> On 03/20/2015 04:51 PM, nat...@nathanpeters.com wrote:
>> I have FreeIPA installed on several types of Linux machines and they are
>> all experiencing strange issues with certificates and host keys.
>> Here is the setup:
>>
>> Server : FreeIPA 4.1.2 on CentOS 7
>> Client 1&2 : FreeIPA 3.0.0-42.el6 with sssd 1.11.6-30.el6_6.4 on CentOS 6.5
>> Client 3&4 : FreeIPA 4.1.2-1.el7 on CentOS 7
>>
>> First, the FreeIPA clients running client 3.0.0 do not seem to be
>> properly getting their host keys from the server. Whenever I ssh from one
>> client to another (or even to the IPA server itself) I am prompted to
>> answer yes or no to the host key. The host keys are both listed in the
>> host record if I log in to the domain controller web interface (and match
>> what is on the server), and the DNS SSHFP records exist also.
>>
>> # sss_ssh_authorizedkeys --debug 10 admin
>> (Fri Mar 20 13:43:52:706986 2015) [sss_ssh_authorizedkeys] [main] (0x0020): sss_ssh_get_ent() failed (2): No such file or directory
>> Error looking up public keys
>
> It seems that you might be missing the integration between sssd and ssh.
> Can you please check your configuration as described here:
> http://www.freeipa.org/images/1/10/Freeipa30_SSSD_OpenSSH_integration.pdf
>
Actually this was the problem: I had added the following line to the [sssd] section of sssd.conf:

[sssd]
default_domain_suffix = addomain.net

The reason I had added this is because our business asked if our Active Directory trusted users could be allowed to log in without entering their FQDN. Setting default_domain_suffix allows them to just log in as 'aduser' instead of 'adu...@addomain.net'.

However, this apparently breaks host key checking. Turning the sssd debug level up to 9 revealed that it was appending the default_domain_suffix to all hostnames (fully qualified or not) before asking FreeIPA for their host keys:

(Fri Mar 20 23:19:55 2015) [sssd[ssh]] [ssh_host_pubkeys_search_next] (0x0400): Requesting SSH host public keys for [ipaclient1-sandbox-atdev-van.ipadomain....@addomain.net]
(Fri Mar 20 23:19:55 2015) [sssd[ssh]] [sysdb_search_ssh_hosts] (0x0400): No such host

So 2 more questions:

1. Is this a bug?
2. If it is not a bug or is expected behavior, is there a way to both
   A) have AD users able to log in as 'aduser' instead of 'adu...@addomain.net', AND
   B) still get host key checking working properly?

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
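The two things the thread turns on are whether OpenSSH is actually wired to SSSD's host-key lookup (the integration the reply points at) and whether default_domain_suffix is set in the [sssd] section (the setting the poster found being appended to host names). Below is an added example, written for this page and not code from the thread, SSSD or FreeIPA, that checks both against config files. The GlobalKnownHostsFile path and the sss_ssh_knownhostsproxy ProxyCommand are the ones documented in the sssd_ssh man page; the config file contents, domain names (ipa.example.test, ad.example.test) and file names are constructed samples written to a temporary directory so the script runs offline. The second check only reports that the setting is present; it does not prove the ssh responder will misbehave, it just flags the configuration the poster saw involved.

```shell
#!/bin/sh
# Added example, not code from the thread or from SSSD/FreeIPA.
# Two offline checks for the situation discussed above:
#   1. is ssh_config wired to SSSD's host-key lookup (GlobalKnownHostsFile +
#      sss_ssh_knownhostsproxy, as documented in sssd_ssh(8))?
#   2. does sssd.conf set default_domain_suffix in its [sssd] section?
# All config files used here are constructed samples written to a temp
# directory; on a real host point the functions at /etc/ssh/ssh_config and
# /etc/sssd/sssd.conf instead. Domain names are made-up example values.

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Return 0 when an ssh_config routes host-key lookups through SSSD:
# the SSSD-generated known_hosts file plus the knownhosts proxy command.
sssd_ssh_integration_ok() {
    cfg="$1"
    grep -Eq '^[[:space:]]*GlobalKnownHostsFile[[:space:]]+/var/lib/sss/pubconf/known_hosts' "$cfg" || return 1
    grep -Eq '^[[:space:]]*ProxyCommand[[:space:]]+.*sss_ssh_knownhostsproxy' "$cfg" || return 1
}

# Print the value of default_domain_suffix from the [sssd] section only
# (first match wins); return 1 if it is not set there.
sssd_default_domain_suffix() {
    value=$(awk '
        /^[[:space:]]*\[/ { in_sssd = ($0 ~ /^[[:space:]]*\[sssd\][[:space:]]*$/); next }
        in_sssd && /^[[:space:]]*default_domain_suffix[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit
        }' "$1")
    [ -n "$value" ] || return 1
    printf '%s\n' "$value"
}

# Constructed sample 1: ssh_config with the SSSD integration in place.
GOOD_SSH_CONFIG="$SAMPLE_DIR/ssh_config.good"
cat >"$GOOD_SSH_CONFIG" <<'EOF'
GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
Host *
    ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
EOF

# Constructed sample 2: ssh_config without it (plain yes/no host-key prompt).
PLAIN_SSH_CONFIG="$SAMPLE_DIR/ssh_config.plain"
cat >"$PLAIN_SSH_CONFIG" <<'EOF'
Host *
    ForwardAgent no
EOF

# Constructed sample 3: sssd.conf with a suffix set in [sssd], as in the thread.
SUFFIX_SSSD_CONF="$SAMPLE_DIR/sssd.conf.suffix"
cat >"$SUFFIX_SSSD_CONF" <<'EOF'
[sssd]
services = nss, pam, ssh
domains = ipa.example.test
default_domain_suffix = ad.example.test

[domain/ipa.example.test]
id_provider = ipa
EOF

# Constructed sample 4: the same file with the suffix line removed.
NOSUFFIX_SSSD_CONF="$SAMPLE_DIR/sssd.conf.nosuffix"
grep -v '^default_domain_suffix' "$SUFFIX_SSSD_CONF" >"$NOSUFFIX_SSSD_CONF"

# Human-readable report; exit 0 only when the integration is present and no
# default_domain_suffix is set in [sssd].
report() {
    ssh_cfg="$1"; sssd_cfg="$2"; status=0
    if sssd_ssh_integration_ok "$ssh_cfg"; then
        echo "ok:   $ssh_cfg uses sss_ssh_knownhostsproxy and SSSD's known_hosts"
    else
        echo "warn: $ssh_cfg lacks the SSSD known_hosts integration"; status=1
    fi
    if suffix=$(sssd_default_domain_suffix "$sssd_cfg"); then
        echo "warn: $sssd_cfg sets default_domain_suffix = $suffix in [sssd];"
        echo "      the thread above saw that suffix appended to host names in SSH host-key lookups"
        status=1
    else
        echo "ok:   $sssd_cfg sets no default_domain_suffix in [sssd]"
    fi
    return $status
}

# First run is expected to warn (non-zero exit), second to pass.
report "$GOOD_SSH_CONFIG" "$SUFFIX_SSSD_CONF" || :
report "$GOOD_SSH_CONFIG" "$NOSUFFIX_SSSD_CONF" || :
```

On a real client, run `report /etc/ssh/ssh_config /etc/sssd/sssd.conf`; a ProxyCommand can also live in a per-user ~/.ssh/config, so check that file too if the global one comes up empty.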