[Freeipa-users] FreeIPA and FQDN requirements

Bruno Henrique Barbosa bruno-barbosa at prodesan.com.br
Fri Aug 8 12:51:55 UTC 2014


Hello everyone, 

I'm running into an issue where an application needs its server's hostname to be in short-name format, such as "server" and not "server.example.com". When I started deploying FreeIPA at the very beginning of this year, I remember I couldn't install freeipa-client with a bare "ipa-client-install", because of this:

____________

[root@server ~]# hostname
server
[root@server ~]# hostname -f
server.example.com
[root@server ~]# ipa-client-install
Discovery was successful!
Hostname: server.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: ipa01.example.com
Base DN: dc=example,dc=com

Continue to configure the system with these values? [no] yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Unable to sync time with IPA NTP Server, assuming the time is in sync. Please check that port 123 UDP is opened.
Password for admin@EXAMPLE.COM:
Joining realm failed: The hostname must be fully-qualified: server
Installation failed. Rolling back changes.
IPA client is not configured on this system.

________________

So, using the short name as the hostname didn't work for the install. I then ran it as "ipa-client-install --hostname=`hostname -f` --mkhomedir -N", and it installs and works like a charm, BUT it updates the machine's hostname to the FQDN.

What I tested and, at first, worked: after deploying and running ipa-client-install with those parameters that work, renaming the machine back to a short name is, AT FIRST, not causing any problems. I can log in with my SSH rules perfectly, but I don't find any IPA technical docs saying whether it will or won't work if I change the hostname back to a short name instead of the FQDN.

Searching for it, I found this in the Red Hat guide: "The hostname of a system is critical for the correct operation of Kerberos and SSL. Both of these security mechanisms rely on the hostname to ensure that communication is occurring between the specified hosts."
I've also found this message, http://osdir.com/ml/freeipa-users/2012-03/msg00006.html, which seems to be related to my case, but what I need to know is: where does it state that an FQDN is a mandatory requirement in order for FreeIPA to work, and/or is there anything else (a patch, update, whatever) to solve this issue, so I don't need to change my applications?

Thank you, and sorry for the wall of text.

PS: Environment is CentOS 6.5 on both the IPA server and the client. DNS is not on the same server as IPA (it forwards to a Windows DC).

RPMs:
libipa_hbac-1.9.2-129.el6_5.4.x86_64
libipa_hbac-python-1.9.2-129.el6_5.4.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-admintools-3.0.0-37.el6.x86_64
ipa-server-selinux-3.0.0-37.el6.x86_64
ipa-server-3.0.0-37.el6.x86_64
ipa-python-3.0.0-37.el6.x86_64
ipa-client-3.0.0-37.el6.x86_64


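The post above hits the installer's "hostname must be fully-qualified" check only after discovery and the admin password prompt. The following is an added preflight example, not part of the original message and not FreeIPA's own code: it checks the shape of the names that `hostname` and `hostname -f` return before anything is enrolled, and prints the ipa-client-install invocation that matches the situation (the `--hostname=` form is the workaround the post describes). Function names (`is_fqdn`, `ipa_enroll_cmd`) and the sample inputs are this example's own; it only validates syntax and does not replace the installer's own DNS discovery.

```shell
#!/bin/sh
# Added example, not from the original post or from FreeIPA. It checks
# whether a host name is fully-qualified before ipa-client-install is run,
# so the failure seen in the post surfaces before the enrollment password
# is typed. Function names and sample inputs are this example's own.

# is_fqdn NAME: returns 0 when NAME is a syntactically fully-qualified host
# name (at least two labels, each 1-63 chars of letters, digits and '-',
# not starting or ending with '-', no empty label, no trailing dot,
# total length at most 253), 1 otherwise.
is_fqdn() {
    name=$1
    [ -n "$name" ] || return 1
    [ ${#name} -le 253 ] || return 1
    case $name in
        *.*) ;;                       # "server" alone has no domain part
        *) return 1 ;;
    esac
    case $name in
        .*|*.|*..*) return 1 ;;       # leading, trailing or doubled dot
    esac
    rest=$name
    while [ -n "$rest" ]; do
        label=${rest%%.*}             # first remaining label
        case $rest in
            *.*) rest=${rest#*.} ;;   # drop it together with its dot
            *)   rest= ;;
        esac
        [ ${#label} -le 63 ] || return 1
        case $label in
            -*|*-) return 1 ;;        # hyphen at a label edge
            *[!A-Za-z0-9-]*) return 1 ;;
        esac
    done
    return 0
}

# ipa_enroll_cmd SHORT FQDN: given the output of `hostname` and
# `hostname -f`, prints the ipa-client-install command line that will be
# accepted. Returns 0 when the kernel hostname is already fully-qualified,
# 1 when --hostname=FQDN is needed (the post's workaround, which also
# rewrites the machine's hostname), 2 when no usable FQDN is available.
ipa_enroll_cmd() {
    short=$1
    fqdn=$2
    if is_fqdn "$short"; then
        echo "ipa-client-install --mkhomedir -N"
        return 0
    elif is_fqdn "$fqdn"; then
        echo "ipa-client-install --hostname=$fqdn --mkhomedir -N"
        return 1
    else
        echo "error: neither '$short' nor '$fqdn' is fully-qualified; fix /etc/hosts or DNS first" >&2
        return 2
    fi
}

# Constructed sample matching the post: short kernel hostname, FQDN from DNS.
# On a real host run: ipa_enroll_cmd "$(hostname)" "$(hostname -f)"
ipa_enroll_cmd "server" "server.example.com" \
    || echo "note: kernel hostname is short, installer will rewrite it (status $?)"
```

Status 1 is deliberately non-zero so that a provisioning script can notice that the machine's hostname is about to be changed to the FQDN, which is exactly the side effect the post wants to avoid.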