My IPA clients are unable to perform public key/certificate based authentication of Active Directory users. The AD users are in the Default Trust View, where their PIV certificate is populated. Everything worked fine last week after I upgraded to CentOS 7.7 and sssd 1.16.4.21. The issue only appeared after a user's PIV certificate was updated (which was subsequently uploaded into the Default Trust View replacing their previous certificate). AD users ARE able to authenticate via certificate/PIV card to the IPA Servers; I can also kinit as an AD user from an IPA client, however the "id <ad_user>" command produces a "no such user" message (correctly resolves the AD user on the IPA servers, though).
AD user cannot log in to IPA client via ssh.
AD user successfully establishes an ssh login to the IPA client.
$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server

On Client:
ipa-client-4.6.5-11.el7.centos.x86_64

On Server:
ipa-server-4.6.5-11.el7.centos.x86_64
ipa-client-4.6.5-11.el7.centos.x86_64
389-ds-base-1.3.9.1-10.el7.x86_64
pki-ca-10.5.16-3.el7.noarch
krb5-server-1.15.1-37.el7_7.2.x86_64
I have a feeling that the issue is somewhere in SSSD, but I'm raising the issue here in case I'm wrong. Testing has shown that the sss_ssh_authorizedkeys function (when run on IPA clients) CAN identify IPA users that have keys or certificates associated with their account, but fails to match any users identified in the AD trust. The same function works correctly and identifies the AD users when run on the IPA servers.
Hi,
this is most probably a SSSD issue.
It looks like SSSD on the client cannot resolve the user from the trusted AD domain. Since the IPA clients will ask the IPA server for this data it would be first good to know how the id <aduser> output looks on the server.
id <aduser>
Next would be to increase the debug_level in sssd.conf on the client to find out at which step it fails.
I think it would be easier if you can open a new ticket on https://pagure.io/SSSD/sssd/new_issue and close this one here.
bye, Sumit
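One way to carry out the debug_level step from the reply above, as an added example that is not from the ticket or from the SSSD/FreeIPA projects: a small POSIX shell script that raises debug_level in the sections of sssd.conf involved in resolving a user and serving ssh keys, and that reads a section's current level back so the change can be reverted later. The sample config, file paths and level values below are constructed for illustration; the section handling assumes the plain INI layout sssd.conf uses.

```shell
#!/bin/sh
# Added example, not code from the ticket or from the SSSD/FreeIPA projects.
# It performs the step suggested in the reply above: raise debug_level in
# sssd.conf on the IPA client so the failing lookup of the AD user can be
# followed in the SSSD logs. File paths, the sample config and the level
# values used here are constructed for illustration.
set -eu

# set_debug_level FILE LEVEL
# Rewrites FILE in place. In every [domain/...] section and in [nss], [pam]
# and [ssh] an existing "debug_level = N" line is replaced by LEVEL; a section
# without one gets "debug_level = LEVEL" appended as its last option. Other
# sections (e.g. [sssd]) are left alone. On an IPA client the trusted AD users
# are looked up through the [domain/<ipa-domain>] section (the AD domain is a
# subdomain of it), so that section's log is the one that matters here.
set_debug_level() {
    file=$1
    level=$2
    tmp="$file.tmp"
    awk -v lvl="$level" '
        # called when a target section ends: add the option if it was missing
        function flush() {
            if (target && !seen) print "debug_level = " lvl
            target = 0; seen = 0
        }
        # hold blank lines back so an appended option lands before them
        /^[ \t]*$/ { blanks = blanks $0 "\n"; next }
        /^\[/ {
            flush()
            printf "%s", blanks; blanks = ""
            sec = $0; sub(/[ \t]+$/, "", sec)
            target = (sec ~ /^\[domain\//) || sec == "[nss]" || sec == "[pam]" || sec == "[ssh]"
            print
            next
        }
        { printf "%s", blanks; blanks = "" }
        target && /^[ \t]*debug_level[ \t]*=/ { print "debug_level = " lvl; seen = 1; next }
        { print }
        END { flush(); printf "%s", blanks }
    ' "$file" > "$tmp"
    mv "$tmp" "$file"
}

# get_debug_level FILE SECTION
# Prints the debug_level value of SECTION (e.g. "[nss]"), or nothing if the
# section has none; useful for recording the value to restore afterwards.
get_debug_level() {
    awk -v want="$2" '
        /^\[/ { sec = $0; sub(/[ \t]+$/, "", sec); in_sec = (sec == want); next }
        in_sec && /^[ \t]*debug_level[ \t]*=/ {
            sub(/^[ \t]*debug_level[ \t]*=[ \t]*/, ""); print; exit
        }
    ' "$1"
}

# write_sample_conf FILE
# Constructed sssd.conf resembling an IPA client; domain names are made up.
write_sample_conf() {
    cat > "$1" <<'EOF'
[sssd]
domains = ipa.example.test
services = nss, pam, ssh

[nss]
debug_level = 2

[domain/ipa.example.test]
id_provider = ipa
ipa_server = ipa1.ipa.example.test

[pam]
EOF
}

# On a real client (as root), after backing up the file:
#   set_debug_level /etc/sssd/sssd.conf 9 && systemctl restart sssd
# then reproduce "id <ad_user>" and read /var/log/sssd/sssd_<ipa-domain>.log
# and sssd_nss.log; put the previous level back when done.
```

Level 9 produces the most verbose trace; level 6 is usually enough to see which lookup step returns "no such user". Because the script edits the file in place, keep a copy of the original sssd.conf before running it.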
Thanks Sumit. I'll do that.
Closing and opening issue #4096 at sssd.
Metadata Update from @mpreissner: - Issue close_status updated to: invalid - Issue status updated to: Closed (was: Open)