[Freeipa-users] Fwd: Creating Trusts with AD - (RH#878168, FIPA#3266)

Alexander Bokovoy abokovoy at redhat.com
Wed Jan 27 21:16:15 UTC 2016


On Wed, 27 Jan 2016, Jon wrote:
>Hi Alexander,
>
>I've changed the names to anonymize the logs, but have maintained the
>structure of the names.
>
>This is how I've got the hostname configured:
>
>>> [root at freeipaserver ~]# hostname
>>> freeipaserver
>>> [root at freeipaserver ~]# hostname -a
>>> freeipaserver
>>> [root at freeipaserver ~]# hostname -f
>>> freeipaserver.my.sub.domain.com
>>> [root at freeipaserver ~]# cat /etc/hosts
>>> 127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
>>> ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
>>>
>>> 192.168.1.10 freeipaserver.my.sub.domain.com freeipaserver
>>>
>>> [root at freeipaserver ~]# cat /etc/sysconfig/network
>>> DNS1=192.168.10.1
>>> NISDOMAIN=my.sub.domain.com
>>> GATEWAY=192.168.1.1
>>> SEARCH=my.sub.domain.com
>>> DOMAIN=my.sub.domain.com
>
>(NISDOMAIN and DOMAIN were previous attempts to set the domain.  I can't
>just set /etc/hostname to "freeipaserver" as a bash prompt that says [
>root at freeipaserver.my.sub.domain.com ~] is unacceptable to our ops teams,
>and we can't rewrite our bashrcs (these are company standards).  However,
>based on the instructions, I do believe I've set the hostname correctly
>unless something has changed between RHEL6 and RHEL7).
So this is not going to work, sorry.

One way or another, Kerberos requires you to have uniform names, so
freeipaserver and freeipaserver.my.sub.domain.com are different names
and thus cifs/freeipaserver@REALM and cifs/freeipaserver.my.sub.domain.com@REALM
are two different Kerberos principals. FreeIPA KDC does not support aliases.

Almost all software using Kerberos is retrieving hostname using
gethostname() call which, in turn, uses uname() system call and copies
hostname from a nodename element of the returned structure. There is no
code that complements nodename with default domain or something, so
that output has to be fully qualified or ALL hosts in your deployment
would need to be non-fully qualified.

`hostname` output is essentially giving you what uname() returns in
nodename, while `hostname -f` appends default domain to it.

Company standards may be important but in this case your bashrc code is
clearly based on something that is not really taking Kerberos reality
into account.
-- 
/ Alexander Bokovoy