On Fri, Oct 21, 2016 at 01:55:19PM +0100, lejeczek wrote:
> hi all
>
> I cannot ssh from a boxA (ipa-server-4.2.0-15.sl7_2.19.x86_64) to a boxB
> (ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64)
> I realize that to assume version differences cause it is a bit silly, but
> nothing changed except an update of boxB's IPA a day before the problem occurred.
> Also, there is a boxC (ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64) (so
> boxB == boxC IPA-wise) which does ssh in fine.
> Other way around, boxB to boxA ssh works.
> Logs are pretty quiet, I merely see:
>
> error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned status 1
>
> and I'm not sure that appears at the time of the login attempt.
> I do:
> boxA$ ssh boxB
> Connection closed by UNKNOWN
>
> ps. boxA is not banned nor blocked by any tcp/ip means.
>
> many! thanks for any help

Which version of SSSD is running? Do you have user certificates stored in IPA?
In this case you might hit

https://bugzilla.redhat.com/show_bug.cgi?id=1372042
https://fedorahosted.org/sssd/ticket/2977

If there are no updates with a fix available you might want to set

    ldap_user_certificate = noSuchSttribute

in the [domain/...] section of sssd.conf to tell SSSD to not read the
certificates from the server. As an alternative you can add all CA
certificates needed to validate the user certificates properly to
/etc/pki/nssdb.

HTH

bye,
Sumit

> L.
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
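
Added example, not part of the original thread and not SSSD code: a small Python check that reports which [domain/...] sections of an sssd.conf carry the ldap_user_certificate override described above, and flags the option when it sits in a section that is not a domain section. The sample configuration, its domain names and the function name are constructed for illustration.

```python
import configparser

OPTION = "ldap_user_certificate"

# Constructed sample sssd.conf; domain names are placeholders.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam, ssh
domains = example.test, lab.test

[domain/example.test]
id_provider = ipa
ldap_user_certificate = noSuchSttribute

[domain/lab.test]
id_provider = ipa

[ssh]
ldap_user_certificate = noSuchSttribute
"""


def audit_certificate_override(conf_text):
    """Classify sections by where ldap_user_certificate is set.

    overridden: domain -> configured attribute name
    missing:    domains with no override (default mapping stays in use)
    misplaced:  non-domain sections that contain the option; the reply
                above places it in [domain/...]
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    overridden, missing, misplaced = {}, [], []
    for section in parser.sections():
        value = parser.get(section, OPTION, fallback=None)
        if section.startswith("domain/"):
            domain = section[len("domain/"):]
            if value is None:
                missing.append(domain)
            else:
                overridden[domain] = value
        elif value is not None:
            misplaced.append(section)
    return {"overridden": overridden, "missing": missing, "misplaced": misplaced}


if __name__ == "__main__":
    for kind, found in audit_certificate_override(SAMPLE_SSSD_CONF).items():
        print(f"{kind}: {found}")
```

To check a real host, pass the contents of /etc/sssd/sssd.conf (readable by root only) to audit_certificate_override instead of the sample.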
