[Freeipa-users] Error looking up public keys

Sumit Bose sbose at redhat.com
Fri Oct 7 07:20:23 UTC 2016


On Thu, Oct 06, 2016 at 09:55:30PM +0100, Alessandro De Maria wrote:
> The workaround worked, thank you!

Great, glad I could help.

bye,
Sumit

> 
> On 6 Oct 2016 5:09 pm, "Sumit Bose" <sbose at redhat.com> wrote:
> 
> > On Thu, Oct 06, 2016 at 03:48:10PM +0100, Alessandro De Maria wrote:
> > > Hello,
> > >
> > > We are moving some of our servers to use 16.04 and for all new installs I
> > > have noticed that I am unable to fetch the ssh_authorized keys from the
> > > server.
> > >
> > > /usr/bin/sss_ssh_authorizedkeys --debug 10 -d prod.zzzzzzz.com ademaria
> > > (Thu Oct  6 11:29:59:823635 2016) [/usr/bin/sss_ssh_authorizedkeys] [main]
> > > (0x0020): sss_ssh_get_ent() failed (14): Bad address
> > > Error looking up public keys
> > >
> > > This only happens on Ubuntu 16.04. We have a number of 12.04 that work
> > > perfectly.
> > >
> > > The configuration seems ok or at least matches the one on 12.04.
> > > I increased the debug level on sssd and sss_ssh and this is the output I get
> >
> > ...
> >
> > > (Thu Oct  6 15:42:01 2016) [sssd[ssh]] [cert_to_ssh_key] (0x0040):
> > > NSS_InitContext failed [-8015].
> > > (Thu Oct  6 15:42:01 2016) [sssd[ssh]] [decode_and_add_base64_data]
> > > (0x0040): cert_to_ssh_key failed.
> > > (Thu Oct  6 15:42:01 2016) [sssd[ssh]] [ssh_cmd_build_reply] (0x0040):
> > > decode_and_add_base64_data failed.
> > > (Thu Oct  6 15:42:01 2016) [sssd[ssh]] [ssh_cmd_done] (0x0020): Fatal
> > > error, killing connection!
> >
> > ...
> >
> > Newer versions of SSSD can derive ssh-keys from valid X.509 certificates
> > stored in the LDAP entry of the user. Unfortunately it looks like
> > your build of SSSD needs a fix for
> > https://fedorahosted.org/sssd/ticket/2977. Please open a ticket for your
> > distribution to include the patch for this issue which is linked at the
> > end of the ticket.
> >
> > As a workaround you can set 'ldap_user_certificate = noSuchAttribute' in
> > the [domain/...] section of sssd.conf. This should prevent SSSD from
> > reading the certificate stored in the user entry. After changing
> > sssd.conf you should invalidate the cache by calling 'sss_cache -E' and
> > restart SSSD.
> >
> > HTH
> >
> > bye,
> > Sumit
> >
> > >
> > > Could you help me understand what is the issue with it?
> > >
> > > Regards
> > > Alessandro
> > >
> > > --
> > > Alessandro De Maria
> > > alessandro.demaria at gmail.com
> >
> > > --
> > > Manage your subscription for the Freeipa-users mailing list:
> > > https://www.redhat.com/mailman/listinfo/freeipa-users
> > > Go to http://freeipa.org for more info on the project
> >
> >
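
The workaround from Sumit's reply, as an added shell example (not part of the original thread and not SSSD's own tooling): it checks a responder log for the failure quoted above and sets the option in every [domain/...] section of a config file. The function names and the sample config are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Function names and the sample config are constructed.

# Return 0 if LOGFILE shows the failure quoted in the thread: the ssh
# responder failing in cert_to_ssh_key after NSS_InitContext failed.
has_cert_to_ssh_key_failure() {
    grep -q 'NSS_InitContext failed' "$1" &&
        grep -q 'cert_to_ssh_key failed' "$1"
}

# Put 'ldap_user_certificate = noSuchAttribute' directly under every
# [domain/...] header of CONF and drop any other value of that option in
# those sections. Other sections are untouched; repeated runs give the
# same file.
apply_cert_workaround() {
    conf=$1
    tmp=$(mktemp) || return 1
    awk '
        /^[ \t]*\[/ {
            in_domain = ($0 ~ /^[ \t]*\[domain\//)
            print
            if (in_domain) print "ldap_user_certificate = noSuchAttribute"
            next
        }
        in_domain && /^[ \t]*ldap_user_certificate[ \t]*=/ { next }
        { print }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Write back through the existing file so its owner and mode are kept.
    cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# Demo on a constructed config: sh thisfile demo
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '[sssd]' 'services = nss, pam, ssh' '' \
        '[domain/example.test]' 'id_provider = ipa' '' '[ssh]' > "$d/sssd.conf"
    apply_cert_workaround "$d/sssd.conf" && cat "$d/sssd.conf"
    rm -rf "$d"
}
if [ "${1:-}" = demo ]; then demo; fi
# On the real host, follow with the steps from the thread:
# 'sss_cache -E', then restart SSSD.
```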



