Correction, it's primary/instance@REALM

On Aug 8, 2014 10:57 AM, "brendan kearney" <bpk...@gmail.com> wrote:

> Kerberos is dependent on A records in dns. The instance (as in
> principal/instance@REALM) should match the A record in dns.
>
> There is absolutely no Kerberos dependency on hostnames being fully
> qualified. I have all my devices named with short names and I have no
> issues with Kerberos ticketing.
>
> This seems to be an artificial requirement in FreeIPA that is wrong.
>
> On Aug 8, 2014 8:54 AM, "Bruno Henrique Barbosa" <bruno-barb...@prodesan.com.br> wrote:
>
>> Hello everyone,
>>
>> I'm running through an issue where an application needs its server's
>> hostname to be in short name format, such as "server" and not
>> "server.example.com". When I started deploying FreeIPA in the very
>> beginning of this year, I remember I couldn't install freeipa-client with a
>> bare "ipa-client install", because of this:
>>
>> ____________
>>
>> [root@server ~]# hostname
>> server
>> [root@server ~]# hostname -f
>> server.example.com
>> [root@server ~]# ipa-client-install
>> Discovery was successful!
>> Hostname: server.example.com
>> Realm: EXAMPLE.COM
>> DNS Domain: example.com
>> IPA Server: ipa01.example.com
>> Base DN: dc=example,dc=com
>>
>> Continue to configure the system with these values? [no] yes
>> User authorized to enroll computers: admin
>> Synchronizing time with KDC...
>> Unable to sync time with IPA NTP Server, assuming the time is in sync.
>> Please check that port 123 UDP is opened.
>> Password for ad...@example.com:
>> Joining realm failed: The hostname must be fully-qualified: server
>> Installation failed. Rolling back changes.
>> IPA client is not configured on this system.
>>
>> ________________
>>
>> So, using the short name as hostname didn't work for install. I then made
>> it like "ipa-client install --hostname=`hostname -f` --mkhomedir -N", and
>> it installs and works like a charm, BUT it updates the machine's hostname
>> to FQDN.
>>
>> What I tested and, at first, worked: after deploying and ipa-client
>> installation with those parameters which work, renaming the machine back to
>> a short name AT FIRST is not causing any problems. I can login with my ssh
>> rules perfectly, but I don't find any IPA technical docs saying it
>> will/won't work if I change the hostname back to short name and not FQDN.
>>
>> Searching for it, I found on RedHat guide: "The hostname of a system is
>> critical for the correct operation of Kerberos and SSL. Both of these
>> security mechanisms rely on the hostname to ensure that communication is
>> occurring between the specified hosts."
>> I've also found this message
>> http://osdir.com/ml/freeipa-users/2012-03/msg00006.html which seems to
>> be related to my case, but what I need to know is: where does it state FQDN
>> is a mandatory requirement in order for FreeIPA to work and/or is there
>> anything else (a patch, update, whatever) to solve this issue, so I don't
>> need to change my applications?
>>
>> Thank you and sorry for the wall of text.
>>
>> PS: Environment is CentOS 6.5, in both IPA server and client. DNS is not
>> the same server as IPA (it forwards to a Windows DC).
>>
>> RPMs:
>> libipa_hbac-1.9.2-129.el6_5.4.x86_64
>> libipa_hbac-python-1.9.2-129.el6_5.4.x86_64
>> python-iniparse-0.3.1-2.1.el6.noarch
>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>> ipa-admintools-3.0.0-37.el6.x86_64
>> ipa-server-selinux-3.0.0-37.el6.x86_64
>> ipa-server-3.0.0-37.el6.x86_64
>> ipa-python-3.0.0-37.el6.x86_64
>> ipa-client-3.0.0-37.el6.x86_64
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go To http://freeipa.org for more info on the project
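The thread turns on two separate facts: ipa-client-install refuses a hostname that is not fully qualified, and the instance part of a Kerberos host principal (primary/instance@REALM) should agree with what DNS returns for the machine. The script below is an added example, not code from the thread or from the FreeIPA project: it performs the fully-qualified-name check offline, builds the host principal the way the thread describes it, and, when run with an argument, also asks the local resolver whether the canonical name matches. The function names, the REALM default and the sample hostnames are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): pre-enrollment hostname sanity checks
# mirroring the two requirements discussed above:
#   1. ipa-client-install refuses a hostname that is not fully qualified
#      ("The hostname must be fully-qualified: server").
#   2. The instance of a Kerberos host principal, host/instance@REALM,
#      should match the name DNS resolves for the machine.
# Function names, REALM default and sample values are this example's own.

# RFC 1123 label: 1-63 chars of [A-Za-z0-9-], no leading or trailing hyphen.
LABEL='[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?'

# is_fqdn NAME -> 0 if NAME has at least two valid labels and fits in 253 chars.
# A bare "server" has one label and is rejected, as ipa-client-install does.
is_fqdn() {
    name=$1
    [ -n "$name" ] || return 1
    [ "${#name}" -le 253 ] || return 1
    printf '%s\n' "$name" | grep -Eq "^(${LABEL}\.)+${LABEL}$"
}

# host_principal SERVICE NAME REALM -> prints SERVICE/NAME@REALM.
# Fails when NAME is a short name, so a misnamed instance never reaches a keytab.
host_principal() {
    svc=$1; name=$2; realm=$3
    if ! is_fqdn "$name"; then
        echo "error: instance '$name' is not fully qualified" >&2
        return 1
    fi
    printf '%s/%s@%s\n' "$svc" "$name" "$realm"
}

# dns_forward_matches NAME -> 0 if the resolver knows NAME and reports it as
# the canonical name (second field of getent output). Needs a working
# resolver; it is not part of the offline checks above.
dns_forward_matches() {
    name=$1
    canon=$(getent hosts "$name" | awk 'NR==1 {print $2}')
    [ -n "$canon" ] || { echo "error: $name does not resolve" >&2; return 1; }
    [ "$canon" = "$name" ] || {
        echo "warning: $name resolves to canonical name $canon" >&2
        return 1
    }
}

# check_host NAME: offline checks first, then the resolver check.
check_host() {
    name=$1
    if is_fqdn "$name"; then
        echo "ok: '$name' is fully qualified"
    else
        echo "fail: '$name' is not fully qualified; ipa-client-install would refuse it"
        echo "hint: pass --hostname=\"\$(hostname -f)\" or fix the system hostname"
        return 1
    fi
    host_principal host "$name" "${REALM:-EXAMPLE.COM}"
    dns_forward_matches "$name" && echo "ok: DNS canonical name matches"
}

# Usage: REALM=EXAMPLE.COM sh check_host.sh "$(hostname -f)"
# With no arguments the script only defines the functions.
if [ $# -gt 0 ]; then
    check_host "$1"
fi
```

Run it with `hostname` and then with `hostname -f` on a machine set up as in the quoted session and the first invocation fails at the same point the installer did, while the second passes the offline checks and moves on to the DNS comparison.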