Bug 2060657 - Mismatch between input and parsed domain name when default_domain_suffix is set. [NEEDINFO]
Summary: Mismatch between input and parsed domain name when default_domain_suffix is set.
Keywords:
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: sssd
Version: 8.5
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Sumit Bose
QA Contact: sssd-qe
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-03-03 23:04 UTC by Chance Callahan
Modified: 2023-08-14 08:27 UTC (History)
CC List: 8 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Target Upstream Version:
Embargoed:
vvanhaft: needinfo? (sbose)

Links
System                   ID               Last Updated
Red Hat Issue Tracker    RHELPLAN-114433  2022-03-03 23:09:48 UTC
Red Hat Issue Tracker    SSSD-4536        2022-03-31 13:04:42 UTC

Description Chance Callahan 2022-03-03 23:04:29 UTC
Description of problem:

There are two domains, AD (example.com) and IPA (linux.example.com), in a trust. When a user sets "default_domain_suffix = example.com" in their sssd.conf, users that log in using the FQDN for the IPA domain (jdoe.com) get hit with a mismatch error:

   *  (2022-03-01  8:30:35): [ssh] [get_client_cred] (0x4000): Client [0x55ad47436280][23] creds: euid[65534] egid[65534] pid[7640] cmd_line['/usr/bin/sss_ssh_authorizedkeys'].
   *  (2022-03-01  8:30:35): [ssh] [setup_client_idle_timer] (0x4000): Idle timer re-set for client [0x55ad47436280][23]
   *  (2022-03-01  8:30:35): [ssh] [accept_fd_handler] (0x0400): Client [CID #1][cmd /usr/bin/sss_ssh_authorizedkeys][0x55ad47436280][23] connected!
   *  (2022-03-01  8:30:35): [ssh] [sss_cmd_get_version] (0x0200): Received client version [0].
   *  (2022-03-01  8:30:35): [ssh] [sss_cmd_get_version] (0x0200): Offered version [0].
   *  (2022-03-01  8:30:35): [ssh] [ssh_protocol_parse_request] (0x0400): Requested domain [example.com]
   *  (2022-03-01  8:30:35): [ssh] [ssh_cmd_get_user_pubkeys] (0x0400): Requesting SSH user public keys for [jdoe.com] from [example.com]
   *  (2022-03-01  8:30:35): [ssh] [cache_req_set_plugin] (0x2000): CR #0: Setting "User by name" plugin
   *  (2022-03-01  8:30:35): [ssh] [cache_req_send] (0x0400): CR #0: REQ_TRACE: New request [CID #1] 'User by name'
   *  (2022-03-01  8:30:35): [ssh] [cache_req_process_input] (0x0400): CR #0: Parsing input name [jdoe.com]
   *  (2022-03-01  8:30:35): [ssh] [sss_domain_get_state] (0x1000): Domain implicit_files is Active
   *  (2022-03-01  8:30:35): [ssh] [sss_domain_get_state] (0x1000): Domain linux.example.com is Active
   *  (2022-03-01  8:30:35): [ssh] [sss_parse_name_for_domains] (0x0200): name 'jdoe.com' matched expression for domain 'linux.example.com', user is jdoe
   *  (2022-03-01  8:30:35): [ssh] [cache_req_input_parsed] (0x0020): Mismatch between input domain name [example.com] and parsed domain name [linux.example.com]

Version-Release number of selected component (if applicable):

SSSD 2.5.2-2.el8_5.4.x86_64

How reproducible:

Consistently.

Steps to Reproduce:
1. Create an environment similar to the one described above.
2. Set "default_domain_suffix = example.com"
3. Attempt to login.

Actual results:

See above.

Expected results:

SSSD hands off the SSH key to OpenSSH and then the key is evaluated by OpenSSH.

Additional info:

Comment 1 Sumit Bose 2022-03-31 12:30:31 UTC
Hi,

thanks for the report, I can reproduce it. It looks like an issue specific to the ssh responder since it is working fine with the nss responder. I will have a close look.

bye,
Sumit
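
The parsing path the log in the description shows, as an added Python model (this is not SSSD code and not from the reporter or the assignee): two configured domains, default_domain_suffix = example.com, and the ssh responder's insistence that the domain the client requested and the domain parsed out of the name agree. It assumes, as a simplification of SSSD's re_expression, that a name is either bare or user@domain, and that when the client supplies no domain the responder takes default_domain_suffix as the requested domain, which is what "Requested domain [example.com]" in the log suggests. The inputs are constructed (jdoe@linux.example.com stands in for the report's IPA name), and DOMAINS, parse_name and lookup_pubkeys are this example's own names.

```python
import re

# Constructed environment from the report: an AD domain and a trusted IPA
# domain, with default_domain_suffix = example.com set in sssd.conf.
DOMAINS = ("example.com", "linux.example.com")
DEFAULT_DOMAIN_SUFFIX = "example.com"

# Simplified stand-in for SSSD's re_expression (assumption): a name is either
# bare ("jdoe") or user@domain ("jdoe@linux.example.com").
NAME_RE = re.compile(r"^(?P<name>[^@]+)(?:@(?P<domain>[^@]+))?$")


def parse_name(raw, domains=DOMAINS, default_suffix=DEFAULT_DOMAIN_SUFFIX):
    """Model of sss_parse_name_for_domains: split raw into (user, domain).

    An explicit domain must be one of the configured domains. A bare name
    gets default_domain_suffix, or domain None (search all domains) when
    that option is unset. Returns None if the name fits no known domain.
    """
    m = NAME_RE.match(raw)
    if m is None:
        return None
    user, dom = m.group("name"), m.group("domain")
    if dom is None:
        return (user, default_suffix.lower() if default_suffix else None)
    dom = dom.lower()
    if dom not in {d.lower() for d in domains}:
        return None
    return (user, dom)


def lookup_pubkeys(raw, requested_domain=None, default_suffix=DEFAULT_DOMAIN_SUFFIX):
    """Model of the ssh responder's cache request for a user's public keys.

    The requested domain is what the client asked for, or default_domain_suffix
    when it asked for none (assumption, matching "Requested domain [example.com]"
    in the log). The name is then parsed on its own, and both domains must
    agree; that is the check behind the log line
    "Mismatch between input domain name [...] and parsed domain name [...]".
    """
    requested = requested_domain or default_suffix
    requested = requested.lower() if requested else None
    parsed = parse_name(raw, default_suffix=default_suffix)
    if parsed is None:
        return {"status": "unknown-name", "user": None, "domain": None}
    user, parsed_domain = parsed
    if requested is not None and parsed_domain is not None and parsed_domain != requested:
        # The request is refused here; no key ever reaches sshd.
        return {"status": "mismatch", "user": user,
                "requested": requested, "parsed": parsed_domain}
    return {"status": "ok", "user": user, "domain": parsed_domain or requested}


if __name__ == "__main__":
    for raw in ("jdoe", "jdoe@example.com", "jdoe@linux.example.com"):
        print(f"{raw:24} -> {lookup_pubkeys(raw)}")
    # The same IPA name with default_domain_suffix unset: no mismatch possible.
    print(lookup_pubkeys("jdoe@linux.example.com", default_suffix=None))
```

The three inputs in the demo cover what a practitioner meets in this setup: the bare name and the name qualified with the suffix domain pass, while the name qualified with the IPA domain is the one that trips the mismatch, the situation in the report. Passing requested_domain explicitly, or running with default_suffix set to None, shows the two conditions under which the model stops refusing; it says nothing about how SSSD itself will be changed.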
