[Freeipa-users] Fwd: Creating Trusts with AD - (RH#878168, FIPA#3266)

Alexander Bokovoy abokovoy at redhat.com
Wed Jan 27 22:02:07 UTC 2016


On Wed, 27 Jan 2016, Jon wrote:
>Hi Alexander,
>
>Huzzah!
>
>Thanks for explaining how gethostname() works.  At least armed with this
>information I can make a case to the powers that be why we need to make a
>change like this.
>
>So does this mean that all servers should have a fqdn in /etc/hostname or
>in the case of RHEL6 setting the HOSTNAME variable in
>/etc/sysconfig/network?
All servers should return the fqdn when `hostname` is run without
any additional options, i.e. not `hostname -f`.

In case of RHEL 7.x this means using 'hostnamectl set-hostname f.q.d.n',
which would end up being the name stored in /etc/hostname.

In case of RHEL 6.x this means setting HOSTNAME in /etc/sysconfig/network.

Of course, in both cases the first name for the host in /etc/hosts
should also be fqdn because this is the canonical name of the host -- in
case the host's IP address is set in /etc/hosts.

>
>Thanks a ton for your help!
>
>Best Regards,
>Jon A
>
>
>On Wed, Jan 27, 2016 at 3:16 PM, Alexander Bokovoy <abokovoy at redhat.com>
>wrote:
>
>> On Wed, 27 Jan 2016, Jon wrote:
>>
>>> Hi Alexander,
>>>
>>> I've changed the names to anonymize the logs, but have maintained the
>>> structure of the names.
>>>
>>> This is how I've got the hostname configured:
>>>
>>> [root at freeipaserver ~]# hostname
>>> freeipaserver
>>> [root at freeipaserver ~]# hostname -a
>>> freeipaserver
>>> [root at freeipaserver ~]# hostname -f
>>> freeipaserver.my.sub.domain.com
>>> [root at freeipaserver ~]# cat /etc/hosts
>>> 127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
>>> ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
>>> 192.168.1.10 freeipaserver.my.sub.domain.com freeipaserver
>>>
>>> [root at freeipaserver ~]# cat /etc/sysconfig/network
>>> DNS1=192.168.10.1
>>> NISDOMAIN=my.sub.domain.com
>>> GATEWAY=192.168.1.1
>>> SEARCH=my.sub.domain.com
>>> DOMAIN=my.sub.domain.com
>>>
>>> (NISDOMAIN and DOMAIN were previous attempts to set the domain.  I can't
>>> just set /etc/hostname to "freeipaserver" as a bash prompt that says [
>>> root at freeipaserver.my.sub.domain.com ~] is unacceptable to our ops teams,
>>> and we can't rewrite our bashrcs (these are company standards).  However,
>>> based on the instructions, I do believe I've set the hostname correctly
>>> unless something has changed between RHEL6 and RHEL7).
>>>
>> So this is not going to work, sorry.
>>
>> One way or another, Kerberos requires you to have uniform names, so
>> freeipaserver and freeipaserver.my.sub.domain.com are different names
>> and thus cifs/freeipaserver at REALM and
>> cifs/freeipaserver.my.sub.domain.com at REALM
>> are two different Kerberos principals. FreeIPA KDC does not support
>> aliases.
>>
>> Almost all software using Kerberos retrieves the hostname using the
>> gethostname() call which, in turn, uses the uname() system call and copies
>> the hostname from the nodename element of the returned structure. There is
>> no code that complements nodename with a default domain or similar, so
>> that output has to be fully qualified or ALL hosts in your deployment
>> would need to be non-fully qualified.
>>
>> `hostname` output is essentially giving you what uname() returns in
>> nodename, while `hostname -f` appends default domain to it.
>>
>> Company standards may be important but in this case your bashrc code is
>> clearly based on something that is not really taking Kerberos reality
>> into account.
>> --
>> / Alexander Bokovoy
>>



-- 
/ Alexander Bokovoy
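A small check that puts the thread's point into code (an added example, not part of the original message or of FreeIPA): it compares what gethostname() returns, i.e. the uname() nodename that `hostname` prints and Kerberos software uses, with the resolver's canonical name that `hostname -f` derives, and warns when the two are not the same fully qualified name.

```c
/* Added example (not from the thread): check that the kernel nodename seen
 * by gethostname() is already the FQDN and equals the resolver's canonical name. */
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* 1 if name has an interior dot and no trailing dot, i.e. it looks like an FQDN. */
int is_fqdn(const char *name)
{
    const char *dot = strchr(name, '.');
    return dot && dot != name && dot[1] && name[strlen(name) - 1] != '.';
}

/* 1 when nodename is an FQDN and is byte-for-byte the canonical name, so
 * cifs/<nodename>@REALM and cifs/<canonical>@REALM are one principal. */
int nodename_matches_canonical(const char *nodename, const char *canonical)
{
    return is_fqdn(nodename) && strcmp(nodename, canonical) == 0;
}

/* Ask the resolver for the canonical name of nodename, as `hostname -f` does. */
int lookup_canonical(const char *nodename, char *out, size_t outlen)
{
    struct addrinfo hints = {0}, *res;
    hints.ai_flags = AI_CANONNAME;
    if (getaddrinfo(nodename, NULL, &hints, &res) != 0)
        return -1;
    snprintf(out, outlen, "%s", res->ai_canonname ? res->ai_canonname : nodename);
    freeaddrinfo(res);
    return 0;
}

int main(void)
{
    char host[256], canon[256];

    gethostname(host, sizeof host);  /* copies uname() nodename, what `hostname` prints */
    if (lookup_canonical(host, canon, sizeof canon) != 0) {
        fprintf(stderr, "resolver lookup for %s failed\n", host);
        return 2;
    }
    printf("gethostname(): %s\ncanonical (-f): %s\n", host, canon);
    if (!nodename_matches_canonical(host, canon)) {
        printf("WARNING: cifs/%s@REALM and cifs/%s@REALM differ\n", host, canon);
        return 1;
    }
    puts("OK: hostname is fully qualified and matches its canonical name");
    return 0;
}
```

On a host configured as Jon's was, the program prints the warning for `freeipaserver` vs `freeipaserver.my.sub.domain.com` and exits 1; after `hostnamectl set-hostname` (or HOSTNAME= on RHEL 6) with the fqdn it reports OK.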