[Freeipa-users] FreeIPA - AD trust - SSH Public Keys

Taras Drach tsdrach at gmail.com
Thu Nov 3 14:35:30 UTC 2016


Hello everyone!

I want to implement the following scheme:

1. Use AD as the place for user management
2. Store SSH public keys in AD
3. Use FreeIPA as the sudo/HBAC provider for AD groups for authentication and authorisation on the Linux hosts
4. Use the trusts roadmap (I do not want to synchronise)

My configuration is:
AD domain - test.loc - windows server 2012 r2
IPA domain - ipa.test.loc - ipa-server 4.2.0 on centos 7 (ipa-server.x86_64        4.2.0-15.0.1.el7.centos.19  @updates)

At this moment everything is fine except SSH public keys.

I tried to use an override and it works fine (I can log in to a Linux host with an AD user with a public key), but I have to create a view in IPA for each user from AD. That is not my goal and it also creates inconveniences.

I found that there are several ways to achieve the desired configuration:
1. Extend the AD schema with an sshPublicKey attribute
2. Use the altSecurityIdentities attribute from AD

At this moment I can obtain the SSH public key from IPA for a user with
sss_ssh_authorizedkeys -d ipa.test.loc user or
sss_ssh_authorizedkeys user, because ipa.test.loc is the default domain

But I can't receive the key for an AD user using this command:
sss_ssh_authorizedkeys -d test.loc

At this moment I am trying to obtain the key via altSecurityIdentities, and I see this key in the sssd debug log when I run sss_ssh_authorizedkeys, but I cannot see the public key on stdout.
Here is the part of the log:
-
Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'dc01.test.loc' as 'working'
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_id_op_connect_done] (0x4000): notify connected to op #1
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [dc=test,dc=loc]
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_print_server] (0x2000): Searching 10.100.0.148
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=rr)(objectclass=user)(sAMAccountName=*)(objectSID=*))][dc=test,dc=loc].
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName]
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixUserPassword]
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos]
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixHomeDirectory]
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell]
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPrincipalName]
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [name]
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectGUID]
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectSID]
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [primaryGroupID]
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [whenChanged]
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged]
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires]
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl]
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [altSecurityIdentities]
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 5
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_op_add] (0x2000): New operation 5 timeout 6
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_id_op_connect_done] (0x4000): caching successful connection after 1 notifies
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [be_run_unconditional_online_cb] (0x0400): Running unconditional online callbacks.
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [be_run_online_cb] (0x0080): Going online. Running callbacks.
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_process_result] (0x2000): Trace: sh[0x7f48ff3d7440], connected[1], ops[0x7f48ff3d5ce0], ldap[0x7f48ff3bf360]
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=rr,CN=Users,DC=test,DC=loc].
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_parse_range] (0x2000): No sub-attributes for [whenChanged]
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_parse_range] (0x2000): No sub-attributes for [uSNChanged]
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_parse_range] (0x2000): No sub-attributes for [name]
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectGUID]
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_parse_range] (0x2000): No sub-attributes for [userAccountControl]
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_parse_range] (0x2000): No sub-attributes for [primaryGroupID]
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectSid]
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_parse_range] (0x2000): No sub-attributes for [accountExpires]
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_parse_range] (0x2000): No sub-attributes for [sAMAccountName]
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_parse_range] (0x2000): No sub-attributes for [userPrincipalName]
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_parse_range] (0x2000): No sub-attributes for [altSecurityIdentities]
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_process_result] (0x2000): Trace: sh[0x7f48ff3d7440], connected[1], ops[0x7f48ff3d5ce0], ldap[0x7f48ff3bf360]
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE]
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_get_generic_ext_add_references] (0x1000): Additional References: ldap://ForestDnsZones.test.loc/DC=ForestDnsZones,DC=test,DC=loc
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_process_result] (0x2000): Trace: sh[0x7f48ff3d7440], connected[1], ops[0x7f48ff3d5ce0], ldap[0x7f48ff3bf360]
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE]
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_get_generic_ext_add_references] (0x1000): Additional References: ldap://DomainDnsZones.test.loc/DC=DomainDnsZones,DC=test,DC=loc
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_process_result] (0x2000): Trace: sh[0x7f48ff3d7440], connected[1], ops[0x7f48ff3d5ce0], ldap[0x7f48ff3bf360]
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE]
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_get_generic_ext_add_references] (0x1000): Additional References: ldap://test.loc/CN=Configuration,DC=test,DC=loc
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_process_result] (0x2000): Trace: sh[0x7f48ff3d7440], connected[1], ops[0x7f48ff3d5ce0], ldap[0x7f48ff3bf360]
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_op_destructor] (0x2000): Operation 5 finished
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [generic_ext_search_handler] (0x4000): Request included referrals which were ignored.
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [generic_ext_search_handler] (0x4000):     Ref: ldap://ForestDnsZones.test.loc/DC=ForestDnsZones,DC=test,DC=loc
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [generic_ext_search_handler] (0x4000):     Ref: ldap://DomainDnsZones.test.loc/DC=DomainDnsZones,DC=test,DC=loc
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [generic_ext_search_handler] (0x4000):     Ref: ldap://test.loc/CN=Configuration,DC=test,DC=loc
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_search_user_process] (0x0400): Search for users, returned 1 results.
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_search_user_process] (0x4000): Retrieved total 1 users
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [ldb] (0x4000): start ldb transaction (nesting: 0)
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_save_user] (0x0400): Save user
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_get_primary_name] (0x0400): Processing object rr at test.loc
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_save_user] (0x0400): Processing user rr at test.loc
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_save_user] (0x1000): Mapping user [rr at test.loc] objectSID [S-1-5-21-237804563-1161820721-801220523-1106] to unix ID
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_save_user] (0x2000): Adding originalDN [CN=rr,CN=Users,DC=test,DC=loc] to attributes of [rr at test.loc].
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_save_user] (0x0400): Original memberOf is not available for [rr at test.loc].
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original mod-Timestamp [20161103142350.0Z] to attributes of [rr at test.loc].
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_save_user] (0x0400): Adding user principal [rr at SLT.LOC] to attributes of [rr at test.loc].
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowLastChange is not available for [rr at test.loc].
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowMin is not available for [rr at test.loc].
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowMax is not available for [rr at test.loc].
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowWarning is not available for [rr at test.loc].
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowInactive is not available for [rr at test.loc].
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowExpire is not available for [rr at test.loc].
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowFlag is not available for [rr at test.loc].
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_attrs_add_ldap_attr] (0x2000): krbLastPwdChange is not available for [rr at test.loc].
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_attrs_add_ldap_attr] (0x2000): krbPasswordExpiration is not available for [rr at test.loc].
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_attrs_add_ldap_attr] (0x2000): pwdAttribute is not available for [rr at test.loc].
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_attrs_add_ldap_attr] (0x2000): authorizedService is not available for [rr at test.loc].
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding adAccountExpires [9223372036854775807] to attributes of [rr at test.loc].
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding adUserAccountControl [66048] to attributes of [rr at test.loc].
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_attrs_add_ldap_attr] (0x2000): nsAccountLock is not available for [rr at test.loc].
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_attrs_add_ldap_attr] (0x2000): authorizedHost is not available for [rr at test.loc].
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_attrs_add_ldap_attr] (0x2000): ndsLoginDisabled is not available for [rr at test.loc].
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_attrs_add_ldap_attr] (0x2000): ndsLoginExpirationTime is not available for [rr at test.loc].
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_attrs_add_ldap_attr] (0x2000): ndsLoginAllowedTimeMap is not available for [rr at test.loc].
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_attrs_add_ldap_attr] (0x2000): sshPublicKey is not available for [rr at test.loc].
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_attrs_add_ldap_attr] (0x2000): authType is not available for [rr at test.loc].
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_attrs_add_ldap_attr] (0x2000): userCertificate is not available for [rr at test.loc].
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding altSecurityIdentities [ssh-rsa\20AAAAB3NzaC1yc2EAAAADAQABAAABAQDQydFCKx/r5idp3U0EY0fMJdu0eHNuIc6xvZudQJm/mbf3TflLNH+mj/Jr7yQaPj0C6z7V8my+D0f6JK1cCntxfhLQto92xUZhhKoLHVO34f5DhC5etqZ4EtaD6j9QuXYc5U8GovHgzmdH+JSeIOSpSqFzTkFR6sSmhjypfCDPCP8JKHxwI9LJvfgCRv0qKJBjELhUpZYUW3Mrcpp+bJcX8Iuz0QPDkO2VdqIcwapC+h6AhdH+Sm6PjG8FplH6/5SDlQ2LOVTnY4xMuS48RXzgtJImN+o7syrxjPTQU5/PWXiIH/Hawa6n75kREv6B4AHtQKxqDoxhNdzQ1+xiLs4H\20user at test.loc] to attributes of [rr at test.loc].
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sysdb_attrs_get_aliases] (0x2000): Domain is case-insensitive; will add lowercased aliases
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_save_user] (0x0400): Storing info for user rr at test.loc
(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [ldb] (0x4000): start ldb transaction (nesting: 1)


Here is my sssd.conf for the IPA domain

[domain/ipa.test.loc]
debug_level = 0xfff0

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ipa.test.loc
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa42.ipa.test.loc
chpass_provider = ipa
ipa_server = ipa42.ipa.test.loc
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
create_homedir = True
ldap_user_extra_attrs = altSecurityIdentities:altSecurityIdentities
ldap_user_ssh_public_key = altSecurityIdentities
ldap_id_mapping = False

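A check a practitioner would run on the log above before blaming the provider, as an added example that is not part of the original post: pull the altSecurityIdentities value out of the SSSD debug line, undo the `\20` escaping (a hex escape for the space byte, an assumption about the log format), and verify the result is a well-formed OpenSSH public key whose base64 blob decodes and whose wire-format type matches the declared type. The log line and the ssh-rsa blob used as input are constructed with toy-sized numbers, not the poster's real key.

```python
import base64
import re
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes in SSH wire format: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def mpint(n: int) -> bytes:
    """Encode a positive integer as an SSH mpint (leading zero byte if top bit set)."""
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def unescape_ldap_value(value: str) -> str:
    """Turn the \\XX hex escapes seen in the SSSD debug log back into characters."""
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def extract_alt_security_identities(log_line: str):
    """Return the unescaped altSecurityIdentities value from a debug line, or None."""
    m = re.search(r"Adding altSecurityIdentities \[(.*)\] to attributes of", log_line)
    return unescape_ldap_value(m.group(1)) if m else None


def parse_openssh_pubkey(line: str) -> dict:
    """Validate an authorized_keys style line: '<type> <base64> [comment]'."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        return {"ok": False, "reason": "expected '<type> <base64> [comment]'"}
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        return {"ok": False, "type": key_type, "reason": f"bad base64: {exc}"}
    if len(blob) < 4:
        return {"ok": False, "type": key_type, "reason": "blob too short"}
    (tlen,) = struct.unpack(">I", blob[:4])
    wire_type = blob[4:4 + tlen]
    if wire_type != key_type.encode():  # declared type must match the blob's own type
        return {"ok": False, "type": key_type, "reason": f"wire type {wire_type!r} != {key_type}"}
    return {"ok": True, "type": key_type, "comment": comment}


def check_log_line(log_line: str) -> dict:
    """Extract the key from a debug line and validate it as an OpenSSH public key."""
    value = extract_alt_security_identities(log_line)
    if value is None:
        return {"ok": False, "reason": "no altSecurityIdentities value in line"}
    return parse_openssh_pubkey(value)


# Constructed sample: a structurally valid ssh-rsa blob (toy numbers, not a real key)
# wrapped in the same log line shape as the poster's debug output.
SAMPLE_BLOB = ssh_string(b"ssh-rsa") + mpint(65537) + mpint(0xC0FFEE1234567)
SAMPLE_B64 = base64.b64encode(SAMPLE_BLOB).decode()
SAMPLE_LOG_LINE = (
    "(Thu Nov  3 14:24:33 2016) [sssd[be[ipa.test.loc]]] [sdap_attrs_add_ldap_attr] (0x2000): "
    "Adding altSecurityIdentities [ssh-rsa\\20" + SAMPLE_B64
    + "\\20user@test.loc] to attributes of [rr@test.loc]."
)

if __name__ == "__main__":
    print(check_log_line(SAMPLE_LOG_LINE))
```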



