Bug 1401816
| Field | Value |
|---|---|
| Summary | SSH: default_domain_suffix is not being used for users' authorized keys |
| Product | Red Hat Enterprise Linux 7 |
| Component | sssd |
| Version | 7.3 |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | medium |
| Reporter | Arya Rajendran <arajendr> |
| Assignee | SSSD Maintainers <sssd-maint> |
| QA Contact | Sudhir Menon <sumenon> |
| CC | enewland, grajaiya, jgalipea, jhrozek, kbanerje, ksiddiqu, lslebodn, mkosek, mzidek, nsoman, pbrezina, preichl, sbose, sgoveas, sssd-maint, sumenon, tscherf |
| Target Milestone | rc |
| Keywords | ZStream |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | sssd-1.14.0-43.el7_3.12 |
| Clone Of | 1206189 |
| Clone(s) | 1405584 |
| Bug Depends On | 1206189 |
| Bug Blocks | 1405584 |
| Last Closed | 2017-08-01 09:02:33 UTC |
Comment 2
Jakub Hrozek
2016-12-06 10:28:17 UTC
Fixed upstream:
master: ed71fba97dfcf5b3f0f1834c06660c481b9ab3ce
sssd-1-14: 2949fe58ac344c44d756ca309d4b2b7f3590cee3

yes, PM ack-ed

Hi Thorsten,
can you please add GSSApproved so that we can fix this bug in the next z-stream? Please see the opening comment for the customer impact.

Comment 10
Sudhir Menon

Tested on RHEL7.4 using

ipa-server-4.5.0-9.el7.x86_64
sssd-1.15.2-24.el7.x86_64
selinux-policy-3.13.1-145.el7.noarch
krb5-server-1.15.1-8.el7.x86_64
pki-ca-10.4.1-3.el7.noarch
authconfig-6.2.8-23.el7.x86_64

[root@client sssd]# ssh -l sssd1 ibm-x3250m4-06.testrelm.test
Password:
Could not chdir to home directory /home/pne.qe/sssd1: No such file or directory
-sh-4.2$ id
uid=1261602769(sssd1) gid=1261602769(sssd1) groups=1261602769(sssd1),1261600513(domain users) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-sh-4.2$ whoami
sssd1

(Tue May 16 18:02:31 2017) [sssd[ssh]] [ssh_protocol_parse_request] (0x0400): Requested domain [<ALL>]
(Tue May 16 18:02:31 2017) [sssd[ssh]] [ssh_cmd_get_host_pubkeys] (0x0400): Requesting SSH host public keys for [ibm-x3250m4-06.testrelm.test] from [<ALL>]
(Tue May 16 18:02:31 2017) [sssd[ssh]] [cache_req_set_plugin] (0x2000): CR #0: Setting "Host by name" plugin
(Tue May 16 18:02:31 2017) [sssd[ssh]] [cache_req_send] (0x0400): CR #0: New request 'Host by name'
(Tue May 16 18:02:31 2017) [sssd[ssh]] [cache_req_process_input] (0x0400): CR #0: Parsing input name

(In reply to Sudhir Menon from comment #10)
> Tested on RHEL7.4 using
>
> ipa-server-4.5.0-9.el7.x86_64
> sssd-1.15.2-24.el7.x86_64
> selinux-policy-3.13.1-145.el7.noarch
> krb5-server-1.15.1-8.el7.x86_64
> pki-ca-10.4.1-3.el7.noarch
> authconfig-6.2.8-23.el7.x86_64
>
> [root@client sssd]# ssh -l sssd1 ibm-x3250m4-06.testrelm.test
                                   ^^^^^^^^^^^^
I can see that you used a fully qualified name here. But this bug should use short name + default_domain_suffix to trusted AD domain in sssd.conf.

1. Set the below parameters in sssd.conf on the IPA client.

[sssd]
services = nss, pam, ssh
domains = labs01.test
default_domain_suffix = ad_test.domain  <---
use_fully_qualified_names = true  <---
[ssh]
debug_level = 7

2. Log in as an AD user to the IPA client.

# ssh -l ad_user ipa_client.example.test

> Password:
> Could not chdir to home directory /home/pne.qe/sssd1: No such file or
> directory
> -sh-4.2$ id
> uid=1261602769(sssd1) gid=1261602769(sssd1)
> groups=1261602769(sssd1),1261600513(domain users)
> context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> -sh-4.2$ whoami
> sssd1
>
>
> (Tue May 16 18:02:31 2017) [sssd[ssh]] [ssh_protocol_parse_request]
> (0x0400): Requested domain [<ALL>]
> (Tue May 16 18:02:31 2017) [sssd[ssh]] [ssh_cmd_get_host_pubkeys] (0x0400):
> Requesting SSH host public keys for [ibm-x3250m4-06.testrelm.test] from
> [<ALL>]
> (Tue May 16 18:02:31 2017) [sssd[ssh]] [cache_req_set_plugin] (0x2000): CR
> #0: Setting "Host by name" plugin
> (Tue May 16 18:02:31 2017) [sssd[ssh]] [cache_req_send] (0x0400): CR #0: New
> request 'Host by name'
> (Tue May 16 18:02:31 2017) [sssd[ssh]] [cache_req_process_input] (0x0400):
> CR #0: Parsing input name

I guess Sudhir might have just pasted the wrong verification steps. He showed me steps with a short name earlier. But nevertheless it should be corrected.

Lukas/Sumit,

The actual steps performed for the verification without the domain name appended:

1. On the IPA client set the below

[sssd]
services = nss, sudo, pam, ssh
domains = testrelm.test
default_domain_suffix = pne.qe
use_fully_qualified_names = true

2. Logged in from the IPA master to the IPA client using the short name.

[root@ibm-x3250m4-06 ~]# ssh -l sssd1 client.testrelm.test
-sh-4.2$ whoami
sssd1
-sh-4.2$ id
uid=1261602769(sssd1) gid=1261602769(sssd1) groups=1261602769(sssd1),1261600513(domain users) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-sh-4.2$ getent passwd sssd1
sssd1:*:1261602769:1261602769:sssd1:/home/pne.qe/sssd1:

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:2294
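The verification above depends on the ssh responder applying default_domain_suffix to a short login name before it looks up the user's keys. As an added example that is not part of this bug report or of SSSD, the script below is a workaround wrapper for sshd's AuthorizedKeysCommand for hosts still running an affected build: it reads default_domain_suffix from the [sssd] section of sssd.conf, qualifies a short name (user@domain and DOMAIN\user forms are passed through unchanged), and then hands the qualified name to sss_ssh_authorizedkeys. The script path /usr/local/bin/qualify-keys, the SSSD_CONF and SSS_KEYS variables and the function names are this example's choices; sssd.conf and sss_ssh_authorizedkeys are the real SSSD file and tool.

```shell
#!/bin/sh
# Added example (not SSSD code): wrapper for sshd's AuthorizedKeysCommand
# that qualifies a short login name with default_domain_suffix before
# asking SSSD for the user's authorized keys.  Assumed sshd_config lines:
#   AuthorizedKeysCommand /usr/local/bin/qualify-keys %u
#   AuthorizedKeysCommandUser nobody

SSSD_CONF=${SSSD_CONF:-/etc/sssd/sssd.conf}
SSS_KEYS=${SSS_KEYS:-/usr/bin/sss_ssh_authorizedkeys}

# default_domain_suffix CONF: print the value of default_domain_suffix
# from the [sssd] section of CONF, or nothing if it is not set.  Other
# sections are skipped, so a stray key in a [domain/...] section is ignored.
default_domain_suffix() {
    awk -F= '
        /^[ \t]*\[/ { in_sssd = ($0 ~ /^[ \t]*\[sssd][ \t]*$/); next }
        in_sssd && $1 ~ /^[ \t]*default_domain_suffix[ \t]*$/ {
            v = $2
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            print v
            exit
        }' "$1"
}

# qualify_name NAME CONF: append "@suffix" to NAME unless NAME already
# carries a domain (user@domain or DOMAIN\user) or no suffix is configured.
# This mirrors what a fixed SSSD does itself for the ssh responder.
qualify_name() {
    name=$1
    conf=$2
    case "$name" in
        *@*|*\\*) printf '%s\n' "$name"; return ;;
    esac
    suffix=$(default_domain_suffix "$conf")
    if [ -n "$suffix" ]; then
        printf '%s@%s\n' "$name" "$suffix"
    else
        printf '%s\n' "$name"
    fi
}

main() {
    user=$(qualify_name "$1" "$SSSD_CONF")
    # sshd passes %u verbatim; fail closed (no keys) on anything that is
    # not a plausible login name rather than forwarding it to SSSD.
    case "$user" in
        *[!A-Za-z0-9._@\\-]*) exit 1 ;;
    esac
    exec "$SSS_KEYS" "$user"
}

# Only act when invoked with a user name, as sshd does.
if [ $# -ge 1 ]; then
    main "$1"
fi
```

Install the script root-owned and mode 0755 and keep AuthorizedKeysCommandUser set, since sshd refuses an AuthorizedKeysCommand without one. Check the effect with `sss_ssh_authorizedkeys sssd1@pne.qe` versus `sss_ssh_authorizedkeys sssd1` on the client: on an affected build only the qualified form returns keys. Once the host runs sssd-1.14.0-43.el7_3.12 or later, point AuthorizedKeysCommand back at /usr/bin/sss_ssh_authorizedkeys; the wrapper then adds nothing.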