SSSD/sssd

Mismatch between input and parsed domain name when default_domain_suffix is set.

sumit-bose opened this issue · 1 comment

This issue is cloned from https://issues.redhat.com/browse/RHEL-4984

Description of problem:

There are two domains, AD (example.com) and IPA (linux.example.com), in a trust. When a user sets "default_domain_suffix = example.com" in their sssd.conf, users that log in using the FQDN for the IPA domain (jdoe@linux.example.com) get hit with a mismatch error:

  *  (2022-03-01  8:30:35): [ssh] [get_client_cred] (0x4000): Client [0x55ad47436280][23] creds: euid[65534] egid[65534] pid[7640] cmd_line['/usr/bin/sss_ssh_authorizedkeys'].
  *  (2022-03-01  8:30:35): [ssh] [setup_client_idle_timer] (0x4000): Idle timer re-set for client [0x55ad47436280][23]
  *  (2022-03-01  8:30:35): [ssh] [accept_fd_handler] (0x0400): Client [CID #1][cmd /usr/bin/sss_ssh_authorizedkeys][0x55ad47436280][23] connected!
  *  (2022-03-01  8:30:35): [ssh] [sss_cmd_get_version] (0x0200): Received client version [0].
  *  (2022-03-01  8:30:35): [ssh] [sss_cmd_get_version] (0x0200): Offered version [0].
  *  (2022-03-01  8:30:35): [ssh] [ssh_protocol_parse_request] (0x0400): Requested domain [example.com]
  *  (2022-03-01  8:30:35): [ssh] [ssh_cmd_get_user_pubkeys] (0x0400): Requesting SSH user public keys for [jdoe@linux.example.com] from [example.com]
  *  (2022-03-01  8:30:35): [ssh] [cache_req_set_plugin] (0x2000): CR #0: Setting "User by name" plugin
  *  (2022-03-01  8:30:35): [ssh] [cache_req_send] (0x0400): CR #0: REQ_TRACE: New request [CID #1] 'User by name'
  *  (2022-03-01  8:30:35): [ssh] [cache_req_process_input] (0x0400): CR #0: Parsing input name [jdoe@linux.example.com]
  *  (2022-03-01  8:30:35): [ssh] [sss_domain_get_state] (0x1000): Domain implicit_files is Active
  *  (2022-03-01  8:30:35): [ssh] [sss_domain_get_state] (0x1000): Domain linux.example.com is Active
  *  (2022-03-01  8:30:35): [ssh] [sss_parse_name_for_domains] (0x0200): name 'jdoe@linux.example.com' matched expression for domain 'linux.example.com', user is jdoe
  *  (2022-03-01  8:30:35): [ssh] [cache_req_input_parsed] (0x0020): Mismatch between input domain name [example.com] and parsed domain name [linux.example.com]

Version-Release number of selected component (if applicable):

SSSD 2.5.2-2.el8_5.4.x86_64

How reproducible:

Consistently.

Steps to Reproduce:
1. Create an environment similar to the one described above.
2. Set "default_domain_suffix = example.com"
3. Attempt to log in.

Actual results:

See above.

Expected results:

SSSD hands off the SSH key to OpenSSH and then the key is evaluated by OpenSSH.

Additional info:

Pushed PR: #7635

  • master
    • fb91349 - responders: deprecate default_domain_suffix option
    • ffec45b - ssh: do not use default_domain_suffix
  • sssd-2-10
    • d89edf8 - responders: deprecate default_domain_suffix option
    • 76ce51d - ssh: do not use default_domain_suffix
  • sssd-2-9
    • 698a751 - responders: deprecate default_domain_suffix option
    • d456f13 - ssh: do not use default_domain_suffix
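The lookup path the log above shows, as an added model in Python (not SSSD's own code): the ssh responder attaches a "requested domain" to the cache request, and cache_req rejects the request when the domain parsed from the input name differs from it. The `apply_suffix` switch is a constructed stand-in for the behaviour before and after the "ssh: do not use default_domain_suffix" fix; the known-domain list and name regex are assumptions that approximate sss_parse_name_for_domains.

```python
import re

# Constructed model of the ssh responder -> cache_req path; not SSSD's own code.
# Known domains are the AD domain and the trusted IPA domain from the report.
KNOWN_DOMAINS = ("example.com", "linux.example.com")
FQN_RE = re.compile(r"^(?P<user>[^@]+)(?:@(?P<domain>[^@]+))?$")


def parse_name_for_domains(raw_name, known_domains=KNOWN_DOMAINS):
    """Split 'user@domain' the way sss_parse_name_for_domains does: (user, domain) or (user, None)."""
    m = FQN_RE.match(raw_name)
    if m is None:
        raise ValueError(f"cannot parse name [{raw_name}]")
    user, domain = m.group("user"), m.group("domain")
    if domain is None:
        return user, None
    domain = domain.lower()
    if domain not in known_domains:
        raise ValueError(f"name [{raw_name}] does not match any known domain")
    return user, domain


def ssh_request_domain(client_domain, default_domain_suffix, apply_suffix):
    """Domain the ssh responder puts on the request. Before the fix an empty client
    domain was filled from default_domain_suffix; after the fix it is left empty."""
    if client_domain:
        return client_domain
    return default_domain_suffix if apply_suffix else None


def cache_req_process_input(requested_domain, raw_name):
    """Return ('ok', (user, domain)) or ('error', message), mirroring cache_req_input_parsed."""
    user, parsed = parse_name_for_domains(raw_name)
    if requested_domain and parsed and parsed != requested_domain.lower():
        return "error", (f"Mismatch between input domain name [{requested_domain}] "
                         f"and parsed domain name [{parsed}]")
    # No parsed domain: fall back to the requested one (None means "search all domains").
    return "ok", (user, parsed or requested_domain)


def lookup_pubkeys(raw_name, default_domain_suffix="example.com",
                   apply_suffix=True, client_domain=None):
    """Whole path for one sss_ssh_authorizedkeys request, without a client-supplied domain."""
    requested = ssh_request_domain(client_domain, default_domain_suffix, apply_suffix)
    return cache_req_process_input(requested, raw_name)


if __name__ == "__main__":
    print(lookup_pubkeys("jdoe@linux.example.com", apply_suffix=True))   # error: mismatch
    print(lookup_pubkeys("jdoe@linux.example.com", apply_suffix=False))  # ok, IPA domain
    print(lookup_pubkeys("jdoe", apply_suffix=False))                    # ok, domain None
```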