Bug 1206189

Summary: [bug] sssd always appends default_domain_suffix when checking for host keys
Product: Red Hat Enterprise Linux 7
Component: sssd
Version: 7.0
Status: CLOSED ERRATA
Severity: unspecified
Priority: medium
Reporter: Jakub Hrozek <jhrozek>
Assignee: SSSD Maintainers <sssd-maint>
QA Contact: Kaushik Banerjee <kbanerje>
CC: grajaiya, jgalipea, jhrozek, lslebodn, mkosek, mzidek, nsoman, pbrezina, preichl, sumenon
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: sssd-1.13.0-0.1.alpha.el7
Doc Type: Bug Fix
Clone Of:
: 1401816
Last Closed: 2015-11-19 11:37:19 UTC
Bug Blocks: 1401816

Description Jakub Hrozek 2015-03-26 14:02:15 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/2609

FreeIPA includes the ability to have the sssd use a host key proxy to check for host keys on the server, rather than using the local known_hosts file, but it breaks if you use the default_domain_suffix

If you have setup your sssd with the following settings:
default_domain_suffix = addomain.net
use_fully_qualified_names = true

This allows active directory users from a trusted Active Directory domain to login to your FreeIPA clients by entering only 'adusername' at the login prompt instead of 'adusername'.

However, when you turn this setting on, it breaks host key checking.  What happens is that the sssd is appending the default_domain_suffix all the time, whether it is needed or not.

Here are my sssd logs during a host key check when using ssh to connect from one FreeIPA host to another (same issue in FreeIPA 3.0.0/sssd 1.11 and 4.1.2 / sssd 1.12)

(Fri Mar 20 23:19:55 2015) [sssd[ssh]] [ssh_host_pubkeys_search_next] (0x0400): Requesting SSH host public keys for [ipaclient1-sandbox-atdev-van.ipadomain.net]
(Fri Mar 20 23:19:55 2015) [sssd[ssh]] [sysdb_search_ssh_hosts] (0x0400): No such host

As you can see from the logs, even though I am sending it a fqdn (ipaclient1-sandbox-atdev-van.ipadomain.net), it is still appending @addomain.net to the address before checking for a host key for that host.

Ideally, you would not want it to ever append the name, even if a fqdn is not given.  Here is why I think this should be the default behavior.

The default_domain_suffix is meant to be applied to usernames when logging in.  It is not meant to be applied to hostnames, especially since the fqdn is quite irrelevant when doing a host key check since you will always be looking for that host in the FreeIPA directory anyway.

Comment 1 Jakub Hrozek 2015-04-01 11:53:17 UTC
* master: eeecc48d22a28bb69da56f6ffd8824163fc9bf00

Comment 5 Sudhir Menon 2015-10-06 13:37:51 UTC
After cross checking the sssd_ssh.log file on the IPA-client box, I found that no such logging is done when the user tries to log in from the AD box using PuTTY, even after setting the log level to 5/9, i.e. debug_level = 5 and debug_level = 9 in the sssd.conf file.

[debug level = 5, 0x0200: Function data
debug level =  9, 0x4000: Extremely low-level tracing information]

Comment 6 Jakub Hrozek 2015-10-06 15:44:29 UTC
(In reply to Sudhir Menon from comment #5)
> After cross checking the sssd_ssh.log file on the IPA-client box found that
> there is no such logging been done when the user tries to login from AD box
> using putty, even after setting the log level to 5/9. i.e debug_level = 5
> and debug_level = 9 in sssd.conf file.
> 
> [debug level = 5, 0x0200: Function data
> debug level =  9, 0x4000: Extremely low-level tracing information]

Can you check if the ssh responder is running?

Did you put the debug level into the [ssh] section?

Comment 7 Sudhir Menon 2015-10-07 07:28:56 UTC
1. ps -ef shows the below; not sure if this is the ssh responder you were referring to.

root     14904 14899  0 12:50 ?        00:00:00 /usr/libexec/sssd/sssd_ssh --uid 0 --gid 0 --debug-to-files

2. Yes, the debug_level = 9 was put under the [ssh] section in sssd.conf on the ipaclient.

[ssh]
debug_level = 9

Comment 8 Jakub Hrozek 2015-10-07 07:51:14 UTC
Ah, I know what's wrong. You were logging in from Windows -- that doesn't trigger the ssh responder. You need to log in from one IPA-managed host to another. It's also in the opening comment:
~~~~~
Here are my sssd logs during a host key check when using ssh to connect from one FreeIPA host to another (same issue in FreeIPA 3.0.0/sssd 1.11 and 4.1.2 / sssd 1.12)
~~~~~

Comment 9 Sudhir Menon 2015-10-07 13:01:37 UTC
Verified: sssd-1.13.0-36.el7.x86_64 on RHEL7.2

1. set the below parameter in sssd.conf on IPAclient.

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = labs01.test
default_domain_suffix = test.in   <---
use_fully_qualified_names = true  <---

[ssh]
debug_level = 7


2. Logged in as an IPA user from IPAclient to IPAServer.

#ssh -l test ipa01.labs01.test

3. The sssd log file on the IPAclient from which we are trying to ssh logs the below.

(Wed Oct  7 18:28:10 2015) [sssd[ssh]] [accept_fd_handler] (0x0400): Client connected!
(Wed Oct  7 18:28:10 2015) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Received client version [0].
(Wed Oct  7 18:28:10 2015) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Offered version [0].
(Wed Oct  7 18:28:10 2015) [sssd[ssh]] [ssh_cmd_parse_request] (0x0400): Requested domain [<ALL>]
(Wed Oct  7 18:28:10 2015) [sssd[ssh]] [sss_ssh_cmd_get_host_pubkeys] (0x0400): Requesting SSH host public keys for [ipa01.labs01.test][] from [<ALL>]
(Wed Oct  7 18:28:10 2015) [sssd[ssh]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7f1361089e20:ipa01.labs01.test]
(Wed Oct  7 18:28:10 2015) [sssd[ssh]] [sss_dp_get_ssh_host_msg] (0x0400): Creating SSH host request for [labs01.test][0][name=ipa01.labs01.test]
(Wed Oct  7 18:28:10 2015) [sssd[ssh]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7f1361089e20:ipa01.labs01.test]
(Wed Oct  7 18:28:10 2015) [sssd[ssh]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success (Success)
(Wed Oct  7 18:28:10 2015) [sssd[ssh]] [ssh_host_pubkeys_search_next] (0x0400): Requesting SSH host public keys for [ipa01.labs01.test]
(Wed Oct  7 18:28:10 2015) [sssd[ssh]] [sysdb_update_ssh_known_host_expire] (0x0400): Updating known_hosts expire time of host ipa01.labs01.test
(Wed Oct  7 18:28:10 2015) [sssd[ssh]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f1361089e20:ipa01.labs01.test]

4. Also tried logging in as a trusted AD user from the IPAclient to the IPAserver as below and found that the default domain suffix is not searched.

[root@ipaclient02 ~]# ssh -l smenon ipa01.labs01.test
(Wed Oct  7 18:35:37 2015) [sssd[ssh]] [client_recv] (0x0200): Client disconnected!
(Wed Oct  7 18:35:41 2015) [sssd[ssh]] [accept_fd_handler] (0x0400): Client connected!
(Wed Oct  7 18:35:41 2015) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Received client version [0].
(Wed Oct  7 18:35:41 2015) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Offered version [0].
(Wed Oct  7 18:35:41 2015) [sssd[ssh]] [ssh_cmd_parse_request] (0x0400): Requested domain [<ALL>]
(Wed Oct  7 18:35:41 2015) [sssd[ssh]] [sss_ssh_cmd_get_host_pubkeys] (0x0400): Requesting SSH host public keys for [ipa01.labs01.test][] from [<ALL>]
(Wed Oct  7 18:35:41 2015) [sssd[ssh]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7f1361089e20:ipa01.labs01.test]
(Wed Oct  7 18:35:41 2015) [sssd[ssh]] [sss_dp_get_ssh_host_msg] (0x0400): Creating SSH host request for [labs01.test][0][name=ipa01.labs01.test]
(Wed Oct  7 18:35:41 2015) [sssd[ssh]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7f1361089e20:ipa01.labs01.test]
(Wed Oct  7 18:35:41 2015) [sssd[ssh]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success (Success)
(Wed Oct  7 18:35:41 2015) [sssd[ssh]] [ssh_host_pubkeys_search_next] (0x0400): Requesting SSH host public keys for [ipa01.labs01.test]
(Wed Oct  7 18:35:41 2015) [sssd[ssh]] [sysdb_update_ssh_known_host_expire] (0x0400): Updating known_hosts expire time of host ipa01.labs01.test
(Wed Oct  7 18:35:41 2015) [sssd[ssh]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f1361089e20:ipa01.labs01.test]

5. The default_domain_suffix, which is test.in as set in sssd.conf on the IPAclient, is not searched in this case.
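
As an added check (not part of this report or of SSSD itself) that turns the log inspection in step 3 into something scriptable: it pairs each host-key request in sssd_ssh.log with its outcome and flags any request where the configured default_domain_suffix shows up in the host lookup, which is the behaviour the opening comment describes. The sample log is constructed; the second, failing request is an assumed rendering of the pre-fix behaviour in this log format.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample log, modelled on the sssd_ssh.log lines quoted in this
# report. The ipa02 request is an ASSUMED rendering of the broken behaviour:
# the parsed domain part carries the default_domain_suffix and sysdb then
# cannot find the host.
SAMPLE_LOG = """\
(Wed Oct  7 18:28:10 2015) [sssd[ssh]] [sss_ssh_cmd_get_host_pubkeys] (0x0400): Requesting SSH host public keys for [ipa01.labs01.test][] from [<ALL>]
(Wed Oct  7 18:28:10 2015) [sssd[ssh]] [ssh_host_pubkeys_search_next] (0x0400): Requesting SSH host public keys for [ipa01.labs01.test]
(Wed Oct  7 18:28:10 2015) [sssd[ssh]] [sysdb_update_ssh_known_host_expire] (0x0400): Updating known_hosts expire time of host ipa01.labs01.test
(Wed Oct  7 18:30:00 2015) [sssd[ssh]] [sss_ssh_cmd_get_host_pubkeys] (0x0400): Requesting SSH host public keys for [ipa02.labs01.test][test.in] from [<ALL>]
(Wed Oct  7 18:30:00 2015) [sssd[ssh]] [ssh_host_pubkeys_search_next] (0x0400): Requesting SSH host public keys for [ipa02.labs01.test@test.in]
(Wed Oct  7 18:30:00 2015) [sssd[ssh]] [sysdb_search_ssh_hosts] (0x0400): No such host
"""

# The responder logs the requested name and the domain part it parsed from it.
REQUEST_RE = re.compile(
    r"\[sss_ssh_cmd_get_host_pubkeys\] \(0x[0-9a-f]+\): "
    r"Requesting SSH host public keys for \[([^\]]*)\]\[([^\]]*)\]"
)


@dataclass
class HostKeyLookup:
    host: str
    domain: str            # domain part sssd parsed out of the request
    found: bool            # a host key was found in sysdb
    suffix_applied: bool   # default_domain_suffix leaked into a host lookup


def audit_host_key_lookups(log_text: str, default_domain_suffix: str) -> list[HostKeyLookup]:
    """Pair each host-key request with its outcome and flag suffix leakage."""
    lookups: list[HostKeyLookup] = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            host, domain = m.group(1), m.group(2)
            leaked = domain == default_domain_suffix or host.endswith("@" + default_domain_suffix)
            lookups.append(HostKeyLookup(host, domain, found=False, suffix_applied=leaked))
        elif lookups and "[sysdb_update_ssh_known_host_expire]" in line:
            lookups[-1].found = True     # key present, known_hosts cache refreshed
        elif lookups and "No such host" in line:
            lookups[-1].found = False    # lookup failed for the most recent request
    return lookups


def regression_present(lookups: list[HostKeyLookup]) -> bool:
    """True if any host lookup had the user-name suffix applied to it."""
    return any(lookup.suffix_applied for lookup in lookups)
```

Run against a real sssd_ssh.log with the suffix from the [sssd] section; a fixed build should produce no flagged lookups and every request should end in a known_hosts expire update.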

Comment 10 errata-xmlrpc 2015-11-19 11:37:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-2355.html