FreeIPA includes the ability to have sssd use a host key proxy to check for host keys on the server, rather than using the local known_hosts file, but it breaks if you use the default_domain_suffix.
If you have set up your sssd with the following settings:
default_domain_suffix = addomain.net
use_fully_qualified_names = true
This allows Active Directory users from a trusted Active Directory domain to log in to your FreeIPA clients by entering only 'adusername' at the login prompt instead of 'firstname.lastname@example.org'.
However, when you turn this setting on, it breaks host key checking. What happens is that the sssd is appending the default_domain_suffix all the time, whether it is needed or not.
Here are my sssd logs during a host key check when using ssh to connect from one FreeIPA host to another (same issue in FreeIPA 3.0.0 / sssd 1.11 and 4.1.2 / sssd 1.12):
(Fri Mar 20 23:19:55 2015) [sssd[ssh]] [ssh_host_pubkeys_search_next] (0x0400): Requesting SSH host public keys for [email@example.com]
(Fri Mar 20 23:19:55 2015) [sssd[ssh]] [sysdb_search_ssh_hosts] (0x0400): No such host
As you can see from the logs, even though I am sending it a fqdn (ipaclient1-sandbox-atdev-van.ipadomain.net), it is still appending @addomain.net to the address before checking for a host key for that host.
Ideally, you would not want it to ever append the name, even if a fqdn is not given. Here is why I think this should be the default behavior.
The default_domain_suffix is meant to be applied to usernames when logging in. It is not meant to be applied to hostnames, especially since the fqdn is quite irrelevant when doing a host key check since you will always be looking for that host in the FreeIPA directory anyway.
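The following is an added model of the behaviour described in this ticket, not SSSD's own code: it shows the difference between applying default_domain_suffix to a login name (where it belongs) and applying it to a host name handed to the host key lookup (which produces the "No such host" result in the log above). The suffix and the client FQDN are taken from the ticket; the function names, the in-memory `SYSDB_HOSTS` table and its sample key are constructed for the illustration.

```python
# Added illustration (not SSSD's code): models how default_domain_suffix
# should be applied to login names but not to host names looked up for
# SSH host key checks, which is the behaviour the ticket describes.

# Values taken from the ticket's sssd.conf and log excerpt.
DEFAULT_DOMAIN_SUFFIX = "addomain.net"
CLIENT_FQDN = "ipaclient1-sandbox-atdev-van.ipadomain.net"

# Constructed stand-in for the sysdb cache of host public keys, keyed by FQDN.
SYSDB_HOSTS = {
    CLIENT_FQDN: ["ssh-ed25519 AAAAC3Nz...constructed-sample-key"],
}


def qualify_user(login):
    """Apply default_domain_suffix to a bare login name.

    'adusername' becomes 'adusername@addomain.net' so a trusted-AD user
    can log in without typing the domain; a name that already carries
    '@domain' is left alone.
    """
    return login if "@" in login else f"{login}@{DEFAULT_DOMAIN_SUFFIX}"


def host_lookup_name(host, apply_suffix):
    """Name handed to the host-key lookup.

    apply_suffix=True reproduces the reported bug: the user-name suffix is
    appended to the host name whether or not it is already an FQDN.
    apply_suffix=False is the expected behaviour: host names are normalised
    (lower-cased, trailing dot dropped) but never suffixed.
    """
    name = host.lower().rstrip(".")
    return qualify_user(name) if apply_suffix else name


def fetch_host_keys(host, apply_suffix=False):
    """Return the cached host keys for `host`, or None ("No such host")."""
    return SYSDB_HOSTS.get(host_lookup_name(host, apply_suffix))


if __name__ == "__main__":
    for buggy in (True, False):
        name = host_lookup_name(CLIENT_FQDN, buggy)
        keys = fetch_host_keys(CLIENT_FQDN, buggy)
        print(f"apply_suffix={buggy}: requesting keys for [{name}] ->",
              "No such host" if keys is None else f"{len(keys)} key(s)")
```

Running the block prints the buggy lookup name carrying the "@addomain.net" suffix (the shape seen in the debug log) followed by "No such host", and then the unsuffixed lookup that finds the cached key. The normalisation in `host_lookup_name` is the only transformation a host name needs before the directory lookup, which is the point the report makes about the suffix being a user-name concern.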
Thank you for the bug report; I sent a patch to sssd-devel.
owner: somebody => jhrozek
patch: 0 => 1
status: new => assigned
milestone: NEEDS_TRIAGE => SSSD 1.13 alpha
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1206189
rhbz: => [https://bugzilla.redhat.com/show_bug.cgi?id=1206189 1206189]
resolution: => fixed
status: assigned => closed
Metadata Update from @nathanpeters:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.13 alpha