On Thu, Oct 06, 2016 at 09:55:30PM +0100, Alessandro De Maria wrote:
> The workaround worked, thank you!

Great, glad I could help.

bye,
Sumit

>
> On 6 Oct 2016 5:09 pm, "Sumit Bose" <sb...@redhat.com> wrote:
>
> > On Thu, Oct 06, 2016 at 03:48:10PM +0100, Alessandro De Maria wrote:
> > > Hello,
> > >
> > > We are moving some of our servers to use 16.04 and for all new installs I
> > > have noticed that I am unable to fetch the ssh_authorized keys from the
> > > server.
> > >
> > > /usr/bin/sss_ssh_authorizedkeys --debug 10 -d prod.zzzzzzz.com ademaria
> > > (Thu Oct 6 11:29:59:823635 2016) [/usr/bin/sss_ssh_authorizedkeys] [main] (0x0020): sss_ssh_get_ent() failed (14): Bad address
> > > Error looking up public keys
> > >
> > > This only happens on Ubuntu 16.04. We have a number of 12.04 that work
> > > perfectly.
> > >
> > > The configuration seems ok or at least matches the one on 12.04.
> > > I increased the debug level on sssd and sss_ssh and this is the output I get
> >
> > ...
> >
> > > (Thu Oct 6 15:42:01 2016) [sssd[ssh]] [cert_to_ssh_key] (0x0040): NSS_InitContext failed [-8015].
> > > (Thu Oct 6 15:42:01 2016) [sssd[ssh]] [decode_and_add_base64_data] (0x0040): cert_to_ssh_key failed.
> > > (Thu Oct 6 15:42:01 2016) [sssd[ssh]] [ssh_cmd_build_reply] (0x0040): decode_and_add_base64_data failed.
> > > (Thu Oct 6 15:42:01 2016) [sssd[ssh]] [ssh_cmd_done] (0x0020): Fatal error, killing connection!
> >
> > ...
> >
> > Newer versions of SSSD can derive ssh-keys from valid X.509 certificates
> > stored in the LDAP entry of the user. Unfortunately it looks like
> > your build of SSSD needs a fix for
> > https://fedorahosted.org/sssd/ticket/2977. Please open a ticket for your
> > distribution to include the patch for this issue which is linked at the
> > end of the ticket.
> >
> > As a workaround you can set 'ldap_user_certificate = noSuchAttribute' in
> > the [domain/...] section of sssd.conf. This should prevent SSSD from
> > reading the certificate stored in the user entry. After changing
> > sssd.conf you should invalidate the cache by calling 'sss_cache -E' and
> > restart SSSD.
> >
> > HTH
> >
> > bye,
> > Sumit
> >
> > >
> > > Could you help me understand what is the issue with it?
> > >
> > > Regards
> > > Alessandro
> > >
> > > --
> > > Alessandro De Maria
> > > alessandro.dema...@gmail.com
> >
> > > --
> > > Manage your subscription for the Freeipa-users mailing list:
> > > https://www.redhat.com/mailman/listinfo/freeipa-users
> > > Go to http://freeipa.org for more info on the project