[Freeipa-users] Certificate and key problems in Linux

Dmitri Pal dpal at redhat.com
Sat Mar 21 00:32:14 UTC 2015


On 03/20/2015 08:18 PM, nathan at nathanpeters.com wrote:
>>> Actually this was the problem :
>>>
>>> I had added the following line to the [sssd] section of sssd.conf :
>>> [sssd]
>>> default_domain_suffix = addomain.net
>>>
>>> The reason I had added this is because our business asked if our active
>>> directory trusted users can be allowed to login without entering their
>>> fqdn.  Setting the default_domain_suffix allows them to just login as
>>> 'aduser' instead of 'aduser at addomain.net'.
>>>
>>> However, this apparently breaks host key checking.  Turning debugging on
>>> the sssd up to 9 revealed that it was appending the default_domain_suffix
>>> line to all hostnames (fully qualified and not) before asking FreeIPA for
>>> their host keys:
>>>
>>> (Fri Mar 20 23:19:55 2015) [sssd[ssh]] [ssh_host_pubkeys_search_next] (0x0400): Requesting SSH host public keys for [ipaclient1-sandbox-atdev-van.ipadomain.net at addomain.net]
>>> (Fri Mar 20 23:19:55 2015) [sssd[ssh]] [sysdb_search_ssh_hosts] (0x0400): No such host
>>>
>>> So 2 more questions:
>>> 1. Is this a bug?
>>>
>>> 2. If it is not a bug or is expected behavior, is there a way to both
>>> A) Have ad users able to login as 'aduser' instead of
>>> 'aduser at addomain.net'
>>> AND
>>> B) Still get host key checking working properly?
>>>
>>>
>> Probably a bug.
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IdM portfolio
>> Red Hat, Inc.
>>
>>
> Hmm, if it is a bug, it still exists in the newest sssd (1.12.3-2.el7)
> because I just tested it on the newest CentOS 7 client and without
> default_domain_suffix set I get host key checking, but with it set, it is
> failing just like it did on CentOS 6 with the older sssd.
>
> Is there a good place to report that bug so it can hopefully get fixed?
>
>
Let us wait till Monday.
I CCed Jakub. He will be able to confirm whether this is a bug or not.
If it is in fact a bug, here is where to file it:
https://fedorahosted.org/sssd/ (you need a Fedora login to do it).

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
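A small check, added here as an example and not part of this thread or of sssd itself, that reads default_domain_suffix out of an sssd.conf fragment and flags sssd_ssh host key requests in which that suffix was appended to a hostname. The config and log lines are constructed to mirror the ones quoted above, with '@' where the list archive shows ' at '.

```python
import configparser
import re

# Constructed sssd.conf fragment mirroring the thread (not a real client's file).
SSSD_CONF = """\
[sssd]
services = nss, pam, ssh
domains = ipadomain.net
default_domain_suffix = addomain.net
"""

# Constructed log lines in the shape of the sssd_ssh debug output quoted above.
LOG_LINES = [
    "(Fri Mar 20 23:19:55 2015) [sssd[ssh]] [ssh_host_pubkeys_search_next] (0x0400): "
    "Requesting SSH host public keys for [ipaclient1-sandbox-atdev-van.ipadomain.net@addomain.net]",
    "(Fri Mar 20 23:19:55 2015) [sssd[ssh]] [sysdb_search_ssh_hosts] (0x0400): No such host",
    "(Fri Mar 20 23:20:01 2015) [sssd[ssh]] [ssh_host_pubkeys_search_next] (0x0400): "
    "Requesting SSH host public keys for [ipaclient2.ipadomain.net]",
]

# Matches the host name inside the brackets of a host public key request.
HOST_REQ = re.compile(
    r"\[ssh_host_pubkeys_search_next\].*?Requesting SSH host public keys for \[([^\]]+)\]"
)


def default_domain_suffix(conf_text):
    """Return default_domain_suffix from the [sssd] section, or None if unset."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp.get("sssd", "default_domain_suffix", fallback=None)


def suspicious_host_lookups(log_lines, suffix):
    """Return host names whose key lookup had '@<suffix>' appended.

    A host key request for 'fqdn@suffix' will not match any host entry in
    FreeIPA, which is the 'No such host' failure the thread describes.
    """
    hits = []
    for line in log_lines:
        m = HOST_REQ.search(line)
        if m and suffix and m.group(1).lower().endswith("@" + suffix.lower()):
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    suffix = default_domain_suffix(SSSD_CONF)
    for host in suspicious_host_lookups(LOG_LINES, suffix):
        print("host key lookup rewritten by default_domain_suffix:", host)
```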
