freeipa

FreeIPA is an integrated Identity and Authentication solution for Linux/UNIX networked environments.  |  http://www.freeipa.org/

#2657 'Error looking up public keys' message shown while doing ssh to ipa-server from ipa-client system

Created 4 years ago by mkosek
Modified a month ago

https://bugzilla.redhat.com/show_bug.cgi?id=813884 (Red Hat Enterprise Linux 6)

Description of problem:
After joining the system successfully as an ipa-client, the following message is shown when I
ssh to the ipa-server after kinit:

Error looking up public keys
Last login: Wed Apr 18 21:43:55 2012 from 10.65.201.176
Could not chdir to home directory /home/admin: No such file or directory
-bash-4.1$

Version-Release number of selected component (if applicable):
[root@dhcp201-176 ~]# rpm -q ipa-client
ipa-client-2.2.0-9.el6.x86_64
[root@dhcp201-176 ~]#


How reproducible:
Always

Steps to Reproduce:
1. Install IPA Server
2. Join a system as an ipa-client using ipa-client-install

[root@dhcp201-176 ~]# ipa-client-install --domain=testrelm.com --realm=TESTRELM.COM -p admin -w Secret123 -U --server=ipa63server.testrelm.com
Discovery was successful!
Hostname: dhcp201-176.englab.pnq.redhat.com
Realm: TESTRELM.COM
DNS Domain: testrelm.com
IPA Server: ipa63server.testrelm.com
BaseDN: dc=testrelm,dc=com


Synchronizing time with KDC...

Enrolled in IPA realm TESTRELM.COM
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TESTRELM.COM
Warning: Could not update DNS SSHFP records.
SSSD enabled
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.
[root@dhcp201-176 ~]#

3. kinit as admin

[root@dhcp201-176 ~]# kinit admin
Password for admin@TESTRELM.COM:
[root@dhcp201-176 ~]#

4. ssh to the ipa-server system.

[root@dhcp201-176 ~]# ssh admin@ipa63server.testrelm.com
Error looking up public keys
Last login: Wed Apr 18 21:43:55 2012 from 10.65.201.176
Could not chdir to home directory /home/admin: No such file or directory
-bash-4.1$

Actual results:
    Following message is shown
    "Error looking up public keys"

Expected results:
    Message "Error looking up public keys" should not appear while doing ssh to
ipa-server.

The issue here is that server SSHFP records are only filled when you install
IPA via "ipa-server-install --setup-dns" because they are filled as a part of
client installation.

When DNS support is installed separately (ipa-dns-install), SSHFP records for
the server are not filled and clients connecting to the master will receive
"Error looking up public keys" error.

That is a wrong guess, actually. This has nothing to do with SSHFP records, as they are not used for host authentication (not by default and definitely not here).

This error message can be seen when SSSD is misconfigured or when the user or host is not known to SSSD. So, this is either a misconfiguration or an SSSD bug.

Can you please post the output of:

$ /usr/bin/sss_ssh_authorizedkeys --debug 10 admin

and:

$ ssh -o ProxyCommand='/usr/bin/sss_ssh_knownhostsproxy --debug 10 -p %p %h' admin@ipa63server.testrelm.com

?
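A small triage helper, added here as an example and not part of FreeIPA or SSSD, that runs the sss_ssh_authorizedkeys check requested above and maps the errno in an `sss_ssh_get_ent() failed (N)` debug line to its symbolic name, so a misconfiguration (user/host unknown) can be told apart from an internal SSSD failure like the one on this ticket. The function and constant names are my own; the sample output is copied from the debug output posted on the ticket.

```python
import errno
import re
import subprocess
import sys

# One SSSD debug line as posted on this ticket (copied from the output on the ticket).
SAMPLE_OUTPUT = (
    "(Thu Jun  7 05:48:18:186913 2012) [/usr/bin/sss_ssh_authorizedkeys] "
    "[main] (0x0020): sss_ssh_get_ent() failed (14): Bad address\n"
    "Error looking up public keys\n"
)

# SSSD debug lines look like: (timestamp) [program] [function] (0xlevel): message
SSS_DEBUG_RE = re.compile(
    r"^\((?P<ts>[^)]*)\) \[(?P<prog>[^\]]+)\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
GET_ENT_RE = re.compile(r"sss_ssh_get_ent\(\) failed \((?P<code>\d+)\)")


def parse_sss_debug(output):
    """Return one dict per SSSD debug line found in `output`; other lines are skipped."""
    return [m.groupdict() for m in map(SSS_DEBUG_RE.match, output.splitlines()) if m]


def classify(output):
    """Classify sss_ssh_* tool output the way the triage on this ticket did.

    'sssd_lookup_failed:<ERRNO>' means SSSD's own lookup failed (here errno 14 = EFAULT),
    'unknown_error' means the generic message appeared with no debug line explaining it,
    'ok' means the lookup produced no error at all.
    """
    for rec in parse_sss_debug(output):
        m = GET_ENT_RE.search(rec["msg"])
        if m:
            code = int(m.group("code"))
            return "sssd_lookup_failed:" + errno.errorcode.get(code, str(code))
    if "Error looking up public keys" in output:
        return "unknown_error"
    return "ok"


def run_authorizedkeys(user):
    """Run the diagnostic requested on the ticket against a real client and classify it."""
    proc = subprocess.run(["/usr/bin/sss_ssh_authorizedkeys", "--debug", "10", user],
                          capture_output=True, text=True, check=False)
    return classify(proc.stdout + proc.stderr)


if __name__ == "__main__":
    # Usage: python3 sss_ssh_triage.py [user]   (defaults to admin, as on the ticket)
    print(run_authorizedkeys(sys.argv[1] if len(sys.argv) > 1 else "admin"))
```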

This is the output that jcholast requested:

# /usr/bin/sss_ssh_authorizedkeys --debug 10 admin
(Thu Jun  7 05:48:18:186913 2012) [/usr/bin/sss_ssh_authorizedkeys] [main] (0x0020): sss_ssh_get_ent() failed (14): Bad address
Error looking up public keys

# ssh -o ProxyCommand='/usr/bin/sss_ssh_knownhostsproxy --debug 10 -p %p %h' admin@vm-125.idm.lab.bos.redhat.com
(Thu Jun  7 05:49:28:107774 2012) [/usr/bin/sss_ssh_knownhostsproxy] [main] (0x0020): sss_ssh_get_ent() failed (14): Bad address
Error looking up public keys
The authenticity of host 'vm-125.idm.lab.bos.redhat.com (<no hostip for proxy command>)' can't be established.
RSA key fingerprint is 6b:a2:26:6f:eb:66:ef:4d:93:b1:dd:ba:e7:6e:f6:b1.
Are you sure you want to continue connecting (yes/no)? ^C

We discussed this issue in person; this is a real bug in SSSD and will be fixed as a part of SSSD ticket #1356, i.e. nothing to be done on the IPA side at this moment.

Metadata Update from @mkosek:
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 3.0 Beta 1