On 03/20/2015 07:41 PM, nat...@nathanpeters.com wrote:
On 03/20/2015 04:51 PM, nat...@nathanpeters.com wrote:
I have FreeIPA installed on several types of Linux machines and they are
all experiencing strange issues with certificates and host keys.
Here is the setup:

Server : FreeIPA 4.1.2 on Centos 7
Client 1&2 : FreeIPA 3.0.0-42.el6 with sssd 1.11.6-30.el6_6.4 on CentOS
Client 3&4 : FreeIPA 4.1.2-1.el7 on Centos 7

First, the FreeIPA clients running client 3.0.0 do not seem to be
getting their host keys from the server.  Whenever I ssh from one client
to another (or even to the IPA server itself) I am prompted to answer
yes or no to the host key.  The host keys are both listed in the host record
if I log in to the domain controller web interface (and match what is on
the server), and the DNS SSHFP records exist also.

# sss_ssh_authorizedkeys --debug 10 admin
(Fri Mar 20 13:43:52:706986 2015) [sss_ssh_authorizedkeys] [main]
(0x0020): sss_ssh_get_ent() failed (2): No such file or directory
Error looking up public keys
It seems that you might be missing the integration between sssd and ssh.
Can you please check your configuration as described here:

Actually, this was the problem:

I had added the following line to the [sssd] section of sssd.conf:
default_domain_suffix = addomain.net

The reason I had added this is because our business asked if our active
directory trusted users can be allowed to login without entering their
fqdn.  Setting the default_domain_suffix allows them to just login as
'aduser' instead of 'adu...@addomain.net'.

However, this apparently breaks host key checking.  Turning the sssd debug
level up to 9 revealed that it was appending the default_domain_suffix
to all hostnames (fully qualified or not) before asking FreeIPA for
their host keys:

(Fri Mar 20 23:19:55 2015) [sssd[ssh]] [ssh_host_pubkeys_search_next]
(0x0400): Requesting SSH host public keys for
(Fri Mar 20 23:19:55 2015) [sssd[ssh]] [sysdb_search_ssh_hosts] (0x0400):
No such host

So 2 more questions:
1. Is this a bug?

2. If it is not a bug or is expected behavior, is there a way to both
A) Have ad users able to login as 'aduser' instead of 'adu...@addomain.net'
B) Still get host key checking working properly?

Probably a bug.

Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
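The combination the thread describes (the sssd ssh responder enabled while default_domain_suffix is set in [sssd]) is easy to audit for across a fleet before anyone notices host-key prompts. The script below is an added example, not code from the thread or from the sssd/FreeIPA projects. It reads an sssd.conf text, extracts the [sssd] services list and default_domain_suffix, and reports whether host-key lookups are at risk; the sample config, the ipa.example.test domain and the helper names (ini_get, has_service, hostkey_lookup_at_risk) are constructed for this example. The ssh_config lines it prints are the ones ipa-client-install of that era wrote to route known-hosts lookups through sss_ssh_knownhostsproxy; they are stated from the author's own knowledge, not from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sssd.conf for the combination
# the poster hit, i.e. the 'ssh' responder enabled together with a
# default_domain_suffix in [sssd]. SAMPLE_CONF is constructed to mirror the
# thread's description; the domain names are placeholders.

SAMPLE_CONF='[sssd]
services = nss, pam, ssh, sudo
domains = ipa.example.test
default_domain_suffix = addomain.net

[domain/ipa.example.test]
id_provider = ipa
ipa_server = _srv_'

# The same config with the suffix line removed, for comparison.
SAMPLE_CONF_NO_SUFFIX=$(printf '%s\n' "$SAMPLE_CONF" | grep -v '^default_domain_suffix')

# ini_get CONF SECTION KEY: print the value of KEY inside [SECTION], or nothing.
# Only the first match is printed; keys in other sections are ignored.
ini_get() {
    printf '%s\n' "$1" | awk -v s="[$2]" -v k="$3" '
        $0 == s  { insec = 1; next }
        /^\[/    { insec = 0 }
        insec && $0 ~ ("^" k "[[:space:]]*=") {
            sub(/^[^=]*=[[:space:]]*/, "")
            sub(/[[:space:]]+$/, "")
            print; exit
        }'
}

# has_service CONF NAME: succeed if NAME appears in the [sssd] services list.
has_service() {
    services=$(ini_get "$1" sssd services)
    printf '%s\n' "$services" | tr ',' '\n' \
        | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | grep -qx "$2"
}

# hostkey_lookup_at_risk CONF: print "yes" when the ssh responder is enabled
# and default_domain_suffix is set, "no" otherwise. Per the thread, sssd
# appended the suffix to every hostname (FQDN or not) before asking IPA for
# host keys, so host-key lookups failed with "No such host".
hostkey_lookup_at_risk() {
    suffix=$(ini_get "$1" sssd default_domain_suffix)
    if has_service "$1" ssh && [ -n "$suffix" ]; then
        echo yes
    else
        echo no
    fi
}

# Client-side ssh_config lines that route known-host lookups through sssd
# (what ipa-client-install wrote on clients of that era; stated from the
# author's knowledge, not from the thread).
ssh_config_snippet() {
    cat <<'EOF'
# /etc/ssh/ssh_config: host-key lookup via sssd
GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
EOF
}

echo "default_domain_suffix : '$(ini_get "$SAMPLE_CONF" sssd default_domain_suffix)'"
echo "ssh responder enabled : $(has_service "$SAMPLE_CONF" ssh && echo yes || echo no)"
echo "host-key lookup at risk (with suffix)    : $(hostkey_lookup_at_risk "$SAMPLE_CONF")"
echo "host-key lookup at risk (without suffix) : $(hostkey_lookup_at_risk "$SAMPLE_CONF_NO_SUFFIX")"
echo
ssh_config_snippet
```

To run it against a real host, replace SAMPLE_CONF with `$(cat /etc/sssd/sssd.conf)` (as root; the file is mode 0600). A "yes" result does not by itself prove host-key lookups are broken, it only flags the configuration the thread identified; confirm on the client with the debug run the poster used, `sss_ssh_authorizedkeys --debug 10 <user>`, or by raising the sssd debug level and watching the [sssd[ssh]] lookups for the appended suffix.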

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project
