Greetings,

I am implementing FreeIPA in a large environment to replace OpenLDAP. I have 
the initial client configuration scripted as the machines are diskless and 
almost everything is working properly. However I cannot seem to get FreeIPA 
managed user ssh keys working with sssd. I have been reading for a couple of 
days and haven't found the answer as of yet. Here is what I have discerned to 
be pertinent information. I will gladly add anything else that's necessary. 
Running 'sss_ssh_authorizedkeys markp --debug 10' produces no output at all 
and no errors. I cannot ssh between hosts without entering a password or using 
authorized_keys.

'journalctl -u sssd' shows:

Feb 28 11:38:40 hud9 sssd_be[3345]: GSSAPI client step 1
Feb 28 11:38:40 hud9 sssd_be[3345]: GSSAPI client step 1
Feb 28 11:38:40 hud9 sssd_be[3345]: GSSAPI client step 1
Feb 28 11:38:40 hud9 sssd_be[3345]: GSSAPI client step 2

OS: CentOS 7.4 
Packages: ipa-client-4.6.5-11.el7.centos.4.x86_64 sssd-1.16.4-21.el7_7.1.x86_64

sssd.conf:

[domain/example.com]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = host.example.com
chpass_provider = ipa
ipa_server = ipaserver.example.com
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
config_file_version = 2
services = nss, sudo, pam, ssh

domains = example.com
[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

[secrets]

[session_recording]

openldap/ldap.conf

# File modified by ipa-client-install

TLS_CACERTDIR   /etc/openldap/certs

# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON    on
URI ldaps://ipaserver.example.com
BASE dc=dugeo,dc=com
TLS_CACERT /etc/ipa/ca.crt
SASL_MECH GSSAPI

krb5.conf

#File modified by ipa-client-install

includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = EXAMPLE.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  dns_canonicalize_hostname = false
  ticket_lifetime = 24h
  forwardable = true
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}


[realms]
  EXAMPLE.COM = {
    kdc = ipaserver.example.com:88
    master_kdc = ipaserver.example.com:88
    admin_server = ipaserver.example.com:749
    kpasswd_server = ipaserver.example.com:464
    default_domain = example.com
    pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
    pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem

  }


[domain_realm]
  .example.com = EXAMPLE.COM
  example.com = EXAMPLE.COM
  host.example.com = EXAMPLE.COM

I am hoping there's something simple that I am missing here, something I've 
overlooked or managed to just suck at library skills. Thanks in advance for any 
help.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
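A check for the half of the setup the post does not show, added here as an example and not part of the original message: sshd only asks sssd for a user's keys when sshd_config has AuthorizedKeysCommand pointing at sss_ssh_authorizedkeys (with AuthorizedKeysCommandUser set), so a silent sss_ssh_authorizedkeys is worth testing alongside that file. The default paths and the sample files below are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): verify both halves of the
# sss_ssh_authorizedkeys wiring, the sssd ssh responder and the sshd side.
# Default paths are the CentOS 7 locations (assumed); pass others as arguments.

# drop comments and surrounding whitespace so keywords match reliably
cfg_lines() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# exit 0 when "ssh" is listed in "services =" under [sssd]
sssd_ssh_enabled() {
    cfg_lines "$1" | awk '
        /^\[/ { sect = $0 }
        sect == "[sssd]" && /^services[ \t]*=/ {
            sub(/^services[ \t]*=/, "")
            if ($0 ~ /(^|[ ,])ssh([ ,]|$)/) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# exit 0 when sshd will run sss_ssh_authorizedkeys (keywords are
# case-insensitive, as in sshd; sshd will not run the command without a user)
sshd_uses_sss() {
    cfg_lines "$1" | awk '
        tolower($1) == "authorizedkeyscommand" && $2 ~ /sss_ssh_authorizedkeys/ { cmd = 1 }
        tolower($1) == "authorizedkeyscommanduser" && $2 != "" { usr = 1 }
        END { exit ((cmd && usr) ? 0 : 1) }'
}

# report both checks; returns 0 only when both pass
check_ssh_integration() {
    rc=0
    if sssd_ssh_enabled "${1:-/etc/sssd/sssd.conf}"; then echo "ok: sssd ssh responder enabled"
    else echo "missing: add ssh to 'services =' under [sssd]"; rc=1; fi
    if sshd_uses_sss "${2:-/etc/ssh/sshd_config}"; then echo "ok: sshd calls sss_ssh_authorizedkeys"
    else echo "missing: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys + AuthorizedKeysCommandUser nobody"; rc=1; fi
    return $rc
}

# constructed samples: an sssd.conf like the post's, and an sshd_config whose
# AuthorizedKeysCommand line is commented out; prints the directory they live in
write_samples() {
    dir=$(mktemp -d)
    printf '[sssd]\nconfig_file_version = 2\nservices = nss, sudo, pam, ssh\ndomains = example.com\n[ssh]\n' > "$dir/sssd.conf"
    printf 'PasswordAuthentication yes\n# AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n' > "$dir/sshd_config"
    echo "$dir"
}
```

Run `check_ssh_integration` with no arguments on the affected host; on the constructed samples it reports the sssd side as fine and the sshd side as missing.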