Hide Forgot
This bug is created as a clone of upstream ticket: https://fedorahosted.org/sssd/ticket/2609 FreeIPA includes the ability to have the sssd use a host key proxy to check for host keys on the server, rather than using the local known_hosts file, but it breaks if you use the default_domain_suffix If you have setup your sssd with the following settings: default_domain_suffix = addomain.net use_fully_qualified_names = true This allows active directory users from a trusted Active Directory domain to login to your FreeIPA clients by entering only 'adusername' at the login prompt instead of 'adusername@addomain.net'. However, when you turn this setting on, it breaks host key checking. What happens is that the sssd is appending the default_domain_suffix all the time, whether it is needed or not. Here are my sssd logs during a host key check when using ssh to connect from one FreeIPA host to another (same issue in FreeIPA 3.0.0/sssd 1.11 and 4.1.2 / sssd 1.12) (Fri Mar 20 23:19:55 2015) [sssd[ssh]] [ssh_host_pubkeys_search_next] (0x0400): Requesting SSH host public keys for [ipaclient1-sandbox-atdev-van.ipadomain.net@addomain.net] (Fri Mar 20 23:19:55 2015) [sssd[ssh]] [sysdb_search_ssh_hosts] (0x0400): No such host As you can see from the logs, even though I am sending it a fqdn (ipaclient1-sandbox-atdev-van.ipadomain.net it is still appending @addomain.net to the address before checking for a host key for that host. Ideally, you would not want it to ever append the name, even if a fqdn is not given. Here is why I think this should be the default behavior. The default_domain_suffix is meant to be applied to usernames when logging in. It is not meant to be applied to hostnames, especially since the fqdn is quite irrelevant when doing a host key check since you will always be looking for that host in the FreeIPA directory anyway.
* master: eeecc48d22a28bb69da56f6ffd8824163fc9bf00
After cross checking the sssd_ssh.log file on the IPA-client box found that there is no such logging been done when the user tries to login from AD box using putty, even after setting the log level to 5/9. i.e debug_level = 5 and debug_level = 9 in sssd.conf file. [debug level = 5, 0x0200: Function data debug level = 9, 0x4000: Extremely low-level tracing information]
(In reply to Sudhir Menon from comment #5) > After cross checking the sssd_ssh.log file on the IPA-client box found that > there is no such logging been done when the user tries to login from AD box > using putty, even after setting the log level to 5/9. i.e debug_level = 5 > and debug_level = 9 in sssd.conf file. > > [debug level = 5, 0x0200: Function data > debug level = 9, 0x4000: Extremely low-level tracing information] Can you check if the ssh responder is running? Did you put the debug level into the [ssh] section?
1. ps -ef shows the below, not sure if this is the ssh responder you were referring to. root 14904 14899 0 12:50 ? 00:00:00 /usr/libexec/sssd/sssd_ssh --uid 0 --gid 0 --debug-to-files 2. Yes, the debug_level = 9 was put under the [ssh] section in sssd.conf on the ipaclient. [ssh] debug_level = 9
Ah, I know what's wrong. You were logging in from Windows -- that doesn't trigger the ssh responder. You need to log in from one IPA-managed host to another. It's also in the opening comment: ~~~~~ Here are my sssd logs during a host key check when using ssh to connect from one FreeIPA host to another (same issue in FreeIPA 3.0.0/sssd 1.11 and 4.1.2 / sssd 1.12) ~~~~~
