Bug 1206189
Summary: | [bug] sssd always appends default_domain_suffix when checking for host keys | |||
---|---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Jakub Hrozek <jhrozek> | |
Component: | sssd | Assignee: | SSSD Maintainers <sssd-maint> | |
Status: | CLOSED ERRATA | QA Contact: | Kaushik Banerjee <kbanerje> | |
Severity: | unspecified | Docs Contact: | ||
Priority: | medium | |||
Version: | 7.0 | CC: | grajaiya, jgalipea, jhrozek, lslebodn, mkosek, mzidek, nsoman, pbrezina, preichl, sumenon | |
Target Milestone: | rc | |||
Target Release: | --- | |||
Hardware: | Unspecified | |||
OS: | Unspecified | |||
Whiteboard: | ||||
Fixed In Version: | sssd-1.13.0-0.1.alpha.el7 | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | ||
Clone Of: | ||||
: | 1401816 (view as bug list) | Environment: | ||
Last Closed: | 2015-11-19 11:37:19 UTC | Type: | --- | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | ||||
Bug Blocks: | 1401816 |
Description
Jakub Hrozek
2015-03-26 14:02:15 UTC
* master: eeecc48d22a28bb69da56f6ffd8824163fc9bf00 After cross checking the sssd_ssh.log file on the IPA-client box found that there is no such logging been done when the user tries to login from AD box using putty, even after setting the log level to 5/9. i.e debug_level = 5 and debug_level = 9 in sssd.conf file. [debug level = 5, 0x0200: Function data debug level = 9, 0x4000: Extremely low-level tracing information] (In reply to Sudhir Menon from comment #5) > After cross checking the sssd_ssh.log file on the IPA-client box found that > there is no such logging been done when the user tries to login from AD box > using putty, even after setting the log level to 5/9. i.e debug_level = 5 > and debug_level = 9 in sssd.conf file. > > [debug level = 5, 0x0200: Function data > debug level = 9, 0x4000: Extremely low-level tracing information] Can you check if the ssh responder is running? Did you put the debug level into the [ssh] section? 1. ps -ef shows the below, not sure if this is the ssh responder you were referring to. root 14904 14899 0 12:50 ? 00:00:00 /usr/libexec/sssd/sssd_ssh --uid 0 --gid 0 --debug-to-files 2. Yes, the debug_level = 9 was put under the [ssh] section in sssd.conf on the ipaclient. [ssh] debug_level = 9 Ah, I know what's wrong. You were logging in from Windows -- that doesn't trigger the ssh responder. You need to log in from one IPA-managed host to another. It's also in the opening comment: ~~~~~ Here are my sssd logs during a host key check when using ssh to connect from one FreeIPA host to another (same issue in FreeIPA 3.0.0/sssd 1.11 and 4.1.2 / sssd 1.12) ~~~~~ Verified: sssd-1.13.0-36.el7.x86_64 on RHEL7.2 1. set the below parameter in sssd.conf on IPAclient. [sssd] services = nss, sudo, pam, ssh config_file_version = 2 domains = labs01.test default_domain_suffix = test.in <--- use_fully_qualified_names = true <--- [ssh] debug_level = 7 2. Logged in as an IPA user from IPAclient to IPAServer. #ssh -l test ipa01.labs01.test 3. sssd_log file on the IPAclient from where we are trying to do ssh, logs the below. (Wed Oct 7 18:28:10 2015) [sssd[ssh]] [accept_fd_handler] (0x0400): Client connected! (Wed Oct 7 18:28:10 2015) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Received client version [0]. (Wed Oct 7 18:28:10 2015) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Offered version [0]. (Wed Oct 7 18:28:10 2015) [sssd[ssh]] [ssh_cmd_parse_request] (0x0400): Requested domain [<ALL>] (Wed Oct 7 18:28:10 2015) [sssd[ssh]] [sss_ssh_cmd_get_host_pubkeys] (0x0400): Requesting SSH host public keys for [ipa01.labs01.test][] from [<ALL>] (Wed Oct 7 18:28:10 2015) [sssd[ssh]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7f1361089e20:ipa01.labs01.test] (Wed Oct 7 18:28:10 2015) [sssd[ssh]] [sss_dp_get_ssh_host_msg] (0x0400): Creating SSH host request for [labs01.test][0][name=ipa01.labs01.test] (Wed Oct 7 18:28:10 2015) [sssd[ssh]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7f1361089e20:ipa01.labs01.test] (Wed Oct 7 18:28:10 2015) [sssd[ssh]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success (Success) (Wed Oct 7 18:28:10 2015) [sssd[ssh]] [ssh_host_pubkeys_search_next] (0x0400): Requesting SSH host public keys for [ipa01.labs01.test] (Wed Oct 7 18:28:10 2015) [sssd[ssh]] [sysdb_update_ssh_known_host_expire] (0x0400): Updating known_hosts expire time of host ipa01.labs01.test (Wed Oct 7 18:28:10 2015) [sssd[ssh]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f1361089e20:ipa01.labs01.test] 3. Also tried logging as trusted AD user from the IPAclient on the IPAserver as below and found that the default domain suffix is not searched. [root@ipaclient02 ~]# ssh -l smenon ipa01.labs01.test (Wed Oct 7 18:35:37 2015) [sssd[ssh]] [client_recv] (0x0200): Client disconnected! (Wed Oct 7 18:35:41 2015) [sssd[ssh]] [accept_fd_handler] (0x0400): Client connected! (Wed Oct 7 18:35:41 2015) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Received client version [0]. (Wed Oct 7 18:35:41 2015) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Offered version [0]. (Wed Oct 7 18:35:41 2015) [sssd[ssh]] [ssh_cmd_parse_request] (0x0400): Requested domain [<ALL>] (Wed Oct 7 18:35:41 2015) [sssd[ssh]] [sss_ssh_cmd_get_host_pubkeys] (0x0400): Requesting SSH host public keys for [ipa01.labs01.test][] from [<ALL>] (Wed Oct 7 18:35:41 2015) [sssd[ssh]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7f1361089e20:ipa01.labs01.test] (Wed Oct 7 18:35:41 2015) [sssd[ssh]] [sss_dp_get_ssh_host_msg] (0x0400): Creating SSH host request for [labs01.test][0][name=ipa01.labs01.test] (Wed Oct 7 18:35:41 2015) [sssd[ssh]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7f1361089e20:ipa01.labs01.test] (Wed Oct 7 18:35:41 2015) [sssd[ssh]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success (Success) (Wed Oct 7 18:35:41 2015) [sssd[ssh]] [ssh_host_pubkeys_search_next] (0x0400): Requesting SSH host public keys for [ipa01.labs01.test] (Wed Oct 7 18:35:41 2015) [sssd[ssh]] [sysdb_update_ssh_known_host_expire] (0x0400): Updating known_hosts expire time of host ipa01.labs01.test (Wed Oct 7 18:35:41 2015) [sssd[ssh]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f1361089e20:ipa01.labs01.test] 4. default_domain_suffix is not searched in the case which is test.in as mentioned in sssd.conf on IPAclient. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-2355.html |