On 03/20/2015 08:18 PM, nat...@nathanpeters.com wrote:
Actually, this was the problem:

I had added the following line to the [sssd] section of sssd.conf:
[sssd]
default_domain_suffix = addomain.net

The reason I had added this is because our business asked if our Active
Directory trusted users can be allowed to log in without entering their
FQDN.  Setting the default_domain_suffix allows them to just log in as
'aduser' instead of 'adu...@addomain.net'.

However, this apparently breaks host key checking.  Turning debugging on
the sssd up to 9 revealed that it was appending the default_domain_suffix
line to all hostnames (fully qualified and not) before asking FreeIPA for
their host keys:

(Fri Mar 20 23:19:55 2015) [sssd[ssh]] [ssh_host_pubkeys_search_next] (0x0400): Requesting SSH host public keys for [ipaclient1-sandbox-atdev-van.ipadomain....@addomain.net]
(Fri Mar 20 23:19:55 2015) [sssd[ssh]] [sysdb_search_ssh_hosts] (0x0400): No such host

So 2 more questions:
1. Is this a bug?

2. If it is not a bug or is expected behavior, is there a way to both
A) Have AD users able to log in as 'aduser' instead of 'adu...@addomain.net'
AND
B) Still get host key checking working properly?


Probably a bug.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Hmm, if it is a bug, it still exists in the newest sssd (1.12.3-2.el7)
because I just tested it on the newest CentOS 7 client and without
default_domain_suffix set I get host key checking, but with it set, it is
failing just like it did on CentOS 6 with the older sssd.

Is there a good place to report that bug so it can hopefully get fixed?


Let us wait till Monday.
I CCed Jakub. He will be able to confirm whether this is a bug or not.
If it is in fact a bug, here is where to file it: https://fedorahosted.org/sssd/ (you need a Fedora login to do it).

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
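
A diagnostic for the symptom reported in this thread, as an added example that is not part of the original messages or of SSSD: it reads `default_domain_suffix` from an sssd.conf text and lists host key lookups in an sssd_ssh debug log that carried that suffix and ended in "No such host". It assumes each log entry is on one line in the format quoted above; the function names, host names and domains are constructed for illustration.

```python
import configparser
import re

# Constructed sample inputs (example domains, not values from the thread).
SAMPLE_CONF = "[sssd]\ndefault_domain_suffix = addomain.example\n"
SAMPLE_LOG = """\
(Fri Mar 20 23:19:55 2015) [sssd[ssh]] [ssh_host_pubkeys_search_next] (0x0400): Requesting SSH host public keys for [client1.ipa.example@addomain.example]
(Fri Mar 20 23:19:55 2015) [sssd[ssh]] [sysdb_search_ssh_hosts] (0x0400): No such host
(Fri Mar 20 23:20:10 2015) [sssd[ssh]] [ssh_host_pubkeys_search_next] (0x0400): Requesting SSH host public keys for [client3.ipa.example]
(Fri Mar 20 23:21:02 2015) [sssd[ssh]] [ssh_host_pubkeys_search_next] (0x0400): Requesting SSH host public keys for [client2@addomain.example]
(Fri Mar 20 23:21:02 2015) [sssd[ssh]] [sysdb_search_ssh_hosts] (0x0400): No such host
"""

REQUEST = re.compile(r"\[ssh_host_pubkeys_search_next\].*"
                     r"Requesting SSH host public keys for \[(?P<name>[^\]]+)\]")
MISS = re.compile(r"\[sysdb_search_ssh_hosts\].*No such host")


def default_suffix(conf_text):
    """Return default_domain_suffix from the [sssd] section, or None."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    return parser.get("sssd", "default_domain_suffix", fallback=None)


def suffixed_host_misses(conf_text, log_text):
    """Host names whose key lookup was made as name@<suffix> and then failed."""
    suffix = default_suffix(conf_text)
    if not suffix:
        return []  # option not set: nothing is appended to host names
    misses, pending = [], None
    for line in log_text.splitlines():
        match = REQUEST.search(line)
        if match:
            pending = match.group("name")  # remember the most recent request
        elif pending and MISS.search(line):
            host, _, domain = pending.rpartition("@")
            if host and domain.lower() == suffix.lower():
                misses.append(host)
            pending = None
    return misses


if __name__ == "__main__":
    for host in suffixed_host_misses(SAMPLE_CONF, SAMPLE_LOG):
        print("lookup failed with suffix appended:", host)
```
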
