On Wed, Mar 06, 2019 at 11:24:20PM -0000, Charles Ulrich via FreeIPA-users wrote:
> Hello, good people of FreeIPA-users,
>
> Short version:
>
> I've run into an issue where SSH public key authentication doesn't work on
> the FreeIPA client. When I run `sss_ssh_authorizedkeys
> <fully-qualified_user>` on the client, there is a brief hang (10-15 seconds,
> maybe?) and then it returns nothing. The same command run on the FreeIPA
> server does, however, correctly return the user's public key.
>
> Long version:
>
> The server is FreeIPA 4.6.4 on CentOS 7 (all packages up to date) with a
> one-way trust to Active Directory. The client is the ipa-server package
> version 4.7.0 on Ubuntu 18.04. I added a user to the "Default Trust View"
> override and pasted in the public key.
>
> The AD trust and client configuration seem to be working for the most part
> since I can log into the client with my AD username and password. It's just
> SSH public key authentication that doesn't work. As mentioned above, the
> `sss_ssh_authorizedkeys` command runs successfully on the server but not on
> the client.
>
> From the client logs, it looks like the client is having trouble
> communicating with the server somehow. I don't see anything that looks like
> errors in the server logs. A sanitized version of the client logs at
> debug_level 4 is here:
> https://paste.fedoraproject.org/paste/y3nyxeb13wZMzaQNemhCNQ
> The sssd.conf from the client is here:
> https://paste.fedoraproject.org/paste/SK3qx0EcF19ggtrmssYZnw
> I can provide more detailed logs to individuals.
In the log snippet the client runs into a timeout; the IPA server didn't send a
reply for 6s. Since you say that you can authenticate in general on the client,
I guess this might only be a temporary error because e.g. the server had to
refresh its own cache. But you can try to increase ldap_search_timeout in
sssd.conf, see man sssd-ldap for details.

In case you are using 'full_name_format = %1$s' in sssd.conf on the IPA servers
as well, please remove it; this option is not supported on IPA servers.

bye,
Sumit

> I double-checked the firewalls on both the client and server and it looks to
> me like all the necessary ports are open on both sides.
>
> I have done a bunch of Googling and reading of documentation but nothing so
> far has led me in the right direction. This is something that *was* working
> just fine on a test deployment a few weeks ago. As far as I can tell,
> everything is set up the same. Is there any other information I can provide?
>
> Thanks,
> Charles
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
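The two configuration points raised in the reply above (the 6-second default of `ldap_search_timeout` that matches the observed hang, and `full_name_format` being unsupported in an IPA server's own sssd.conf) lend themselves to a small lint. The following is an added example, not code from the thread or from the SSSD project: it parses an sssd.conf text and reports, per domain section, whether `full_name_format` is set while `ipa_server_mode = True`, and whether `ldap_search_timeout` is still at (or below) the sssd-ldap(5) default of 6 seconds. The two sample configurations are constructed for the example and are not the poster's pasted sssd.conf; the domain name `example.test` and the chosen timeout of 30 seconds are assumptions.

```python
import configparser

# sssd-ldap(5) documents 6 seconds as the default for ldap_search_timeout.
DEFAULT_LDAP_SEARCH_TIMEOUT = 6

# Constructed sample: an IPA *server* sssd.conf carrying both settings the
# reply warns about (values assumed for the example, not from the thread).
SAMPLE_SERVER_CONF_BAD = """
[sssd]
services = nss, pam, ssh
domains = example.test

[domain/example.test]
id_provider = ipa
ipa_server_mode = True
full_name_format = %1$s
"""

# Constructed sample: the same section with full_name_format removed and a
# raised search timeout (30s is an assumed value, tune to your environment).
SAMPLE_SERVER_CONF_FIXED = """
[sssd]
services = nss, pam, ssh
domains = example.test

[domain/example.test]
id_provider = ipa
ipa_server_mode = True
ldap_search_timeout = 30
"""


def parse_sssd_conf(text):
    """Parse sssd.conf-style INI text.

    interpolation=None is essential: sssd values such as '%1$s' would
    otherwise trip configparser's '%' interpolation.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def _is_true(value):
    return value.strip().lower() in ("true", "1", "yes")


def check_domain(section):
    """Return a list of finding strings for one [domain/...] section."""
    findings = []
    is_ipa_server = (
        section.get("id_provider", "").strip().lower() == "ipa"
        and _is_true(section.get("ipa_server_mode", "false"))
    )
    # full_name_format is not supported in the sssd.conf of an IPA server.
    if is_ipa_server and "full_name_format" in section:
        findings.append(
            "full_name_format is set but not supported when ipa_server_mode = True"
        )
    # A search timeout at the default explains a ~6s stall before an empty
    # sss_ssh_authorizedkeys result; raising it is the reply's suggestion.
    timeout = int(section.get("ldap_search_timeout", DEFAULT_LDAP_SEARCH_TIMEOUT))
    if timeout <= DEFAULT_LDAP_SEARCH_TIMEOUT:
        findings.append(
            f"ldap_search_timeout is {timeout}s (default {DEFAULT_LDAP_SEARCH_TIMEOUT}s); "
            "consider raising it if lookups time out"
        )
    return findings


def lint_sssd_conf(text):
    """Map each domain section name to its list of findings."""
    cp = parse_sssd_conf(text)
    return {
        name: check_domain(cp[name])
        for name in cp.sections()
        if name.startswith("domain/")
    }


if __name__ == "__main__":
    for label, conf in (("bad", SAMPLE_SERVER_CONF_BAD), ("fixed", SAMPLE_SERVER_CONF_FIXED)):
        print(f"== {label} ==")
        for domain, findings in lint_sssd_conf(conf).items():
            print(domain, "->", findings or ["no findings"])
```

Run it against `/etc/sssd/sssd.conf` on the server and on the client separately; on a client (no `ipa_server_mode`) only the timeout check applies, and a flagged default timeout is a hint to raise the value as the reply suggests, not proof of a misconfiguration.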