On Thu, Jan 12, 2017 at 10:59:04AM +0000, hirofumi.morik...@accenture.com wrote:
> Hi Free IPA team
>
> Let me further clarify the question that is asked by Niraj below.
>
> Currently, we have 1 master FreeIPA server and 1 client server. Evaluating
> your product for production deployment.
> Master and client connectivity is established and when creating the user in
> the web console, it is indeed creating the user in the client machine.
>
> However, when we add a public key through the web console below, this key is
> not created (or transferred) to the client machine (checked by logging into
> the server), which blocks the key-based access to this machine.
>
> [inline image: image003.jpg]

Does the web console show the key's fingerprint after you added it as shown in
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/user-keys.html

> Could you please let us know if this key is supposed to be created on the
> client machine natively with FreeIPA when registering the key through the
> console above? Are we missing any configuration to enable this key
> registration to the client machine? Thank you for your response in advance.

If you used ipa-join or realmd to join the IPA client to the IPA server
everything should be configured correctly. In /etc/ssh/sshd_config you should
find the line 'AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys' which
tells sshd to call sss_ssh_authorizedkeys to get the key. You can call
'sss_ssh_authorizedkeys' directly with the user name as argument to see if the
key is returned:

# sss_ssh_authorizedkeys testuser
ssh-rsa AAAAB3Nz.......

If nothing is returned you should check /var/log/sssd/sssd_ssh.log for errors.
You might need to increase the debug_level in the [ssh] section of sssd.conf
first, see https://fedorahosted.org/sssd/wiki/Troubleshooting for details.

HTH

bye,
Sumit

> Best regards
>
> Hirofumi Morikawa
> Accenture
> Certified Technology Architect - Emerging Technologies group
> Email: hirofumi.morik...@accenture.com
> Mobile phone: +33 (0)6 82 10 81 88
>
> From: Singh, NirajKumar
> Sent: Tuesday, 10 January 2017 10:38
> To: freeipa-users@redhat.com
> Cc: Morikawa, Hirofumi; Shyam Gupta, Upendra
> Subject: Not able to replicate user keys across master and client
>
> Hi Team,
>
> We have created a PPK key for the user on the master FreeIPA server, which is
> there in the /home/user/.ssh/authorized_keys file.
>
> But the key is not reflected in the client machine.
>
> Please suggest so that the authorized_keys file is added automatically in the
> client as soon as it gets created in the master server.
>
> Thanks,
> Niraj

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
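A scripted version of the check Sumit describes (is sshd wired to SSSD for key lookup, and does the lookup return a key), added here as an example and not part of the thread. It assumes the defaults ipa-client-install writes, AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys and AuthorizedKeysCommandUser nobody (the second value is my assumption, not from the thread); the sample configs are constructed so the script runs offline, and the functions take a path so they can be pointed at the real /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not from the thread: verify the sshd -> SSSD key lookup path.

# Effective value of an sshd_config keyword: first match wins, as in sshd;
# comment lines start with '#' in $1 and therefore never match.
sshd_opt() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# 0 if AuthorizedKeysCommand is sss_ssh_authorizedkeys and a lookup user is
# set; otherwise report what is missing and return 1.
check_sssd_keys_wiring() {
    cfg="$1"
    cmd=$(sshd_opt "$cfg" AuthorizedKeysCommand)
    usr=$(sshd_opt "$cfg" AuthorizedKeysCommandUser)
    case "$cmd" in
        */sss_ssh_authorizedkeys) ;;
        *) echo "AuthorizedKeysCommand is '${cmd:-unset}', expected /usr/bin/sss_ssh_authorizedkeys"
           return 1 ;;
    esac
    [ -n "$usr" ] || { echo "AuthorizedKeysCommandUser is unset"; return 1; }
    return 0
}

# 0 if the lookup output (e.g. from `sss_ssh_authorizedkeys testuser`)
# contains at least one line shaped like an OpenSSH public key.
has_public_key() {
    printf '%s\n' "$1" |
        grep -Eq '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp[0-9]+) [A-Za-z0-9+/]+=*'
}

# Constructed sample configs (assumed ipa-client-install defaults).
GOOD_CFG=$(mktemp)
cat > "$GOOD_CFG" <<'EOF'
PubkeyAuthentication yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
EOF
BAD_CFG=$(mktemp)
printf 'PubkeyAuthentication yes\n' > "$BAD_CFG"

check_sssd_keys_wiring "$GOOD_CFG" && echo "sshd -> SSSD wiring OK"
check_sssd_keys_wiring "$BAD_CFG" || echo "client is not configured for SSSD key lookup"
rm -f "$GOOD_CFG" "$BAD_CFG"
```

On a real client, run `check_sssd_keys_wiring /etc/ssh/sshd_config` and then `has_public_key "$(sss_ssh_authorizedkeys testuser)"`; if the first passes and the second fails, the problem is on the SSSD side and /var/log/sssd/sssd_ssh.log is the place to look.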