We use sssd version 1.13.4 on our linux clients.

A user from ipa successfully authorizes on a linux client via ssh without a certificate. But then if we add a certificate, the connection gets lost.

Please find logs in the attached files.

Thank you in advance

*Artem Golubev*
System Administrator
*(exp)capital limited*

On 20 March 2017 at 18:14, Lukas Slebodnik <[email protected]> wrote:

> On (20/03/17 16:39), Alexander Bokovoy wrote:
> >On Mon, 20 Mar 2017, Artem Golubev wrote:
> >> Good day!
> >>
> >> We use freeipa server 4.3.1, we usually grant access via ssh keys to linux
> >> clients.
> >> We currently face the following issue with access on certificate: when we
> >> add certificate to user's account, user is not able to login via ssh.
> >> How can we solve this problem? We would like to have a possibility to
> >> access linux clients via ssh keys and access to other resources using
> >> certificates.
> >You need to provide logs, obviously. Start with level 3 debug logs in
> >sshd, and debug_level=9 in sssd. Also show user's entry (as in 'ipa
> >user-show --raw --all username').
> >
> >When you access SSH with ssh keys, SSSD is involved in account and
> >session phases of PAM authentication. This means either user does not
> >exist to sshd (it would then not exist on system level at all) or
> >something prevents session phase from success. In session phase SSSD
> >does verify HBAC rules, for example.
> >
> >See https://fedorahosted.org/sssd/wiki/Troubleshooting for
> >troubleshooting instructions.
> >
> The most important thing is to know the version of sssd.
> Because one related bug is already fixed.
> https://pagure.io/SSSD/sssd/issue/2977
>
> LS
>
Attachments: sshd_log, sssd_ssh_log, user-show
