I'm running a server with CentOS 7.4.1708 and all patches applied. sssd is version 1.15.2.
I have a working sssd setup which enables me to sign in using SSH public keys stored in Active Directory.
The config

The instance is successfully joined and this is my /etc/sssd/sssd.conf:

```ini
[sssd]
domains = EXAMPLE.COM
default_domain_suffix = EXAMPLE.COM
config_file_version = 2
debug_level = 7
services = nss, pam, ssh

[domain/EXAMPLE.COM]
ad_domain = EXAMPLE.COM
debug_level = 7
krb5_realm = EXAMPLE.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
ldap_user_ssh_public_key = sshPublicKey
ad_access_filter = DOM:EXAMPLE.COM:(memberOf:1.2.840.113556.1.4.1941:=CN=ACL_DEV_APAC_developers,OU=ACL,OU=Group,OU=EXAMPLE,DC=EXAMPLE,DC=COM)

[ssh]
debug_level = 7

[nss]
debug_level = 7
```
My /etc/ssh/sshd_config includes:

```
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
```
The problem
Users are able to log in only once during the cache lifetime (by default 90 minutes); otherwise they are denied access. See the log at https://pastebin.com/Jqc52MWH. For logs with debug_level = 9 see https://pastebin.com/0uQ8MCuS.
Running `sss_ssh_authorizedkeys myadmin` works perfectly when run with a clean/timed-out cache (even multiple times in a row). When I log in via ssh and try to run it directly afterwards, nothing is returned for the user who logged in, but I can query a (new/fresh) user right away.
The workaround
Adding `entry_cache_user_timeout = 5` to `[domain/EXAMPLE.COM]` in /etc/sssd/sssd.conf enables a login every 5 seconds. Faster logins are not possible. A lower timeout lengthens the login time.
Solution
Does anyone have a solution to this problem?
See the bug report for the latest status: https://pagure.io/SSSD/sssd/issue/3534
Workaround 1
Adding the ldap attribute sshPublicKey to the global catalog solves the issue. See https://blogs.technet.microsoft.com/scotts-it-blog/2015/02/28/ad-ds-global-catalogs-and-the-partial-attribute-set/ for instructions. The attribute should look something like this:
Workaround 2
Alternatively one can add `ad_enable_gc = false` to the domain config. Then the global catalog will only be used for cross-domain group memberships. See `man sssd-ad` for details.
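As an added example that is not part of the question or answer above, the following Python script audits an sssd.conf for the settings this thread turns on: it parses the INI-style file, confirms the `ssh` responder and the `ldap_user_ssh_public_key` mapping are present, and reports whether the AD domain section still relies on the global catalog (the problem case, where `sshPublicKey` would have to be in the GC partial attribute set, Workaround 1) or has `ad_enable_gc = false` (Workaround 2). A very low `entry_cache_user_timeout` is flagged as the masking workaround from the question. The sample configuration embedded in the script is constructed, the function names are my own, and treating `false`/`no`/`0` as a false boolean is an assumption about how sssd parses the option.

```python
"""Audit an sssd.conf for the SSH-key lookup settings discussed in this thread.

Added example; not from the question, the answer, or the sssd project.
"""
import configparser
from typing import List

# Constructed sample modelled on the question's configuration (no ad_enable_gc,
# low entry_cache_user_timeout), so the audit below reports two findings.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = EXAMPLE.COM
config_file_version = 2
services = nss, pam, ssh

[domain/EXAMPLE.COM]
ad_domain = EXAMPLE.COM
id_provider = ad
access_provider = ad
ldap_user_ssh_public_key = sshPublicKey
entry_cache_user_timeout = 5
fallback_homedir = /home/%u@%d
ad_access_filter = DOM:EXAMPLE.COM:(memberOf=CN=developers,OU=Group,DC=EXAMPLE,DC=COM)

[ssh]
debug_level = 7
"""


def parse_sssd_conf(text: str) -> configparser.ConfigParser:
    # sssd.conf is "key = value" per line; disable interpolation so values such
    # as /home/%u@%d are kept literally, and only split on the first "=" so
    # LDAP filters containing "=" survive intact.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    return cp


def _is_false(value: str) -> bool:
    # Assumption: sssd accepts these spellings for a false boolean option.
    return value.strip().lower() in ("false", "no", "0")


def audit_ssh_key_lookup(cp: configparser.ConfigParser) -> List[str]:
    """Return a list of human-readable findings; an empty list means no issue found."""
    findings = []
    services = [s.strip() for s in cp.get("sssd", "services", fallback="").split(",")]
    if "ssh" not in services:
        findings.append("[sssd] services does not include 'ssh'; sss_ssh_authorizedkeys cannot work")

    domains = [s for s in cp.sections() if s.startswith("domain/")]
    if not domains:
        findings.append("no [domain/...] section found")

    for sec in domains:
        if cp.get(sec, "id_provider", fallback="") != "ad":
            continue  # the global-catalog behaviour discussed here is specific to the AD provider
        if not cp.has_option(sec, "ldap_user_ssh_public_key"):
            findings.append(f"{sec}: ldap_user_ssh_public_key not set; no attribute maps to SSH keys")
        # ad_enable_gc defaults to true: user lookups then go to the global catalog,
        # which does not carry sshPublicKey unless it is in the partial attribute set.
        if not _is_false(cp.get(sec, "ad_enable_gc", fallback="true")):
            findings.append(
                f"{sec}: ad_enable_gc is enabled; either add sshPublicKey to the global "
                "catalog partial attribute set (Workaround 1) or set ad_enable_gc = false (Workaround 2)"
            )
        timeout = cp.get(sec, "entry_cache_user_timeout", fallback=None)
        if timeout is not None and timeout.strip().isdigit() and int(timeout) < 60:
            findings.append(
                f"{sec}: entry_cache_user_timeout = {timeout.strip()} is very low; this only masks "
                "the lookup problem and slows down logins"
            )
    return findings


def audit_file(path: str) -> List[str]:
    """Audit a real file, e.g. audit_file('/etc/sssd/sssd.conf')."""
    with open(path, encoding="utf-8") as fh:
        return audit_ssh_key_lookup(parse_sssd_conf(fh.read()))


if __name__ == "__main__":
    for finding in audit_ssh_key_lookup(parse_sssd_conf(SAMPLE_SSSD_CONF)):
        print(finding)
```

Run it as root against the real file with `audit_file("/etc/sssd/sssd.conf")`; an empty result means the ssh responder is enabled, the key attribute is mapped, and the domain no longer depends on the global catalog for user attributes.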