On Fri, Mar 20, 2015 at 08:32:14PM -0400, Dmitri Pal wrote:
> On 03/20/2015 08:18 PM, nat...@nathanpeters.com wrote:
> >>>Actually this was the problem :
> >>>
> >>>I had added the following line to the [sssd] section of sssd.conf :
> >>>[sssd]
> >>>default_domain_suffix = addomain.net
> >>>
> >>>The reason I had added this is because our business asked if our active
> >>>directory trusted users can be allowed to login without entering their
> >>>fqdn.  Setting the default_domain_suffix allows them to just login as
> >>>'aduser' instead of 'adu...@addomain.net'.
> >>>
> >>>However, this apparently breaks host key checking.  Turning debugging on
> >>>the sssd up to 9 revealed that it was appending the default_domain_suffix
> >>>line to all hostnames (fully qualified and not) before asking FreeIPA for
> >>>their host keys:
> >>>
> >>>(Fri Mar 20 23:19:55 2015) [sssd[ssh]] [ssh_host_pubkeys_search_next] (0x0400): Requesting SSH host public keys for [ipaclient1-sandbox-atdev-van.ipadomain....@addomain.net]
> >>>(Fri Mar 20 23:19:55 2015) [sssd[ssh]] [sysdb_search_ssh_hosts] (0x0400): No such host
> >>>
> >>>So 2 more questions:
> >>>1. Is this a bug?
> >>>
> >>>2. If it is not a bug or is expected behavior, is there a way to both
> >>>A) Have ad users able to login as 'aduser' instead of 'adu...@addomain.net'
> >>>AND
> >>>B) Still get host key checking working properly?
> >>>
> >>>
> >>Probably a bug.
> >>
> >>--
> >>Thank you,
> >>Dmitri Pal
> >>
> >>Sr. Engineering Manager IdM portfolio
> >>Red Hat, Inc.
> >>
> >>--
> >>Manage your subscription for the Freeipa-users mailing list:
> >>https://www.redhat.com/mailman/listinfo/freeipa-users
> >>Go to http://freeipa.org for more info on the project
> >>
> >Hmm, if it is a bug, it still exists in the newest sssd (1.12.3-2.el7)
> >because I just tested it on the newest CentOS 7 client and without
> >default_domain_suffix set I get host key checking, but with it set, it is
> >failing just like it did on CentOS 6 with the older sssd.
> >
> >Is there a good place to report that bug so it can hopefully get fixed?
> >
> >
> Let us wait till Monday.
> I CCed Jakub. He will be able to confirm whether this is a bug or not.
> If it is in fact a bug here is where to file it:
> https://fedorahosted.org/sssd/ you need a Fedora login to do it.

Thanks for CC-ing me Dmitri, I only monitor freeipa-users based on subjects
and didn't realize this thread was about SSSD.

I didn't reproduce the problem myself yet, but I checked the sources and I
think it's a bug, much like one in the autofs responder we've had some time
ago.

Please open a bug upstream or in RHBZ, we need to track this problem.

Thanks!
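
Added example, not part of the original thread and not SSSD code: a check that reads default_domain_suffix from sssd.conf text and scans ssh responder debug output for the pattern quoted above, a host key request for name@suffix followed by "No such host". The config, log lines and hostnames are constructed placeholders, the log layout is assumed from the two lines quoted in the thread, and the function names are hypothetical.

```python
import configparser
import re

# Constructed sample input (not from a real system); hostnames are placeholders.
SAMPLE_CONF = """\
[sssd]
services = nss, pam, ssh
default_domain_suffix = ad.example.test
"""

SAMPLE_LOG = """\
(Fri Mar 20 23:19:55 2015) [sssd[ssh]] [ssh_host_pubkeys_search_next] (0x0400): Requesting SSH host public keys for [client1.ipa.example.test@ad.example.test]
(Fri Mar 20 23:19:55 2015) [sssd[ssh]] [sysdb_search_ssh_hosts] (0x0400): No such host
(Fri Mar 20 23:20:02 2015) [sssd[ssh]] [ssh_host_pubkeys_search_next] (0x0400): Requesting SSH host public keys for [client2@ad.example.test]
(Fri Mar 20 23:20:02 2015) [sssd[ssh]] [sysdb_search_ssh_hosts] (0x0400): No such host
(Fri Mar 20 23:21:10 2015) [sssd[ssh]] [ssh_host_pubkeys_search_next] (0x0400): Requesting SSH host public keys for [client3.ipa.example.test]
"""

REQUEST = re.compile(r"\[ssh_host_pubkeys_search_next\].*"
                     r"Requesting SSH host public keys for \[([^\]]+)\]")
MISS = re.compile(r"\[sysdb_search_ssh_hosts\].*No such host")


def default_domain_suffix(conf_text):
    """Return default_domain_suffix from the [sssd] section, or None."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    return cp.get("sssd", "default_domain_suffix", fallback=None)


def suffixed_host_misses(log_text, suffix):
    """Hostnames that were looked up as name@suffix and then not found."""
    hits, pending = [], None
    tail = "@" + suffix.lower()
    for line in log_text.splitlines():
        m = REQUEST.search(line)
        if m:
            name = m.group(1)
            pending = name if name.lower().endswith(tail) else None
        elif pending and MISS.search(line):
            hits.append(pending[: -len(tail)])  # report the name ssh asked for
            pending = None
    return hits


if __name__ == "__main__":
    suffix = default_domain_suffix(SAMPLE_CONF)
    for host in suffixed_host_misses(SAMPLE_LOG, suffix):
        print(f"host key lookup failed after '@{suffix}' was appended: {host}")
```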