On (25/03/20 15:14), Kevin Olbrich wrote:
Hi!
I'm new to SSSD and I'm trying to connect SSSD to my AD to manage SSH access.
I set up the attribute and class on AD schema master and I can fill
keys using ADUC.
I've also enabled the checkbox for GC sync. My client system is debian buster.
I've joined a machine this way:
realm discover EXAMPLE.COM
realm join EXAMPLE.COM
My /etc/sssd/sssd.conf:
[sssd]
domains = example.com
services = nss, sudo, ssh, pam, autofs
config_file_version = 2
debug_level = 9

[ssh]
debug_level = 9
ssh_use_certificate_keys = false

[domain/example.com]
debug_level = 9
ad_domain = example.com
krb5_realm = example.com
realmd_tags = manages-system joined-with-adcli
cache_credentials = False
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
access_provider = simple
simple_allow_groups = domänen-benutzer
SSHD config contains:
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
I can successfully log in using my AD account and my password. This
works flawlessly.
When I try to retrieve my SSH keys, it does not work:
root@slde0009 ~ # sss_ssh_authorizedkeys --debug 9 kolbrich
root@slde0009 ~ #
Passwd works:
root@slde0009 ~ # getent passwd kolbrich
kolbrich:*:1753601104:1753600513:Kevin Olbrich:/home/kolbrich@example.com:/bin/bash
sssd_example.com.log contains:
(Wed Mar 25 14:36:53 2020) [sssd[be[example.com]]] [sdap_attrs_add_ldap_attr] (0x2000): sshPublicKey is not available for [kolbrich(a)example.com].
You can check a few lines before these lines and you should be able to see
which attributes and which search base were used.
Maybe you will be able to find a difference.
LDAP looks fine:
root@slde0009 ~ # ldapsearch -H ldap://192.168.81.1 -D administrator(a)example.com -b "dc=example,dc=com" -W -x '(objectClass=ldapPublicKey)' 'sshPublicKey'
[...]
sssd does not search anything using object class ldapPublicKey.
It also uses a slightly different authentication method.
(It uses keytab instead of administrator). But if the attribute is visible for
anyone then it should not be a problem.
That might be a reason why it works from command line and does not work
from sssd.
# Kevin Olbrich, Users, DIT, MyBusiness, example.com
dn: CN=Kevin Olbrich,OU=Users,OU=DIT,OU=MyBusiness,DC=example,DC=com
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClO6Jdbj7HffLDmAoXr/KU7IYn
kL/DvJBodE2UdhzROkc6YNSq7Y4xcfS3wHLH8OtPupbIDURwH/XZw2dflwcjxkHgyDPIQzzA988VJ
pZeT7DJ8AXx0VzZ0MfbIvksVja6eFgSbkvfU54zKloFFU0ml7UMh7WPwzY0kzhzjkiWnRLiTbERgg
IeeuQCF5HZvqpIr15ss1R0DLWMsLDL32FmM7tqYQRR5DkbD1T8ALIH3VaTcJhkaiqgW6V27Ps6gK/
lEQU9JKFNxfhqF+OsK+pngnC0uppw/r265rymfsHa1SfWQxhYRuxZxafldCnZYgMs9KzGK76pziDH
v3rGErCL ko(a)sv01.de
[...]
There are some howtos for this scenario but they work at this point :-P
What am I doing wrong here?
Thank you in advance!
LS
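The reply above suggests looking a few lines above the "sshPublicKey is not available" message to see which search base and which attributes sssd actually requested. The following script, added here as an illustration and not part of the thread or of the SSSD project, does that mechanically: it walks an sssd backend log (debug_level = 9), groups each `calling ldap_search_ext with [filter][base]` line with the `Requesting attrs:` lines that follow it, and reports, for every attribute sssd says is missing, the base and filter of the search that produced it and whether the attribute was even in the request. The log excerpt embedded below is constructed to resemble sssd's format; the function and variable names are the script's own.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample of sssd backend log lines; not copied from the thread.
SAMPLE_LOG = """\
(Wed Mar 25 14:36:53 2020) [sssd[be[example.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=kolbrich)(objectclass=user)(sAMAccountName=*))][DC=example,DC=com].
(Wed Mar 25 14:36:53 2020) [sssd[be[example.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Wed Mar 25 14:36:53 2020) [sssd[be[example.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName]
(Wed Mar 25 14:36:53 2020) [sssd[be[example.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sshPublicKey]
(Wed Mar 25 14:36:53 2020) [sssd[be[example.com]]] [sdap_attrs_add_ldap_attr] (0x2000): sshPublicKey is not available for [kolbrich@example.com].
"""

# One search = filter + base, followed by the attributes sssd requests for it.
SEARCH_RE = re.compile(r"calling ldap_search_ext with \[(?P<filter>.*)\]\[(?P<base>[^\]]*)\]\.?$")
ATTR_RE = re.compile(r"Requesting attrs: \[(?P<attr>[^\]]+)\]")
MISSING_RE = re.compile(
    r"\[sdap_attrs_add_ldap_attr\] \(0x[0-9a-f]+\): (?P<attr>\S+) is not available for \[(?P<name>[^\]]+)\]"
)


@dataclass
class LdapSearch:
    filter: str
    base: str
    attrs: List[str] = field(default_factory=list)    # attributes sssd asked the server for
    missing: List[str] = field(default_factory=list)  # attributes sssd later reported absent


def parse_searches(log_text: str) -> List[LdapSearch]:
    """Group sssd log lines into LDAP searches with their requested/missing attributes."""
    searches: List[LdapSearch] = []
    current = None
    for line in log_text.splitlines():
        m = SEARCH_RE.search(line)
        if m:
            current = LdapSearch(m.group("filter"), m.group("base"))
            searches.append(current)
            continue
        m = ATTR_RE.search(line)
        if m and current is not None:
            current.attrs.append(m.group("attr"))
            continue
        m = MISSING_RE.search(line)
        if m and current is not None:
            current.missing.append(m.group("attr"))
    return searches


def explain_missing(log_text: str, attr: str = "sshPublicKey"):
    """For each search where `attr` was reported missing, return base, filter and
    whether sssd requested the attribute at all (if not, the mapping is wrong;
    if so, the server simply did not return it for that base/filter)."""
    report = []
    for s in parse_searches(log_text):
        if attr in s.missing:
            report.append({"base": s.base, "filter": s.filter, "requested": attr in s.attrs})
    return report


if __name__ == "__main__":
    # Usage: python3 this_script.py < /var/log/sssd/sssd_example.com.log
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for entry in explain_missing(text):
        print(f"base={entry['base']} requested={entry['requested']} filter={entry['filter']}")
```

If `requested` comes back false, sssd never asked for the attribute and the attribute mapping in the domain section needs attention; if it is true, compare the printed base and filter with the ones that work in `ldapsearch`, which is exactly the difference the reply asks you to look for.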