Bug 813884

Summary: 'Error looking up public keys' message shown while doing ssh to ipa-server from ipa-client system
Product: Red Hat Enterprise Linux 6
Reporter: Kaleem <ksiddiqu>
Component: sssd
Assignee: Stephen Gallagher <sgallagh>
Status: CLOSED DUPLICATE
QA Contact: IDM QE LIST <seceng-idm-qe-list>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 6.3
CC: grajaiya, jcholast, jgalipea, mkosek, prc
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Linux
Fixed In Version:
Doc Type: Bug Fix
Last Closed: 2012-06-14 13:13:35 EDT
Type: Bug

Description Kaleem 2012-04-18 12:37:00 EDT
Description of problem:
After joining the system successfully as an ipa-client, the following message is shown when I ssh to the ipa-server after kinit:

Error looking up public keys
Last login: Wed Apr 18 21:43:55 2012 from
Could not chdir to home directory /home/admin: No such file or directory

Version-Release number of selected component (if applicable):
[root@dhcp201-176 ~]# rpm -q ipa-client
[root@dhcp201-176 ~]#

How reproducible:

Steps to Reproduce:
1. Install IPA Server
2. Join a system as ipa-client using ipa-client-install

[root@dhcp201-176 ~]# ipa-client-install --domain=testrelm.com --realm=TESTRELM.COM -p admin -w Secret123 -U --server=ipa63server.testrelm.com
Discovery was successful!
Hostname: dhcp201-176.englab.pnq.redhat.com
DNS Domain: testrelm.com
IPA Server: ipa63server.testrelm.com
BaseDN: dc=testrelm,dc=com

Synchronizing time with KDC...

Enrolled in IPA realm TESTRELM.COM
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TESTRELM.COM
Warning: Could not update DNS SSHFP records.
SSSD enabled
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.
[root@dhcp201-176 ~]#

3. kinit as admin

[root@dhcp201-176 ~]# kinit admin
Password for admin@TESTRELM.COM: 
[root@dhcp201-176 ~]#

4. ssh to ipa-server system.

[root@dhcp201-176 ~]# ssh admin@ipa63server.testrelm.com
Error looking up public keys
Last login: Wed Apr 18 21:43:55 2012 from
Could not chdir to home directory /home/admin: No such file or directory

Actual results:
    The following message is shown:
    "Error looking up public keys"

Expected results:
    Message "Error looking up public keys" should not appear while doing ssh to ipa-server.

Comment 2 Rob Crittenden 2012-04-18 15:35:52 EDT
Does the server have an SSHFP key?

Is the server running an IPA-based DNS?

It would be helpful to see the client install log, /var/log/ipaclient-install.log.

Comment 3 Martin Kosek 2012-04-20 07:52:27 EDT
The issue here is that server SSHFP records are only filled when you install IPA via "ipa-server-install --setup-dns" because they are filled as a part of client installation.

When DNS support is installed separately (ipa-dns-install), SSHFP records for the server are not filled and clients connecting to the master will receive the "Error looking up public keys" error. I will open an upstream ticket to fix that.
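
Comment 3 ties the message to SSHFP records missing for the server. The following added example (not part of the original report, and not IPA or SSSD code) derives the SSHFP records a host key should have per RFC 4255 and lists those absent from a set of published records. The key is a constructed dummy and the function names are hypothetical.

```python
import base64
import hashlib

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479).
KEY_ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256.
FP_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_rdata(pubkey_line):
    """Return the SSHFP RDATA strings expected for one /etc/ssh/*.pub line."""
    fields = pubkey_line.split()
    if len(fields) < 2 or fields[0] not in KEY_ALGORITHMS:
        raise ValueError("unsupported or malformed public key line")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    # The blob begins with a length-prefixed copy of the key type name.
    name_len = int.from_bytes(blob[:4], "big")
    if blob[4:4 + name_len] != key_type.encode():
        raise ValueError("key type does not match key blob")
    alg = KEY_ALGORITHMS[key_type]
    # The fingerprint is the digest of the whole decoded key blob.
    return {"%d %d %s" % (alg, fp, h(blob).hexdigest()) for fp, h in FP_TYPES.items()}


def normalise(record):
    """Lower-case one published record and rejoin hex that was split in chunks."""
    parts = record.lower().split()
    return "%s %s %s" % (parts[0], parts[1], "".join(parts[2:]))


def missing_sshfp(pubkey_lines, published):
    """Return expected SSHFP RDATA absent from `published` (e.g. dig +short)."""
    have = {normalise(r) for r in published if len(r.split()) >= 3}
    expected = set()
    for line in pubkey_lines:
        expected |= sshfp_rdata(line)
    return sorted(expected - have)


def constructed_rsa_line():
    """Constructed sample, not a real host key: ssh-rsa blob with dummy e and n."""
    parts = [b"ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xc3" * 256]
    blob = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " ipa63server.testrelm.com"


if __name__ == "__main__":
    # Empty list = a zone with no SSHFP records for the server, as in this report.
    for rdata in missing_sshfp([constructed_rsa_line()], published=[]):
        print("ipa63server.testrelm.com. IN SSHFP " + rdata)
```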

Comment 4 Martin Kosek 2012-04-20 07:53:30 EDT
Upstream ticket:

Comment 5 Martin Kosek 2012-06-07 07:28:37 EDT
As discussed with Jan Cholasta, this is a bug on the SSSD side; he plans to have it fixed in the scope of https://fedorahosted.org/sssd/ticket/1356.

Moving this bug to the sssd component.

Comment 6 Jenny Galipeau 2012-06-14 13:13:35 EDT

*** This bug has been marked as a duplicate of bug 801719 ***