Bug 1575264

Summary: sssd 1.6.1-3 on fc27 and fc28 does not cache sss_ssh_knownhostproxy effectively
Product: [Fedora] Fedora
Component: sssd
Version: 27
Hardware: x86_64
OS: Linux
Status: CLOSED DUPLICATE
Severity: medium
Priority: unspecified
Type: Bug
Reporter: Martin Jackson <mhjacks>
Assignee: Jakub Hrozek <jhrozek>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: abokovoy, fidencio, jhrozek, lslebodn, mhjacks, mkosek, mzidek, nalin, pbrezina, rharwood, sbose, ssorce
Last Closed: 2018-05-05 17:03:00 UTC

Description Martin Jackson 2018-05-05 14:03:14 UTC
Description of problem:
Using sssd 1.6.1-3 on fc27 and fc28, joined to a FreeIPA domain hosted on the ipa in CentOS 7 CR, the sss_ssh_knownhostproxy cache file is always empty and ssh prompts to accept host keys.

Version-Release number of selected component (if applicable):
1.6.1-3

How reproducible:
On both fc27 and fc28, seemingly always (I have three Fedora nodes I've tested with, 2 27 and 1 28, all on 1.16.1-3). Nodes running CentOS 7 IPA client still cache host keys as expected.

Steps to Reproduce:
1. Create a FreeIPA domain on an el7 host
2. Join a Fedora 27 or 28 node to the domain
3. SSH from the client to the domain controller - the host key should be cached

Actual results:
ssh prompts to accept the host key, complaining that the proxy didn't give an answer ('no hostip for proxy command')

Expected results:
The key is read from cache and login happens through GSSAPI

Additional info:

Comment 1 Lukas Slebodnik 2018-05-05 17:03:00 UTC

*** This bug has been marked as a duplicate of bug 1574778 ***

Comment 2 Lukas Slebodnik 2018-05-05 17:06:29 UTC
I'm so sorry for the regression.

I used to test sssd a little bit more when I was backporting many upstream patches to Fedora dist-git.

I cannot have commit rights anymore, for an unknown reason, so the only way I can help you is to provide a link to a copr build with the fixed version:

https://copr.fedorainfracloud.org/coprs/lslebodn/sssd-test/

Comment 7 Lukas Slebodnik 2018-05-05 20:43:08 UTC
(In reply to Lukas Slebodnik from comment #2)
> the only way how can I help you is to provide link to copr build with
> fixed version
> 
> https://copr.fedorainfracloud.org/coprs/lslebodn/sssd-test/

And Fabiano was kind enough to do the same update in Fedora as well:
https://bodhi.fedoraproject.org/updates/FEDORA-2018-29e4d12fa1
https://bodhi.fedoraproject.org/updates/FEDORA-2018-900d2b7675
https://bodhi.fedoraproject.org/updates/FEDORA-2018-7efba18539

Martin,
Could you test it and provide karma?