FreeIPA includes the ability to have the sssd use a host key proxy to check for host keys on the server, rather than using the local known_hosts file, but it breaks if you use the default_domain_suffix
If you have set up your sssd with the following settings:
default_domain_suffix = addomain.net
use_fully_qualified_names = true
This allows Active Directory users from a trusted Active Directory domain to log in to your FreeIPA clients by entering only 'adusername' at the login prompt instead of 'adusername@addomain.net'.
However, when you turn this setting on, it breaks host key checking. What happens is that the sssd is appending the default_domain_suffix all the time, whether it is needed or not.
Here are my sssd logs during a host key check when using ssh to connect from one FreeIPA host to another (same issue in FreeIPA 3.0.0 / sssd 1.11 and 4.1.2 / sssd 1.12):
(Fri Mar 20 23:19:55 2015) [sssd[ssh]] [ssh_host_pubkeys_search_next] (0x0400): Requesting SSH host public keys for [ipaclient1-sandbox-atdev-van.ipadomain.net@addomain.net]
(Fri Mar 20 23:19:55 2015) [sssd[ssh]] [sysdb_search_ssh_hosts] (0x0400): No such host
As you can see from the logs, even though I am sending it a fqdn (ipaclient1-sandbox-atdev-van.ipadomain.net), it is still appending @addomain.net to the address before checking for a host key for that host.
Ideally, you would not want it to ever append the name, even if a fqdn is not given. Here is why I think this should be the default behavior.
The default_domain_suffix is meant to be applied to usernames when logging in. It is not meant to be applied to hostnames, especially since the fqdn is quite irrelevant when doing a host key check since you will always be looking for that host in the FreeIPA directory anyway.
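An added illustration of the behaviour described in this report (not sssd's own code): a small detector that scans sssd ssh responder log lines for host-key lookups where the user domain suffix has been appended to a hostname, alongside the qualification rule the reporter argues for (suffix for users only, never for hosts). The log lines and the `addomain.net` suffix are constructed from the report above; the function names are the example's own.

```python
import re

# Constructed sample lines modelled on the sssd[ssh] log excerpt in the report.
SAMPLE_LOG = """\
(Fri Mar 20 23:19:55 2015) [sssd[ssh]] [ssh_host_pubkeys_search_next] (0x0400): Requesting SSH host public keys for [ipaclient1-sandbox-atdev-van.ipadomain.net@addomain.net]
(Fri Mar 20 23:19:55 2015) [sssd[ssh]] [sysdb_search_ssh_hosts] (0x0400): No such host
(Fri Mar 20 23:20:01 2015) [sssd[ssh]] [ssh_host_pubkeys_search_next] (0x0400): Requesting SSH host public keys for [ipaclient2.ipadomain.net]
"""

# Matches the name sssd is about to search for in the directory.
HOST_LOOKUP_RE = re.compile(
    r"\[ssh_host_pubkeys_search_next\].*?Requesting SSH host public keys for \[([^\]]+)\]"
)


def user_lookup_name(name: str, default_domain_suffix: str) -> str:
    """Qualification rule for users: append the suffix only when the
    login name carries no domain of its own (what default_domain_suffix
    is meant for)."""
    return name if "@" in name else f"{name}@{default_domain_suffix}"


def host_lookup_name(name: str, default_domain_suffix: str) -> str:
    """Qualification rule for hosts: the directory is searched by FQDN,
    so the user domain suffix is never part of the lookup key. If a
    name arrives already carrying '@suffix' (as in the buggy logs),
    strip it; this mirrors the reporter's expected behaviour, not sssd's
    actual patch."""
    suffix = "@" + default_domain_suffix
    return name[: -len(suffix)] if name.endswith(suffix) else name


def find_misqualified_host_lookups(log_text: str, default_domain_suffix: str) -> list:
    """Return every host-key lookup name that wrongly ends in the user
    domain suffix. A non-empty result on a client with
    default_domain_suffix set is the symptom this ticket describes."""
    hits = []
    for line in log_text.splitlines():
        m = HOST_LOOKUP_RE.search(line)
        if m and m.group(1).endswith("@" + default_domain_suffix):
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    for bad in find_misqualified_host_lookups(SAMPLE_LOG, "addomain.net"):
        print("suffix wrongly applied to host lookup:", bad,
              "-> should search for", host_lookup_name(bad, "addomain.net"))
```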
Thank you for the bug report. I sent a patch to sssd-devel.
owner: somebody => jhrozek
patch: 0 => 1
status: new => assigned
Fields changed
milestone: NEEDS_TRIAGE => SSSD 1.13 alpha
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1206189
rhbz: => [https://bugzilla.redhat.com/show_bug.cgi?id=1206189 1206189]
resolution: => fixed
status: assigned => closed
Metadata Update from @nathanpeters:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.13 alpha
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/3650
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for any inconvenience.