Upstream ticket: https://fedorahosted.org/sssd/ticket/3259
Fixed upstream: master: ed71fba97dfcf5b3f0f1834c06660c481b9ab3ce sssd-1-14: 2949fe58ac344c44d756ca309d4b2b7f3590cee3
yes, PM ack-ed
Hi Thorsten, can you please add GSSApproved so that we can fix this bug in the next z-stream? Please see the opening comment for the customer impact.
Tested on RHEL7.4 using

ipa-server-4.5.0-9.el7.x86_64
sssd-1.15.2-24.el7.x86_64
selinux-policy-3.13.1-145.el7.noarch
krb5-server-1.15.1-8.el7.x86_64
pki-ca-10.4.1-3.el7.noarch
authconfig-6.2.8-23.el7.x86_64

[root@client sssd]# ssh -l sssd1 ibm-x3250m4-06.testrelm.test
Password:
Could not chdir to home directory /home/pne.qe/sssd1: No such file or directory
-sh-4.2$ id
uid=1261602769(sssd1) gid=1261602769(sssd1) groups=1261602769(sssd1),1261600513(domain users) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-sh-4.2$ whoami
sssd1

(Tue May 16 18:02:31 2017) [sssd[ssh]] [ssh_protocol_parse_request] (0x0400): Requested domain [<ALL>]
(Tue May 16 18:02:31 2017) [sssd[ssh]] [ssh_cmd_get_host_pubkeys] (0x0400): Requesting SSH host public keys for [ibm-x3250m4-06.testrelm.test] from [<ALL>]
(Tue May 16 18:02:31 2017) [sssd[ssh]] [cache_req_set_plugin] (0x2000): CR #0: Setting "Host by name" plugin
(Tue May 16 18:02:31 2017) [sssd[ssh]] [cache_req_send] (0x0400): CR #0: New request 'Host by name'
(Tue May 16 18:02:31 2017) [sssd[ssh]] [cache_req_process_input] (0x0400): CR #0: Parsing input name
(In reply to Sudhir Menon from comment #10)
> Tested on RHEL7.4 using
>
> ipa-server-4.5.0-9.el7.x86_64
> sssd-1.15.2-24.el7.x86_64
> selinux-policy-3.13.1-145.el7.noarch
> krb5-server-1.15.1-8.el7.x86_64
> pki-ca-10.4.1-3.el7.noarch
> authconfig-6.2.8-23.el7.x86_64
>
> [root@client sssd]# ssh -l sssd1 ibm-x3250m4-06.testrelm.test
                                   ^^^^^^^^^^^^
I can see that you used a fully qualified name here. But this bug should use short name + default_domain_suffix to trusted AD domain in sssd.conf.

1. set the below parameter in sssd.conf on IPAclient.

[sssd]
services = nss, pam, ssh
domains = labs01.test
default_domain_suffix = ad_test.domain   <---
use_fully_qualified_names = true         <---

[ssh]
debug_level = 7

2. Logged in as an AD user to IPAclient.

#ssh -l ad_user ipa_client.exmaple.test

> Password:
> Could not chdir to home directory /home/pne.qe/sssd1: No such file or
> directory
> -sh-4.2$ id
> uid=1261602769(sssd1) gid=1261602769(sssd1)
> groups=1261602769(sssd1),1261600513(domain users)
> context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> -sh-4.2$ whoami
> sssd1
>
>
> (Tue May 16 18:02:31 2017) [sssd[ssh]] [ssh_protocol_parse_request]
> (0x0400): Requested domain [<ALL>]
> (Tue May 16 18:02:31 2017) [sssd[ssh]] [ssh_cmd_get_host_pubkeys] (0x0400):
> Requesting SSH host public keys for [ibm-x3250m4-06.testrelm.test] from
> [<ALL>]
> (Tue May 16 18:02:31 2017) [sssd[ssh]] [cache_req_set_plugin] (0x2000): CR
> #0: Setting "Host by name" plugin
> (Tue May 16 18:02:31 2017) [sssd[ssh]] [cache_req_send] (0x0400): CR #0: New
> request 'Host by name'
> (Tue May 16 18:02:31 2017) [sssd[ssh]] [cache_req_process_input] (0x0400):
> CR #0: Parsing input name
I guess Sudhir might have just pasted the wrong verification steps. He showed me steps with a short name earlier. But nevertheless it should be corrected.
Lukas/Sumit,

The actual steps performed for the verification without the domain name appended.

1. On IPA-Client set the below

[sssd]
services = nss, sudo, pam, ssh
domains = testrelm.test
default_domain_suffix = pne.qe
use_fully_qualified_names = true

2. Logged in from IPA Master to IPA Client using short name.

[root@ibm-x3250m4-06 ~]# ssh -l sssd1 client.testrelm.test
-sh-4.2$ whoami
sssd1
-sh-4.2$ id
uid=1261602769(sssd1) gid=1261602769(sssd1) groups=1261602769(sssd1),1261600513(domain users) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-sh-4.2$ getent passwd sssd1
sssd1:*:1261602769:1261602769:sssd1:/home/pne.qe/sssd1:
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2017:2294