[Freeipa-users] FreeIPA and FQDN requirements
Rich Megginson
rmeggins at redhat.com
Fri Aug 8 17:43:11 UTC 2014
On 08/08/2014 11:17 AM, brendan kearney wrote:
>
> The cert should have the fqdn, just like the kerberos instance, but
> the hostname is not required to be fq'd. The lookup of a short name,
> as well as and more specifically the IP, in dns will result in the
> fqdn being returned by dns (the short name resolution being affected
> by domain and search directives in resolv.conf and the origin
> directive in dns if either of those are absent).
>
> Back to the point, dns lookup for cert matching is not dependent on
> hostnames. PTR lookups will always return fqdns, so a dependency on
> fqdns as hostnames is artificial, no?
>
Most clients will also do the additional step of matching the hostname
in the cert against the originally given hostname. For example, with
ldapsearch:
ldapsearch -xLLLZZ -h hostname ...
This will fail if the server cert for hostname has "cn=hostname.domain.tld"
> On Aug 8, 2014 1:03 PM, "Rich Megginson" <rmeggins at redhat.com
> <mailto:rmeggins at redhat.com>> wrote:
>
> On 08/08/2014 10:56 AM, brendan kearney wrote:
>>
>> Arent all of those lookups done in dns?
>>
>
> Yes.
>
>> Wouldnt that mean hostnames being fqdn's is irrelevant?
>>
>
> Not sure what you mean.
>
> I guess if you issued your server certs with a subject DN of
> "cn=hostname", instead of "cn=hostname.domain.tld", and you had
> the DNS PTR lookups configured so that w.x.y.z returned "hostname"
> instead of "hostname.domain.tld", then TLS/SSL would work.
>
>> On Aug 8, 2014 12:11 PM, "Rich Megginson" <rmeggins at redhat.com
>> <mailto:rmeggins at redhat.com>> wrote:
>>
>> On 08/08/2014 08:57 AM, brendan kearney wrote:
>>>
>>> Kerberos is dependent on A records in dns. The instance (as
>>> in principal/instance at REALM) should match the A record in dns.
>>>
>>> There is absolutely no Kerberos dependency on hostnames
>>> being fully qualified. I have all my devices named with
>>> short names and I have no issues with Kerberos ticketing.
>>>
>>> This seems to be an artificial requirement in FreeIPA that
>>> is wrong.
>>>
>>
>> The other hostname requirement is for TLS/SSL, for MITM
>> checking. By default, when an SSL server cert is issued, the
>> subject DN contains cn=fqdn as the leftmost component.
>> clients use this fqdn to verify the server. That is, client
>> knows the IP address of the server - client does a reverse
>> lookup (i.e. PTR) to see if the server returned by that
>> lookup matches the cn=fqdn in the server cert. This requires
>> reverse lookups are configured and that the fqdn is the first
>> name/alias returned.
>>
>>> On Aug 8, 2014 8:54 AM, "Bruno Henrique Barbosa"
>>> <bruno-barbosa at prodesan.com.br
>>> <mailto:bruno-barbosa at prodesan.com.br>> wrote:
>>>
>>> Hello everyone,
>>>
>>> I'm running through an issue where an application needs
>>> its server's hostname to be in short name format, such
>>> as "server" and not "server.example.com
>>> <http://server.example.com>". When I started deploying
>>> FreeIPA in the very beginning of this year, I remember I
>>> couldn't install freeipa-client with a bare "ipa-client
>>> install", because of this:
>>>
>>> ____________
>>>
>>> [root at server ~]# hostname
>>> server
>>> [root at server ~]# hostname -f
>>> server.example.com <http://server.example.com>
>>> [root at server ~]# ipa-client-install
>>> Discovery was successful!
>>> Hostname: server.example.com <http://server.example.com>
>>> Realm: EXAMPLE.COM <http://EXAMPLE.COM>
>>> DNS Domain: example.com <http://example.com>
>>> IPA Server: ipa01.example.com <http://ipa01.example.com>
>>> Base DN: dc=example,dc=com
>>>
>>> Continue to configure the system with these values? [no] yes
>>> User authorized to enroll computers: admin
>>> Synchronizing time with KDC...
>>> Unable to sync time with IPA NTP Server, assuming the
>>> time is in sync. Please check that port 123 UDP is opened.
>>> Password for admin at EXAMPLE.COM <mailto:admin at EXAMPLE.COM>:
>>> Joining realm failed: The hostname must be
>>> fully-qualified: server
>>> Installation failed. Rolling back changes.
>>> IPA client is not configured on this system.
>>>
>>> ________________
>>>
>>> So, using the short name as hostname didn't work for
>>> install, I then make it like "ipa-client install
>>> --hostname=`hostname -f` --mkhomedir -N", and it
>>> installs and works like a charm, BUT it updates the
>>> machine's hostname to FQDN.
>>>
>>> What I tested and, at first, worked: after deploying and
>>> ipa-client installation with those parameters which
>>> work, renaming the machine back to a short name AT FIRST
>>> is not causing any problems. I can login with my ssh
>>> rules perfectly, but I don't find any IPA technical docs
>>> saying it will/won't work if I change the hostname back
>>> to short name and not FQDN.
>>>
>>> Searching for it, I found on RedHat guide: "The hostname
>>> of a system is critical for the correct operation of
>>> Kerberos and SSL. Both of these security mechanisms rely
>>> on the hostname to ensure that communication is
>>> occurring between the specified hosts."
>>> I've also found this message
>>> http://osdir.com/ml/freeipa-users/2012-03/msg00006.html
>>> which seems to be related to my case, but what I need to
>>> know is: where does it state FQDN is a mandatory
>>> requirement in order to FreeIPA to work and/or is there
>>> anything else (a patch, update, whatever) to solve this
>>> issue, so I don't need to change my applications?
>>>
>>> Thank you and sorry for the wall of a text.
>>>
>>> PS: Enviroment is CentOS 6.5, in both IPA server and
>>> client. DNS is not the same server as IPA (it forwards
>>> to a Windows DC).
>>>
>>> RPMs:
>>> libipa_hbac-1.9.2-129.el6_5.4.x86_64
>>> libipa_hbac-python-1.9.2-129.el6_5.4.x86_64
>>> python-iniparse-0.3.1-2.1.el6.noarch
>>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>>> ipa-admintools-3.0.0-37.el6.x86_64
>>> ipa-server-selinux-3.0.0-37.el6.x86_64
>>> ipa-server-3.0.0-37.el6.x86_64
>>> ipa-python-3.0.0-37.el6.x86_64
>>> ipa-client-3.0.0-37.el6.x86_64
>>>
>>>
>>>
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go To http://freeipa.org for more info on the project
>>>
>>>
>>>
>>
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go To http://freeipa.org for more info on the project
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20140808/cd7253c1/attachment.htm>
More information about the Freeipa-users
mailing list