Bug 2060657

Summary: Mismatch between input and parsed domain name when default_domain_suffix is set.
Product: Red Hat Enterprise Linux 8
Reporter: Chance Callahan <ccallaha>
Component: sssd
Assignee: Sumit Bose <sbose>
Status: NEW
QA Contact: sssd-qe
Severity: medium
Priority: unspecified
Version: 8.5
CC: atikhono, grajaiya, lslebodn, mzidek, pbrezina, sbose, tscherf, vvanhaft
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Flags: vvanhaft: needinfo? (sbose)
Hardware: Unspecified
OS: Linux
Type: Bug

Description Chance Callahan 2022-03-03 23:04:29 UTC
Description of problem:

There are two domains, AD (example.com) and IPA (linux.example.com), in a trust. When a user sets "default_domain_suffix = example.com" in their sssd.conf, users that log in using the FQDN for the IPA domain (jdoe.com) get hit with a mismatch error:

   *  (2022-03-01  8:30:35): [ssh] [get_client_cred] (0x4000): Client [0x55ad47436280][23] creds: euid[65534] egid[65534] pid[7640] cmd_line['/usr/bin/sss_ssh_authorizedkeys'].
   *  (2022-03-01  8:30:35): [ssh] [setup_client_idle_timer] (0x4000): Idle timer re-set for client [0x55ad47436280][23]
   *  (2022-03-01  8:30:35): [ssh] [accept_fd_handler] (0x0400): Client [CID #1][cmd /usr/bin/sss_ssh_authorizedkeys][0x55ad47436280][23] connected!
   *  (2022-03-01  8:30:35): [ssh] [sss_cmd_get_version] (0x0200): Received client version [0].
   *  (2022-03-01  8:30:35): [ssh] [sss_cmd_get_version] (0x0200): Offered version [0].
   *  (2022-03-01  8:30:35): [ssh] [ssh_protocol_parse_request] (0x0400): Requested domain [example.com]
   *  (2022-03-01  8:30:35): [ssh] [ssh_cmd_get_user_pubkeys] (0x0400): Requesting SSH user public keys for [jdoe.com] from [example.com]
   *  (2022-03-01  8:30:35): [ssh] [cache_req_set_plugin] (0x2000): CR #0: Setting "User by name" plugin
   *  (2022-03-01  8:30:35): [ssh] [cache_req_send] (0x0400): CR #0: REQ_TRACE: New request [CID #1] 'User by name'
   *  (2022-03-01  8:30:35): [ssh] [cache_req_process_input] (0x0400): CR #0: Parsing input name [jdoe.com]
   *  (2022-03-01  8:30:35): [ssh] [sss_domain_get_state] (0x1000): Domain implicit_files is Active
   *  (2022-03-01  8:30:35): [ssh] [sss_domain_get_state] (0x1000): Domain linux.example.com is Active
   *  (2022-03-01  8:30:35): [ssh] [sss_parse_name_for_domains] (0x0200): name 'jdoe.com' matched expression for domain 'linux.example.com', user is jdoe
   *  (2022-03-01  8:30:35): [ssh] [cache_req_input_parsed] (0x0020): Mismatch between input domain name [example.com] and parsed domain name [linux.example.com]

Version-Release number of selected component (if applicable):

SSSD 2.5.2-2.el8_5.4.x86_64

How reproducible:

Consistently.

Steps to Reproduce:
1. Create an environment similar to the one described above.
2. Set "default_domain_suffix = example.com"
3. Attempt to login.

Actual results:

See above.

Expected results:

SSSD hands off the SSH key to OpenSSH and then the key is evaluated by OpenSSH.

Additional info:

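As an added illustration (not code from the report or from SSSD itself), a small parser for the debug-log format quoted above that pulls each "Mismatch between input domain name" event together with the name and user that triggered it. It assumes the log lines keep the shape shown in the report; the sample log is constructed from those lines.

```python
import re

# Constructed sample in the SSSD debug-log shape quoted in this report
# (the leading "   *  " is the prefix SSSD uses when dumping its debug backtrace).
SAMPLE_LOG = """\
   *  (2022-03-01  8:30:35): [ssh] [ssh_protocol_parse_request] (0x0400): Requested domain [example.com]
   *  (2022-03-01  8:30:35): [ssh] [ssh_cmd_get_user_pubkeys] (0x0400): Requesting SSH user public keys for [jdoe.com] from [example.com]
   *  (2022-03-01  8:30:35): [ssh] [cache_req_process_input] (0x0400): CR #0: Parsing input name [jdoe.com]
   *  (2022-03-01  8:30:35): [ssh] [sss_parse_name_for_domains] (0x0200): name 'jdoe.com' matched expression for domain 'linux.example.com', user is jdoe
   *  (2022-03-01  8:30:35): [ssh] [cache_req_input_parsed] (0x0020): Mismatch between input domain name [example.com] and parsed domain name [linux.example.com]
"""

# (timestamp): [responder] [function] (0xlevel): message, with an optional "*" bullet in front
LINE_RE = re.compile(
    r"^\s*(?:\*\s+)?\((?P<ts>[^)]+)\):\s+\[(?P<resp>[^\]]+)\]\s+\[(?P<func>[^\]]+)\]\s+"
    r"\((?P<level>0x[0-9a-fA-F]+)\):\s+(?P<msg>.*)$"
)
MATCHED_RE = re.compile(
    r"name '(?P<name>[^']+)' matched expression for domain '(?P<domain>[^']+)', user is (?P<user>\S+)"
)
MISMATCH_RE = re.compile(
    r"Mismatch between input domain name \[(?P<input>[^\]]+)\] and parsed domain name \[(?P<parsed>[^\]]+)\]"
)


def parse_line(line):
    """Split one debug line into its fields, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_domain_mismatches(text):
    """Return one record per mismatch, joined with the last name-to-domain match seen before it."""
    last_match = None
    found = []
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        mm = MATCHED_RE.search(rec["msg"])
        if mm:
            last_match = mm.groupdict()  # remember which name/domain the parser picked
            continue
        mis = MISMATCH_RE.search(rec["msg"])
        if mis:
            found.append({
                "responder": rec["resp"],
                "input_domain": mis["input"],
                "parsed_domain": mis["parsed"],
                "name": last_match["name"] if last_match else None,
                "user": last_match["user"] if last_match else None,
            })
    return found
```

Running `find_domain_mismatches` over a responder log (for example `/var/log/sssd/sssd_ssh.log` with debug_level raised) lists which input domain and parsed domain disagreed and for which login name, which is the quickest way to tell this default_domain_suffix case apart from an ordinary unknown-user failure.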
Comment 1 Sumit Bose 2022-03-31 12:30:31 UTC
Hi,

thanks for the report, I can reproduce it. It looks like an issue specific to the ssh responder since it is working fine with the nss responder. I will have a close look.

bye,
Sumit