That was it!!!  The /etc/ssh/sshd_config file is missing a few things.  My observation was in error that sometimes it worked for some users on a misconfigured node.  

So the next question I have is why doesn't that file always get updated when ipa is configured?  Is it supposed to be updated by ipa-client-install?

At least I know what to look for.  I may just add this to my salt-stack deployments so every node has the correct sshd config file.

Thanks!!

On Thu, Jan 9, 2020 at 3:14 PM Rob Crittenden <rcritten@redhat.com> wrote:
Jeff Vincent via FreeIPA-users wrote:
> Most of our FreeIPA client nodes are Ubuntu 14, 16 and some 18.  We have a fair number where I am unable to use SSH authentication because the server refuses the key.
>
> The same user/key works fine on other nodes.
>
> I have checked to the best of my knowledge the files and compared them to a node that works and can't find any differences.
>
> /etc/nsswitch.conf
> /etc/sssd/sssd.conf
>
> I don't understand the nuances of FreeIPA to know where else to look.  Can anyone suggest what else I can look at to troubleshoot what is going on?  Every user experiences this on different nodes.

Compare the sshd config files.

See if the authorized keys tool works:

/usr/bin/sss_ssh_authorizedkeys someuser

rob
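
A check in the spirit of "compare the sshd config files", added here as an example and not taken from the thread or from FreeIPA: it reports whether an sshd_config hands key lookup to the `sss_ssh_authorizedkeys` tool named above. The thread does not say which lines were missing; this assumes the two standard OpenSSH directives `AuthorizedKeysCommand` and `AuthorizedKeysCommandUser`, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag an sshd_config that does not hand key lookup to SSSD.
# Assumption: the helper lives at the path quoted in the thread.
SSS_HELPER=/usr/bin/sss_ssh_authorizedkeys

# Print the first effective value of a keyword: sshd keeps the first
# occurrence, keywords are case-insensitive, '#' lines are comments.
# Match blocks are not evaluated; parsing stops at the first Match line.
sshd_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t=]+/, ""); print; exit }
    ' "$1"
}

# Return 0 when both directives are present and the command is the SSSD helper.
check_sshd_sss_keys() {
    cfg=$1; rc=0
    cmd=$(sshd_value "$cfg" AuthorizedKeysCommand)
    usr=$(sshd_value "$cfg" AuthorizedKeysCommandUser)
    case "$cmd" in
        "$SSS_HELPER"|"$SSS_HELPER "*) ;;
        "") echo "$cfg: AuthorizedKeysCommand not set"; rc=1 ;;
        *)  echo "$cfg: AuthorizedKeysCommand is '$cmd', expected $SSS_HELPER"; rc=1 ;;
    esac
    if [ -z "$usr" ]; then
        echo "$cfg: AuthorizedKeysCommandUser not set"; rc=1
    fi
    return $rc
}

if [ "$#" -eq 0 ]; then
    # Constructed sample: a config without the SSSD lines.
    sample=$(mktemp)
    printf '%s\n' 'PubkeyAuthentication yes' 'UsePAM yes' > "$sample"
    check_sshd_sss_keys "$sample" || echo "=> sshd will not ask SSSD for this user's keys"
    rm -f "$sample"
else
    # Real use: pass the path, e.g. /etc/ssh/sshd_config
    check_sshd_sss_keys "$1"
fi
```

The non-zero exit status on a failing file makes the function usable as a gate in a configuration-management run.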