Re: [Freeipa-users] IPA hostnames. Why not use `hostname -fqdn` instead of forcing `hostname` to be fully qualified?
On 03/02/2012 10:38 AM, Ondrej Valousek wrote:
> Ok, we have slipped away a bit. Now I agree with Craig. We should always
> be using 'hostname --fqdn' instead of just 'hostname'. The sssd parameter
> Stephen offered (ipa_hostname) seems to me a bit misleading. We should
> probably insist that hostname --fqdn is always correct and valid.
>
> Ondrej
>
>> If ipa-client-install is not detecting this situation I think it is a bug.
>>
>> Simo.

Have we opened a bug?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] IPA hostnames. Why not use `hostname -fqdn` instead of forcing `hostname` to be fully qualified?
On Fri, 2012-03-02 at 05:16 +0300, Craig T wrote:
> Hi,
>
> Server Side:
> RHEL6.2
> ipa-admintools-2.1.3-9.el6.x86_64
> ipa-client-2.1.3-9.el6.x86_64
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> ipa-python-2.1.3-9.el6.x86_64
> ipa-server-2.1.3-9.el6.x86_64
> ipa-server-selinux-2.1.3-9.el6.x86_64
>
> Client Side Config:
> Centos 6.2
> ipa-client-2.1.3-9.el6.x86_64
> ipa-python-2.1.3-9.el6.x86_64
>
> Issue:
> IPA (via sssd) requires that a hostname (as returned by the `hostname`
> command) be fully qualified. This requirement has caused us no end of
> grief due to ripple effects not related to IPA; it breaks other software
> we use which expects hostname to be not fully qualified.
>
> We don't understand why IPA sssd requires that a machine's hostname be
> fully qualified when `hostname --fqdn` can be used instead?
>
> In our case we had hostname set up to be the machine name, as in:
>
> # hostname
> foo
> # dnsdomainname
> bar.com.au
> # hostname --fqdn
> foo.bar.com.au
>
> Why doesn't IPA SSSD use the value returned by `hostname --fqdn`? Why
> must `hostname` itself be fully qualified when `hostname --fqdn` is
> available?

I think this requirement is only in place during ipa-client-install.
sssd.conf has an option 'ipa_hostname=foo.bar.com.au' which it will use
regardless of the value that 'hostname' returns.

Is there some other place I'm missing? If so, that's probably a bug and
should be reported as such.
Re: [Freeipa-users] IPA hostnames. Why not use `hostname -fqdn` instead of forcing `hostname` to be fully qualified?
On Fri, 2012-03-02 at 08:10 -0500, Stephen Gallagher wrote:
> On Fri, 2012-03-02 at 05:16 +0300, Craig T wrote:
>> [...]
>> Issue:
>> IPA (via sssd) requires that a hostname (as returned by the `hostname`
>> command) be fully qualified.
>> [...]
>> Why doesn't IPA SSSD use the value returned by `hostname --fqdn`? Why
>> must `hostname` itself be fully qualified when `hostname --fqdn` is
>> available?
>
> I think this requirement is only in place during ipa-client-install.
> sssd.conf has an option 'ipa_hostname=foo.bar.com.au' which it will use
> regardless of the value that 'hostname' returns.
>
> Is there some other place I'm missing? If so, that's probably a bug and
> should be reported as such.

There are kerberized programs that expect to use gethostname() and use
that name to compose principals. If that name is not fully qualified they
will break.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] IPA hostnames. Why not use `hostname -fqdn` instead of forcing `hostname` to be fully qualified?
> There are kerberized programs that expect to use gethostname() and use
> that name to compose principals. If that name is not fully qualified
> they will break.
>
> Simo.

Normally, you should have both:

[root@ara tmp]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------
  19 host/ara.prague.s3group@dublin.ad.s3group.com
  19 host/a...@dublin.ad.s3group.com

right?

Ondrej
Re: [Freeipa-users] IPA hostnames. Why not use `hostname -fqdn` instead of forcing `hostname` to be fully qualified?
On Fri, 2012-03-02 at 15:21 +0100, Ondrej Valousek wrote:
>> There are kerberized programs that expect to use gethostname() and use
>> that name to compose principals. If that name is not fully qualified
>> they will break.
>>
>> Simo.
>
> Normally, you should have both:
>
> [root@ara tmp]# klist -k
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------
>   19 host/ara.prague.s3group@dublin.ad.s3group.com
>   19 host/a...@dublin.ad.s3group.com
>
> right?

No, unless you can alias them in the KDC. Our KDC technically supports
aliases now, but we haven't added these kinds of aliases to it yet, and it
is a bit controversial whether we want to.

In a Windows domain you simply cannot have a client residing in a DNS
domain that is not the same as the domain controller's. This is a pretty
hard limitation and we do not want to add it to FreeIPA.

Now why does it matter in this case? It matters because, by forcing a
single DNS domain, Windows can univocally say a -> a.b.c, given the b.c
part is forced on all clients joined to that domain.

This does not hold true for FreeIPA. You could have foo.bar.example.com
and foo.rab.example.com, i.e. 2 hosts with the same short name but in
different subdomains. If we alias both foo's and then we try to obtain a
ticket for host/foo@REALM, the KDC does not know which foo you refer to.
And if we alias only one, then the second foo will simply fail to use the
short name.

So the solution is to always use fully qualified names, which seems a
pretty decent compromise that shouldn't really cause issues in the vast
majority of cases.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
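The following Python is an added example, not code from FreeIPA or from anyone in this thread. It models the argument Simo makes above: a kerberized program composes its own principal from gethostname(), and a KDC that only knows host/<fqdn> principals either cannot find host/<shortname>, or, if short-name aliases were added, cannot tell two hosts with the same short name in different subdomains apart. The realm, the host names and the tiny principal database are constructed for the example; the alias logic is a model of the reasoning, not of the FreeIPA KDC's own alias implementation.

```python
"""Added example: why a KDC cannot safely alias short host names.

Constructed data only. `compose_principal` does what a kerberized program
does with gethostname(); `Kdc` is a toy principal database populated the
way an IPA enrolment would populate it (one host/<fqdn>@REALM per host).
"""
import socket

REALM = "EXAMPLE.COM"  # constructed realm for the example


class AmbiguousPrincipal(LookupError):
    """More than one enrolled host matches the requested principal."""


class UnknownPrincipal(LookupError):
    """No enrolled host matches the requested principal."""


def compose_principal(hostname, realm=REALM):
    """host/<hostname>@REALM, exactly as a program using gethostname() would build it."""
    return f"host/{hostname.lower()}@{realm}"


def short_name(fqdn):
    """Leftmost label: what `hostname` prints when the node name is not qualified."""
    return fqdn.split(".", 1)[0]


class Kdc:
    def __init__(self, enrolled_fqdns, alias_short_names=False):
        # Real entries: one host principal per fully qualified enrolled host.
        self.db = {compose_principal(fqdn): fqdn for fqdn in enrolled_fqdns}
        # Hypothetical short-name aliases, the thing the thread argues against.
        self.aliases = {}
        if alias_short_names:
            for fqdn in enrolled_fqdns:
                alias = compose_principal(short_name(fqdn))
                self.aliases.setdefault(alias, []).append(fqdn)

    def resolve(self, principal):
        """Return the enrolled FQDN that a ticket for `principal` would be issued for."""
        if principal in self.db:
            return self.db[principal]
        targets = self.aliases.get(principal, [])
        if len(targets) == 1:
            return targets[0]
        if len(targets) > 1:
            raise AmbiguousPrincipal(f"{principal} could be any of {sorted(targets)}")
        raise UnknownPrincipal(principal)


def ticket_outcome(kdc, hostname):
    """'ok', 'unknown' or 'ambiguous' for a service ticket request built from `hostname`."""
    try:
        kdc.resolve(compose_principal(hostname))
        return "ok"
    except AmbiguousPrincipal:
        return "ambiguous"
    except UnknownPrincipal:
        return "unknown"


# Constructed enrolment: two hosts share the short name "foo" in sibling subdomains.
HOSTS = ["foo.bar.example.com", "foo.rab.example.com", "db1.bar.example.com"]


def demo():
    plain = Kdc(HOSTS)                            # what FreeIPA does today
    aliased = Kdc(HOSTS, alias_short_names=True)  # what aliasing short names would give
    return {
        "fqdn_plain": ticket_outcome(plain, "foo.bar.example.com"),
        "short_plain": ticket_outcome(plain, "foo"),
        "short_aliased_unique": ticket_outcome(aliased, "db1"),
        "short_aliased_clash": ticket_outcome(aliased, "foo"),
        "fqdn_aliased": ticket_outcome(aliased, "foo.rab.example.com"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:22} {outcome}")
    # On a real host this is the principal a gethostname()-based program would ask for.
    print("this host would request:", compose_principal(socket.gethostname()))
```

The only row that is "unknown" is the short name against a plain KDC, which is the failure Craig hit; the only row that is "ambiguous" is the short name against an aliasing KDC with two foo's, which is why aliases are not a fix. Fully qualified names resolve in both configurations.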
Re: [Freeipa-users] IPA hostnames. Why not use `hostname -fqdn` instead of forcing `hostname` to be fully qualified?
> No, unless you can alias them in the KDC. Our KDC technically supports
> aliases now, but we haven't added these kinds of aliases to it yet, and
> it is a bit controversial whether we want to.
>
> [...]
>
> So the solution is to always use fully qualified names, which seems a
> pretty decent compromise that shouldn't really cause issues in the vast
> majority of cases.
>
> Simo.

I understand now, thanks. But still I see 2 limitations in this:

1. I dare say most people do not care that they CAN join a
   foo.rab.example.com machine to the bar.example.com domain - to me, it
   is only confusing. In fact, this is completely new information to me.
   I still believe we should produce at least a small warning if we find
   that DNS domain != IPA domain.

2. You see problems like this - nowhere is it said that your `hostname`
   must be a FQDN, as the OS itself happily accepts both.

In either case, the ipa-client-install script should be able to detect
such a case and offer some solution at least (I have a faint feeling there
is even a BZ already opened against this).

Ondrej
Re: [Freeipa-users] IPA hostnames. Why not use `hostname -fqdn` instead of forcing `hostname` to be fully qualified?
On Fri, 2012-03-02 at 16:10 +0100, Ondrej Valousek wrote:
>> [...]
>> So the solution is to always use fully qualified names, which seems a
>> pretty decent compromise that shouldn't really cause issues in the vast
>> majority of cases.
>>
>> Simo.
>
> I understand now, thanks. But still I see 2 limitations in this:
>
> 1. I dare say most people do not care that they CAN join a
>    foo.rab.example.com machine to the bar.example.com domain - to me, it
>    is only confusing. In fact, this is completely new information to me.
>    I still believe we should produce at least a small warning if we find
>    that DNS domain != IPA domain.

Well, if it were a bet you'd have lost it :-)
We already have multiple users doing exactly that, and for good reasons as
far as I can tell.

> 2. You see problems like this - nowhere is it said that your `hostname`
>    must be a FQDN, as the OS itself happily accepts both.
>
> In either case, the ipa-client-install script should be able to detect
> such a case and offer some solution at least (I have a faint feeling
> there is even a BZ already opened against this).

If ipa-client-install is not detecting this situation I think it is a bug.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
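As an added example, not part of ipa-client-install or of anything posted in this thread, here is the kind of pre-enrolment check the last two messages ask for, written in Python since that is what ipa-client-install is written in. It compares the kernel node name (what gethostname() and plain `hostname` return) with the resolver's view (what `hostname --fqdn` returns) and with the IPA domain, and reports the three conditions discussed above: an unqualified hostname (an error, because gethostname()-based programs will ask for host/<shortname>@REALM), a hostname and FQDN that disagree, and a host whose DNS domain differs from the IPA domain (a warning only, since Simo says that configuration is supported). The `example.com` default domain and the hostnames in the usage are constructed; the sssd.conf option `ipa_hostname` is the real one Stephen mentions.

```python
"""Added example: pre-enrolment hostname sanity check (not ipa-client-install code).

check_hostname() is pure so it can be exercised on constructed inputs; the
__main__ block feeds it the live values from the socket module.
"""
import socket
import sys


def check_hostname(nodename, fqdn, ipa_domain):
    """Return a list of (level, message) findings; an empty list means all is consistent."""
    nodename, fqdn, ipa_domain = (
        s.strip().lower().rstrip(".") for s in (nodename, fqdn, ipa_domain)
    )
    findings = []

    # `hostname --fqdn` relies on the resolver; if even that is a bare label,
    # /etc/hosts or DNS is broken and nothing below can be trusted.
    if "." not in fqdn:
        findings.append(("ERROR",
            f"'hostname --fqdn' returned '{fqdn}': the resolver cannot qualify this host; "
            "fix /etc/hosts or DNS before enrolling"))

    if "." not in nodename:
        # This is the case from the thread: hostname=foo, hostname --fqdn=foo.bar.com.au.
        findings.append(("ERROR",
            f"'hostname' returned '{nodename}', which is not fully qualified: programs that "
            f"build their principal from gethostname() will ask for host/{nodename}@REALM, "
            "which is not in /etc/krb5.keytab"))
        findings.append(("NOTE",
            f"ipa_hostname = {fqdn} in sssd.conf makes SSSD use the FQDN, but does not "
            "help other kerberized programs; setting the node name to the FQDN does"))
    elif nodename != fqdn:
        findings.append(("ERROR",
            f"'hostname' ({nodename}) and 'hostname --fqdn' ({fqdn}) disagree; both must "
            "name the same host/<fqdn> principal"))

    # Host in a DNS domain other than the IPA domain: supported, but worth a warning,
    # because a short name can never be unambiguous for such a host.
    host_domain = fqdn.partition(".")[2]
    if host_domain and host_domain != ipa_domain:
        findings.append(("WARNING",
            f"host DNS domain '{host_domain}' differs from IPA domain '{ipa_domain}'; "
            "this is supported, but only the fully qualified name will ever work"))

    return findings


def ready_to_enrol(nodename, fqdn, ipa_domain):
    """True when no ERROR-level finding is present (warnings and notes do not block)."""
    return not any(level == "ERROR" for level, _ in check_hostname(nodename, fqdn, ipa_domain))


if __name__ == "__main__":
    # Constructed default; pass the real IPA domain as the first argument.
    domain = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    live = check_hostname(socket.gethostname(), socket.getfqdn(), domain)
    for level, message in live or [("OK", "hostname is fully qualified and consistent")]:
        print(f"{level}: {message}")
    sys.exit(0 if ready_to_enrol(socket.gethostname(), socket.getfqdn(), domain) else 1)
```

Run it on the client before ipa-client-install; a non-zero exit means a kerberized program using gethostname() would compose a principal that the keytab will not contain.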