Hi.
On 9/23/21 15:06, Sumit Bose via FreeIPA-users wrote:
> On Thu, Sep 23, 2021 at 12:33:25PM +0200, Radoslaw Kujawa via
> FreeIPA-users wrote:
> the keys are only derived from the certificate if the certificate can be
> validated. Have you copied all needed CA certificates to the new machine
> and made SSSD aware of it?
Indeed, it was a problem with validation. I had originally created a
symlink from /etc/sssd/pki/sssd_auth_ca_db.pem to /etc/ipa/ca.crt.
However, this resulted in an SELinux denial:
----
time->Thu Sep 23 15:35:28 2021
type=AVC msg=audit(1632411328.296:280110): avc: denied { read } for
pid=1555510 comm="p11_child" name="sssd_auth_ca_db.pem"
dev="nvme0n1p2"
ino=421 scontext=system_u:system_r:sssd_t:s0
tcontext=unconfined_u:object_r:sssd_conf_t:s0 tclass=lnk_file permissive=0
After copying the certificate, instead of symlinking it,
sss_ssh_authorizedkeys works correctly and reports public keys from
certificates too.
While here, I have a suggestion. Could ipa-client-install also add the
CA certificate to sssd's PKI directory?
Currently to make this useful functionality work, manual intervention is
necessary after running ipa-client-install (just having the cert in
/etc/ipa/ca.crt is not enough for p11_child to perform validation).
Best regards,
Radoslaw