Hi!
I'm new to SSSD and I'm trying to connect SSSD to my AD to manage SSH access. I set up the attribute and class on the AD schema master and I can fill in keys using ADUC. I've also enabled the checkbox for GC sync. My client system is Debian buster.
I've joined a machine this way:

realm discover EXAMPLE.COM
realm join EXAMPLE.COM
My /etc/sssd/sssd.conf:

[sssd]
domains = example.com
services = nss, sudo, ssh, pam, autofs
config_file_version = 2
debug_level = 9

[ssh]
debug_level = 9
ssh_use_certificate_keys = false

[domain/example.com]
debug_level = 9
ad_domain = example.com
krb5_realm = example.com
realmd_tags = manages-system joined-with-adcli
cache_credentials = False
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
access_provider = simple
simple_allow_groups = domänen-benutzer

SSHD config contains:

AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
I can successfully log in using my AD account with my password. This works flawlessly. When I try to retrieve my SSH keys, it does not work:

root@slde0009 ~ # sss_ssh_authorizedkeys --debug 9 kolbrich
root@slde0009 ~ #

Passwd works:

root@slde0009 ~ # getent passwd kolbrich
kolbrich:*:1753601104:1753600513:Kevin Olbrich:/home/kolbrich@example.com:/bin/bash

sssd_example.com.log contains:

(Wed Mar 25 14:36:53 2020) [sssd[be[example.com]]] [sdap_attrs_add_ldap_attr] (0x2000): sshPublicKey is not available for [kolbrich@example.com].

LDAP looks fine:

root@slde0009 ~ # ldapsearch -H ldap://192.168.81.1 -D administrator@example.com -b "dc=example,dc=com" -W -x '(objectClass=ldapPublicKey)' 'sshPublicKey'
[...]
# Kevin Olbrich, Users, DIT, MyBusiness, example.com
dn: CN=Kevin Olbrich,OU=Users,OU=DIT,OU=MyBusiness,DC=example,DC=com
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClO6Jdbj7HffLDmAoXr/KU7IYnkL/DvJBodE2UdhzROkc6YNSq7Y4xcfS3wHLH8OtPupbIDURwH/XZw2dflwcjxkHgyDPIQzzA988VJpZeT7DJ8AXx0VzZ0MfbIvksVja6eFgSbkvfU54zKloFFU0ml7UMh7WPwzY0kzhzjkiWnRLiTbERggIeeuQCF5HZvqpIr15ss1R0DLWMsLDL32FmM7tqYQRR5DkbD1T8ALIH3VaTcJhkaiqgW6V27Ps6gK/lEQU9JKFNxfhqF+OsK+pngnC0uppw/r265rymfsHa1SfWQxhYRuxZxafldCnZYgMs9KzGK76pziDHv3rGErCL ko@sv01.de
[...]
There are some howtos for this scenario but they work at this point :-P
What am I doing wrong here?
Thank you in advance!
Kind regards Kevin
On (25/03/20 15:14), Kevin Olbrich wrote:
sssd_example.com.log contains: (Wed Mar 25 14:36:53 2020) [sssd[be[example.com]]] [sdap_attrs_add_ldap_attr] (0x2000): sshPublicKey is not available for [kolbrich@example.com].
You can check a few lines before these lines, and you should be able to see which attributes and which search base were used. Maybe you will be able to find a difference.
LDAP looks fine:

root@slde0009 ~ # ldapsearch -H ldap://192.168.81.1 -D administrator@example.com -b "dc=example,dc=com" -W -x '(objectClass=ldapPublicKey)' 'sshPublicKey'
[...]
sssd does not search for anything using the object class ldapPublicKey. It also uses a slightly different authentication method (it uses the keytab instead of administrator). But if the attribute is visible to anyone, then it should not be a problem.
That might be the reason why it works from the command line and does not work from sssd.
LS
OK, I've added "ldap_user_ssh_public_key" and checked my ldap class permissions via ADSI-Edit. Instead of using the GUI, I've added the attribute and class using LDIF. Security was empty but inheritance was enabled. I disabled, enabled and saved it. Now there are entries under security.
Indeed, seems to work now! On first login I had to provide my password. On second try, it accepted my key. I stopped the service, removed the cache db and started it again. This time, key was accepted on first try.
A colleague has now stored his pubkey for his user. He will try tomorrow when replication is done. Currently only his password is accepted and the attribute is not found (just like the problem I had). Maybe GC sync? I will know tomorrow.
Thank you once again for your help!
Kind regards Kevin
On Wed, 25 March 2020 at 15:48, Lukas Slebodnik lslebodn@redhat.com wrote:
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
On Wed, Mar 25, 2020 at 03:14:40PM +0100, Kevin Olbrich wrote:
[domain/example.com]
debug_level = 9
ad_domain = example.com
krb5_realm = example.com
realmd_tags = manages-system joined-with-adcli
cache_credentials = False
id_provider = ad
Hi,
the AD provider does not have the option ldap_user_ssh_public_key set by default, because there is no attribute for SSH keys in the AD schema. Please add
ldap_user_ssh_public_key = sshPublicKey
and try again.
HTH
bye, Sumit
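A small offline checker for the two failure points discussed in this thread: the missing ldap_user_ssh_public_key mapping that Sumit points out, and the ldapsearch LDIF output that Lukas suggests comparing against what sssd itself requests. This is an added example, not sssd project code and not anything the posters ran; it assumes an INI-style sssd.conf, LDIF as ldapsearch prints it (continuation lines start with one space) and OpenSSH "<type> <base64> [comment]" key values. The sample key and LDIF entry inside it are constructed for the example, not the key from the post.

```python
"""Offline checks for the SSSD + AD sshPublicKey setup in this thread.
Added example, not sssd project code. Assumes INI-style sssd.conf, LDIF as
printed by ldapsearch (continuation lines start with one space) and OpenSSH
"<type> <base64> [comment]" key values."""
import base64
import configparser

# Length-prefixed wire fields per key type, including the leading type string.
WIRE_FIELDS = {"ssh-rsa": 3,              # type, e, n
               "ssh-ed25519": 2,          # type, pubkey
               "ecdsa-sha2-nistp256": 3}  # type, curve name, point

def domains_missing_ssh_key_attr(conf_text):
    """[domain/...] sections with id_provider = ad but no
    ldap_user_ssh_public_key: the AD provider has no default for it, so sssd
    never requests the attribute and sss_ssh_authorizedkeys prints nothing."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return [s for s in cp.sections()
            if s.startswith("domain/")
            and cp.get(s, "id_provider", fallback="").strip().lower() == "ad"
            and not cp.get(s, "ldap_user_ssh_public_key", fallback="").strip()]

def unwrap_ldif(ldif_text):
    """Join LDIF continuation lines; drop comments and blank lines."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    return lines

def ssh_keys_by_dn(ldif_text, attr="sshPublicKey"):
    """DN -> list of key values; handles 'attr: v' and base64 'attr:: v'."""
    keys, dn = {}, None
    for line in unwrap_ldif(ldif_text):
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
            keys.setdefault(dn, [])
        elif name.lower() == attr.lower() and dn is not None:
            keys[dn].append(value)
    return keys

def _wire_fields(blob):
    """Split an SSH wire blob into its length-prefixed strings; raise when a
    length runs past the end, the signature of a key cut short by wrapping."""
    fields, pos = [], 0
    while pos < len(blob):
        n = int.from_bytes(blob[pos:pos + 4], "big")
        pos += 4
        if pos + n > len(blob):
            raise ValueError("field runs past end of blob")
        fields.append(blob[pos:pos + n])
        pos += n
    return fields

def parse_authorized_key(line):
    """Return (type, comment) for a well-formed OpenSSH key line, else raise
    ValueError. sshd ignores lines it cannot parse, so a key that AD hands
    back wrapped or mangled only shows up as a password prompt."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    ktype, comment = parts[0], (parts[2] if len(parts) == 3 else "")
    if ktype not in WIRE_FIELDS:
        raise ValueError("unsupported key type %r" % ktype)
    blob = base64.b64decode(parts[1], validate=True)  # binascii.Error is a ValueError
    fields = _wire_fields(blob)
    if len(fields) != WIRE_FIELDS[ktype] or fields[0] != ktype.encode():
        raise ValueError("blob does not describe a %s key" % ktype)
    return ktype, comment

def audit_ldif_keys(ldif_text, attr="sshPublicKey"):
    """DN -> ['ok <type> <comment>' or 'error: ...'] per stored value."""
    def verdict(v):
        try:
            return ("ok %s %s" % parse_authorized_key(v)).rstrip()
        except ValueError as e:
            return "error: %s" % e
    return {dn: [verdict(v) for v in vals]
            for dn, vals in ssh_keys_by_dn(ldif_text, attr).items()}

def _fake_key_line(ktype, *fields, comment=""):
    """Constructed test key with a placeholder modulus; not a usable key."""
    blob = b"".join(len(f).to_bytes(4, "big") + f for f in (ktype.encode(),) + fields)
    return ("%s %s %s" % (ktype, base64.b64encode(blob).decode(), comment)).strip()

# Constructed sample data (not the key or entry from the post); the LDIF value
# is wrapped at column 60 the way ldapsearch wraps at 78.
SAMPLE_KEY = _fake_key_line("ssh-rsa", b"\x01\x00\x01", bytes(range(1, 34)),
                            comment="kolbrich@example.com")
SAMPLE_LDIF = ("# Kevin Olbrich, Users, example.com\n"
               "dn: CN=Kevin Olbrich,OU=Users,DC=example,DC=com\n"
               "sshPublicKey: " + SAMPLE_KEY[:60] + "\n"
               " " + SAMPLE_KEY[60:] + "\n")
# The [domain/...] section from the post, before and after Sumit's fix.
CONF_BEFORE = "[domain/example.com]\nid_provider = ad\nldap_id_mapping = True\n"
CONF_AFTER = CONF_BEFORE + "ldap_user_ssh_public_key = sshPublicKey\n"
```

To reproduce what sssd sees rather than what administrator sees, feed audit_ldif_keys an LDIF fetched the way sssd fetches it: authenticate with the host keytab (kinit -k with the host principal from /etc/krb5.keytab) and run ldapsearch -Y GSSAPI for the user's sshPublicKey attribute. An attribute the machine account is not allowed to read then comes back missing here exactly as it does in the sssd log, which is the security-descriptor problem Kevin found in ADSI Edit. parse_authorized_key is there because sshd drops an AuthorizedKeysCommand line it cannot parse without any message at its default log level, so a value stored with the LDIF wrap left in, or otherwise mangled in AD, presents only as a password prompt.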