URL: https://github.com/freeipa/freeipa/pull/381
Author: martbab
Title: #381: disable hostname canonicalization by Kerberos library
Action: opened
PR body:
"""
By default, Kerberos client library attempts to canonicalize service hostname in TGS requests. This can fail e.g. if hosts file on the client machine references short names before FQDNs. In this case the short name is used in TGS_REQ which KDC fails to resolve.

Since we do not (yet) support referencing hosts by their short names it is safe to just disable this behavior in krb5.conf and use supplied FQDNs.

https://fedorahosted.org/freeipa/ticket/6584
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/381/head:pr381
git checkout pr381
From be97823a0475218306bce192d7bf5797a1663857 Mon Sep 17 00:00:00 2001 From: Martin Babinsky <mbabi...@redhat.com> Date: Mon, 9 Jan 2017 14:36:33 +0100 Subject: [PATCH] disable hostname canonicalization by Kerberos library By default, Kerberos client library attempts to canonicalize service hostname in TGS requests. This can fail e.g. if hosts file on the client machine references short names before FQDNs. In this case the short name is used in TGS_REQ which KDC fails to resolve. Since we do not (yet) support referencing hosts by their short names it is safe to just disable this behavior in krb5.conf and use supplied FQDNs. https://fedorahosted.org/freeipa/ticket/6584 --- ipaclient/install/client.py | 1 + 1 file changed, 1 insertion(+) diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py index 2ff6122..08576eb 100644 --- a/ipaclient/install/client.py +++ b/ipaclient/install/client.py @@ -676,6 +676,7 @@ def configure_krb5_conf( ]) libopts.extend([ krbconf.setOption('rdns', 'false'), + krbconf.setOption('dns_canonicalize_hostname', 'false'), krbconf.setOption('ticket_lifetime', '24h'), krbconf.setOption('forwardable', 'true'), krbconf.setOption('udp_preference_limit', '0')
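Review bot: The added `dns_canonicalize_hostname` line in the `libopts.extend([...])` block of `configure_krb5_conf` carries no comment explaining why it is set, although the commit message shows it is a deliberate trade-off that relies on callers always supplying FQDNs. A one-line comment above it that names the FQDN-only assumption and points at ticket 6584 would keep the option from being dropped later, for example when short-name support is added. The patch also touches only `ipaclient/install/client.py`, so the setting is written when a client's krb5.conf is generated at install time; if already enrolled clients or other generated krb5.conf files are expected to get the same behaviour, that should be handled in a follow-up or stated in the ticket.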