[Freeipa-users] Certificate Access issue

Lukas Slebodnik lslebodn at redhat.com
Mon Mar 20 15:14:47 UTC 2017


On (20/03/17 16:39), Alexander Bokovoy wrote:
>On Mon, 20 Mar 2017, Artem Golubev wrote:
>> Good day!
>> 
>> We use freeipa server 4.3.1, we usually grant access via ssh keys to linux
>> clients.
>> We currently face the following issue with access on certificate: when we
>> add a certificate to a user's account, the user is not able to log in via ssh.
>> How can we solve this problem? We would like to have a possibility to
>> access linux clients via ssh keys and access to other resources using
>> certificates.
>You need to provide logs, obviously. Start with level 3 debug logs in
>sshd, and debug_level=9 in sssd. Also show the user's entry (as in 'ipa
>user-show --raw --all username').
>
>When you access SSH with ssh keys, SSSD is involved in the account and
>session phases of PAM authentication. This means either the user does not
>exist to sshd (it would then not exist at the system level at all) or
>something prevents the session phase from succeeding. In the session phase,
>SSSD does verify HBAC rules, for example.
>
>See https://fedorahosted.org/sssd/wiki/Troubleshooting for
>troubleshooting instructions.
>
The most important thing is to know the version of sssd,
because one related bug is already fixed.
https://pagure.io/SSSD/sssd/issue/2977

LS



