
Mismatch between input and parsed domain name when default_domain_suffix is set. #7671

Closed · Labels: Bugzilla, Closed: Fixed
sumit-bose opened this issue Oct 29, 2024 · 1 comment

@sumit-bose (Contributor)

This issue is cloned from https://issues.redhat.com/browse/RHEL-4984

Description of problem:

There are two domains, AD (example.com) and IPA (linux.example.com), in a trust. When a user sets "default_domain_suffix = example.com" in their sssd.conf, users that log in using the FQDN for the IPA domain (jdoe@linux.example.com) get hit with a mismatch error:

  *  (2022-03-01  8:30:35): [ssh] [get_client_cred] (0x4000): Client [0x55ad47436280][23] creds: euid[65534] egid[65534] pid[7640] cmd_line['/usr/bin/sss_ssh_authorizedkeys'].
  *  (2022-03-01  8:30:35): [ssh] [setup_client_idle_timer] (0x4000): Idle timer re-set for client [0x55ad47436280][23]
  *  (2022-03-01  8:30:35): [ssh] [accept_fd_handler] (0x0400): Client [CID #1][cmd /usr/bin/sss_ssh_authorizedkeys][0x55ad47436280][23] connected!
  *  (2022-03-01  8:30:35): [ssh] [sss_cmd_get_version] (0x0200): Received client version [0].
  *  (2022-03-01  8:30:35): [ssh] [sss_cmd_get_version] (0x0200): Offered version [0].
  *  (2022-03-01  8:30:35): [ssh] [ssh_protocol_parse_request] (0x0400): Requested domain [example.com]
  *  (2022-03-01  8:30:35): [ssh] [ssh_cmd_get_user_pubkeys] (0x0400): Requesting SSH user public keys for [jdoe@linux.example.com] from [example.com]
  *  (2022-03-01  8:30:35): [ssh] [cache_req_set_plugin] (0x2000): CR #0: Setting "User by name" plugin
  *  (2022-03-01  8:30:35): [ssh] [cache_req_send] (0x0400): CR #0: REQ_TRACE: New request [CID #1] 'User by name'
  *  (2022-03-01  8:30:35): [ssh] [cache_req_process_input] (0x0400): CR #0: Parsing input name [jdoe@linux.example.com]
  *  (2022-03-01  8:30:35): [ssh] [sss_domain_get_state] (0x1000): Domain implicit_files is Active
  *  (2022-03-01  8:30:35): [ssh] [sss_domain_get_state] (0x1000): Domain linux.example.com is Active
  *  (2022-03-01  8:30:35): [ssh] [sss_parse_name_for_domains] (0x0200): name 'jdoe@linux.example.com' matched expression for domain 'linux.example.com', user is jdoe
  *  (2022-03-01  8:30:35): [ssh] [cache_req_input_parsed] (0x0020): Mismatch between input domain name [example.com] and parsed domain name [linux.example.com]

Version-Release number of selected component (if applicable):

SSSD 2.5.2-2.el8_5.4.x86_64

How reproducible:

Consistently.

Steps to Reproduce:
1. Create an environment similar to the one described above.
2. Set "default_domain_suffix = example.com"
3. Attempt to log in.

Actual results:

See above.

Expected results:

SSSD hands off the SSH key to OpenSSH and then the key is evaluated by OpenSSH.

Additional info:
@sumit-bose sumit-bose self-assigned this Oct 29, 2024
sumit-bose added a commit to sumit-bose/sssd that referenced this issue Oct 30, 2024
The default_domain_suffix is already handled in the generic cache
request code and the additional enforcement in the ssh responder might
cause issues if fully-qualified names are used as input.

With this change the ssh responder handles request data similar to the
nss responder e.g. in sss_nss_protocol_parse_name().

Resolves: SSSD#7671
alexey-tikhonov pushed a commit that referenced this issue Nov 14, 2024
The default_domain_suffix is already handled in the generic cache
request code and the additional enforcement in the ssh responder might
cause issues if fully-qualified names are used as input.

With this change the ssh responder handles request data similar to the
nss responder e.g. in sss_nss_protocol_parse_name().

Resolves: #7671

Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
(cherry picked from commit ffec45b)
@alexey-tikhonov (Member)

Pushed PR: #7635

  • master
    • fb91349 - responders: deprecate default_domain_suffix option
    • ffec45b - ssh: do not use default_domain_suffix
  • sssd-2-10
    • d89edf8 - responders: deprecate default_domain_suffix option
    • 76ce51d - ssh: do not use default_domain_suffix
  • sssd-2-9
    • 698a751 - responders: deprecate default_domain_suffix option
    • d456f13 - ssh: do not use default_domain_suffix
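
The failure in the report and the fix described in the commit message, modelled as an added example (this is not SSSD code; the function names are stand-ins for sss_parse_name_for_domains(), cache_req_process_input() and the ssh responder, and the domain list and log line are constructed from the report). The old ssh responder passed default_domain_suffix as the requested domain even for a fully-qualified name, so the generic cache request saw a hint that disagreed with the parsed domain; after the fix the responder passes no hint and the suffix is only applied to unqualified names. find_mismatches() pulls the same error out of sssd_ssh.log lines for triage.

```python
import re

# Domains in the reporter's setup: IPA (linux.example.com) in a trust with AD (example.com).
DOMAINS = ["linux.example.com", "example.com"]

# Shape of the error line quoted in the report; used by find_mismatches() below.
MISMATCH_RE = re.compile(r"Mismatch between input domain name \[([^\]]+)\] "
                         r"and parsed domain name \[([^\]]+)\]")


def parse_name_for_domains(name, domains=DOMAINS):
    """Stand-in for sss_parse_name_for_domains(): split user@domain and return
    (user, domain); returns (name, None) when no known domain is attached."""
    m = re.fullmatch(r"([^@]+)@([^@]+)", name)
    if m and m.group(2).lower() in domains:
        return m.group(1), m.group(2).lower()
    return name, None


def cache_req_lookup(name, requested_domain, default_domain_suffix, domains=DOMAINS):
    """Stand-in for the generic cache request: a domain hint from the caller must agree
    with the domain parsed from a fully-qualified name; default_domain_suffix is only
    applied to names that carry no domain at all."""
    user, parsed = parse_name_for_domains(name, domains)
    if parsed and requested_domain and parsed != requested_domain:
        raise ValueError(f"Mismatch between input domain name [{requested_domain}] "
                         f"and parsed domain name [{parsed}]")
    return user, parsed or requested_domain or default_domain_suffix


def ssh_lookup_before_fix(name, default_domain_suffix):
    """Old ssh responder: it enforced default_domain_suffix itself by passing it as the
    requested domain, so an FQDN from the other domain trips the mismatch check."""
    return cache_req_lookup(name, default_domain_suffix, default_domain_suffix)


def ssh_lookup_after_fix(name, default_domain_suffix):
    """Fixed ssh responder (like nss): pass no domain hint and let the cache request
    code take the domain from the name or fall back to the suffix."""
    return cache_req_lookup(name, None, default_domain_suffix)


def find_mismatches(log_lines):
    """Triage helper: (input domain, parsed domain) pairs found in sssd_ssh.log lines."""
    return [m.groups() for line in log_lines if (m := MISMATCH_RE.search(line))]
```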

@alexey-tikhonov alexey-tikhonov added the Closed: Fixed Issue was closed as fixed. label Nov 14, 2024