I've already included that in the IPA permissions. Anonymous access to ipaSshPubKey is marked as public already. Read and Search are allowed.
On Sat, Sep 19, 2015 at 4:36 AM, Jakub Hrozek <[email protected]> wrote:
>
> > On 18 Sep 2015, at 19:17, Gustavo Mateus <[email protected]> wrote:
> >
> > That only shows this:
> >
> > # extended LDIF
> > #
> > # LDAPv3
> > # base <cn=compat,dc=my,dc=domain,dc=com> with scope subtree
> > # filter: (&(uid=admin)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))
> > # requesting: ALL
> > #
> >
> > # admin, users, compat, my.domain.com
> > dn: uid=admin,cn=users,cn=compat,dc=my,dc=domain,dc=com
> > cn: Administrator
> > uidNumber: 1742200000
> > objectClass: posixAccount
> > objectClass: top
> > gidNumber: 1742200000
> > gecos: Administrator
> > loginShell: /bin/bash
> > homeDirectory: /home/admin
> > uid: admin
> >
> Since sshPublicKey is not listed here, the ACIs still prevent you from reading the attribute. You need to either bind as a user who has permissions to read it or make the public key world-readable (I don't think making it world-readable would be an issue since it's a pubkey)
>
> > # search result
> > search: 2
> > result: 0 Success
> >
> > # numResponses: 2
> > # numEntries: 1
> >
> > On Fri, Sep 18, 2015 at 1:40 AM, Jakub Hrozek <[email protected]> wrote:
> > On Thu, Sep 17, 2015 at 10:33:41AM -0700, Gustavo Mateus wrote:
> > > When I use id_provider=ipa I get:
> > >
> > > [sssd[be[default]]] [main] (0x0010): Could not initialize backend [2]
> >
> > Ah, I think they simply don't package the IPA backend.
> >
> > Time to file an RFE with Amazon? :-)
> >
> > >
> > > Adding a [ssh] section with just "debug_level = 10" on it, I get:
> > >
> > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [get_client_cred] (0x4000): Client creds: euid[1742200001] egid[1742200001] pid[6295].
> > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0xd34eb0][17]
> > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [accept_fd_handler] (0x0400): Client connected!
> > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0xd34eb0][17]
> > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Received client version [0].
> > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Offered version [0].
> > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0xd34eb0][17]
> > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0xd34eb0][17]
> > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ssh_cmd_parse_request] (0x0400): Requested domain [<ALL>]
> > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ssh_cmd_parse_request] (0x0400): Parsing name [admin][<ALL>]
> > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_parse_name] (0x0100): Domain not provided!
> > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_parse_name_for_domains] (0x0200): name 'admin' matched without domain, user is admin
> > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_ssh_cmd_get_user_pubkeys] (0x0400): Requesting SSH user public keys for [admin] from [<ALL>]
> > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_issue_request] (0x0400): Issuing request for [0x40aba0:1:admin@default]
> > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_get_account_msg] (0x0400): Creating request for [default][1][1][name=admin]
> > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sbus_add_timeout] (0x2000): 0xd32ba0
> > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_internal_get_send] (0x0400): Entering request [0x40aba0:1:admin@default]
> > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sbus_remove_timeout] (0x2000): 0xd32ba0
> > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sbus_dispatch] (0x4000): dbus conn: 0xd310f0
> > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sbus_dispatch] (0x4000): Dispatching.
> > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
> > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ssh_user_pubkeys_search_next] (0x0400): Requesting SSH user public keys for [admin@default]
> > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_parse_name] (0x0100): Domain not provided!
> > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Added timed event "ltdb_callback": 0xd3f3b0
> > >
> > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0xd3f470
> > >
> > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Running timer event 0xd3f3b0 "ltdb_callback"
> > >
> > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Destroying timer event 0xd3f470 "ltdb_timeout"
> > >
> > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Ending timer event 0xd3f3b0 "ltdb_callback"
> > >
> > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x40aba0:1:admin@default]
> > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0xd34eb0][17]
> > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0xd34eb0][17]
> > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [client_recv] (0x0200): Client disconnected!
> > > (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [client_destructor] (0x2000): Terminated client [0xd34eb0][17]
> > >
> > >
> > > ldbsearch shows this (ldbsearch -H /var/lib/sss/db/cache_default.ldb name=admin):
> > >
> > > asq: Unable to register control with rootdse!
> > > # record 1
> > > dn: name=admin,cn=users,cn=default,cn=sysdb
> > > createTimestamp: 1442509579
> > > fullName: Administrator
> > > gecos: Administrator
> > > gidNumber: 1742200000
> > > homeDirectory: /home/admin
> > > loginShell: /bin/bash
> > > name: admin
> > > objectClass: user
> > > uidNumber: 1742200000
> > > originalDN: uid=admin,cn=users,cn=compat,dc=my,dc=domain,dc=com
> > > originalModifyTimestamp: 20150829000451Z
> > > entryUSN: 1428
> > > lastUpdate: 1442509579
> > > dataExpireTimestamp: 1442514979
> > > distinguishedName: name=admin,cn=users,cn=default,cn=sysdb
> >
> > The communication between the ssh responder and the back end went fine.
> > I think I should have been more careful the first time around, looks
> > like the backend cannot find the attribute in LDAP (some ACI problems,
> > maybe?)
> >
> > From your earlier logs:
> > (Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): sshPublicKey is not available for [admin].
> >
> > You can run a similar query manually:
> > ldapsearch -x -H ldap://your.ipa.server -b cn=compat,dc=my,dc=domain,dc=com (&(uid=admin)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))
> >
> > Does that show the sshPublicKey ?
> >
> >
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
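The check Jakub suggests above (repeat the compat-tree search by hand and see whether sshPublicKey comes back) is most telling when you compare the anonymous result with the same search bound as an identity that is allowed to read the key: an attribute that appears only in the bound result exists on the entry and is being withheld by an ACI, whereas an attribute missing from both was never set. The following is an added example, not code from this thread, SSSD or FreeIPA: a small LDIF reader (comments, folded continuation lines, base64 `::` values) and a classifier over the two results. The two LDIF texts are constructed to mirror the entry in the thread, the key value is a placeholder, and the attribute name `sshPublicKey` follows the default of SSSD's `ldap_user_ssh_public_key` option; the DN, host and function names are mine.

```python
"""Classify why SSSD cannot see a user's SSH key in LDAP: compare an anonymous
ldapsearch with one bound as a reader that has access to the key attribute.
Added example, not part of the original thread, SSSD or FreeIPA."""
import base64

# Constructed sample: what the anonymous search in the thread returned.
ANON_LDIF = """\
# extended LDIF
# base <cn=compat,dc=my,dc=domain,dc=com> with scope subtree
# filter: (&(uid=admin)(objectclass=posixAccount))
# requesting: ALL

# admin, users, compat, my.domain.com
dn: uid=admin,cn=users,cn=compat,dc=my,dc=domain,dc=com
cn: Administrator
uidNumber: 1742200000
objectClass: posixAccount
objectClass: top
gidNumber: 1742200000
gecos: Administrator
loginShell: /bin/bash
homeDirectory: /home/admin
uid: admin

# search result
search: 2
result: 0 Success
"""

ADMIN_DN = "uid=admin,cn=users,cn=compat,dc=my,dc=domain,dc=com"
# Placeholder key, not a real key: only the LDIF encoding matters here.
SAMPLE_KEY = ("ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDplaceholder-not-a-real-key"
              " admin@my.domain.com")


def fold_base64(attr, value, width=76):
    """Render `attr:: <base64>` folded the way ldapsearch prints long values:
    continuation lines start with a single space."""
    b64 = base64.b64encode(value.encode()).decode()
    head = f"{attr}:: "
    lines = [head + b64[: width - len(head)]]
    rest = b64[width - len(head):]
    while rest:
        lines.append(" " + rest[: width - 1])
        rest = rest[width - 1:]
    return "\n".join(lines) + "\n"


# Constructed sample: the same entry as seen by a bind allowed to read the key.
BOUND_LDIF = ANON_LDIF.replace(
    "uid: admin\n", "uid: admin\n" + fold_base64("sshPublicKey", SAMPLE_KEY))


def parse_ldif(text):
    """Minimal LDIF reader: {dn: {attr: [values]}}.  Handles '#' comments,
    folded lines and base64 ('attr:: value') values; not full RFC 2849."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:      # continuation of previous line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, dn, current = {}, None, {}
    for line in unfolded + [""]:                  # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if line == "":
            if dn is not None:
                entries[dn] = current
            dn, current = None, {}
            continue
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):                 # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name == "dn":
            dn = value
        else:
            current.setdefault(name, []).append(value)
    return entries


def hidden_attributes(anon, bound, dn):
    """Attributes the bound reader sees but the anonymous bind does not:
    they exist on the entry and are withheld by an ACI."""
    return sorted(set(bound.get(dn, {})) - set(anon.get(dn, {})))


def diagnose(anon_ldif, bound_ldif, dn, key_attr="sshPublicKey"):
    """'ok' (anonymous bind can read the key), 'aci-hidden' (key exists but
    the anonymous bind may not read it), 'not-set' (no key on the entry even
    for an authorised reader) or 'no-entry' (base/filter or entry ACI wrong)."""
    anon, bound = parse_ldif(anon_ldif), parse_ldif(bound_ldif)
    if dn not in bound:
        return "no-entry"
    if key_attr in anon.get(dn, {}):
        return "ok"
    if key_attr in bound[dn]:
        return "aci-hidden"
    return "not-set"


if __name__ == "__main__":
    print(diagnose(ANON_LDIF, BOUND_LDIF, ADMIN_DN))            # aci-hidden
    print(hidden_attributes(parse_ldif(ANON_LDIF), parse_ldif(BOUND_LDIF), ADMIN_DN))
```

To use it against a real server, capture the two results with `ldapsearch -x -LLL -H ldap://your.ipa.server -b cn=compat,dc=my,dc=domain,dc=com '(uid=admin)'` (anonymous) and the same search after `kinit` with `-Y GSSAPI` instead of `-x`, and pass the two outputs to `diagnose()`. Single-quote the filter in the shell: the parentheses, `*` and `!` in the filter quoted in the thread are shell metacharacters and will not reach ldapsearch intact otherwise. A result of `aci-hidden` means the choice is the one Jakub describes: either grant the anonymous bind read access to the key attribute, or give SSSD a bind identity that already has it (`ldap_default_bind_dn` / `ldap_default_authtok` in sssd.conf for the ldap provider) so the directory is not opened further than necessary.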
