On Fri, Sep 09, 2016 at 09:57:08PM +0000, Ilya Kogan wrote:
> Oh that was perfect, thank you. Adding `debug_level=9` revealed "[sssd[ssh]]
> [cert_to_ssh_key] (0x0020): CERT_VerifyCertificateNow failed [-8179]."
> which led me to
> https://www.redhat.com/archives/freeipa-users/2016-July/msg00290.html.
> Adding "ca_db = /etc/ipa/nssdb" to the ssh section in sssd.conf fixed it.
> I'm a little annoyed that I didn't find that thread earlier.
fyi, in sssd-1.14
https://fedorahosted.org/sssd/ticket/2977 is fixed and
invalid certificates are just skipped and do not cause an error anymore.