Hello
I've been fighting with FreeIPA and SmartOS for while now and had this
sorted out. It's just that there is no sssd for SmartOS and hence it
doesn't work out of the box.
Normally, it shouldn't be to hard to get it working once you have the
ldap client on SmartOS connected to the FreeIPA directory server. I'll
paste here below a recent post of my new blog
(https://blog.soholabs.org), dedicated to SmartOS and related
technologies as a lab environment.
So, if I understood the situation well: the SmartOS LDAP client is up
and running and is communicating with the FreeIPA directory server, but
ssh doesn't seem to take into account the public keys that are stored in
the directory server.
In order to facilitate this, you have to make sure that the ssh daemon
is able to obtain these keys from the directory server. In comparison,
the two lines of importance in the /etc/ssh/sshd_config file on a CentOS
FreeIPA client installation are:
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
The AuthorizedKeysCommand parameter refers to the command that obtains
the public keys from the directory server. Unfortunately there is no
equivalent binary on SmartOS because it lacks the sssd software on the
client side.
Luckily, it is not much of an issue because it is rather easy for an
LDAP client to obtain this information from the directory server. While
there are certainly a variety of solutions available on the Internet, at
first sight I found them often too sophisticated for what I needed. So,
I decided to limit the solution to a bash script file that encapsulates
a ldapsearch command which will fetch the public keys from the directory
server.
These few lines here below are enough to fetch the keys and to make sed
print only the information needed: the user's public keys.
::::::::::::::
/opt/local/bin/ssh-ldap-pubkey-wrapper.sh
::::::::::::::
#!/bin/bash
/opt/local/bin/ldapsearch -LLL -x -u \
-o ldif-wrap=no \
-h ipaserver.example.com \
-D "uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=com" \
-w "strongPassword" \
-b "dc=example,dc=com" \
'(&(objectClass=posixAccount)(uid='"$1"'))' \
ipaSshPubKey | sed -n 's/^[ \t]*ipaSshPubKey:[ \t]*\(.*\)/\1/p'
We use the uid=solaris,cn=sysaccounts,cn=etc account with the
strongPassword (literally) to avoid that we have to expose any user
account's credentials in the script file.
This script takes one argument, which is the "user" who makes the ssh
login. As we will see later on, the sshd_config file allows to refer to
the user via %u. Make sure the script has the execution bits set and
give it a try with a user name defined in the directory server. This
command should list the public keys of user1:
/opt/local/bin/ssh-ldap-pubkey-wrapper.sh user1
Once the script provides the public keys as expected, we can integrate
it in the sshd_config file. Find the line with AuthorizedKeysCommand or
add following lines to /etc/ssh/sshd_config:
AuthorizedKeysCommand /opt/local/bin/ssh-ldap-pubkey-wrapper.sh %u
AuthorizedKeysCommandUser nobody
To take this configuration change into account we have to restart the
ssh daemon with the command:
sudo svcadm restart ssh
While making the first connection attempts via ssh, it might be valuable
to keep an eye on the log file on the ssh target system for more
information in case of connection failures.
sudo tail -f /var/log/authlog
Make sure the user has its home directory available on the target
system. That's all it takes to ssh login without password and without
any local ~/.ssh/authorized_keys file.
Beware, locally provided public keys in ~/.ssh/authorized_keys will
still allow the user to ssh-login. This procedure is facilitating
ssh-login based on public keys stored in the directory server, but it is
not limiting access to these public keys. Other sshd_config changes are
needed to enforce this.
kind regards
Stefan
On 03/10/17 06:06, Shridhar Daithankar wrote:
On Monday 2 October 2017 11:57:34 AM IST Joven Sabanal wrote:
Hi,
I'm trying to connect SmartOS Zone VM on FreeIPA but I cannot get it work.
I use this link as reference.
https://www.redhat.com/archives/freeipa-users/2014-April/msg00128.html
I follow on what's indicated on the link. I only register the Zone VM to
FreeIPA domain. I can see also that the VM is connection to the domain by
running "ldaplist".
Problem now is when I try to login using SSH and use the user that I
created on FreeIPA, it cannot login.
Anyone did try the same setup as mine?
Appreciate any advice and recommendation. Thanks in advanced.
Adding a me too here. I can join lxc containers to AD domain using sssd(realm
join etc.) in a jiffy but SmartOS lx branded zones are unable to join the AD.
I could threw in the hand-made kerberos authentication configuration and
create the users by hand, so not much was lost. but sssd definitely didn't
work and I couldn't spend much time investigating it either.
-------------------------------------------
smartos-discuss
Archives: https://www.listbox.com/member/archive/184463/=now
RSS Feed: https://www.listbox.com/member/archive/rss/184463/25769125-55cfbc00
Modify Your Subscription:
https://www.listbox.com/member/?member_id=25769125&id_secret=25769125-7688e9fb
Powered by Listbox: http://www.listbox.com
