Cannot have more than one line on sshPublicKey #7753

Open
dariosusman opened this issue Dec 6, 2024 · 10 comments

Comments

@dariosusman

dariosusman commented Dec 6, 2024

Greetings,

I've been trying to get SSSD to work with multiple SSH public keys but couldn't.

Debian 12, sssd 2.8.2-4.

If sshPublicKey has more than one line, sssd simply does not save the record.

   *  (2024-12-06 14:54:39): [be[<DOMAIN>]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#3] Adding sshPublicKey [<SSH PUBKEY>] to attributes of [dsusman@<DOMAIN>].
   *  (2024-12-06 14:54:39): [be[<DOMAIN>]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#3] Adding sshPublicKey [<SSH PUBKEY>] to attributes of [dsusman@<DOMAIN>].
   *  (2024-12-06 14:54:39): [be[<DOMAIN>]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#3] authType is not available for [dsusman@<DOMAIN>].
   *  (2024-12-06 14:54:39): [be[<DOMAIN>]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#3] userCertificate is not available for [dsusman@<DOMAIN>].
   *  (2024-12-06 14:54:39): [be[<DOMAIN>]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#3] Adding mail [dsusman@<DOMAIN>] to attributes of [dsusman@<DOMAIN>].
   *  (2024-12-06 14:54:39): [be[<DOMAIN>]] [sdap_save_user] (0x0400): [RID#3] Storing info for user dsusman@<DOMAIN>
   *  (2024-12-06 14:54:39): [be[<DOMAIN>]] [sysdb_ldb_msg_difference] (0x2000): [RID#3] Replaced/extended attr [sshPublicKey] of entry [name=dsusman@<DOMAIN>,cn=users,cn=<DOMAIN>,cn=sysdb]
   *  (2024-12-06 14:54:39): [be[<DOMAIN>]] [sysdb_set_cache_entry_attr] (0x0080): [RID#3] ldb_modify failed: [Attribute or value exists](20)[attribute 'sshPublicKey': value '<SSH PUBKEY>' on 'name=dsusman@<DOMAIN>,cn=users,cn=<DOMAIN>,cn=sysdb' provided more than once in REPLACE]

I've got two different ssh public keys I'd like to add, but it looks like sssd won't have it.
The only workaround was to have

ldap_user_ssh_public_key = phoneNumber

on the domain section in sssd.conf set.

Thank you.

Best regards,

Dario Susman

@sumit-bose
Contributor

Hi,

it looks like the error is about adding the same ssh key multiple times. Is, by chance, the same key shown in the two Adding sshPublicKey lines?

bye,
Sumit

@dariosusman
Author

Hi Sumit!
Google LDAP has only two different keys, but SSSD shows as if it's the same duplicated. Which is rather odd.
Doing an ldapsearch returns the two different sshPublicKey lines.
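As an added example (not code from this thread or from SSSD), a check for Sumit's question above: given an ldapsearch LDIF export, it reports whether the directory returns the same sshPublicKey value more than once (an exact repeat of a value is what the ldb REPLACE error in the first comment reports) and, separately, values that carry the same key material under different comments. The LDIF entry and key blobs are constructed placeholders.

```python
import base64
import re
from collections import Counter

# Constructed ldapsearch-style LDIF; the key blobs are placeholders, not real keys.
# The last value is folded over two lines the way ldapsearch wraps long output.
SAMPLE_LDIF = """\
dn: uid=dsusman,ou=Users,dc=example,dc=com
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYONE dsusman@laptop
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYONE dsusman@laptop
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYONE dsusman@desktop
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQFAKE
 KEYTWO dsusman@work
"""

LDIF_LINE = re.compile(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$")

def parse_ldif_entry(text):
    """Unfold continuation lines, decode '::' base64 values, group by attribute."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]  # LDIF folding: one leading space, no newline
        else:
            unfolded.append(line)
    attrs = {}
    for m in filter(None, map(LDIF_LINE.match, unfolded)):  # skips blank/comment lines
        name, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        attrs.setdefault(name.lower(), []).append(value)
    return attrs

def key_identity(value):
    """(key type, base64 blob) of an authorized_keys-style line; options/comment ignored."""
    parts = value.split()
    for i, tok in enumerate(parts[:-1]):
        if tok.startswith(("ssh-", "ecdsa-", "sk-")):
            return tok, parts[i + 1]
    return None

def audit_ssh_keys(ldif, attr="sshpublickey"):
    """Exact duplicates are what ldb rejects; same-material hits differ only in comment."""
    values = [v.strip() for v in parse_ldif_entry(ldif).get(attr, [])]
    exact = Counter(values)
    material = Counter(k for k in map(key_identity, values) if k)
    return {"total": len(values), "distinct_keys": len(material),
            "exact_duplicates": sorted(v for v, n in exact.items() if n > 1),
            "same_key_material": sorted(k for k, n in material.items() if n > 1)}
```

Feed it the output of `ldapsearch ... sshPublicKey` for the affected user; an empty `exact_duplicates` list with two distinct keys means the directory side is clean and the duplication happens inside SSSD's processing.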

@sumit-bose
Contributor

Hi,

this sounds like a Google-specific behavior and support for this might come from the stalled PR #7116.

Do you have the chance to build SSSD with this patch for testing?

bye,
Sumit

@dariosusman
Author

Hi Sumit.

I can give it a shot.

I'll get back to you when I'm done.

Best regards,
Dario Susman

@sumit-bose
Contributor

> Hi Sumit.
>
> I can give it a shot.
>
> I'll get back to you when I'm done.
>
> Best regards, Dario Susman

Hi,

great, thank you.

bye,
Sumit

@dariosusman
Author

Had to make a change to configure.ac

      If this token and others are legitimate, please use m4_pattern_allow.
      See the Autoconf documentation.
autoreconf: error: /usr/bin/autoconf failed with exit status: 1

Replaced line 20 with:
m4_pattern_allow([^AC_DISABLE_STATIC$])

Running it seems not to work at all... I don't know why. I can't say I ever compiled sssd manually, so there might be something I missed.

(2024-12-11 14:23:56): [sssd] [server_setup] (0x3f7c0): Starting with debug level = 0x01f0
(2024-12-11 14:23:56): [sssd] [sss_names_init_from_args] (0x0100): Using re [^((?P<name>.+)@(?P<domain>[^@]+)|(?P<name>[^@]+))$].
(2024-12-11 14:23:56): [sssd] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(2024-12-11 14:23:56): [sssd] [server_loop] (0x3f7c0): Entering main loop under uid=0 (euid=0) : gid=0 (egid=0) with SECBIT_KEEP_CAPS = 0 and following capabilities:
libtool: finish: PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/sbin" ldconfig -n /usr/local/lib/python3.11/site-packages
----------------------------------------------------------------------
Libraries have been installed in:
   /usr/local/lib/python3.11/site-packages

If you ever happen to want to link against installed libraries
   (nothing)
(2024-12-11 14:23:56): [sssd] [get_provider_config] (0x0100): Formed command '/usr/local/libexec/sssd/sssd_be --domain <DOMAIN> --logger=stderr' for provider '%BE_<DOMAIN>'
(2024-12-11 14:23:56): [sssd] [start_service] (0x0100): Queueing service <DOMAIN> for startup
ldb: unable to dlopen /usr/lib/x86_64-linux-gnu/samba/ldb/memberof.a : /usr/lib/x86_64-linux-gnu/samba/ldb/memberof.a: invalid ELF header
ldb: unable to dlopen /usr/lib/x86_64-linux-gnu/samba/ldb/memberof.la : /usr/lib/x86_64-linux-gnu/samba/ldb/memberof.la: invalid ELF header
(2024-12-11 14:23:56): [be[<DOMAIN>]] [server_setup] (0x3f7c0): Starting with debug level = 0x00f0
(2024-12-11 14:23:56): [be[<DOMAIN>]] [dp_module_open_lib] (0x0010): Unable to load module [ldap] with path [/usr/local/lib/sssd/libsss_ldap.so]: libsss_idmap.so.0: cannot open shared object file: No such file or directory
(2024-12-11 14:23:56): [be[<DOMAIN>]] [dp_load_module] (0x0020): Unable to create DP module.
(2024-12-11 14:23:56): [be[<DOMAIN>]] [dp_target_init] (0x0010): Unable to load module ldap
(2024-12-11 14:23:56): [be[<DOMAIN>]] [dp_load_targets] (0x0020): Unable to load target [id] [80]: Accessing a corrupted shared library.
(2024-12-11 14:23:56): [be[<DOMAIN>]] [dp_init] (0x0020): Unable to initialize DP targets [1432158209]: Internal Error
(2024-12-11 14:23:56): [be[<DOMAIN>]] [be_process_init] (0x0010): Unable to setup data provider [1432158209]: Internal Error
(2024-12-11 14:23:56): [be[<DOMAIN>]] [main] (0x0010): Could not initialize backend [1432158209]
(2024-12-11 14:23:56): [sssd] [svc_child_info] (0x0040): Child [3136859] ('<DOMAIN>':'%BE_<DOMAIN>') exited with code [3]

File is present, though.

# ls -l /usr/local/lib/sssd/libsss_ldap.so
-rwxr-xr-x 1 root root 78880 Dec 11 14:02 /usr/local/lib/sssd/libsss_ldap.so
# sha256sum /usr/local/lib/sssd/libsss_ldap.so
0e4717cce0c0da9a04142b7cc9de47fa6b458a238a7e26ab61ab3dd87caa307e  /usr/local/lib/sssd/libsss_ldap.so
#

Rather disappointing :\

@sumit-bose
Contributor

Hi,

which version of autoconf are you using and with which options are you calling autoreconf?

bye,
Sumit

@dariosusman
Author

# autoconf --version
autoconf (GNU Autoconf) 2.71

I did run autoreconf as shown in https://sssd.io/contrib/building-sssd.html
autoreconf -if

I did also use a flag for configure, ./configure --with-smb-idmap-interface-version=5 because it was unable to find the idmap-samba libraries.

Other than that, no joy. I had to remove the stuff from the server I was trying this on. I'm afraid I would be able to test this on a personal VM, perhaps.

@sumit-bose
Contributor

Hi,

I should have used the scroll-bar to scroll to the end of the line. It is not about libsss_ldap.so itself but that the dependency libsss_idmap.so.0 cannot be found. I guess this is installed in /usr/local/lib. Is this directory in your default library search path? If not, maybe setting LD_LIBRARY_PATH=/usr/local/lib when starting SSSD might help.

bye,
Sumit

@dariosusman
Author

Yeah, the LD_LIBRARY_PATH already included /usr/local/lib. Still, I shall have to try this all again on a separate VM and try again.
