On Fri, 2012-03-02 at 15:21 +0100, Ondrej Valousek wrote:
> > There are kerberized programs that expect to use gethostname() and use
> > that name to compose principals. If that name is not fully qualified
> > they will break.
> > 
> > Simo.
> > 
> Normally, you should have both:
> [root@ara tmp]# klist -k
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>   19 host/ara.prague.s3group....@dublin.ad.s3group.com
>   19 host/a...@dublin.ad.s3group.com
> right?

No, unless you can alias them in the KDC.
Our KDC technically supports aliases now, but we haven't added this
kind of alias to it yet. And it is a bit controversial whether we
want to.

In a Windows domain you simply cannot have a client residing in a DNS
domain that is not the same as the domain controller's. This is a pretty
hard limitation and we do not want to add it to FreeIPA.

Now why does it matter in this case?
It matters because, by forcing a single DNS domain, Windows can univocally
say a <-> a.b.c, given the b.c part is forced on all clients joined to
that domain.
This does not hold true for FreeIPA. You could have foo.bar.example.com
and foo.rab.example.com, i.e. 2 hosts with the same short name but in
different subdomains. If we alias both foo's and then we try to obtain a
ticket for host/foo@REALM, then the KDC does not know which foo you refer
to. And if we alias only one, then the second foo will simply fail to use
the short name.

So the solution is to always use fully qualified names, which seems a
pretty decent compromise that shouldn't really cause issues in the vast
majority of cases.


Simo Sorce * Red Hat, Inc * New York

Freeipa-users mailing list
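The ambiguity Simo describes can be made concrete with a small check. The following is an added example, not code from the thread or from FreeIPA: it composes a `host/` principal the way a kerberized service that calls gethostname() would, refuses a name that is not fully qualified, and reports which hosts in an inventory share a short name (the cases where a short-name alias in the KDC could refer to either machine). The realm `EXAMPLE.COM` and the host list are constructed for the example.

```python
import socket

# Constructed realm for the example; a real deployment uses its own.
REALM = "EXAMPLE.COM"


def host_principal(hostname, realm=REALM):
    """Compose host/<fqdn>@REALM as a kerberized service would.

    A short name would yield host/foo@REALM, which the KDC cannot map to a
    single machine once two subdomains both contain a 'foo', so we refuse it.
    """
    name = hostname.rstrip(".").lower()
    if "." not in name:
        raise ValueError(f"hostname {hostname!r} is not fully qualified")
    return f"host/{name}@{realm}"


def short_name_collisions(fqdns):
    """Return {short_name: [fqdn, ...]} for short names used by several hosts.

    Each entry is a pair of hosts for which aliasing host/<short>@REALM
    would be ambiguous (alias both) or inconsistent (alias only one).
    """
    by_short = {}
    for fqdn in fqdns:
        full = fqdn.rstrip(".").lower()
        short = full.split(".")[0]
        by_short.setdefault(short, []).append(full)
    return {s: hosts for s, hosts in by_short.items() if len(hosts) > 1}


def local_hostname_is_fqdn():
    """Report whether gethostname() on this machine returns a qualified name.

    A service composing its principal from this value breaks when it is short.
    """
    name = socket.gethostname()
    return name, "." in name


if __name__ == "__main__":
    # Constructed inventory mirroring the thread's foo.bar / foo.rab case.
    inventory = [
        "foo.bar.example.com",
        "foo.rab.example.com",
        "baz.bar.example.com",
    ]
    for host in inventory:
        print(host_principal(host))
    print("ambiguous short names:", short_name_collisions(inventory))
    print("local gethostname() is FQDN:", local_hostname_is_fqdn())
```

Running the check over a host inventory before enabling any short-name aliasing shows immediately which names would collide; an empty result is the only case where such aliases could be added without the failure mode described above.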