> On 03/20/2015 04:51 PM, nat...@nathanpeters.com wrote:
>> I have FreeIPA installed on several types of Linux machines and they are
>> all experiencing strange issues with certificates and host keys.
>> Here is the setup:
>> Server : FreeIPA 4.1.2 on Centos 7
>> Client 1&2 : FreeIPA 3.0.0-42.el6 with sssd 1.11.6-30.el6_6.4 on CentOS
>> Client 3&4 : FreeIPA 4.1.2-1.el7 on Centos 7
>> First the FreeIPA clients running client 3.0.0 do not seem to be
>> getting their host keys from the server. Whenever I ssh from one client
>> to another (or even to the IPA server itself) I am prompted to answer
>> yes or no to the host key. The host keys are both listed in the host record
>> if I login to the domain controller web interface (and match what is on
>> the server), and the DNS SSHFP records exist also.
>> # sss_ssh_authorizedkeys --debug 10 admin
>> (Fri Mar 20 13:43:52:706986 2015) [sss_ssh_authorizedkeys] [main]
>> (0x0020): sss_ssh_get_ent() failed (2): No such file or directory
>> Error looking up public keys
> It seems that you might be missing the integration between sssd and ssh.
> Can you please check your configuration as described here:
Actually this was the problem:
I had added the following line to the [sssd] section of sssd.conf:
default_domain_suffix = addomain.net
The reason I had added this is because our business asked if our active
directory trusted users can be allowed to login without entering their
fqdn. Setting the default_domain_suffix allows them to just login as
'aduser' instead of 'adu...@addomain.net'.
However, this apparently breaks host key checking. Turning debugging on
the sssd up to 9 revealed that it was appending the default_domain_suffix
line to all hostnames (fully qualified and not) before asking FreeIPA for
their host keys:
(Fri Mar 20 23:19:55 2015) [sssd[ssh]] [ssh_host_pubkeys_search_next]
(0x0400): Requesting SSH host public keys for
(Fri Mar 20 23:19:55 2015) [sssd[ssh]] [sysdb_search_ssh_hosts] (0x0400):
No such host
So 2 more questions:
1. Is this a bug?
2. If it is not a bug or is expected behavior, is there a way to both
A) Have ad users able to login as 'aduser' instead of 'adu...@addomain.net'
B) Still get host key checking working properly?
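An added diagnostic, not code from the thread or from sssd, that correlates a default_domain_suffix setting in sssd.conf with failed host-key lookups in the sssd_ssh debug log; the conf fragment and log lines below are constructed, and the bracketed hostname in the "Requesting ..." line is an assumed log format.

```python
"""Added diagnostic (not from the thread or from sssd): flag SSH host-key
lookup failures in the sssd_ssh log while default_domain_suffix is set."""
import configparser
import re

# Constructed sssd.conf fragment mirroring the setting discussed in the thread.
SAMPLE_SSSD_CONF = """
[sssd]
domains = ipa.example.test
services = nss, pam, ssh
default_domain_suffix = addomain.net
"""

# Constructed debug lines shaped like the ones quoted in the thread; the
# "[hostname]" part is an assumption about how the responder logs the name.
SAMPLE_SSH_LOG = """\
(Fri Mar 20 23:19:55 2015) [sssd[ssh]] [ssh_host_pubkeys_search_next] (0x0400): Requesting SSH host public keys for [client3.ipa.example.test]
(Fri Mar 20 23:19:55 2015) [sssd[ssh]] [sysdb_search_ssh_hosts] (0x0400): No such host
"""

REQ_RE = re.compile(r"\[ssh_host_pubkeys_search_next\].*for \[(?P<host>[^\]]+)\]")
FAIL_RE = re.compile(r"\[sysdb_search_ssh_hosts\].*No such host")


def default_domain_suffix(conf_text):
    """Return the [sssd] default_domain_suffix value, or None if it is unset."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp.get("sssd", "default_domain_suffix", fallback=None)


def failed_host_lookups(log_text):
    """Pair each 'Requesting ... for [host]' line with a following 'No such host'."""
    failed, pending = [], None
    for line in log_text.splitlines():
        m = REQ_RE.search(line)
        if m:
            pending = m.group("host")
        elif pending and FAIL_RE.search(line):
            failed.append(pending)
            pending = None
    return failed


def diagnose(conf_text, log_text):
    """Report failed lookups and whether the suffix setting is a likely cause."""
    suffix = default_domain_suffix(conf_text)
    failed = failed_host_lookups(log_text)
    return {"suffix": suffix, "failed_hosts": failed,
            "suspect": bool(suffix) and bool(failed)}
```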