Bug 839625

Summary: Configuring_an_IPA_Client_on_AIX instructs to configure sshd with 'GSSAPITrustDNS' which causes sshd to no longer start
Product: [Fedora] Fedora Documentation Reporter: Christian Horn <chorn>
Component: freeipa-guideAssignee: Martin Kosek <mkosek>
Status: CLOSED WONTFIX QA Contact: Fedora Documentation Project <docs>
Severity: medium Docs Contact:
Priority: medium    
Version: develCC: dlackey, me, zach
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-10-15 10:55:06 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Christian Horn 2012-07-12 13:01:13 UTC
Description of problem:
http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_AIX.html
instructs to set 'GSSAPITrustDNS no' in /etc/ssh/sshd_config .

Version-Release number of selected component (if applicable):
   current / fedora [15|16|17] instructions

How reproducible:
   always

Steps to Reproduce:
1. access webpage
2. implement change
3. try to start sshd
  
Actual results:
sshd no longer starts

Expected results:
sshd should start

Additional info:
- GSSAPITrustDNS is a ssh client option
- its not mentioned in the manpage but recognized
- http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Kerberos_Errors.html mentions it as client option
- http://freeipa.com/page/ConfiguringAixClients looks like the most current howto and does not mention the option at all. I think just removing the option from the webpage is the most simple way to resolve this (recheck whole howto with an AIX client for bonus)

Comment 1 Deon Ballard 2013-06-25 19:33:14 UTC
Kicking FreeIPA doc bugs over to Martin.

Comment 2 Martin Kosek 2014-10-15 10:55:06 UTC
FreeIPA upstream project no longer actively maintains an upstream guide (details in www.freeipa.org/page/Upstream_User_Guide). The only actively maintained user information is therefore upstream community wiki (FreeIPA.org) and RHEL downstream user guides (http://www.freeipa.org/page/Documentation#User_Guides).

Please file upstream tickets or RHEL documentation Bugzillas to request additional fixes or enhancements in these guides. Thank you and sorry for any inconvenience.