[Freeipa-users] FreeIPA and FQDN requirements

Petr Spacek pspacek at redhat.com
Fri Aug 8 19:46:08 UTC 2014 

Hello,

On 8.8.2014 21:16, brendan kearney wrote:
> Maybe I am reading too far into rfc 1178, but I hardly think making
> hostnames required to be fqdns is in anybodys interest.  It is not a
> requirement now in any other technology anywhere, so what is the impetus to
> push it?  I dont see any value in it

First of all, feel free to experiment with FreeIPA and let us know what we did 
wrong. Messages like 'I have removed all the checks and it still passes all 
test even with short name!' are welcome :-)


As you said, Kerberos technically does not require FQDN but it is important to 
note that the machine name have to be stable and unique inside given Kerberos 
realm because the name is used as lookup key in keytab file and KDC database.

Assume that FQDN is constructed as static hostname.domainname from DHCP or via 
reverse DNS lookup. What happens if the machine (laptop) moves from one 
network to another? What if the machine have multiple interfaces?

As a result, any change in FQDN will break your Kerberos setup.

See $ man 1 domainname

"   THE FQDN
[...]
If a machine has multiple network interfaces/addresses or is used in a mobile 
environment, then it may either have multiple FQDNs/domain names or  none  at 
  all. Therefore  avoid using hostname --fqdn, hostname --domain and 
dnsdomainname.  hostname --ip-address is subject to the same limitations so it 
should be avoided as well.
"

Ideas and patches solving this problem are welcome. Have a nice day!

