On Fri, 08 Aug 2014, Bruno Henrique Barbosa wrote:
I'm running through an issue where an application needs its server's
hostname to be in short name format, such as "server" and not
"server.example.com". When I started deploying FreeIPA in the very
beginning of this year, I remember I couldn't install freeipa-client
with a bare "ipa-client-install", because of this:
[root@server ~] # hostname
[root@server ~]# hostname -f
[root@server ~]# ipa-client-install
Discovery was successful!
DNS Domain: example.com
IPA Server: ipa01.example.com
Base DN: dc=example,dc=com
Continue to configure the system with these values? [no] yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Unable to sync time with IPA NTP Server, assuming the time is in sync. Please
check that port 123 UDP is opened.
Password for ad...@example.com:
Joining realm failed: The hostname must be fully-qualified: server
Installation failed. Rolling back changes.
IPA client is not configured on this system.
So, using the short name as hostname didn't work for install, I then
made it like "ipa-client-install --hostname=`hostname -f` --mkhomedir
-N", and it installs and works like a charm, BUT it updates the
machine's hostname to the FQDN.
What I tested and, at first, worked: after deploying and ipa-client
installation with those parameters which work, renaming the machine
back to a short name is, AT FIRST, not causing any problems. I can log in
with my ssh rules perfectly, but I don't find any IPA technical docs
saying it will/won't work if I change the hostname back to the short name
and not the FQDN.
Searching for it, I found on RedHat guide: "The hostname of a system is
critical for the correct operation of Kerberos and SSL. Both of these
security mechanisms rely on the hostname to ensure that communication
is occurring between the specified hosts."
I've also found this message
http://osdir.com/ml/freeipa-users/2012-03/msg00006.html which seems to
be related to my case, but what I need to know is: where does it state
that an FQDN is a mandatory requirement in order for FreeIPA to work, and/or is
there anything else (a patch, update, whatever) to solve this issue, so
I don't need to change my applications?
The requirement comes from Kerberos where a principal for a host-based
service has two components, a service name and a hostname. FreeIPA does
not have user-friendly means to associate additional hostname components
with the same service principal, which means ldap/ser...@example.com and
ldap/server.example....@example.com will be two different Kerberos
principals, corresponding to two different services, each with its own
set of keys. Many applications are not prepared to try multiple
keys from a keytab and only look for the name that is "canonical" for
the host, via a getaddrinfo() call.
/ Alexander Bokovoy
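As an added check (not part of the thread, and not FreeIPA's own tooling), the Python script below builds the two principal names Alexander describes, resolves the canonical hostname the way getaddrinfo() does, and tests a `klist -kt` listing for the principal an application will actually request. The keytab listing and hostnames are constructed samples, and the injectable `canon` parameter is an assumption added so the check can run offline.

```python
import re
import socket

# Constructed sample of `klist -kt /etc/krb5.keytab` on a host enrolled with
# --hostname=server.example.com (constructed for this example, not from the thread).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 08/08/2014 10:15:02 host/server.example.com@EXAMPLE.COM
   2 08/08/2014 10:15:02 host/server.example.com@EXAMPLE.COM
   3 08/08/2014 10:16:40 ldap/server.example.com@EXAMPLE.COM
"""

def parse_klist(text):
    """Return the set of principals in `klist -kt` output (one row per KVNO/enctype)."""
    principals = set()
    for line in text.splitlines():
        m = re.match(r"^\s*\d+\s+\S+\s+\S+\s+(\S+@\S+)$", line)
        if m:
            principals.add(m.group(1))
    return principals

def canonical_hostname(name):
    """Canonical name as getaddrinfo() reports it: the name a Kerberos
    application uses when it picks a key out of the keytab."""
    try:
        info = socket.getaddrinfo(name, None, flags=socket.AI_CANONNAME)
        return info[0][3] or name
    except socket.gaierror:
        return name

def service_principal(service, hostname, realm):
    """service/hostname@REALM, the two-component host-based principal."""
    return f"{service}/{hostname}@{realm}"

def check_keytab(service, hostname, realm, klist_output, canon=canonical_hostname):
    """Compare the principal an application will ask for (canonical name)
    against what the keytab holds; `canon` is injectable for offline runs."""
    present = parse_klist(klist_output)
    wanted = service_principal(service, canon(hostname), realm)
    short = service_principal(service, hostname.split(".")[0], realm)
    return {
        "wanted": wanted,
        "wanted_in_keytab": wanted in present,
        "short_name_principal": short,
        "short_in_keytab": short in present,
    }
```

If the machine is later renamed to the short name and the canonical name no longer resolves to the FQDN, `wanted` becomes `ldap/server@EXAMPLE.COM`, which the keytab does not contain; that is the mismatch the reply warns about.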