Greetings, I am implementing FreeIPA in a large environment to replace OpenLDAP. I have the initial client configuration scripted, as the machines are diskless, and almost everything is working properly. However, I cannot seem to get FreeIPA-managed user ssh keys working with sssd. I have been reading for a couple of days and haven't found the answer yet. Here is what I have discerned to be the pertinent information; I will gladly add anything else that's necessary. Running 'sss_ssh_authorizedkeys markp --debug 10' produces no output at all and no errors. I cannot ssh between hosts without entering a password or using authorized_keys.
'journalctl -u sssd' shows:

    Feb 28 11:38:40 hud9 sssd_be[3345]: GSSAPI client step 1
    Feb 28 11:38:40 hud9 sssd_be[3345]: GSSAPI client step 1
    Feb 28 11:38:40 hud9 sssd_be[3345]: GSSAPI client step 1
    Feb 28 11:38:40 hud9 sssd_be[3345]: GSSAPI client step 2

OS: CentOS 7.4

Packages:
    ipa-client-4.6.5-11.el7.centos.4.x86_64
    sssd-1.16.4-21.el7_7.1.x86_64

sssd.conf:
    [domain/example.com]
    cache_credentials = True
    krb5_store_password_if_offline = True
    ipa_domain = example.com
    id_provider = ipa
    auth_provider = ipa
    access_provider = ipa
    ipa_hostname = host.example.com
    chpass_provider = ipa
    ipa_server = ipaserver.example.com
    ldap_tls_cacert = /etc/ipa/ca.crt
    [sssd]
    config_file_version = 2
    services = nss, sudo, pam, ssh
    domains = example.com
    [nss]
    homedir_substring = /home
    [pam]
    [sudo]
    [autofs]
    [ssh]
    [pac]
    [ifp]
    [secrets]
    [session_recording]

openldap/ldap.conf:
    # File modified by ipa-client-install
    TLS_CACERTDIR /etc/openldap/certs
    # Turning this off breaks GSSAPI used with krb5 when rdns = false
    SASL_NOCANON on
    URI ldaps://ipaserver.example.com
    BASE dc=dugeo,dc=com
    TLS_CACERT /etc/ipa/ca.crt
    SASL_MECH GSSAPI

krb5.conf:
    #File modified by ipa-client-install
    includedir /etc/krb5.conf.d/
    includedir /var/lib/sss/pubconf/krb5.include.d/

    [libdefaults]
      default_realm = EXAMPLE.COM
      dns_lookup_realm = false
      dns_lookup_kdc = false
      rdns = false
      dns_canonicalize_hostname = false
      ticket_lifetime = 24h
      forwardable = true
      udp_preference_limit = 0
      default_ccache_name = KEYRING:persistent:%{uid}

    [realms]
      EXAMPLE.COM = {
        kdc = ipaserver.example.com:88
        master_kdc = ipaserver.example.com:88
        admin_server = ipaserver.example.com:749
        kpasswd_server = ipaserver.example.com:464
        default_domain = example.com
        pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
        pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
      }

    [domain_realm]
      .example.com = EXAMPLE.COM
      example.com = EXAMPLE.COM
      host.example.com = EXAMPLE.COM

I am hoping there's something simple that I am missing here, something I've overlooked, or that I've just managed to suck at library skills. Thanks in advance for any help.

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org