Verified: sssd-1.13.0-36.el7.x86_64 on RHEL7.2 1. set the below parameter in sssd.conf on IPAclient. [sssd] services = nss, sudo, pam, ssh config_file_version = 2 domains = labs01.test default_domain_suffix = test.in <--- use_fully_qualified_names = true <--- [ssh] debug_level = 7 2. Logged in as an IPA user from IPAclient to IPAServer. #ssh -l test ipa01.labs01.test 3. sssd_log file on the IPAclient from where we are trying to do ssh, logs the below. (Wed Oct 7 18:28:10 2015) [sssd[ssh]] [accept_fd_handler] (0x0400): Client connected! (Wed Oct 7 18:28:10 2015) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Received client version [0]. (Wed Oct 7 18:28:10 2015) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Offered version [0]. (Wed Oct 7 18:28:10 2015) [sssd[ssh]] [ssh_cmd_parse_request] (0x0400): Requested domain [<ALL>] (Wed Oct 7 18:28:10 2015) [sssd[ssh]] [sss_ssh_cmd_get_host_pubkeys] (0x0400): Requesting SSH host public keys for [ipa01.labs01.test][] from [<ALL>] (Wed Oct 7 18:28:10 2015) [sssd[ssh]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7f1361089e20:ipa01.labs01.test@labs01.test] (Wed Oct 7 18:28:10 2015) [sssd[ssh]] [sss_dp_get_ssh_host_msg] (0x0400): Creating SSH host request for [labs01.test][0][name=ipa01.labs01.test] (Wed Oct 7 18:28:10 2015) [sssd[ssh]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7f1361089e20:ipa01.labs01.test@labs01.test] (Wed Oct 7 18:28:10 2015) [sssd[ssh]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success (Success) (Wed Oct 7 18:28:10 2015) [sssd[ssh]] [ssh_host_pubkeys_search_next] (0x0400): Requesting SSH host public keys for [ipa01.labs01.test@labs01.test] (Wed Oct 7 18:28:10 2015) [sssd[ssh]] [sysdb_update_ssh_known_host_expire] (0x0400): Updating known_hosts expire time of host ipa01.labs01.test (Wed Oct 7 18:28:10 2015) [sssd[ssh]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f1361089e20:ipa01.labs01.test@labs01.test] 3. Also tried logging as trusted AD user from the IPAclient on the IPAserver as below and found that the default domain suffix is not searched. [root@ipaclient02 ~]# ssh -l smenon@test.in ipa01.labs01.test (Wed Oct 7 18:35:37 2015) [sssd[ssh]] [client_recv] (0x0200): Client disconnected! (Wed Oct 7 18:35:41 2015) [sssd[ssh]] [accept_fd_handler] (0x0400): Client connected! (Wed Oct 7 18:35:41 2015) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Received client version [0]. (Wed Oct 7 18:35:41 2015) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Offered version [0]. (Wed Oct 7 18:35:41 2015) [sssd[ssh]] [ssh_cmd_parse_request] (0x0400): Requested domain [<ALL>] (Wed Oct 7 18:35:41 2015) [sssd[ssh]] [sss_ssh_cmd_get_host_pubkeys] (0x0400): Requesting SSH host public keys for [ipa01.labs01.test][] from [<ALL>] (Wed Oct 7 18:35:41 2015) [sssd[ssh]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7f1361089e20:ipa01.labs01.test@labs01.test] (Wed Oct 7 18:35:41 2015) [sssd[ssh]] [sss_dp_get_ssh_host_msg] (0x0400): Creating SSH host request for [labs01.test][0][name=ipa01.labs01.test] (Wed Oct 7 18:35:41 2015) [sssd[ssh]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7f1361089e20:ipa01.labs01.test@labs01.test] (Wed Oct 7 18:35:41 2015) [sssd[ssh]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success (Success) (Wed Oct 7 18:35:41 2015) [sssd[ssh]] [ssh_host_pubkeys_search_next] (0x0400): Requesting SSH host public keys for [ipa01.labs01.test@labs01.test] (Wed Oct 7 18:35:41 2015) [sssd[ssh]] [sysdb_update_ssh_known_host_expire] (0x0400): Updating known_hosts expire time of host ipa01.labs01.test (Wed Oct 7 18:35:41 2015) [sssd[ssh]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f1361089e20:ipa01.labs01.test@labs01.test] 4. default_domain_suffix is not searched in the case which is test.in as mentioned in sssd.conf on IPAclient.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-2355.html