[Freeipa-users] cannot ssh in (sss_ssh_authorizedkeys returned status 1) ??

lejeczek peljasz at yahoo.co.uk
Fri Oct 21 19:39:43 UTC 2016



On 21/10/16 14:11, Sumit Bose wrote:
> On Fri, Oct 21, 2016 at 01:55:19PM +0100, lejeczek wrote:
>> hi all
>>
>> I cannot ssh from a boxA (ipa-server-4.2.0-15.sl7_2.19.x86_64) to a boxB
>> (ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64).
>> I realize that assuming version differences cause it is a bit silly, but
>> nothing changed except the update of boxB's IPA a day before the problem occurred.
>> Also, there is a boxC (ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64) (so
>> boxB == boxC IPA-wise) which does ssh in fine.
>> The other way around, boxB to boxA, ssh works.
>> Logs are pretty quiet, I merely see:
>>
>> error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned status 1
>>
>> and I'm not sure that appears at the time of the login attempt.
>> I do:
>> boxA$ ssh boxB
>> Connection closed by UNKNOWN
>>
>> ps. boxA is not banned nor blocked by any tcp/ip means.
>>
>> many thanks for any help!
> Which version of SSSD is running? Do you have user certificates stored
> in IPA? In this case you might hit

all three boxes run sssd-1.13.0-40.el7_2.12.x86_64

but there is something weird going on with boxA (ipa-server-4.2.0-15.sl7_2.19.x86_64):
for a while when IPA started all seems ok, but later, actually quite soon:

$ ipa dnszone-find
ipa: ERROR: Kerberos error: Kerberos error: ('Unspecified GSS failure.  Minor code may provide more information', 851968)/('KDC returned error string: PROCESS_TGS', -1765328324)/

and I realize dirsrv "crashes" earlier

  slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)
  slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials)
  slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)
  slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials)
  NSMMReplicationPlugin - agmt="cn=meTodzien.private.xxxx.xxx.private.xxx.xx.xx" (dzien:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context)
  NSMMReplicationPlugin - CleanAllRUV Task (rid 38): Replica not online (agmt="cn=meTodzien.private.xxxx.xxx.private.xxx.xx.xx" (dzien:389))
  NSMMReplicationPlugin - CleanAllRUV Task (rid 38): Not all replicas online, retrying in 20 seconds...

which is boxB (ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64), but I can query that boxB from boxA manually:

$ ldapsearch -LLL -D "cn=directory manager" -b cn=config -p 389 -h boxB -W = results OK.

what's wrong with boxA?


> https://bugzilla.redhat.com/show_bug.cgi?id=1372042
> https://fedorahosted.org/sssd/ticket/2977
>
> If there are no updates with a fix available you might want to set
>
>      ldap_user_certificate = noSuchSttribute
>
> in the [domain/...] section of sssd.conf to tell SSSD to not read the
> certificates from the server. As an alternative you can add all CA
> certificates needed to validate the user certificates properly to
> /etc/pki/nssdb.
>
> HTH
>
> bye,
> Sumit
>
>> L.
>>
>> -- 
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
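The sshd symptom at the top of the thread and Sumit's sssd.conf workaround, as an added Python example that is not part of the mailing-list exchange. It scans sshd log lines for a non-zero AuthorizedKeysCommand exit status, and checks or applies the `ldap_user_certificate` setting in every `[domain/...]` section of an sssd.conf. The sssd.conf and the log lines are constructed for the example, and the attribute name `noSuchAttribute` is an assumption: any name absent from the LDAP schema serves the same purpose.

```python
"""Two checks for the failure discussed in the thread (added example, not
part of the mailing-list exchange): spot sshd's AuthorizedKeysCommand
failure in log lines, and check/apply the sssd.conf workaround of pointing
ldap_user_certificate at an attribute that does not exist.
All sample data below is constructed for the example."""
import configparser
import io
import re

# Any attribute name absent from the LDAP schema works; this one is an assumption.
WORKAROUND_ATTRIBUTE = "noSuchAttribute"

# Constructed sssd.conf modelled on an IPA client domain section.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = example.test
services = nss, pam, ssh, sudo
config_file_version = 2

[domain/example.test]
id_provider = ipa
ipa_server = boxB.example.test
ipa_domain = example.test
cache_credentials = True

[ssh]
"""

# Constructed sshd log lines; the error text is the one quoted in the thread.
SAMPLE_SSHD_LOG = [
    "Oct 21 13:50:01 boxB sshd[2345]: error: AuthorizedKeysCommand "
    "/usr/bin/sss_ssh_authorizedkeys returned status 1",
    "Oct 21 13:50:01 boxB sshd[2345]: Connection closed by UNKNOWN",
    "Oct 21 13:52:10 boxB sshd[2360]: Accepted publickey for alice "
    "from 192.0.2.10 port 50022 ssh2",
]

_AKC_RE = re.compile(r"AuthorizedKeysCommand (?P<cmd>\S+) returned status (?P<status>\d+)")


def authorized_keys_failures(log_lines):
    """Return (command, exit status) for every AuthorizedKeysCommand that
    exited non-zero. A non-zero status means sshd received no keys from
    SSSD for that login, so public-key authentication cannot succeed."""
    failures = []
    for line in log_lines:
        m = _AKC_RE.search(line)
        if m and int(m.group("status")) != 0:
            failures.append((m.group("cmd"), int(m.group("status"))))
    return failures


def parse_sssd_conf(text):
    """sssd.conf is INI-style: [sections], key = value, '#' comments."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(text)
    return cp


def domain_sections(cp):
    """Only [domain/...] sections carry provider options such as ldap_user_certificate."""
    return [s for s in cp.sections() if s.startswith("domain/")]


def workaround_status(conf_text):
    """Map each [domain/...] section to True when ldap_user_certificate is
    set to a non-empty value, i.e. the workaround (or an explicit choice) is in place."""
    cp = parse_sssd_conf(conf_text)
    return {
        s: cp.get(s, "ldap_user_certificate", fallback="").strip() != ""
        for s in domain_sections(cp)
    }


def apply_workaround(conf_text, attribute=WORKAROUND_ATTRIBUTE):
    """Return conf_text with ldap_user_certificate set in every [domain/...]
    section that does not already set it; existing values are left alone."""
    cp = parse_sssd_conf(conf_text)
    for s in domain_sections(cp):
        if not cp.has_option(s, "ldap_user_certificate"):
            cp.set(s, "ldap_user_certificate", attribute)
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


if __name__ == "__main__":
    print("sshd failures:", authorized_keys_failures(SAMPLE_SSHD_LOG))
    print("before:", workaround_status(SAMPLE_SSSD_CONF))
    fixed = apply_workaround(SAMPLE_SSSD_CONF)
    print("after: ", workaround_status(fixed))
    print(fixed)
```

The workaround stops SSSD reading user certificates at all, so it is a stopgap until a fixed SSSD package is installed; the alternative Sumit names, adding the CA certificates needed to validate the user certificates to /etc/pki/nssdb, keeps certificate lookup working. The regex above only recognises the exact sshd error text quoted in the thread, so adapt it if the local sshd logs differ.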
