4a7345e Always qualify requests for admin in ipa-replica-conncheck

1 file. Authored by frenaud 7 years ago, committed by mbasti 7 years ago.
    Always qualify requests for admin in ipa-replica-conncheck
    
    ipa-replica-conncheck connects to the master using an SSH command:
    ssh -o StrictHostKeychecking=no -o UserKnownHostsFile=<tmpfile> \
        -o GSSAPIAuthentication=yes <principal>@<master hostname> \
        echo OK
    
    The issue is that the principal name is not fully qualified (for instance
    'admin' is used, even if ipa-replica-conncheck was called with
    --principal admin@EXAMPLE.COM).
    When the FreeIPA server is running with a /etc/sssd/sssd.conf containing
        [sssd]
        default_domain_suffix = ad.domain.com
    this leads to the SSH connection failure because admin is not defined in
    the default domain.
    
    The fix uses the fully qualified principal name, and calls ssh with
    ssh -o StrictHostKeychecking=no -o UserKnownHostsFile=<tmpfile> \
        -o GSSAPIAuthentication=yes -o User=<principal> \
        <master hostname> echo OK
    to avoid syntax issues with admin@DOMAIN@master
    
    https://fedorahosted.org/freeipa/ticket/5812
    
    Reviewed-By: Martin Basti <mbasti@redhat.com>
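
The following is an added example, not code from the FreeIPA commit or code base. It builds the connection-check command in the form the commit message describes, qualifying the principal with the realm and passing it through `-o User=` so that the host argument never contains a second `@`. The function names, the realm, the hostname and the known-hosts path are assumptions made for illustration.

```python
import shlex


def qualify_principal(principal, realm):
    """Return the principal with '@REALM' appended when it carries no realm."""
    if not principal or any(ch.isspace() for ch in principal):
        raise ValueError("principal must be non-empty and contain no whitespace")
    name, sep, given_realm = principal.partition("@")
    if not name:
        raise ValueError("principal has an empty name part")
    if sep:
        # Already qualified: accept exactly one '@' followed by a realm.
        if not given_realm or "@" in given_realm:
            raise ValueError("malformed realm in principal: %r" % principal)
        return principal
    return "%s@%s" % (name, realm)


def build_conncheck_argv(principal, realm, master_host, known_hosts_file):
    """Build the ssh argv with the login name in '-o User=' (post-fix form)."""
    user = qualify_principal(principal, realm)
    return [
        "ssh",
        "-o", "StrictHostKeychecking=no",
        "-o", "UserKnownHostsFile=%s" % known_hosts_file,
        "-o", "GSSAPIAuthentication=yes",
        "-o", "User=%s" % user,
        master_host,          # bare hostname, no 'user@' prefix
        "echo", "OK",
    ]


def legacy_target(principal, master_host):
    """The '<principal>@<master hostname>' form used before the fix."""
    return "%s@%s" % (principal, master_host)


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    argv = build_conncheck_argv("admin", "EXAMPLE.COM",
                                "master.example.com", "/tmp/known_hosts.sample")
    print(shlex.join(argv))
    # A qualified principal in the legacy form yields two '@' separators.
    print(legacy_target("admin@EXAMPLE.COM", "master.example.com"))
```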