Lukas Slebodnik wrote on 2015-08-25 11:51:
On (22/08/15 15:32), Davor Vusir wrote:
Jakub Hrozek wrote on 2015-08-20 22:23:
quick top-post
I'll be on vacation starting tomorrow and the whole next week. I hope some of the other sssd developers can help you out.
tl;dr the public key should be set in ldap_user_ssh_public_key
It is.
See https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-i... for some performance tips.
Thank you. The tips did make difference.
Sorry for being terse.
Not at all.
But I'm really curious about the reasons behind SSSD failing to retrieve the public key when deactivating subdomains_provider. In our case, as we don't have subdomains but forest trusts, which SSSD doesn't support, we've got no reason to have subdomains_provider activated to enumerate them (the trusted forests). It would be interesting to know why forest trusts are enumerated in the first place.
In the previous mail, you provided log files from the ssh responder, which just tried to look up the cached ssh key in the sssd cache. But we would need to see a different log file to confirm whether the public ssh key was retrieved from LDAP/AD.
Please:
- clear old log files and sssd cache
rm /var/log/sssd/sssd_ad.example.org
- increase debug_level in domain section to 9
- restart sssd
service sssd stop && rm -Rf /var/lib/sss/db/* && rm -Rf /var/lib/sss/mc/* && service sssd start
- call "getent passwd user_with_ssh_key_in_ad"
myloginid:*:10051785:10000513:Davor Vusir:/home/myloginid:/bin/bash
- provide log files from domain section.
I guess that this is the part you are interested in:
(Tue Aug 25 18:29:50 2015) [sssd[be[ad.example.org]]] [sdap_get_primary_name] (0x0400): Processing object myLoginID
(Tue Aug 25 18:29:50 2015) [sssd[be[ad.example.org]]] [sdap_save_user] (0x0400): Processing user myLoginID
(Tue Aug 25 18:29:50 2015) [sssd[be[ad.example.org]]] [sdap_save_user] (0x2000): Adding originalDN [CN=Davor Vusir,OU=Admins,OU=CT,DC=ad,DC=example,DC=org] to attributes of [myLoginID].
(Tue Aug 25 18:29:50 2015) [sssd[be[ad.example.org]]] [sdap_save_user] (0x0400): Adding original memberOf attributes to [myLoginID].
(Tue Aug 25 18:29:50 2015) [sssd[be[ad.example.org]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original mod-Timestamp [20150817101423.0Z] to attributes of [myLoginID].
(Tue Aug 25 18:29:50 2015) [sssd[be[ad.example.org]]] [sdap_save_user] (0x0400): Adding user principal [myLoginID@AD.EXAMPLE.ORG] to attributes of [myLoginID].
...
(Tue Aug 25 18:29:50 2015) [sssd[be[ad.example.org]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding sshPublicKey [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] to attributes of [myLoginID].
(Tue Aug 25 18:29:50 2015) [sssd[be[ad.example.org]]] [sdap_attrs_add_ldap_attr] (0x2000): authType is not available for [myLoginID].
(Tue Aug 25 18:29:50 2015) [sssd[be[ad.example.org]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding altSecurityIdentities [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] to attributes of [myLoginID].
(Tue Aug 25 18:29:50 2015) [sssd[be[ad.example.org]]] [sysdb_attrs_get_aliases] (0x2000): Domain is case-insensitive; will add lowercased aliases
(Tue Aug 25 18:29:50 2015) [sssd[be[ad.example.org]]] [sdap_save_user] (0x0400): Storing info for user myLoginID
[sssd]
debug_level = 0 # Levels = 0-9
BTW, in this case it's not a big problem; but with other options it can cause headaches while troubleshooting.
The part after the character "#" is not considered a comment. A comment has to start with the character "#" at the beginning of the line.
I see. Thank you for mentioning it. Removed now.
Regards,
Davor
LS
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
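The comment pitfall Lukas points out is easy to miss: because SSSD only treats a line as a comment when "#" is its first character, a setting like "debug_level = 0 # Levels = 0-9" silently gets the whole trailing text as its value. The script below is an added example, not code from this thread or from the SSSD project. It lints a config file for "#" characters that are not in column 0 and rewrites such lines so the comment sits on its own line above the setting. The function names, the temporary files and the sample sssd.conf are constructed for this demonstration; the option names in the sample (debug_level, ldap_user_ssh_public_key, services) are real SSSD options.

```shell
#!/bin/sh
# Added example, not code from the thread or from the SSSD project: a small
# lint for the sssd.conf pitfall discussed above. SSSD treats a line as a
# comment only when "#" is in column 0, so "debug_level = 0 # Levels = 0-9"
# sets debug_level to the string "0 # Levels = 0-9". The sample config and
# the function names here are constructed for this demonstration.

# Report every line whose "#" is not in column 0 (line number and text go to
# stderr) and echo the number of such lines to stdout.
lint_inline_comments() {
    awk '
        /^#/ { next }                                   # genuine comment line
        /#/  { n++; printf "line %d: %s\n", NR, $0 > "/dev/stderr" }
        END  { print n + 0 }
    ' "$1"
}

# Rewrite the file so that each trailing "# ..." becomes its own comment line
# placed just above the setting it described; the result goes to stdout.
fix_inline_comments() {
    awk '
        /^#/ { print; next }
        /#/  {
            i = index($0, "#")
            print substr($0, i)               # the comment, now in column 0
            s = substr($0, 1, i - 1)
            sub(/[[:space:]]+$/, "", s)       # drop blanks left before the "#"
            print s
            next
        }
        { print }
    ' "$1"
}

# Constructed sample sssd.conf containing one mistaken inline comment.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# A real comment: "#" is the first character of the line
[sssd]
debug_level = 0 # Levels = 0-9
services = nss, pam, ssh

[domain/ad.example.org]
ldap_user_ssh_public_key = sshPublicKey
debug_level = 9
EOF

FIXED=$(mktemp)
lint_inline_comments "$SAMPLE"              # reports line 3 on stderr, prints 1
fix_inline_comments "$SAMPLE" > "$FIXED"
lint_inline_comments "$FIXED"               # prints 0
```

Run it against a copy of the real file (lint_inline_comments /etc/sssd/sssd.conf) rather than letting the rewrite overwrite the original. Values that legitimately contain "#", such as a bind password in ldap_default_authtok, are reported as hits too, so review what the lint flags before applying the rewritten output.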