[Freeipa-users] Certificate Access issue

Artem Golubev artem.golubev at expcapital.com
Tue Mar 21 14:08:24 UTC 2017


We use sssd version 1.13.4 on our Linux clients.
A user from IPA successfully authorizes on a Linux client via ssh without a
certificate. But then if we add a certificate, the connection gets lost.
Please find the logs in the attached files.
Thank you in advance.

*Artem Golubev*
System Administrator
*(exp)capital limited*

On 20 March 2017 at 18:14, Lukas Slebodnik <lslebodn at redhat.com> wrote:

> On (20/03/17 16:39), Alexander Bokovoy wrote:
> >On Mon, 20 Mar 2017, Artem Golubev wrote:
> >> Good day!
> >>
> >> We use freeipa server 4.3.1, we usually grant access via ssh keys to
> >> linux clients.
> >> We currently face the following issue with access on certificate: when
> >> we add a certificate to a user's account, the user is not able to log in
> >> via ssh.
> >> How can we solve this problem? We would like to have a possibility to
> >> access linux clients via ssh keys and access to other resources using
> >> certificates.
> >You need to provide logs, obviously. Start with level 3 debug logs in
> >sshd, and debug_level=9 in sssd. Also show user's entry (as in 'ipa
> >user-show --raw --all username').
> >
> >When you access SSH with ssh keys, SSSD is involved in the account and
> >session phases of PAM authentication. This means either the user does not
> >exist to sshd (it would then not exist at the system level at all) or
> >something prevents the session phase from succeeding. In the session phase
> >SSSD does verify HBAC rules, for example.
> >
> >See https://fedorahosted.org/sssd/wiki/Troubleshooting for
> >troubleshooting instructions.
> >
> The most important thing is to know the version of sssd,
> because one related bug is already fixed.
> https://pagure.io/SSSD/sssd/issue/2977
>
> LS
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sshd_log
Type: application/octet-stream
Size: 375 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20170321/d75b9d18/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sssd_ssh_log
Type: application/octet-stream
Size: 2766 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20170321/d75b9d18/attachment-0001.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: user-show
Type: application/octet-stream
Size: 3212 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20170321/d75b9d18/attachment-0002.obj>

