On Thu, Nov 03, 2016 at 04:35:30PM +0200, Taras Drach wrote:
> Hello everyone!
>
> I want to implement the following scheme:
>
> 1. Use AD as the place for user management
> 2. Store SSH public keys in AD
> 3. Use FreeIPA as sudo/HBAC provider for AD groups for authentication and
> authorisation on the Linux hosts
> 4. Use the trusts roadmap (do not want to synchronise)
>
> My configuration is:
> AD domain - test.loc - Windows Server 2012 R2
> IPA domain - ipa.test.loc - ipa-server 4.2.0 on CentOS 7 (ipa-server.x86_64
> 4.2.0-15.0.1.el7.centos.19 @updates)
>
> At this moment everything is fine except SSH public keys.
>
> I tried to use an override and it works fine (I can log in to a Linux host with an AD
> user with a public key), but I have to create a view in IPA for each user from
> AD. It is not my goal and it also creates inconveniences.
>
> I found that there are several ways to achieve the desired configuration:
> 1. Extend the AD schema with the sshPublicKey attribute
> 2. Use the altSecurityIdentities attribute from AD
>
> At this moment I can obtain the SSH public key from IPA for a user by
> sss_ssh_authorizedkeys -d ipa.test.loc user or
> sss_ssh_authorizedkeys user, because ipa.test.loc is the default domain
>
> But I can't receive the key for an AD user using this command
> sss_ssh_authorizedkeys -d test.loc
>
> At this moment I try to obtain the key via altSecurityIdentities, and I see this
> key in the sssd debug log when I run sss_ssh_authorizedkeys, but I can not see
> the public key on stdout
> Here is the part of the log
> - ...
>
>
> Here is my sssd.conf for the ipa domain
>
> [domain/ipa.test.loc]
> debug_level = 0xfff0
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = ipa.test.loc
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = ipa42.ipa.test.loc
> chpass_provider = ipa
> ipa_server = ipa42.ipa.test.loc
> ipa_server_mode = True
> ldap_tls_cacert = /etc/ipa/ca.crt
> create_homedir = True
> ldap_user_extra_attrs = altSecurityIdentities:altSecurityIdentities

SSH public keys must be stored with the attribute name 'sshPublicKey' in SSSD's cache, please try

ldap_user_extra_attrs = sshPublicKey:altSecurityIdentities

> ldap_user_ssh_public_key = altSecurityIdentities
> ldap_id_mapping = False
>
>

HTH

bye,
Sumit

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
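The mismatch in the thread is easy to reintroduce when editing sssd.conf by hand, so here is a small checker, written as an added example for this page (it is not part of the thread and not SSSD's own code). It parses domain sections of an sssd.conf and reports when the attribute named in ldap_user_ssh_public_key is pulled in through ldap_user_extra_attrs under a cache-side name other than sshPublicKey, which is the name the reply above says the SSH responder expects. The two embedded configuration fragments are constructed for this example and mirror the original and the suggested settings; the script assumes SSSD's documented ldap_user_extra_attrs syntax (comma-separated entries of the form cacheName:ldapAttribute, with a bare entry keeping the same name on both sides) and SSSD's default of sshPublicKey for ldap_user_ssh_public_key.

```python
"""Check that sssd.conf domain sections expose SSH keys under the cache
attribute name 'sshPublicKey'.  Added example; not SSSD project code."""
import configparser
from typing import Dict, List

# Name the SSH responder (sss_ssh_authorizedkeys) reads from SSSD's cache,
# as stated in the reply on this page.
CACHE_KEY_ATTR = "sshPublicKey"

# Constructed sample input: the original mapping from the thread (cache name
# altSecurityIdentities, which the responder never looks at) ...
BROKEN_CONF = """
[domain/ipa.test.loc]
id_provider = ipa
ldap_user_extra_attrs = altSecurityIdentities:altSecurityIdentities
ldap_user_ssh_public_key = altSecurityIdentities
"""

# ... and the suggested mapping (LDAP attribute altSecurityIdentities stored
# in the cache as sshPublicKey).
FIXED_CONF = """
[domain/ipa.test.loc]
id_provider = ipa
ldap_user_extra_attrs = sshPublicKey:altSecurityIdentities
ldap_user_ssh_public_key = altSecurityIdentities
"""


def parse_extra_attrs(value: str) -> Dict[str, str]:
    """Turn 'cacheName:ldapAttr, bareAttr' into {cacheName: ldapAttr, ...}.

    A bare entry (no colon) is stored under its own name, so it maps to itself.
    """
    mapping: Dict[str, str] = {}
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        cache_name, _, ldap_attr = item.partition(":")
        mapping[cache_name.strip()] = (ldap_attr.strip() or cache_name.strip())
    return mapping


def check_ssh_key_mapping(conf_text: str) -> List[str]:
    """Return one finding per misconfigured domain section (empty list = OK)."""
    # interpolation=None: sssd.conf values may legitimately contain '%'.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings: List[str] = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        # SSSD's documented default for ldap_user_ssh_public_key.
        ldap_attr = cp.get(section, "ldap_user_ssh_public_key",
                           fallback=CACHE_KEY_ATTR)
        extra = parse_extra_attrs(cp.get(section, "ldap_user_extra_attrs",
                                         fallback=""))
        # Entries that fetch the key attribute under a cache name the SSH
        # responder does not read are the exact mistake from the thread.
        wrong_names = [cache for cache, ldap in extra.items()
                       if ldap == ldap_attr and cache != CACHE_KEY_ATTR]
        if wrong_names:
            findings.append(
                f"{section}: {ldap_attr} is cached as {', '.join(wrong_names)}; "
                f"use ldap_user_extra_attrs = {CACHE_KEY_ATTR}:{ldap_attr} "
                "so sss_ssh_authorizedkeys can see the key"
            )
    return findings


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        result = check_ssh_key_mapping(conf)
        print(f"{label}: {result if result else 'mapping consistent'}")
```

Run it against a real /etc/sssd/sssd.conf by reading the file into check_ssh_key_mapping; a non-empty result means the key attribute is being fetched from LDAP but stored in the cache under a name the SSH responder never queries, which matches the symptom in the thread of the key appearing in the debug log but not on stdout.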
