Bug 1575934 - RHEL6 IPA client with RHEL7 IPA server stores certificates in wrong encoding
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.9
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: SSSD Maintainers
QA Contact: sssd-qe
Reported: 2018-05-08 10:34 UTC by Sumit Bose
Modified: 2019-07-03 13:26 UTC

Last Closed: 2019-07-03 12:29:37 UTC


Description Sumit Bose 2018-05-08 10:34:37 UTC
Description of problem:
If a RHEL6 IPA client is connected to a RHEL-7.4 or above IPA server with trust to an AD forest, certificates stored in the AD user are written to the SSSD cache of the RHEL6 client in a wrong encoding.

Version-Release number of selected component (if applicable):

How reproducible:
With the setup described above run the SSSD ssh responder with debug_level=9 and call 'sss_ssh_authorized_keys aduser@ad.domain'.

In the sssd_ssh.log there will be log messages like:

    [sssd[ssh]] [cert_to_ssh_key] (0x0040): CERT_NewTempCertificate failed.

indicating that the certificate data is not in the expected format.

Additional info:
The RHEL6 build misses SSSD commit https://pagure.io/SSSD/sssd/c/cf89f552f06b95bd69d8c61aaa55a330a5d9f6e6?branch=master
