LDAP (some ACI problems,
maybe?)

From your earlier logs:
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): sshPublicKey is not available for [admin].

You can run a similar query manually (the filter has to be quoted so the shell does not interpret the parentheses):
ldapsearch -x -H ldap://your.ipa.server -b cn=compat,dc=my,dc=domain,dc=com '(&(uid=admin)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))'

Does that show the sshPublicKey?
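An added example, not part of this thread: a small Python checker that reads the ldbsearch cache record and the backend debug line quoted above and reports whether sshPublicKey ever reached the sysdb cache, which attributes the LDAP backend said were missing, and which LDAP subtree the entry was fetched from (here the compat tree), so the manual ldapsearch is aimed at the right base. The sample inputs are copied from the thread and trimmed; the function names are this example's own.

```python
import re
from typing import Dict, List

# Constructed sample input: the sysdb record and backend log line quoted
# in this thread, trimmed to the attributes that matter for the diagnosis.
CACHE_LDIF = """\
asq: Unable to register control with rootdse!
# record 1
dn: name=admin,cn=users,cn=default,cn=sysdb
name: admin
objectClass: user
uidNumber: 1742200000
originalDN: uid=admin,cn=users,cn=compat,dc=my,dc=domain,dc=com
dataExpireTimestamp: 1442514979
"""

BACKEND_LOG = """\
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): sshPublicKey is not available for [admin].
"""

# sdap_attrs_add_ldap_attr logs one line per attribute the LDAP entry lacked.
NOT_AVAILABLE = re.compile(
    r"\[sdap_attrs_add_ldap_attr\].*?: (\S+) is not available for \[([^\]]+)\]")


def parse_ldif_record(ldif: str) -> Dict[str, List[str]]:
    """Parse one ldbsearch record into attribute -> values.

    Anything before the first 'dn:' (ldb warnings, comments) is skipped.
    """
    attrs: Dict[str, List[str]] = {}
    in_record = False
    for line in ldif.splitlines():
        if line.startswith("dn:"):
            in_record = True
        if not in_record or not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        attrs.setdefault(key.strip(), []).append(value.strip())
    return attrs


def missing_attrs_from_log(log: str, user: str) -> List[str]:
    """Attributes the backend reported as absent from the LDAP entry of `user`."""
    return [m.group(1) for m in NOT_AVAILABLE.finditer(log) if m.group(2) == user]


def diagnose(ldif: str, log: str, user: str) -> Dict[str, object]:
    """Combine cache contents and backend log into one picture of the lookup."""
    attrs = parse_ldif_record(ldif)
    original_dn = attrs.get("originalDN", [""])[0]
    return {
        "cached_ssh_keys": attrs.get("sshPublicKey", []),
        "backend_missing": missing_attrs_from_log(log, user),
        # originalDN is the LDAP DN the entry was fetched from; the part after
        # the user and container RDNs is the base to hand to ldapsearch -b.
        "fetched_from_compat_tree": ",cn=compat," in original_dn.lower(),
        "search_base": original_dn.split(",", 2)[-1] if original_dn else None,
    }
```

On a live host, replace the constants with the output of ldbsearch -H /var/lib/sss/db/cache_default.ldb name=admin and the contents of the sssd_default.log backend log.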
