https://bugzilla.redhat.com/show_bug.cgi?id=813884 (Red Hat Enterprise Linux 6)
Description of problem:
After joining system successfully as ipa-client, the following message is shown when I do ssh to ipa-server after kinit:

Error looking up public keys
Last login: Wed Apr 18 21:43:55 2012 from 10.65.201.176
Could not chdir to home directory /home/admin: No such file or directory
-bash-4.1$

Version-Release number of selected component (if applicable):
[root@dhcp201-176 ~]# rpm -q ipa-client
ipa-client-2.2.0-9.el6.x86_64
[root@dhcp201-176 ~]#

How reproducible:
Always

Steps to Reproduce:
1. Install IPA Server
2. Join a system as ipa-client using ipa-client-install

[root@dhcp201-176 ~]# ipa-client-install --domain=testrelm.com --realm=TESTRELM.COM -p admin -w Secret123 -U --server=ipa63server.testrelm.com
Discovery was successful!
Hostname: dhcp201-176.englab.pnq.redhat.com
Realm: TESTRELM.COM
DNS Domain: testrelm.com
IPA Server: ipa63server.testrelm.com
BaseDN: dc=testrelm,dc=com
Synchronizing time with KDC...
Enrolled in IPA realm TESTRELM.COM
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TESTRELM.COM
Warning: Could not update DNS SSHFP records.
SSSD enabled
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.
[root@dhcp201-176 ~]#

3. kinit as admin

[root@dhcp201-176 ~]# kinit admin
Password for admin@TESTRELM.COM:
[root@dhcp201-176 ~]#

4. ssh to ipa-server system.

[root@dhcp201-176 ~]# ssh admin@ipa63server.testrelm.com
Error looking up public keys
Last login: Wed Apr 18 21:43:55 2012 from 10.65.201.176
Could not chdir to home directory /home/admin: No such file or directory
-bash-4.1$

Actual results:
The following message is shown: "Error looking up public keys"

Expected results:
Message "Error looking up public keys" should not appear while doing ssh to ipa-server.
The issue here is that server SSHFP records are only filled when you install IPA via "ipa-server-install --setup-dns" because they are filled as a part of client installation.
When DNS support is installed separately (ipa-dns-install), SSHFP records for the server are not filled and clients connecting to the master will receive "Error looking up public keys" error.
That is a wrong guess, actually. This has nothing to do with SSHFP records, as they are not used for host authentication (not by default and definitely not here).
This error message can be seen when SSSD is misconfigured or when the user or host is not known to SSSD. So, this is either a misconfiguration or an SSSD bug.
Can you please post the output of:
$ /usr/bin/sss_ssh_authorizedkeys --debug 10 admin
and:
$ ssh -o ProxyCommand='/usr/bin/sss_ssh_knownhostsproxy --debug 10 -p %p %h' admin@ipa63server.testrelm.com
?
This is the output that jcholast requested:
# /usr/bin/sss_ssh_authorizedkeys --debug 10 admin
(Thu Jun 7 05:48:18:186913 2012) [/usr/bin/sss_ssh_authorizedkeys] [main] (0x0020): sss_ssh_get_ent() failed (14): Bad address
Error looking up public keys

# ssh -o ProxyCommand='/usr/bin/sss_ssh_knownhostsproxy --debug 10 -p %p %h' admin@vm-125.idm.lab.bos.redhat.com
(Thu Jun 7 05:49:28:107774 2012) [/usr/bin/sss_ssh_knownhostsproxy] [main] (0x0020): sss_ssh_get_ent() failed (14): Bad address
Error looking up public keys
The authenticity of host 'vm-125.idm.lab.bos.redhat.com (<no hostip for proxy command>)' can't be established.
RSA key fingerprint is 6b:a2:26:6f:eb:66:ef:4d:93:b1:dd:ba:e7:6e:f6:b1.
Are you sure you want to continue connecting (yes/no)? ^C
We discussed this issue in person. This is a real bug in SSSD and will be fixed as a part of SSSD ticket #1356, i.e. nothing to be done on IPA side at this moment.
Metadata Update from @mkosek: - Issue assigned to mkosek - Issue set to the milestone: FreeIPA 3.0 Beta 1