Kerberos is dependent on A records in DNS.  The instance (as in
principal/instance@REALM) should match the A record in DNS.

There is absolutely no Kerberos dependency on hostnames being fully
qualified.  I have all my devices named with short names and I have no
issues with Kerberos ticketing.

This seems to be an artificial requirement in FreeIPA that is wrong.
On Aug 8, 2014 8:54 AM, "Bruno Henrique Barbosa" <> wrote:

> Hello everyone,
> I'm running through an issue where an application needs its server's
> hostname to be in short name format, such as "server" and not "
>". When I started deploying FreeIPA in the very
> beginning of this year, I remember I couldn't install freeipa-client with a
> bare "ipa-client-install", because of this:
> ____________
> [root@server ~]# hostname
> server
> [root@server ~]# hostname -f
> [root@server ~]# ipa-client-install
> Discovery was successful!
> Hostname:
> DNS Domain:
> IPA Server:
> Base DN: dc=example,dc=com
> Continue to configure the system with these values? [no] yes
> User authorized to enroll computers: admin
> Synchronizing time with KDC...
> Unable to sync time with IPA NTP Server, assuming the time is in sync.
> Please check that port 123 UDP is opened.
> Password for
> Joining realm failed: The hostname must be fully-qualified: server
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
> ________________
> So, using the short name as hostname didn't work for install, I then made
> it like "ipa-client-install --hostname=`hostname -f` --mkhomedir -N", and
> it installs and works like a charm, BUT it updates the machine's hostname
> to FQDN.
> What I tested and, at first, worked: after deploying and ipa-client
> installation with those parameters which work, renaming the machine back to
> a short name AT FIRST is not causing any problems. I can login with my ssh
> rules perfectly, but I don't find any IPA technical docs saying it
> will/won't work if I change the hostname back to short name and not FQDN.
> Searching for it, I found in the Red Hat guide: "The hostname of a system is
> critical for the correct operation of Kerberos and SSL. Both of these
> security mechanisms rely on the hostname to ensure that communication is
> occurring between the specified hosts."
> I've also found this message
> which seems to be
> related to my case, but what I need to know is: where does it state FQDN is
> a mandatory requirement in order for FreeIPA to work and/or is there
> anything else (a patch, update, whatever) to solve this issue, so I don't
> need to change my applications?
> Thank you and sorry for the wall of text.
> PS: Environment is CentOS 6.5, in both IPA server and client. DNS is not
> the same server as IPA (it forwards to a Windows DC).
> RPMs:
> libipa_hbac-1.9.2-129.el6_5.4.x86_64
> libipa_hbac-python-1.9.2-129.el6_5.4.x86_64
> python-iniparse-0.3.1-2.1.el6.noarch
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> ipa-admintools-3.0.0-37.el6.x86_64
> ipa-server-selinux-3.0.0-37.el6.x86_64
> ipa-server-3.0.0-37.el6.x86_64
> ipa-python-3.0.0-37.el6.x86_64
> ipa-client-3.0.0-37.el6.x86_64