author: Florence Blanc-Renaud <frenaud@redhat.com> 2016-06-01 17:42:48 +0200
committer: Martin Basti <mbasti@redhat.com> 2016-06-17 17:31:08 +0200
commit: 4a7345e44804cf14f664814a2ab60f7a43ffa4ee (patch)
tree: 4d8d7e60daf545c74e665935b8ad5294a086c0d7 /install/tools
parent: d70e52b61b35f42ca2d34ef05310fd2c18c882ce (diff)

Always qualify requests for admin in ipa-replica-conncheck

ipa-replica-conncheck connects to the master using an SSH command:

    ssh -o StrictHostKeychecking=no -o UserKnownHostsFile=<tmpfile> \
        -o GSSAPIAuthentication=yes <principal>@<master hostname> \
        echo OK

The issue is that the principal name is not fully qualified (for instance 'admin' is used, even if ipa-replica-conncheck was called with --principal admin@EXAMPLE.COM).

When the FreeIPA server is running with a /etc/sssd/sssd.conf containing

    [sssd]
    default_domain_suffix = ad.domain.com

this leads to the SSH connection failure because admin is not defined in the default domain.

The fix uses the fully qualified principal name, and calls ssh with

    ssh -o StrictHostKeychecking=no -o UserKnownHostsFile=<tmpfile> \
        -o GSSAPIAuthentication=yes -o User=<principal> \
        <master hostname> echo OK

to avoid syntax issues with admin@DOMAIN@master

https://fedorahosted.org/freeipa/ticket/5812

Reviewed-By: Martin Basti <mbasti@redhat.com>

Diffstat (limited to 'install/tools')
-rwxr-xr-x install/tools/ipa-replica-conncheck 7
1 files changed, 5 insertions, 2 deletions
diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index fdf08d631..991f4e429 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -66,7 +66,9 @@ class SshExec(object):
'-o StrictHostKeychecking=no',
'-o UserKnownHostsFile=%s' % tmpf.name,
'-o GSSAPIAuthentication=yes',
- '%s@%s' % (self.user, self.addr), command
+ '-o User=%s' % self.user,
+ '%s' % self.addr,
+ command
]
if verbose:
cmd.insert(1, '-v')
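Review bot: the destination at `'%s' % self.addr` is now a bare positional argument with nothing in front of it, so a master address that begins with `-` would be read by ssh as an option instead of a host. Before this change the `user@` prefix made that less likely; consider rejecting such a value before `cmd` is built. The `'%s' %` wrapper on that line is also redundant, since `self.addr` can be passed as is.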
@@ -517,7 +519,8 @@ def main():
except Exception:
print_info("Retrying using SSH...")
- user = principal.partition('@')[0]
+ # Ticket 5812 Always qualify requests for admin
+ user = principal
ssh = SshExec(user, options.master)
print_info("Check SSH connection to remote master")
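Review bot: `user = principal` passes the value through unchanged, so a principal supplied without a realm still reaches `SshExec` unqualified, and the "Always qualify" in the new comment only holds if `principal` is normalised earlier in main(), which this hunk does not show. Either append the realm here when `'@'` is absent, or have the comment say where that normalisation happens. With the `partition` call gone the `user` variable adds nothing, and `SshExec(principal, options.master)` would read more directly.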