On Wed, 27 Jan 2016, Jon wrote:
Hi Alexander,

I've changed the names to anonymize the logs, but have maintained the
structure of the names.

This is how I've got the hostname configured:

[root@freeipaserver ~]# hostname
freeipaserver
[root@freeipaserver ~]# hostname -a
freeipaserver
[root@freeipaserver ~]# hostname -f
freeipaserver.my.sub.domain.com
[root@freeipaserver ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

192.168.1.10 freeipaserver.my.sub.domain.com freeipaserver

[root@freeipaserver ~]# cat /etc/sysconfig/network
DNS1=192.168.10.1
NISDOMAIN=my.sub.domain.com
GATEWAY=192.168.1.1
SEARCH=my.sub.domain.com
DOMAIN=my.sub.domain.com

(NISDOMAIN and DOMAIN were previous attempts to set the domain.  I can't
just set /etc/hostname to "freeipaserver" as a bash prompt that says [
r...@freeipaserver.my.sub.domain.com ~] is unacceptable to our ops teams,
and we can't rewrite our bashrcs (these are company standards).  However,
based on the instructions, I do believe I've set the hostname correctly
unless something has changed between RHEL6 and RHEL7).

So this is not going to work, sorry.

One way or another, Kerberos requires you to have uniform names, so
freeipaserver and freeipaserver.my.sub.domain.com are different names
and thus cifs/freeipaserver@REALM and cifs/freeipaserver.my.sub.domain.com@REALM
are two different Kerberos principals. FreeIPA KDC does not support aliases.

Almost all software using Kerberos is retrieving hostname using
gethostname() call which, in turn, uses uname() system call and copies
hostname from a nodename element of the returned structure. There is no
code that complements nodename with default domain or something, so
that output has to be fully qualified or ALL hosts in your deployment
would need to be non-fully qualified.

`hostname` output is essentially giving you what uname() returns in
nodename, while `hostname -f` appends default domain to it.

Company standards may be important but in this case your bashrc code is
clearly based on something that is not really taking Kerberos reality
into account.
--
/ Alexander Bokovoy
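
The lookup described in the reply above, as an added example that is not part of the original thread or of FreeIPA's code: it reads the name the way a Kerberos-aware service would, via gethostname(), compares it with uname()'s nodename, and builds the principal that results. The helper names, the dot-based FQDN heuristic and the literal `REALM` placeholder are assumptions for illustration.

```c
#define _DEFAULT_SOURCE   /* exposes gethostname() under strict -std modes */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/utsname.h>

/* Heuristic (assumption): a name counts as fully qualified when it has
   a dot that is neither the first nor the last character. */
int is_fqdn(const char *name) {
    const char *dot = strchr(name, '.');
    return dot != NULL && dot != name && name[strlen(name) - 1] != '.';
}

/* Build service/host@realm exactly from the string given: nothing here
   (or in gethostname) appends a default domain. Returns 0, or -1 if the
   result does not fit in out. */
int build_principal(const char *service, const char *host,
                    const char *realm, char *out, size_t outlen) {
    int n = snprintf(out, outlen, "%s/%s@%s", service, host, realm);
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}

/* 1 if gethostname() and uname().nodename agree, 0 if not, -1 on error. */
int nodename_matches_gethostname(void) {
    char host[256];
    struct utsname u;
    if (gethostname(host, sizeof host) != 0 || uname(&u) != 0) return -1;
    host[sizeof host - 1] = '\0';
    return strcmp(host, u.nodename) == 0;
}

int main(void) {
    char host[256] = "", princ[512];
    if (gethostname(host, sizeof host - 1) != 0) { perror("gethostname"); return 1; }
    printf("gethostname(): %s (%s)\n", host,
           is_fqdn(host) ? "fully qualified" : "short name");
    printf("matches uname() nodename: %d\n", nodename_matches_gethostname());
    if (build_principal("cifs", host, "REALM", princ, sizeof princ) == 0)
        printf("principal a service on this host would use: %s\n", princ);
    return 0;
}
```

On a host configured like the one in the quoted message, this reports a short name and a principal of the form cifs/freeipaserver@REALM, which is a different principal from the fully qualified one.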
