Aren't all of those lookups done in DNS? Wouldn't that mean hostnames being
FQDNs is irrelevant?
On Aug 8, 2014 12:11 PM, "Rich Megginson" <rmegg...@redhat.com> wrote:
> On 08/08/2014 08:57 AM, brendan kearney wrote:
> Kerberos is dependent on A records in dns. The instance (as in
> principal/instance@REALM) should match the A record in dns.
> There is absolutely no Kerberos dependency on hostnames being fully
> qualified. I have all my devices named with short names and I have no
> issues with Kerberos ticketing.
> This seems to be an artificial requirement in FreeIPA that is wrong.
> The other hostname requirement is for TLS/SSL, for MITM checking. By
> default, when an SSL server cert is issued, the subject DN contains cn=fqdn
> as the leftmost component. Clients use this fqdn to verify the server.
> That is, the client knows the IP address of the server; the client does a reverse
> lookup (i.e. PTR) to see if the name returned by that lookup matches the
> cn=fqdn in the server cert. This requires that reverse lookups are configured
> and that the fqdn is the first name/alias returned.
> On Aug 8, 2014 8:54 AM, "Bruno Henrique Barbosa" <bruno-barb...@prodesan.com.br> wrote:
>> Hello everyone,
>> I'm running through an issue where an application needs its server's
>> hostname to be in short name format, such as "server" and not
>> "server.example.com". When I started deploying FreeIPA in the very
>> beginning of this year, I remember I couldn't install freeipa-client with a
>> bare "ipa-client install", because of this:
>> [root@server ~]# hostname
>> [root@server ~]# hostname -f
>> [root@server ~]# ipa-client-install
>> Discovery was successful!
>> Hostname: server.example.com
>> Realm: EXAMPLE.COM
>> DNS Domain: example.com
>> IPA Server: ipa01.example.com
>> Base DN: dc=example,dc=com
>> Continue to configure the system with these values? [no] yes
>> User authorized to enroll computers: admin
>> Synchronizing time with KDC...
>> Unable to sync time with IPA NTP Server, assuming the time is in sync.
>> Please check that port 123 UDP is opened.
>> Password for ad...@example.com:
>> Joining realm failed: The hostname must be fully-qualified: server
>> Installation failed. Rolling back changes.
>> IPA client is not configured on this system.
>> So, using the short name as hostname didn't work for install, I then make
>> it like "ipa-client install --hostname=`hostname -f` --mkhomedir -N", and
>> it installs and works like a charm, BUT it updates the machine's hostname
>> to FQDN.
>> What I tested and, at first, worked: after deploying and ipa-client
>> installation with those parameters which work, renaming the machine back to
>> a short name AT FIRST is not causing any problems. I can login with my ssh
>> rules perfectly, but I don't find any IPA technical docs saying it
>> will/won't work if I change the hostname back to short name and not FQDN.
>> Searching for it, I found on RedHat guide: "The hostname of a system is
>> critical for the correct operation of Kerberos and SSL. Both of these
>> security mechanisms rely on the hostname to ensure that communication is
>> occurring between the specified hosts."
>> I've also found this message
>> http://osdir.com/ml/freeipa-users/2012-03/msg00006.html which seems to
>> be related to my case, but what I need to know is: where does it state FQDN
>> is a mandatory requirement in order for FreeIPA to work, and/or is there
>> anything else (a patch, update, whatever) to solve this issue, so I don't
>> need to change my applications?
>> Thank you and sorry for the wall of text.
>> PS: Environment is CentOS 6.5, in both IPA server and client. DNS is not
>> the same server as IPA (it forwards to a Windows DC).
>> Manage your subscription for the Freeipa-users mailing list:
>> Go To http://freeipa.org for more info on the project
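The thread turns on two checks: ipa-client-install refuses a hostname that is not fully qualified, and TLS/Kerberos verification expects the forward (A) record of the FQDN and the reverse (PTR) record of its address to agree, with the FQDN as the first name the reverse lookup returns. The following pre-enrollment check is an added example written for this page; it is not FreeIPA code and the zone data in SAMPLE_A and SAMPLE_PTR is constructed. Resolver functions are injected so the same logic runs against the constructed table offline or against the live resolver via the socket module.

```python
"""Pre-enrollment hostname/DNS consistency check (added example, not FreeIPA code).

Checks the requirements discussed in the thread:
  * the hostname must be fully qualified (ipa-client-install rejects "server");
  * the FQDN must have an A record, and the PTR record for that address must
    return the FQDN as its first name, which is what TLS hostname checks rely on;
  * a Kerberos principal's instance (service/instance@REALM) must have an A record.
"""
import socket
from typing import Callable, List, Optional

# Constructed sample zone data, assumed for this example only.
SAMPLE_A = {
    "server.example.com": "192.0.2.10",
    "ipa01.example.com": "192.0.2.5",
    "alias.example.com": "192.0.2.20",   # PTR for .20 names another host first
}
SAMPLE_PTR = {
    "192.0.2.10": ["server.example.com"],
    "192.0.2.5": ["ipa01.example.com"],
    "192.0.2.20": ["other.example.com", "alias.example.com"],
}


def is_fqdn(name: str) -> bool:
    """True if the name has a domain part, e.g. server.example.com (not 'server')."""
    name = name.rstrip(".")
    return "." in name and all(name.split("."))


def check_host(hostname: str,
               forward: Callable[[str], Optional[str]],
               reverse: Callable[[str], List[str]]) -> List[str]:
    """Return a list of problems; an empty list means the host passes all checks."""
    problems: List[str] = []
    if not is_fqdn(hostname):
        problems.append(f"hostname {hostname!r} is not fully qualified")
        return problems
    addr = forward(hostname)
    if addr is None:
        problems.append(f"no A record for {hostname}")
        return problems
    names = reverse(addr)
    if not names:
        problems.append(f"no PTR record for {addr}")
    elif names[0].rstrip(".").lower() != hostname.rstrip(".").lower():
        # The first name returned by the reverse lookup must be the FQDN itself.
        problems.append(f"PTR for {addr} returns {names[0]!r} first, not {hostname!r}")
    return problems


def kerberos_instance_matches(principal: str,
                              forward: Callable[[str], Optional[str]]) -> bool:
    """True if the instance part of service/instance@REALM resolves to an A record."""
    service_instance, _, _realm = principal.partition("@")
    _service, _, instance = service_instance.partition("/")
    return bool(instance) and forward(instance) is not None


# Resolvers backed by the constructed table (used by the offline checks).
def sample_forward(name: str) -> Optional[str]:
    return SAMPLE_A.get(name.rstrip("."))


def sample_reverse(addr: str) -> List[str]:
    return SAMPLE_PTR.get(addr, [])


# Resolvers backed by the system resolver (used when run on a real host).
def live_forward(name: str) -> Optional[str]:
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def live_reverse(addr: str) -> List[str]:
    try:
        canonical, aliases, _addrs = socket.gethostbyaddr(addr)
        return [canonical] + aliases
    except (socket.herror, socket.gaierror):
        return []


if __name__ == "__main__":
    # Run the checks against this machine's own hostname, as a pre-install sanity check.
    fqdn = socket.getfqdn()
    for line in check_host(fqdn, live_forward, live_reverse) or [f"{fqdn}: ok"]:
        print(line)
```

Run it on the client before ipa-client-install: an empty problem list means the host would not hit the "hostname must be fully-qualified" failure and that the A/PTR pair is consistent; a PTR mismatch points at the reverse zone rather than at IPA itself.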