On 08/08/2014 08:57 AM, brendan kearney wrote:

Kerberos is dependent on A records in DNS. The instance (as in principal/instance@REALM) should match the A record in DNS.

There is absolutely no Kerberos dependency on hostnames being fully qualified. I have all my devices named with short names and I have no issues with Kerberos ticketing.

This seems to be an artificial requirement in FreeIPA that is wrong.


The other hostname requirement is for TLS/SSL, for MITM checking. By default, when an SSL server cert is issued, the subject DN contains cn=fqdn as the leftmost component. Clients use this fqdn to verify the server. That is, the client knows the IP address of the server; the client does a reverse lookup (i.e. PTR) to see if the server returned by that lookup matches the cn=fqdn in the server cert. This requires that reverse lookups are configured and that the fqdn is the first name/alias returned.

On Aug 8, 2014 8:54 AM, "Bruno Henrique Barbosa" <bruno-barb...@prodesan.com.br> wrote:

    Hello everyone,

    I'm running through an issue where an application needs its
    server's hostname to be in short name format, such as "server" and
    not "server.example.com". When I started deploying FreeIPA in the
    very beginning of this year, I remember I couldn't install
    freeipa-client with a bare "ipa-client-install", because of this:

    ____________

    [root@server ~]# hostname
    server
    [root@server ~]# hostname -f
    server.example.com
    [root@server ~]# ipa-client-install
    Discovery was successful!
    Hostname: server.example.com
    Realm: EXAMPLE.COM
    DNS Domain: example.com
    IPA Server: ipa01.example.com
    Base DN: dc=example,dc=com

    Continue to configure the system with these values? [no] yes
    User authorized to enroll computers: admin
    Synchronizing time with KDC...
    Unable to sync time with IPA NTP Server, assuming the time is in
    sync. Please check that port 123 UDP is opened.
    Password for ad...@example.com:
    Joining realm failed: The hostname must be fully-qualified: server
    Installation failed. Rolling back changes.
    IPA client is not configured on this system.

    ________________

    So, using the short name as hostname didn't work for install. I
    then made it like "ipa-client-install --hostname=`hostname -f`
    --mkhomedir -N", and it installs and works like a charm, BUT it
    updates the machine's hostname to the FQDN.

    What I tested and, at first, worked: after deploying and
    ipa-client installation with those parameters which work, renaming
    the machine back to a short name AT FIRST is not causing any
    problems. I can login with my ssh rules perfectly, but I don't
    find any IPA technical docs saying it will/won't work if I change
    the hostname back to short name and not FQDN.

    Searching for it, I found in the Red Hat guide: "The hostname of a
    system is critical for the correct operation of Kerberos and SSL.
    Both of these security mechanisms rely on the hostname to ensure
    that communication is occurring between the specified hosts."
    I've also found this message
    http://osdir.com/ml/freeipa-users/2012-03/msg00006.html which
    seems to be related to my case, but what I need to know is: where
    does it state that an FQDN is a mandatory requirement in order for
    FreeIPA to work, and/or is there anything else (a patch, update,
    whatever) to solve this issue, so I don't need to change my
    applications?

    Thank you and sorry for the wall of text.

    PS: Environment is CentOS 6.5, on both IPA server and client. DNS
    is not the same server as IPA (it forwards to a Windows DC).

    RPMs:
    libipa_hbac-1.9.2-129.el6_5.4.x86_64
    libipa_hbac-python-1.9.2-129.el6_5.4.x86_64
    python-iniparse-0.3.1-2.1.el6.noarch
    ipa-pki-common-theme-9.0.3-7.el6.noarch
    ipa-pki-ca-theme-9.0.3-7.el6.noarch
    ipa-admintools-3.0.0-37.el6.x86_64
    ipa-server-selinux-3.0.0-37.el6.x86_64
    ipa-server-3.0.0-37.el6.x86_64
    ipa-python-3.0.0-37.el6.x86_64
    ipa-client-3.0.0-37.el6.x86_64



    --
    Manage your subscription for the Freeipa-users mailing list:
    https://www.redhat.com/mailman/listinfo/freeipa-users
    Go To http://freeipa.org for more info on the project




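The checks the thread argues about (is the hostname fully qualified, what Kerberos host principal it yields, and whether the A record and the PTR record agree with the FQDN being the first name returned) collected into one script. This is an added example, not code from the thread, from the participants, or from FreeIPA itself; the `FAKE_ZONE` records and the 192.0.2.x addresses are constructed test data, and `system_resolver` is the only part that touches real DNS, via the standard `socket` module.

```python
"""Hostname sanity checks of the kind an enrollment tool runs before joining a realm.

Added example (not from the thread or from FreeIPA). Lookups go through an
injectable resolver so the checks can be exercised offline against constructed data.
"""
import re
import socket
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# One DNS label: 1-63 chars of [A-Za-z0-9-], not starting or ending with '-'.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_fqdn(name: str) -> bool:
    """True if name has at least two valid DNS labels (e.g. server.example.com)."""
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(LABEL_RE.match(label) for label in labels)


def host_principal(fqdn: str, realm: Optional[str] = None) -> str:
    """Build the host service principal host/<fqdn>@<REALM>.

    Kerberos principal names are case-sensitive, so the instance is normalised to
    lowercase (the conventional spelling of DNS names); the realm defaults to the
    DNS domain upper-cased, as in the thread's example.com -> EXAMPLE.COM.
    """
    if not is_fqdn(fqdn):
        raise ValueError(f"hostname must be fully-qualified: {fqdn}")
    fqdn = fqdn.rstrip(".").lower()
    if realm is None:
        realm = fqdn.split(".", 1)[1].upper()
    return f"host/{fqdn}@{realm}"


@dataclass
class DnsCheck:
    ok: bool
    problems: List[str] = field(default_factory=list)


# (name_or_ip, rrtype) -> list of answers; rrtype is "A" or "PTR".
Resolver = Callable[[str, str], List[str]]


def system_resolver(name: str, rrtype: str) -> List[str]:
    """Real lookups: A via getaddrinfo, PTR via gethostbyaddr (primary name first)."""
    try:
        if rrtype == "A":
            return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
        if rrtype == "PTR":
            primary, aliases, _ = socket.gethostbyaddr(name)
            return [primary] + aliases
    except OSError:
        return []
    return []


def check_dns(fqdn: str, resolver: Resolver = system_resolver) -> DnsCheck:
    """Verify the FQDN has an A record and that every address's PTR names it first."""
    if not is_fqdn(fqdn):
        return DnsCheck(False, [f"not fully qualified: {fqdn}"])
    name = fqdn.rstrip(".").lower()
    addrs = resolver(name, "A")
    if not addrs:
        return DnsCheck(False, [f"no A record for {name}"])
    problems: List[str] = []
    for ip in addrs:
        ptr = [p.rstrip(".").lower() for p in resolver(ip, "PTR")]
        if not ptr:
            problems.append(f"no PTR record for {ip}")
        elif ptr[0] != name:
            # The FQDN must be the *first* name returned by the reverse lookup,
            # not merely present among the aliases.
            problems.append(f"PTR for {ip} is {ptr[0]!r}, expected {name!r}")
    return DnsCheck(not problems, problems)


# Constructed zone data for offline use; 192.0.2.0/24 is the documentation range.
FAKE_ZONE = {
    ("server.example.com", "A"): ["192.0.2.10"],
    ("192.0.2.10", "PTR"): ["server.example.com."],
    ("alias.example.com", "A"): ["192.0.2.11"],
    ("192.0.2.11", "PTR"): ["other.example.com.", "alias.example.com."],
    ("orphan.example.com", "A"): ["192.0.2.12"],
}


def fake_resolver(name: str, rrtype: str) -> List[str]:
    return FAKE_ZONE.get((name, rrtype), [])


if __name__ == "__main__":
    local = socket.getfqdn()
    print("hostname:", local, "fully qualified:", is_fqdn(local))
    if is_fqdn(local):
        print("principal:", host_principal(local))
        result = check_dns(local)
        print("dns consistent:", result.ok, result.problems)
```

Run without arguments it inspects the local machine through the system resolver; the constructed `FAKE_ZONE` shows the three outcomes that matter here: a consistent forward/reverse pair, a PTR whose first name is a different host, and an address with no PTR at all.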