[Freeipa-users] SSSD client (amazon linux) + IPA server (Redhat)

Gustavo Mateus gustavo.mateus at gmail.com
Sat Sep 19 13:32:40 UTC 2015


I've already included that in the IPA permissions. Anonymous access to
ipaSshPubKey is marked as public already; Read and Search are allowed.


On Sat, Sep 19, 2015 at 4:36 AM, Jakub Hrozek <jhrozek at redhat.com> wrote:

>
> > On 18 Sep 2015, at 19:17, Gustavo Mateus <gustavo.mateus at gmail.com> wrote:
> >
> > That only shows this:
> >
> > # extended LDIF
> > #
> > # LDAPv3
> > # base <cn=compat,dc=my,dc=domain,dc=com> with scope subtree
> > # filter: (&(uid=admin)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))
> > # requesting: ALL
> > #
> >
> > # admin, users, compat, my.domain.com
> > dn: uid=admin,cn=users,cn=compat,dc=my,dc=domain,dc=com
> > cn: Administrator
> > uidNumber: 1742200000
> > objectClass: posixAccount
> > objectClass: top
> > gidNumber: 1742200000
> > gecos: Administrator
> > loginShell: /bin/bash
> > homeDirectory: /home/admin
> > uid: admin
> >
>
> Since sshPublicKey is not listed here, the ACIs still prevent you from
> reading the attribute. You need to either bind as a user who has
> permissions to read it or make the public key world-readable (I don't think
> making it world-readable would be an issue since it's a pubkey)
>
> > # search result
> > search: 2
> > result: 0 Success
> >
> > # numResponses: 2
> > # numEntries: 1
> >
> > On Fri, Sep 18, 2015 at 1:40 AM, Jakub Hrozek <jhrozek at redhat.com> wrote:
> > On Thu, Sep 17, 2015 at 10:33:41AM -0700, Gustavo Mateus wrote:
> > > When I use id_provider=ipa I get:
> > >
> > > [sssd[be[default]]] [main] (0x0010): Could not initialize backend [2]
> >
> > Ah, I think they simply don't package the IPA backend.
> >
> > Time to file an RFE with Amazon? :-)
> >
> > >
> > >
> > > Adding a [ssh] section with just "debug_level = 10" in it, I get:
> > >
> > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [get_client_cred] (0x4000): Client creds: euid[1742200001] egid[1742200001] pid[6295].
> > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0xd34eb0][17]
> > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [accept_fd_handler] (0x0400): Client connected!
> > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0xd34eb0][17]
> > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Received client version [0].
> > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Offered version [0].
> > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0xd34eb0][17]
> > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0xd34eb0][17]
> > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ssh_cmd_parse_request] (0x0400): Requested domain [<ALL>]
> > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ssh_cmd_parse_request] (0x0400): Parsing name [admin][<ALL>]
> > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_parse_name] (0x0100): Domain not provided!
> > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_parse_name_for_domains] (0x0200): name 'admin' matched without domain, user is admin
> > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_ssh_cmd_get_user_pubkeys] (0x0400): Requesting SSH user public keys for [admin] from [<ALL>]
> > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_issue_request] (0x0400): Issuing request for [0x40aba0:1:admin@default]
> > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_get_account_msg] (0x0400): Creating request for [default][1][1][name=admin]
> > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sbus_add_timeout] (0x2000): 0xd32ba0
> > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_internal_get_send] (0x0400): Entering request [0x40aba0:1:admin@default]
> > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sbus_remove_timeout] (0x2000): 0xd32ba0
> > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sbus_dispatch] (0x4000): dbus conn: 0xd310f0
> > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sbus_dispatch] (0x4000): Dispatching.
> > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
> > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ssh_user_pubkeys_search_next] (0x0400): Requesting SSH user public keys for [admin@default]
> > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_parse_name] (0x0100): Domain not provided!
> > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Added timed event "ltdb_callback": 0xd3f3b0
> > >
> > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0xd3f470
> > >
> > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Running timer event 0xd3f3b0 "ltdb_callback"
> > >
> > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Destroying timer event 0xd3f470 "ltdb_timeout"
> > >
> > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Ending timer event 0xd3f3b0 "ltdb_callback"
> > >
> > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x40aba0:1:admin@default]
> > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0xd34eb0][17]
> > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0xd34eb0][17]
> > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [client_recv] (0x0200): Client disconnected!
> > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [client_destructor] (0x2000): Terminated client [0xd34eb0][17]
> > >
> > >
> > >
> > >
> > > ldbsearch shows this (ldbsearch -H /var/lib/sss/db/cache_default.ldb name=admin):
> > >
> > >
> > > asq: Unable to register control with rootdse!
> > > # record 1
> > > dn: name=admin,cn=users,cn=default,cn=sysdb
> > > createTimestamp: 1442509579
> > > fullName: Administrator
> > > gecos: Administrator
> > > gidNumber: 1742200000
> > > homeDirectory: /home/admin
> > > loginShell: /bin/bash
> > > name: admin
> > > objectClass: user
> > > uidNumber: 1742200000
> > > originalDN: uid=admin,cn=users,cn=compat,dc=my,dc=domain,dc=com
> > > originalModifyTimestamp: 20150829000451Z
> > > entryUSN: 1428
> > > lastUpdate: 1442509579
> > > dataExpireTimestamp: 1442514979
> > > distinguishedName: name=admin,cn=users,cn=default,cn=sysdb
> >
> > The communication between the ssh responder and the back end went fine.
> > I think I should have been more careful the first time around, looks
> > like the backend cannot find the attribute in LDAP (some ACI problems,
> > maybe?)
> >
> > From your earlier logs:
> > (Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): sshPublicKey is not available for [admin].
> >
> > You can run a similar query manually:
> > ldapsearch -x -H ldap://your.ipa.server -b cn=compat,dc=my,dc=domain,dc=com '(&(uid=admin)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))'
> >
> > Does that show the sshPublicKey?
> >
>
>
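The manual ldapsearch check in the thread is about telling two failure modes apart: the compat-tree entry not matching at all, versus the entry coming back with sshPublicKey stripped by the ACIs (which is what the LDIF above shows). The Python below is an added example, not code from the thread, SSSD or FreeIPA: it parses ldapsearch's LDIF output (comments, folded continuation lines, base64 `::` values, which is how the key attribute is usually emitted) and classifies the result; the two LDIF samples and the key value are constructed.

```python
import base64

# Constructed sample (not from the thread): anonymous ldapsearch of the compat
# tree when ACIs hide sshPublicKey; the entry comes back, the key does not.
ANON_RESULT = """\
dn: uid=admin,cn=users,cn=compat,dc=my,dc=domain,dc=com
objectClass: posixAccount
uidNumber: 1742200000
uid: admin

# search result
result: 0 Success
"""
# Same entry for a bind allowed to read the key: ldapsearch base64-encodes the
# value ("attr:: ...") and folds long lines with a leading space (constructed key).
_KEY = base64.b64encode(b"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedplaceholder admin@example").decode()
BOUND_RESULT = ANON_RESULT.replace(
    "uid: admin\n", "uid: admin\nsshPublicKey:: %s\n %s\n" % (_KEY[:40], _KEY[40:]))

def parse_ldif(text):
    """Entries as {attr: [values]}: skip comments, unfold folded lines, decode base64."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:  # continuation of the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines:
        if not line.strip():               # blank line terminates an entry
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, rest = line.partition(":")
        if line.startswith("#") or not rest:
            continue                       # comment or stray tool output
        if rest.startswith(": "):          # "attr:: <base64>"
            rest = base64.b64decode(rest[2:]).decode("utf-8", "replace")
        else:
            rest = rest[1:]
        current.setdefault(attr, []).append(rest)
    return entries + [current] if current else entries

def diagnose(ldif_text, uid):
    """'no-entry': base/filter problem; 'key-hidden': entry returned without
    sshPublicKey (ACI, or no key set); 'key-visible': this bind can read it."""
    hits = [e for e in parse_ldif(ldif_text) if uid in e.get("uid", [])]
    if not hits:
        return "no-entry"
    return "key-visible" if any(e.get("sshPublicKey") for e in hits) else "key-hidden"
```

Run it against real ldapsearch output (the anonymous `-x` query and the same query with `-D`/`-W` as a user allowed to read the key) to see which of the two bind identities SSSD would need.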