Jeff wrote:
That was it!!! The /etc/ssh/sshd_config file is missing a few
things.
My observation was in error that sometimes it worked for some users on a
misconfigured node.
So the next question I have is why doesn't that file always get updated
when ipa is configured? Is it supposed to be updated by ipa-client-install?
At least I know what to look for. I may just add this to my salt-stack
deployments so every node has the correct sshd config file.
You can check /var/log/ipaclient-install.log to see if it touched the
file (or skipped it).
rob
Thanks!!
On Thu, Jan 9, 2020 at 3:14 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
Jeff Vincent via FreeIPA-users wrote:
> Most of our FreeIPA client nodes are Ubuntu 14, 16 and some 18.
> We have a fair number where I am unable to use SSH authentication
> because the server refuses the key.
>
> The same user/key works fine on other nodes.
>
> I have checked to the best of my knowledge the files and compared
> them to a node that works and can't find any differences.
>
> /etc/nsswitch.conf
> /etc/sssd/sssd.conf
>
> I don't understand the nuances of FreeIPA to know where else to
> look. Can anyone suggest what else I can look at to troubleshoot
> what is going on? Every user experiences this on different nodes.
Compare the sshd config files.
See if the authorized keys tool works:
/usr/bin/sss_ssh_authorizedkeys someuser
rob
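
The sshd_config comparison suggested in the thread can be scripted per node. This is an added example, not part of the thread and not FreeIPA code. It assumes the missing settings are `AuthorizedKeysCommand` (pointing at the helper named above) and `AuthorizedKeysCommandUser`; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: does this sshd_config hand key lookup to SSSD?
HELPER=/usr/bin/sss_ssh_authorizedkeys   # helper path quoted in the thread

# Print the global value of keyword $2 in file $1. sshd keywords are
# case-insensitive and the first occurrence wins; stop at the first Match
# block because settings below it are conditional.
sshd_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        { line = $0; sub(/^[ \t]+/, "", line) }
        line == "" || line ~ /^#/ { next }
        {
            n = match(line, /[ \t=]/)
            key = tolower(n ? substr(line, 1, n - 1) : line)
            val = n ? substr(line, n) : ""
            sub(/^[ \t]*=?[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            gsub(/"/, "", val)
        }
        key == "match" { exit }
        key == want { print val; exit }
    ' "$1"
}

# Return 0 when the file routes key lookup to the SSSD helper, else 1,
# printing one line per problem found.
check_ipa_sshd() {
    rc=0
    cmd=$(sshd_value "$1" AuthorizedKeysCommand)
    user=$(sshd_value "$1" AuthorizedKeysCommandUser)
    pubkey=$(sshd_value "$1" PubkeyAuthentication | tr 'A-Z' 'a-z')
    case "$cmd" in
        "$HELPER"|"$HELPER "*) ;;
        "") echo "$1: AuthorizedKeysCommand is not set"; rc=1 ;;
        *)  echo "$1: AuthorizedKeysCommand is '$cmd', expected $HELPER"; rc=1 ;;
    esac
    # AuthorizedKeysCommand needs an accompanying AuthorizedKeysCommandUser
    [ -n "$user" ] || { echo "$1: AuthorizedKeysCommandUser is not set"; rc=1; }
    [ "$pubkey" != no ] || { echo "$1: PubkeyAuthentication is no"; rc=1; }
    return $rc
}

# Constructed sample files, not copied from any real node.
demo=$(mktemp -d)
printf '%s\n' 'PubkeyAuthentication yes' 'UsePAM yes' > "$demo/broken"
printf '%s\n' '# sample' 'authorizedkeyscommand /usr/bin/sss_ssh_authorizedkeys' \
    'AuthorizedKeysCommandUser nobody' > "$demo/working"
for f in "$demo/broken" "$demo/working"; do
    check_ipa_sshd "$f" && echo "$f: ok"
done
```

On a real node, call `check_ipa_sshd /etc/ssh/sshd_config`; a non-zero return is something a configuration-management run can act on.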