[Freeipa-users] Fwd: Creating Trusts with AD - (RH#878168, FIPA#3266)

Jon three18ti at gmail.com
Wed Jan 27 21:49:11 UTC 2016


Hi Alexander,

Huzzah!

Thanks for explaining how gethostname() works.  At least armed with this
information I can make a case to the powers that be why we need to make a
change like this.

So does this mean that all servers should have an FQDN in /etc/hostname or,
in the case of RHEL6, set the HOSTNAME variable in
/etc/sysconfig/network?

Thanks a ton for your help!

Best Regards,
Jon A


On Wed, Jan 27, 2016 at 3:16 PM, Alexander Bokovoy <abokovoy at redhat.com>
wrote:

> On Wed, 27 Jan 2016, Jon wrote:
>
>> Hi Alexander,
>>
>> I've changed the names to anonymize the logs, but have maintained the
>> structure of the names.
>>
>> This is how I've got the hostname configured:
>>
>> [root at freeipaserver ~]# hostname
>> freeipaserver
>> [root at freeipaserver ~]# hostname -a
>> freeipaserver
>> [root at freeipaserver ~]# hostname -f
>> freeipaserver.my.sub.domain.com
>> [root at freeipaserver ~]# cat /etc/hosts
>> 127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
>> ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
>> 192.168.1.10 freeipaserver.my.sub.domain.com freeipaserver
>>
>> [root at freeipaserver ~]# cat /etc/sysconfig/network
>> DNS1=192.168.10.1
>> NISDOMAIN=my.sub.domain.com
>> GATEWAY=192.168.1.1
>> SEARCH=my.sub.domain.com
>> DOMAIN=my.sub.domain.com
>>
>> (NISDOMAIN and DOMAIN were previous attempts to set the domain.  I can't
>> just set /etc/hostname to "freeipaserver" as a bash prompt that says [
>> root at freeipaserver.my.sub.domain.com ~] is unacceptable to our ops teams,
>> and we can't rewrite our bashrcs (these are company standards).  However,
>> based on the instructions, I do believe I've set the hostname correctly
>> unless something has changed between RHEL6 and RHEL7).
>>
> So this is not going to work, sorry.
>
> One way or another, Kerberos requires you to have uniform names, so
> freeipaserver and freeipaserver.my.sub.domain.com are different names
> and thus cifs/freeipaserver at REALM and
> cifs/freeipaserver.my.sub.domain.com at REALM
> are two different Kerberos principals. FreeIPA KDC does not support
> aliases.
>
> Almost all software using Kerberos retrieves the hostname using the
> gethostname() call which, in turn, uses the uname() system call and copies
> the hostname from the nodename element of the returned structure. There is no
> code that complements nodename with a default domain or something, so
> that output has to be fully qualified or ALL hosts in your deployment
> would need to be non-fully qualified.
>
> `hostname` output is essentially giving you what uname() returns in
> nodename, while `hostname -f` appends default domain to it.
>
> Company standards may be important but in this case your bashrc code is
> clearly based on something that is not really taking Kerberos reality
> into account.
> --
> / Alexander Bokovoy
>
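The gethostname()/uname() behaviour Alexander describes, as an added C example that is not part of the thread: it checks that gethostname() returns uname()'s nodename verbatim, resolves the canonical name the way `hostname -f` does, and builds the two distinct cifs/ principals from the short and fully qualified names. The realm is the placeholder REALM used in the message; the host names are the anonymized ones from the thread.

```c
/* Added example: why a short nodename yields a different Kerberos principal
 * than the FQDN, and that gethostname() does not add a domain part. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/utsname.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>

/* 1 if the name carries a domain part (at least one dot), else 0. */
int is_fqdn(const char *name) {
    return strchr(name, '.') != NULL;
}

/* Copies gethostname() into out; returns 1 when it equals uname().nodename
 * (glibc simply copies nodename, so no domain is ever appended), -1 on error. */
int kernel_nodename_matches(char *out, size_t outlen) {
    struct utsname u;
    char h[256];
    if (uname(&u) != 0 || gethostname(h, sizeof h) != 0) return -1;
    h[sizeof h - 1] = '\0';           /* gethostname may not NUL-terminate on truncation */
    snprintf(out, outlen, "%s", h);
    return strcmp(h, u.nodename) == 0;
}

/* Roughly what `hostname -f` does: ask the resolver (/etc/hosts or DNS)
 * for the canonical name of the node name. Returns 0 on success. */
int resolver_fqdn(const char *node, char *out, size_t outlen) {
    struct addrinfo hints = {0}, *res;
    hints.ai_flags = AI_CANONNAME;
    if (getaddrinfo(node, NULL, &hints, &res) != 0) return -1;
    snprintf(out, outlen, "%s", res->ai_canonname ? res->ai_canonname : node);
    freeaddrinfo(res);
    return 0;
}

/* Builds the service principal that Kerberos clients will look for. */
int service_principal(const char *svc, const char *host, const char *realm,
                      char *out, size_t outlen) {
    return snprintf(out, outlen, "%s/%s@%s", svc, host, realm);
}

int main(void) {
    char node[256], fqdn[256], p1[512], p2[512];
    int same = kernel_nodename_matches(node, sizeof node);
    printf("gethostname() == uname().nodename: %s (%s)\n", same == 1 ? "yes" : "no", node);
    if (resolver_fqdn(node, fqdn, sizeof fqdn) == 0)
        printf("hostname -f equivalent: %s\n", fqdn);
    /* Constructed names from the thread: short vs. fully qualified. */
    service_principal("cifs", "freeipaserver", "REALM", p1, sizeof p1);
    service_principal("cifs", "freeipaserver.my.sub.domain.com", "REALM", p2, sizeof p2);
    printf("%s\n%s\ndifferent principals: %s\n", p1, p2, strcmp(p1, p2) ? "yes" : "no");
    return 0;
}
```

If the first line prints a name without a dot, the KDC will only ever see the short principal, which is exactly the mismatch described above.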