Petr^2 Spacek

> On Aug 8, 2014 2:37 PM, "Rich Megginson" <rmeggins at redhat.com> wrote:
>
>>   On 08/08/2014 12:21 PM, brendan kearney wrote:
>>
>> Double check your example.  -h means the hostname of the ldap server to
>> connect to and issue your query to.  Man page calls it ldaphost.
>>
>>
>> Yes.
>>
>>   I have not run across a client that does cert validation using ldap.  Is
>> that IPA specific?
>>
>>
>> I'm not talking about cert validation using ldap.  I'm talking about the
>> fact that, by default, the ldapsearch client will expect the hostname you
>> pass in to match the hostname in the ssl server cert subject DN.
>>
>>   It seems that a lot of effort is being spent to justify a dependency on
>> fully qualified hostnames, when there is no reason to require it.  In fact,
>> it may even break somethings or even violate some rfc.
>>
>>
>> If requiring fully qualified hostnames violates RFCs or other standards,
>> I'd like to hear about it.
>>
>>   On Aug 8, 2014 1:43 PM, "Rich Megginson" <rmeggins at redhat.com> wrote:
>>
>>>   On 08/08/2014 11:17 AM, brendan kearney wrote:
>>>
>>> The cert should have the fqdn, just like the kerberos instance, but the
>>> hostname is not required to be fq'd.  The lookup of a short name, as well
>>> as and more specifically the IP, in dns will result in the fqdn being
>>> returned by dns (the short name resolution being affected by domain and
>>> search directives in resolv.conf and the origin directive in dns if either
>>> of those are absent).
>>>
>>> Back to the point, dns lookup for cert matching is not dependent on
>>> hostnames.  PTR lookups will always return fqdns, so a dependency on fqdns
>>> as hostnames is artificial,  no?
>>>
>>>
>>> Most clients will also do the additional step of matching the hostname in
>>> the cert against the originally given hostname.  For example, with
>>> ldapsearch:
>>>
>>> ldapsearch -xLLLZZ -h hostname ...
>>>
>>> This will fail if the server cert for hostname has
>>> "cn=hostname.domain.tld"
>>>
>>>   On Aug 8, 2014 1:03 PM, "Rich Megginson" <rmeggins at redhat.com> wrote:
>>>
>>>>   On 08/08/2014 10:56 AM, brendan kearney wrote:
>>>>
>>>> Arent all of those lookups done in dns?
>>>>
>>>>
>>>> Yes.
>>>>
>>>>   Wouldnt that mean hostnames being fqdn's is irrelevant?
>>>>
>>>>
>>>> Not sure what you mean.
>>>>
>>>> I guess if you issued your server certs with a subject DN of
>>>> "cn=hostname", instead of "cn=hostname.domain.tld", and you had the DNS PTR
>>>> lookups configured so that w.x.y.z returned "hostname" instead of
>>>> "hostname.domain.tld", then TLS/SSL would work.
>>>>
>>>>   On Aug 8, 2014 12:11 PM, "Rich Megginson" <rmeggins at redhat.com> wrote:
>>>>
>>>>>   On 08/08/2014 08:57 AM, brendan kearney wrote:
>>>>>
>>>>> Kerberos is dependent on A records in dns.  The instance (as in
>>>>> principal/instance at REALM) should match the A record in dns.
>>>>>
>>>>> There is absolutely no Kerberos dependency on hostnames being fully
>>>>> qualified.  I have all my devices named with short names and I have no
>>>>> issues with Kerberos ticketing.
>>>>>
>>>>> This seems to be an artificial requirement in FreeIPA that is wrong.
>>>>>
>>>>>
>>>>> The other hostname requirement is for TLS/SSL, for MITM checking.  By
>>>>> default, when an SSL server cert is issued, the subject DN contains cn=fqdn
>>>>> as the leftmost component.  clients use this fqdn to verify the server.
>>>>> That is, client knows the IP address of the server - client does a reverse
>>>>> lookup (i.e. PTR) to see if the server returned by that lookup matches the
>>>>> cn=fqdn in the server cert.  This requires reverse lookups are configured
>>>>> and that the fqdn is the first name/alias returned.
>>>>>
>>>>>   On Aug 8, 2014 8:54 AM, "Bruno Henrique Barbosa" <
>>>>> bruno-barbosa at prodesan.com.br> wrote:
>>>>>
>>>>>>   Hello everyone,
>>>>>>
>>>>>> I'm running through an issue where an application needs its server's
>>>>>> hostname to be in short name format, such as "server" and not "
>>>>>> server.example.com". When I started deploying FreeIPA in the very
>>>>>> beginning of this year, I remember I couldn't install freeipa-client with a
>>>>>> bare "ipa-client install", because of this:
>>>>>>
>>>>>> ____________
>>>>>>
>>>>>> [root at server ~]# hostname
>>>>>> server
>>>>>> [root at server ~]# hostname -f
>>>>>> server.example.com
>>>>>> [root at server ~]# ipa-client-install
>>>>>> Discovery was successful!
>>>>>> Hostname: server.example.com
>>>>>> Realm: EXAMPLE.COM
>>>>>> DNS Domain: example.com
>>>>>> IPA Server: ipa01.example.com
>>>>>> Base DN: dc=example,dc=com
>>>>>>
>>>>>> Continue to configure the system with these values? [no] yes
>>>>>> User authorized to enroll computers: admin
>>>>>> Synchronizing time with KDC...
>>>>>> Unable to sync time with IPA NTP Server, assuming the time is in sync.
>>>>>> Please check that port 123 UDP is opened.
>>>>>> Password for admin at EXAMPLE.COM:
>>>>>> Joining realm failed: The hostname must be fully-qualified: server
>>>>>> Installation failed. Rolling back changes.
>>>>>> IPA client is not configured on this system.
>>>>>>
>>>>>> ________________
>>>>>>
>>>>>> So, using the short name as hostname didn't work for install, I then
>>>>>> make it like "ipa-client install --hostname=`hostname -f` --mkhomedir -N",
>>>>>> and it installs and works like a charm, BUT it updates the machine's
>>>>>> hostname to FQDN.
>>>>>>
>>>>>> What I tested and, at first, worked: after deploying and ipa-client
>>>>>> installation with those parameters which work, renaming the machine back to
>>>>>> a short name AT FIRST is not causing any problems. I can login with my ssh
>>>>>> rules perfectly, but I don't find any IPA technical docs saying it
>>>>>> will/won't work if I change the hostname back to short name and not FQDN.
>>>>>>
>>>>>> Searching for it, I found on RedHat guide: "The hostname of a system
>>>>>> is critical for the correct operation of Kerberos and SSL. Both of these
>>>>>> security mechanisms rely on the hostname to ensure that communication is
>>>>>> occurring between the specified hosts."
>>>>>> I've also found this message
>>>>>> http://osdir.com/ml/freeipa-users/2012-03/msg00006.html which seems
>>>>>> to be related to my case, but what I need to know is: where does it state
>>>>>> FQDN is a mandatory requirement in order to FreeIPA to work and/or is there
>>>>>> anything else (a patch, update, whatever) to solve this issue, so I don't
>>>>>> need to change my applications?
>>>>>>
>>>>>> Thank you and sorry for the wall of a text.
>>>>>>
>>>>>> PS: Enviroment is CentOS 6.5, in both IPA server and client. DNS is
>>>>>> not the same server as IPA (it forwards to a Windows DC).
>>>>>>
>>>>>> RPMs:
>>>>>> libipa_hbac-1.9.2-129.el6_5.4.x86_64
>>>>>> libipa_hbac-python-1.9.2-129.el6_5.4.x86_64
>>>>>> python-iniparse-0.3.1-2.1.el6.noarch
>>>>>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>>>>>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>>>>>> ipa-admintools-3.0.0-37.el6.x86_64
>>>>>> ipa-server-selinux-3.0.0-37.el6.x86_64
>>>>>> ipa-server-3.0.0-37.el6.x86_64
>>>>>> ipa-python-3.0.0-37.el6.x86_64
>>>>>> ipa-client-3.0.0-37.el6.x86_64

More information about the Freeipa-users mailing list