On Fri, Sep 09, 2016 at 09:57:08PM +0000, Ilya Kogan wrote:
Oh that was perfect, thank you. Adding `debug_level=9` revealed
"[sssd[ssh]] [cert_to_ssh_key] (0x0020): CERT_VerifyCertificateNow failed [-8179]."
which led me to
https://www.redhat.com/archives/freeipa-users/2016-July/msg00290.html.
Adding "ca_db = /etc/ipa/nssdb" to the ssh section in sssd.conf fixed it.
I'm a little annoyed that I didn't find that thread earlier.
fyi, in sssd-1.14
https://fedorahosted.org/sssd/ticket/2977 is fixed and
invalid certificates are just skipped and do not cause an error anymore.
bye,
Sumit
--
Ilya Kogan
On Fri, Sep 9, 2016 at 5:44 PM Lukas Slebodnik <lslebodn(a)redhat.com> wrote:
> On (09/09/16 21:20), Ilya Kogan wrote:
> >Hi,
> >
> >As of earlier today, a perfectly working set of systems lost their
> ability to login through FreeIPA managed SSH Keys. FreeIPA was upgraded
> yesterday to 4.3.1 and everything continued to work. Now, when I attempt to
> login using public keys, I get:
> >
> >error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys kogan failed, status 1
> >
> >If I then do `/usr/bin/sss_ssh_authorizedkeys --debug 10 kogan`, I get
> "sss_ssh_authorizedkeys[7413]: sss_ssh_get_ent() failed (14): Bad address".
> It seems very similar to https://fedorahosted.org/freeipa/ticket/2657,
> but the DNS records haven't changed as far as I know and the issue was
> supposedly fixed in much earlier versions of sssd.
> >
> >This is running on Fedora 23 with the following possibly relevant package
> version:
> >
> >freeipa-server: 4.3.1-1.fc23
> >sssd: 1.13.4-4.fc23
> >openssh-server: 7.2p2-3.fc23
> >
> >What further steps can I take to troubleshoot this short of installing
> debugging symbols?
> >
> Did it just fail or is there also a crash?
>
> In case of a crash you can run with valgrind.
>
> You can add debug_level=9 into the ssh section of sssd.conf
> and try to find errors in the related log file.
>
> LS
> _______________________________________________
> sssd-users mailing list
> sssd-users(a)lists.fedorahosted.org
> https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org