>> Actually this was the problem :
>>
>> I had added the following line to the [sssd] section of sssd.conf :
>> [sssd]
>> default_domain_suffix = addomain.net
>>
>> The reason I had added this is because our business asked if our active
>> directory trusted users can be allowed to login without entering their
>> fqdn.  Setting the default_domain_suffix allows them to just login as
>> 'aduser' instead of 'adu...@addomain.net'.
>>
>> However, this apparently breaks host key checking.  Turning debugging on
>> the sssd up to 9 revealed that it was appending the
>> default_domain_suffix
>> line to all hostnames (fully qualified and not) before asking FreeIPA
>> for
>> their host keys:
>>
>> (Fri Mar 20 23:19:55 2015) [sssd[ssh]] [ssh_host_pubkeys_search_next]
>> (0x0400): Requesting SSH host public keys for
>> [ipaclient1-sandbox-atdev-van.ipadomain....@addomain.net]
>> (Fri Mar 20 23:19:55 2015) [sssd[ssh]] [sysdb_search_ssh_hosts]
>> (0x0400):
>> No such host
>>
>> So 2 more questions:
>> 1. Is this a bug?
>>
>> 2. If it is not a bug or is expected behavior, is there a way to both
>> A) Have ad users able to login as 'aduser' instead of
>> 'adu...@addomain.net'
>> AND
>> B) Still get host key checking working properly?
>>
>>
> Probably a bug.
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>

Hmm, if it is a bug, it still exists in the newest sssd (1.12.3-2.el7)
because I just tested it on the newest CentOS 7 client and without
default_domain_suffix set I get host key checking, but with it set, it is
failing just like it did on CentOS 6 with the older sssd.

Is there a good place to report that bug so it can hopefully get fixed?


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to