On (20/03/17 16:39), Alexander Bokovoy wrote:
>On Mon, 20 Mar 2017, Artem Golubev wrote:
>> Good day!
>>
>> We use freeipa server 4.3.1, we usually grant access via ssh keys to linux
>> clients.
>> We currently face the following issue with access on certificate: when we
>> add a certificate to a user's account, the user is not able to log in via ssh.
>> How can we solve this problem? We would like to have a possibility to
>> access linux clients via ssh keys and access to other resources using
>> certificates.
>You need to provide logs, obviously. Start with level 3 debug logs in
>sshd, and debug_level=9 in sssd. Also show the user's entry (as in 'ipa
>user-show --raw --all username').
>
>When you access SSH with ssh keys, SSSD is involved in the account and
>session phases of PAM authentication. This means either the user does not
>exist to sshd (it would then not exist at the system level at all) or
>something prevents the session phase from succeeding. In the session phase
>SSSD does verify HBAC rules, for example.
>
>See https://fedorahosted.org/sssd/wiki/Troubleshooting for
>troubleshooting instructions.
>
The most important thing is to know the version of sssd, because one related bug is already fixed.
https://pagure.io/SSSD/sssd/issue/2977

LS