[Freeipa-users] FreeIPA and FQDN requirements

Alexander Bokovoy abokovoy at redhat.com
Fri Aug 8 13:16:02 UTC 2014


On Fri, 08 Aug 2014, Bruno Henrique Barbosa wrote:
>Hello everyone,
>
>I'm running through an issue where an application needs its server's
>hostname to be in short name format, such as "server" and not
>"server.example.com". When I started deploying FreeIPA in the very
>beginning of this year, I remember I couldn't install freeipa-client
>with a bare "ipa-client-install", because of this:
>
>____________
>
>[root@server ~]# hostname
>server
>[root@server ~]# hostname -f
>server.example.com
>[root@server ~]# ipa-client-install
>Discovery was successful!
>Hostname: server.example.com
>Realm: EXAMPLE.COM
>DNS Domain: example.com
>IPA Server: ipa01.example.com
>Base DN: dc=example,dc=com
>
>Continue to configure the system with these values? [no] yes
>User authorized to enroll computers: admin
>Synchronizing time with KDC...
>Unable to sync time with IPA NTP Server, assuming the time is in sync. Please check that port 123 UDP is opened.
>Password for admin@EXAMPLE.COM:
>Joining realm failed: The hostname must be fully-qualified: server
>Installation failed. Rolling back changes.
>IPA client is not configured on this system.
>
>________________
>
>So, since using the short name as hostname didn't work for install, I
>then made it like "ipa-client-install --hostname=`hostname -f` --mkhomedir
>-N", and it installs and works like a charm, BUT it updates the
>machine's hostname to FQDN.
>
>What I tested and, at first, worked: after deploying and ipa-client
>installation with those parameters which work, renaming the machine
>back to a short name AT FIRST is not causing any problems. I can login
>with my ssh rules perfectly, but I don't find any IPA technical docs
>saying it will/won't work if I change the hostname back to short name
>and not FQDN.
>
>Searching for it, I found on RedHat guide: "The hostname of a system is
>critical for the correct operation of Kerberos and SSL. Both of these
>security mechanisms rely on the hostname to ensure that communication
>is occurring between the specified hosts."
>
>I've also found this message
>http://osdir.com/ml/freeipa-users/2012-03/msg00006.html which seems to
>be related to my case, but what I need to know is: where does it state
>FQDN is a mandatory requirement in order for FreeIPA to work, and/or is
>there anything else (a patch, update, whatever) to solve this issue, so
>I don't need to change my applications?
The requirement comes from Kerberos, where a principal for a host-based
service has two components, a service name and a hostname. FreeIPA does
not have user-friendly means to associate additional hostname components
with the same service principal, which means ldap/server@EXAMPLE.COM and
ldap/server.example.com@EXAMPLE.COM will be two different Kerberos
principals, corresponding to two different services, each with its own
set of keys. Many applications are not prepared to try multiple
keys from a keytab and only look for the name that is "canonical" for
the host, via a getaddrinfo() call.

http://web.mit.edu/kerberos/krb5-latest/doc/admin/princ_dns.html


-- 
/ Alexander Bokovoy
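The following is an added illustration of the point made in the reply above; it is not code from the thread or from FreeIPA. It mirrors what a GSSAPI-enabled service does when it chooses a key: it takes the host's canonical name, builds `service/hostname@REALM` from it, and looks for exactly that principal in the keytab. The `klist -k` listing is constructed for the example (the principals and key version numbers are assumptions), and the FQDN test reproduces the spirit of the "hostname must be fully-qualified" check from the installer output, not its actual implementation.

```python
import socket

# Constructed sample of `klist -k` output for a host that was enrolled
# with its FQDN (assumed values, not taken from the thread).
SAMPLE_KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/server.example.com@EXAMPLE.COM
   1 host/server.example.com@EXAMPLE.COM
   2 ldap/server.example.com@EXAMPLE.COM
"""


def parse_klist_output(text):
    """Return the set of principal names found in `klist -k` style output."""
    principals = set()
    for line in text.splitlines():
        parts = line.split()
        # Data rows look like "<kvno> <principal>"; header and ruler lines do not.
        if len(parts) == 2 and parts[0].isdigit() and "@" in parts[1]:
            principals.add(parts[1])
    return principals


def is_fqdn(hostname):
    """Approximation of the enrolment check: at least two non-empty DNS labels."""
    labels = hostname.rstrip(".").split(".")
    return len(labels) >= 2 and all(labels)


def service_principal(service, hostname, realm):
    """Build the two-component host-based principal Kerberos will ask for."""
    return f"{service}/{hostname}@{realm}"


def canonical_hostname(hostname):
    """What an application does before picking a keytab entry: ask the
    resolver for the canonical name via getaddrinfo(AI_CANONNAME).
    Needs a working resolver, so it is not exercised offline."""
    info = socket.getaddrinfo(hostname, None, flags=socket.AI_CANONNAME)
    return info[0][3] or hostname


def keytab_key_for(service, hostname, realm, principals):
    """Return the principal the service would use, or None if the keytab
    has no key under that exact name (no fallback to other spellings)."""
    wanted = service_principal(service, hostname, realm)
    return wanted if wanted in principals else None


def diagnose(service, hostname, realm, klist_text):
    """Explain why a service on `hostname` would or would not find its key."""
    principals = parse_klist_output(klist_text)
    problems = []
    if not is_fqdn(hostname):
        problems.append(f"hostname '{hostname}' is not fully-qualified")
    key = keytab_key_for(service, hostname, realm, principals)
    if key is None:
        problems.append(
            f"keytab has no entry for {service_principal(service, hostname, realm)}; "
            f"available: {', '.join(sorted(principals))}"
        )
    return problems


if __name__ == "__main__":
    for host in ("server.example.com", "server"):
        issues = diagnose("ldap", host, "EXAMPLE.COM", SAMPLE_KLIST_OUTPUT)
        print(host, "->", "OK" if not issues else "; ".join(issues))
```

Running it shows the asymmetry described in the reply: the FQDN finds `ldap/server.example.com@EXAMPLE.COM`, while the short name asks for `ldap/server@EXAMPLE.COM`, which is a different principal with different keys and is simply absent from the keytab. Renaming the host back to the short name therefore only keeps working for as long as the resolver still returns the FQDN as the canonical name.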