On a Debian 9 client the sss_ssh_authorizedkeys command returns an empty list. But the ipauser has an SSH key in its IPA profile, set up via the web UI. The debug log does not point to any error:
(Wed Aug 8 10:54:01 2018) [sssd[ssh]] [get_client_cred] (0x4000): Client creds: euid[65534] egid[65534] pid[11834].
(Wed Aug 8 10:54:01 2018) [sssd[ssh]] [get_client_cred] (0x0080): The following failure is expected to happen in case SELinux is disabled: SELINUX_getpeercon failed [92][Protocol not available]. Please, consider enabling SELinux in your system.
(Wed Aug 8 10:54:01 2018) [sssd[ssh]] [setup_client_idle_timer] (0x4000): Idle timer re-set for client [0x56353b9b65a0][18]
(Wed Aug 8 10:54:01 2018) [sssd[ssh]] [accept_fd_handler] (0x0400): Client connected!
(Wed Aug 8 10:54:01 2018) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Received client version [0].
(Wed Aug 8 10:54:01 2018) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Offered version [0].
(Wed Aug 8 10:54:01 2018) [sssd[ssh]] [ssh_cmd_parse_request] (0x0400): Requested domain [DOMAIN]
(Wed Aug 8 10:54:01 2018) [sssd[ssh]] [ssh_cmd_parse_request] (0x0400): Parsing name [ipauser][DOMAIN]
(Wed Aug 8 10:54:01 2018) [sssd[ssh]] [sss_parse_name_for_domains] (0x0200): name 'ipauser' matched without domain, user is ipauser
(Wed Aug 8 10:54:01 2018) [sssd[ssh]] [sss_parse_name_for_domains] (0x0200): using default domain [DOMAIN]
(Wed Aug 8 10:54:01 2018) [sssd[ssh]] [sss_ssh_cmd_get_user_pubkeys] (0x0400): Requesting SSH user public keys for [ipauser] from [DOMAIN]
(Wed Aug 8 10:54:01 2018) [sssd[ssh]] [sss_dp_issue_request] (0x0400): Issuing request for [0x56353a7ea5f0:1:ipauser@DOMAIN@DOMAIN]
(Wed Aug 8 10:54:01 2018) [sssd[ssh]] [sss_dp_get_account_msg] (0x0400): Creating request for [DOMAIN][0x1][BE_REQ_USER][name=ipauser@DOMAIN:-]
(Wed Aug 8 10:54:01 2018) [sssd[ssh]] [sbus_add_timeout] (0x2000): 0x56353b9b8fc0
(Wed Aug 8 10:54:01 2018) [sssd[ssh]] [sss_dp_internal_get_send] (0x0400): Entering request [0x56353a7ea5f0:1:ipauser@DOMAIN@DOMAIN]
(Wed Aug 8 10:54:01 2018) [sssd[ssh]] [sbus_remove_timeout] (0x2000): 0x56353b9b8fc0
(Wed Aug 8 10:54:01 2018) [sssd[ssh]] [sbus_dispatch] (0x4000): dbus conn: 0x56353b9af060
(Wed Aug 8 10:54:01 2018) [sssd[ssh]] [sbus_dispatch] (0x4000): Dispatching.
(Wed Aug 8 10:54:01 2018) [sssd[ssh]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
(Wed Aug 8 10:54:01 2018) [sssd[ssh]] [ssh_user_pubkeys_search_next] (0x0400): Requesting SSH user public keys for [ipauser@DOMAIN]
(Wed Aug 8 10:54:01 2018) [sssd[ssh]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x56353b9bdcd0
(Wed Aug 8 10:54:01 2018) [sssd[ssh]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x56353b9bdd90
(Wed Aug 8 10:54:01 2018) [sssd[ssh]] [ldb] (0x4000): Running timer event 0x56353b9bdcd0 "ltdb_callback"
(Wed Aug 8 10:54:01 2018) [sssd[ssh]] [ldb] (0x4000): Destroying timer event 0x56353b9bdd90 "ltdb_timeout"
(Wed Aug 8 10:54:01 2018) [sssd[ssh]] [ldb] (0x4000): Ending timer event 0x56353b9bdcd0 "ltdb_callback"
(Wed Aug 8 10:54:01 2018) [sssd[ssh]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x56353b9b90e0
(Wed Aug 8 10:54:01 2018) [sssd[ssh]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x56353b9b98e0
(Wed Aug 8 10:54:01 2018) [sssd[ssh]] [ldb] (0x4000): Running timer event 0x56353b9b90e0 "ltdb_callback"
(Wed Aug 8 10:54:01 2018) [sssd[ssh]] [ldb] (0x4000): Destroying timer event 0x56353b9b98e0 "ltdb_timeout"
(Wed Aug 8 10:54:01 2018) [sssd[ssh]] [ldb] (0x4000): Ending timer event 0x56353b9b90e0 "ltdb_callback"
(Wed Aug 8 10:54:01 2018) [sssd[ssh]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x56353a7ea5f0:1:ipauser@DOMAIN@DOMAIN]
(Wed Aug 8 10:54:01 2018) [sssd[ssh]] [client_recv] (0x0200): Client disconnected!
(Wed Aug 8 10:54:01 2018) [sssd[ssh]] [client_close_fn] (0x2000): Terminated client [0x56353b9b65a0][18]
What could be the root cause?
If you search the cache with ldbsearch -H /var/lib/sss/db/cache_domain.ldb does the user have the pubkey attribute?
On 8 Aug 2018, at 11:02, Peter Viskup via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
No, the pubkey attribute is not there. I tried to clean/invalidate the cache, but it didn't help. This is the complete cache entry:
dn: name=ipauser@domain,cn=users,cn=domain,cn=sysdb
createTimestamp: 1517403271
fullName: Ipa User
gecos: Ipa User
gidNumber: 1462000031
homeDirectory: /home/ipauser
loginShell: /bin/bash
name: ipauser@domain
objectClass: user
uidNumber: 1462000031
originalDN: uid=ipauser,cn=users,cn=accounts,dc=domain,dc=com
userPrincipalName: ipauser@domain
mail: ipauser@domain.com
nameAlias: ipauser@domain
memberof: name=nou-jumpis-users@domain,cn=groups,cn=domain,cn=sysdb
memberof: name=ou-internal-security@domain,cn=groups,cn=domain,cn=sysdb
memberof: name=nou-internal-security-builders@domain,cn=groups,cn=domain,cn=sysdb
initgrExpireTimestamp: 1517403331
originalMemberOf: cn=nou-internal-security-builders,cn=groups,cn=accounts,dc=domain,dc=com
originalMemberOf: ipaUniqueID=e341f66a-e4c9-11e7-b40b-005056ab0ca4,cn=sudorules,cn=sudo,dc=domain,dc=com
originalMemberOf: cn=ou-internal-security,cn=groups,cn=accounts,dc=domain,dc=com
originalMemberOf: ipaUniqueID=5acc123e-d5b5-11e7-9af8-005056ab0ca4,cn=hbac,dc=domain,dc=com
originalMemberOf: cn=nou-jumpis-users,cn=groups,cn=accounts,dc=domain,dc=com
originalMemberOf: ipaUniqueID=dd273a22-d5b7-11e7-88bc-005056ab0ca4,cn=hbac,dc=domain,dc=com
originalMemberOf: ipaUniqueID=4af6ee94-d5bd-11e7-9d4a-005056ab0ca4,cn=hbac,dc=domain,dc=com
originalMemberOf: ipaUniqueID=3a9d728a-e4c6-11e7-88bc-005056ab0ca4,cn=sudorules,cn=sudo,dc=domain,dc=com
originalMemberOf: ipaUniqueID=d03e4b9a-fc4d-11e7-a5c4-005056ab0ca4,cn=sudorules,cn=sudo,dc=domain,dc=com
originalMemberOf: ipaUniqueID=43cb7646-1198-11e8-891e-005056ab0ca4,cn=hbac,dc=domain,dc=com
ccacheFile: FILE:/tmp/krb5cc_1462000031_Aqw31Q
krbLastPwdChange: 20180530070315Z
krbPasswordExpiration: 20180828070315Z
originalModifyTimestamp: 20180808100017Z
entryUSN: 252945251
lastUpdate: 1533722422
dataExpireTimestamp: 1533722482
distinguishedName: name=ipauser@domain,cn=users,cn=domain,cn=sysdb

# returned 1 records
# 1 entries
# 0 referrals
On Thu, Aug 9, 2018 at 9:18 AM, Jakub Hrozek jhrozek@redhat.com wrote:
OK, then no wonder sssd can’t load the attributes. Are the attributes present in the user entry? If you call ipa user-show you should see them.
If the attributes are there, but are not saved, then the sssd domain logs might have an idea what went wrong.
On 9 Aug 2018, at 10:44, Peter Viskup skupko.sk@gmail.com wrote:
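The cache check discussed in this thread, as an added example that is not part of the original messages and is not SSSD or FreeIPA code: it parses `ldbsearch` output (LDIF, including folded lines and base64 `::` values) and reports whether the user's cached entry carries an SSH public key. The function names, the sample entries and the key are constructed for illustration, and `sshPublicKey` is assumed to be the attribute name the SSSD cache uses.

```python
import base64

SSH_ATTR = "sshpublickey"  # assumed SSSD cache attribute (sshPublicKey), lowercased

def parse_ldif(text):
    """Parse ldbsearch output into a list of {lowercased attr: [values]} dicts."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]          # LDIF folding: a leading space continues a line
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines:
        if not line.strip():              # a blank line ends the current entry
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if line.startswith("#"):          # "# record 1", "# returned 1 records", ...
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):         # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        cur.setdefault(attr.strip().lower(), []).append(value)
    if cur:
        entries.append(cur)
    return entries

def check_cached_user(ldif_text, user, now):
    """Report whether `user` is cached, which SSH keys it has, and what to check next."""
    for entry in parse_ldif(ldif_text):
        names = entry.get("name", [])
        if not any(n == user or n.startswith(user + "@") for n in names):
            continue
        keys = entry.get(SSH_ATTR, [])
        expires = int(entry.get("dataexpiretimestamp", ["0"])[0])
        step = ("cache holds keys; the cache is not the problem" if keys else
                "run ipa user-show; if the key is there, read the sssd domain log")
        return {"cached": True, "keys": keys, "expired": expires < now, "next": step}
    return {"cached": False, "keys": [], "expired": False,
            "next": "user is not in the cache; look the user up and search again"}

# Constructed sample: the cache entry from the thread, trimmed to the relevant attributes.
CACHE_NO_KEY = """\
# record 1
dn: name=ipauser@domain,cn=users,cn=domain,cn=sysdb
name: ipauser@domain
uidNumber: 1462000031
lastUpdate: 1533722422
dataExpireTimestamp: 1533722482

# returned 1 records
"""

# Constructed counter-example: the same entry with a made-up key, base64-encoded and folded.
FAKE_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI-CONSTRUCTED-NOT-A-REAL-KEY ipauser@example"
_b64 = base64.b64encode(FAKE_KEY.encode()).decode()
CACHE_WITH_KEY = CACHE_NO_KEY.replace(
    "lastUpdate", "sshPublicKey:: " + _b64[:40] + "\n " + _b64[40:] + "\nlastUpdate")

if __name__ == "__main__":
    for label, ldif in (("thread entry", CACHE_NO_KEY), ("with key", CACHE_WITH_KEY)):
        print(label, check_cached_user(ldif, "ipauser", now=1533722461))
```

On a real client the input would be the output of the `ldbsearch -H /var/lib/sss/db/cache_domain.ldb` command quoted in the thread.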