Hello, good people of FreeIPA-users,

Short version:

I've run into an issue where SSH public key authentication doesn't work on 
the FreeIPA client. When I run `sss_ssh_authorizedkeys <fully-qualified_user>` 
on the client, there is a brief hang (10-15 seconds, maybe?) and then it 
returns nothing. The same command run on the FreeIPA server does, however, 
correctly return the user's public key.

Long version:

The server is FreeIPA 4.6.4 on CentOS 7 (all packages up to date) with a 
one-way trust to Active Directory. The client is the ipa-server package version 
4.7.0 on Ubuntu 18.04. I added a user to the "Default Trust View" override and 
pasted in the public key.

The AD trust and client configuration seem to be working for the most part 
since I can log into the client with my AD username and password. It's just SSH 
public key authentication that doesn't work. As mentioned above, the 
`sss_ssh_authorizedkeys` command runs successfully on the server but not on the 
client.

From the client logs, it looks like the client is having trouble communicating 
with the server somehow. I don't see anything that looks like errors in the 
server logs. A sanitized version of the client logs at debug_level 4 is here: 
https://paste.fedoraproject.org/paste/y3nyxeb13wZMzaQNemhCNQ The sssd.conf from 
the client is here: 
https://paste.fedoraproject.org/paste/SK3qx0EcF19ggtrmssYZnw I can provide more 
detailed logs to individuals.

I double-checked the firewalls on both the client and server and it looks to me 
like all the necessary ports are open on both sides.

I have done a bunch of Googling and reading of documentation but nothing so far 
has led me in the right direction. This is something that *was* working just 
fine on a test deployment a few weeks ago. As far as I can tell, everything is 
set up the same. Is there any other information I can provide?

Thanks,
Charles