On Wed, Jun 20, 2018 at 01:15:24PM -0000, Bart via FreeIPA-users wrote:
Hi all,
I have set up an IPA server, established a trust with an AD domain controller and enrolled a couple
of clients to it.
I have trouble understanding how to properly set up SSH public-key authentication when it
comes to caching.
The issue is that when I upload the key to the server (via the web UI, for an AD user)
and later delete this key (also via the web UI), I can still log in on a client machine for
a couple of days using the private part of my SSH key. The command sss_ssh_authorizedkeys ad_user
shows the correct key on both the server and a client. Even after I manually delete the cache
files on the client, sss_ssh_authorizedkeys still displays the correct key.
Which version of SSSD are you using? The issue sounds like
https://pagure.io/SSSD/sssd/issue/3602.
bye,
Sumit
>
> In a trial-and-error process of debugging it I added entry_cache_user_timeout = 60 to
every section of sssd.conf on a client, but it did not change the situation described
above much.
>
> I assume that this is due to the caching settings on the server side (I guess user
entries are still present in the sssd cache yet they are not visible in the web ui).
> Can someone please point me to the sssd cache settings that would make SSH keys
stop working within a reasonable time after they were deleted?
> Below I paste sanitized sssd config for the server:
>
> [domain/ipa.domain/ad.domain]
> # Trusted AD subdomain on the IPA server. No entry_cache_*_timeout is set
> # here, so cached AD user entries (SSH keys presumably included) expire on
> # the default schedule -- the 60 s value on the client does not reach this host.
> debug_level = 10
> # Enable short names without full domain
> use_fully_qualified_names = False
> ad_server = ad-1.ad.domain,ad-2.ad.domain
> #cache_first = True
>
> [domain/ipa.domain]
> # IPA domain in server mode (this host is the IPA server itself).
> # NOTE(review): ad_server is an AD-provider option; with id_provider = ipa it
> # is probably only meaningful in the trusted-domain section above -- verify.
> ad_server = ad-1.ad.domain,ad-2.ad.domain
> # 10 is the most verbose level; logs grow fast and carry directory data.
> # Lower it once the cache problem is diagnosed.
> debug_level = 10
> id_provider = ipa
> ipa_server_mode = True
> ipa_server = ipa-server.ipa.domain
> ipa_domain = ipa.domain
> ipa_hostname = ipa-server.ipa.domain
> auth_provider = ipa
> chpass_provider = ipa
> access_provider = ipa
> # Offline login support: credential hashes are cached locally and the
> # password is kept (kernel keyring) to obtain a TGT once back online.
> # Both widen what this host stores about users; keep only if needed.
> cache_credentials = True
> ldap_tls_cacert = /etc/ipa/ca.crt
> krb5_store_password_if_offline = True
> 
> # No enumeration of all users/groups.
> enumerate = False
> # Hand these two settings down to every trusted subdomain.
> subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
> ignore_group_members = True
> # 0 disables the periodic cleanup task for inactive cache entries; it does
> # not change when an individual entry goes stale (that is
> # entry_cache_*_timeout, which is not set in this file).
> ldap_purge_cache_timeout = 0
> #cache_first = True
>
> [sssd]
> debug_level = 10
> # Unqualified names are tried against the AD domain before the IPA domain.
> domain_resolution_order = ad.domain, ipa.domain
> # The ssh responder answers sss_ssh_authorizedkeys out of the domain cache.
> services = nss, pam, ifp, ssh, sudo
> domains = ipa.domain
>
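> [nss]
> debug_level = 10
> # Local accounts that are never resolved through SSSD.
> filter_users = root,fedora
> 
> homedir_substring = /home
> # Seconds the fast in-memory cache serves entries to nss clients.
> memcache_timeout = 600
> # Seconds a "not found" answer is cached; an entry created on the IPA side
> # after a negative hit may presumably stay invisible here for up to an hour.
> entry_negative_timeout = 3600
> override_shell = /bin/bash
> # %u expands to the login name.
> override_homedir = /home/%u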
>
>
>
> # Responder sections, all at the maximum debug level. Level 10 is for
> # active troubleshooting only; lower it once the problem is found.
> [pam]
> debug_level = 10
> 
> [sudo]
> debug_level = 10
> 
> [autofs]
> debug_level = 10
> 
> [ssh]
> debug_level = 10
> 
> [pac]
> debug_level = 10
> 
> [ifp]
> debug_level = 10
> 
> [secrets]
> debug_level = 10
> 
> [session_recording]
> debug_level = 10
>
> and the client:
>
> [domain/ipa.domain/ad.domain]
> # Domain sections are the only place entry_cache_user_timeout applies:
> # cached AD user entries go stale after 60 s and are re-fetched on the next
> # lookup. NOTE(review): on an IPA client that refresh presumably goes via
> # the IPA server, whose own cache timeout is unaffected -- see server config.
> entry_cache_user_timeout = 60
> debug_level = 10
> # Enable short names without full domain
> use_fully_qualified_names = False
> subdomain_homedir = /home/%u
> # NOTE(review): none disables IPA SELinux user mapping for this domain;
> # confirm that downgrade is intended rather than only a speed-up.
> selinux_provider = none
> # Do not use the AD Global Catalog for lookups.
> ad_enable_gc = false
> ad_server = ad-1.ad.domain,ad-2.ad.domain
>
>
> [domain/ipa.domain]
> # 60 s expiry for cached IPA user entries (client side only).
> entry_cache_user_timeout = 60
> debug_level = 9
> ad_enable_gc = false
> subdomain_homedir = /home/%u
> # Optimization
> # NOTE(review): selinux_provider = none also drops the IPA SELinux user
> # maps on this client -- confirm that is acceptable, not just faster.
> selinux_provider = none
> # Passed down to the trusted AD subdomain as well.
> subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
> ignore_group_members = True
> # Check the cache of all domains before contacting any provider.
> cache_first = True
> # 0 disables the periodic cleanup of inactive cache entries.
> ldap_purge_cache_timeout = 0
> # Sudo rule refresh: smart refresh every 60 s, full refresh every 6 h.
> ldap_sudo_smart_refresh_interval = 60
> ldap_sudo_full_refresh_interval = 21600
> 
> 
> # Offline login: credential hashes are cached and the password is kept for
> # later TGT renewal -- this client stores more secrets locally than an
> # online-only setup would.
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = ipa.domain
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> # CA used to verify the IPA LDAP/TLS endpoint.
> ldap_tls_cacert = /etc/ipa/ca.crt
> ipa_hostname = ipa-client.ipa.domain
> chpass_provider = ipa
> # _srv_: locate servers via DNS SRV records first, then the listed host.
> ipa_server = _srv_, ipa-server.ipa.domain
> dns_discovery_domain = ipa.domain
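> [sssd]
> # entry_cache_user_timeout is a [domain/...] option; responder and [sssd]
> # sections ignore it, so it is not repeated here.
> domain_resolution_order = ad.domain,ipa.domain
> services = nss, sudo, pam, ssh
> 
> domains = ipa.domain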
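> [nss]
> # entry_cache_user_timeout is a domain option and is ignored by responders,
> # so it is not set in this section.
> override_shell = /bin/bash
> # %u expands to the login name.
> override_homedir = /home/%u
> # Local accounts that are never resolved through SSSD.
> filter_users = root,fedora
> homedir_substring = /home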
>
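> [pam]
> debug_level = 9
> 
> [sudo]
> debug_level = 9
> 
> # NOTE(review): empty section; autofs is not in the services list above,
> # so this is presumably a leftover.
> [autofs]
> 
> # The ssh responder answers sss_ssh_authorizedkeys from the domain cache;
> # entry_cache_user_timeout only takes effect in the [domain/...] sections,
> # so it is not set here (nor in [pam] or [sudo]).
> [ssh]
> debug_level = 9
> 
> [pac]
> debug_level = 9
> 
> 
> [ifp]
> debug_level = 9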