Radoslaw Kujawa via FreeIPA-users wrote:
Hi.
On 9/23/21 15:06, Sumit Bose via FreeIPA-users wrote:
> On Thu, Sep 23, 2021 at 12:33:25PM +0200, Radoslaw Kujawa via
> FreeIPA-users wrote:
>
> the keys are only derived from the certificate if the certificate can be
> validated. Have you copied all needed CA certificates to the new machine
> and made SSSD aware of them?
>
Indeed, it was a problem with validation. I originally created a
symlink from /etc/sssd/pki/sssd_auth_ca_db.pem to /etc/ipa/ca.crt .
However, this resulted in an SELinux denial:
----
time->Thu Sep 23 15:35:28 2021
type=AVC msg=audit(1632411328.296:280110): avc: denied { read } for pid=1555510 comm="p11_child" name="sssd_auth_ca_db.pem" dev="nvme0n1p2" ino=421 scontext=system_u:system_r:sssd_t:s0 tcontext=unconfined_u:object_r:sssd_conf_t:s0 tclass=lnk_file permissive=0
After copying the certificate, instead of symlinking it,
sss_ssh_authorizedkeys works correctly and reports public keys from
certificates too.
While here, I have a suggestion. Could ipa-client-install also add the
CA certificate to sssd's PKI directory?
Feel free to open an RFE at
https://pagure.io/freeipa/new_issue
rob
Currently to make this useful functionality work, manual intervention is
necessary after running ipa-client-install (just having the cert in
/etc/ipa/ca.crt is not enough for p11_child to perform validation).
Best regards,
Radoslaw
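The check and fix described in this thread, written up as an added shell example (not code from the thread, SSSD, or FreeIPA). It assumes the paths mentioned above, /etc/sssd/pki/sssd_auth_ca_db.pem and /etc/ipa/ca.crt; the function names and the second audit record are constructed for illustration. It detects the symlink case that p11_child (running as sssd_t) cannot read, installs a real copy of the CA instead, and filters an audit log for the matching AVC records so the condition can be spotted after ipa-client-install.

```shell
#!/bin/sh
# Added example: verify SSSD's CA bundle is readable by p11_child and fix it by copying.
# Paths are the ones discussed in the thread; override via environment if needed.
SSSD_CA_DB="${SSSD_CA_DB:-/etc/sssd/pki/sssd_auth_ca_db.pem}"
IPA_CA="${IPA_CA:-/etc/ipa/ca.crt}"

# check_sssd_ca_db PATH
# Prints one of: symlink, missing, not-a-file, no-pem, ok.  Returns 0 only for ok.
# A symlink is reported first because sssd_t was denied 'read' on tclass=lnk_file.
check_sssd_ca_db() {
    path="$1"
    if [ -L "$path" ]; then echo symlink; return 1; fi
    if [ ! -e "$path" ]; then echo missing; return 1; fi
    if [ ! -f "$path" ]; then echo not-a-file; return 1; fi
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$path"; then echo no-pem; return 1; fi
    echo ok
}

# install_sssd_ca_db SRC DST
# Copy (never symlink) the IPA CA into SSSD's PKI directory, replacing a stale
# symlink if present, then re-apply the SELinux label where restorecon exists.
install_sssd_ca_db() {
    src="$1"; dst="$2"
    mkdir -p "$(dirname "$dst")"
    if [ -L "$dst" ]; then rm -f "$dst"; fi
    cp "$src" "$dst"
    chmod 0644 "$dst"
    if command -v restorecon >/dev/null 2>&1; then restorecon "$dst" || :; fi
    check_sssd_ca_db "$dst"
}

# avc_lnk_denials AUDIT_LOG
# Print AVC records where p11_child was denied access to a symlink; the first
# sample line below is the record from the thread, the second is constructed noise.
avc_lnk_denials() {
    grep -E 'type=AVC .*comm="p11_child".*tclass=lnk_file' "$1"
}

SAMPLE_AUDIT='type=AVC msg=audit(1632411328.296:280110): avc: denied { read } for pid=1555510 comm="p11_child" name="sssd_auth_ca_db.pem" dev="nvme0n1p2" ino=421 scontext=system_u:system_r:sssd_t:s0 tcontext=unconfined_u:object_r:sssd_conf_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1632411400.000:280111): avc: denied { write } for pid=4242 comm="sshd" name="example" dev="nvme0n1p2" ino=999 scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0'

# Usage on a real client (requires root for the install step):
#   sh this_script.sh --check     # report the state of the SSSD CA bundle
#   sh this_script.sh --install   # copy /etc/ipa/ca.crt into place and re-check
case "${1:-}" in
    --check)   check_sssd_ca_db "$SSSD_CA_DB" ;;
    --install) install_sssd_ca_db "$IPA_CA" "$SSSD_CA_DB" ;;
esac
```

The check deliberately distinguishes "symlink" from "missing": both leave sss_ssh_authorizedkeys without certificate-derived keys, but only the first shows up as an AVC in the audit log, so a monitoring rule that keys on the AVC alone would miss a client where the file was never created.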
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure