Re: [Freeipa-users] IPA hostnames. Why not use `hostname -fqdn` instead of forcing `hostname` to be fully qualified?

2012-03-03 Thread Dmitri Pal
On 03/02/2012 10:38 AM, Ondrej Valousek wrote:
 Ok, we have slipped away a bit. Now I agree with Craig.
 We should be always using 'hostname --fqdn' instead of just 'hostname'.

 The sssd parameter Stephen offered (ipa_hostname) seems to me bit
 misleading. We should probably insist that hostname --fqdn is always
 correct and valid.
 Ondrej

 If ipa-client-install is not detecting this situation I think it is a
 bug.

 Simo.


Have we opened a bug?


 
 Proud winners of the prestigious Irish Software Exporter Award 2011
 from Irish Exporters Association (IEA). Please, refer to our web site
 for more details regarding the award.
 
 The information contained in this e-mail and in any attachments is
 confidential and is designated solely for the attention of the
 intended recipient(s). If you are not an intended recipient, you must
 not use, disclose, copy, distribute or retain this e-mail or any part
 thereof. If you have received this e-mail in error, please notify the
 sender by return e-mail and delete all copies of this e-mail from your
 computer system(s). Please direct any additional queries to:
 communicati...@s3group.com. Thank You. Silicon and Software Systems
 Limited. Registered in Ireland no. 378073. Registered Office: South
 County Business Park, Leopardstown, Dublin 18
 


 ___
 Freeipa-users mailing list
 Freeipa-users@redhat.com
 https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] IPA hostnames. Why not use `hostname -fqdn` instead of forcing `hostname` to be fully qualified?

2012-03-02 Thread Stephen Gallagher
On Fri, 2012-03-02 at 05:16 +0300, Craig T wrote:
 Hi,
 
 Server Side:
 RHEL6.2
 ipa-admintools-2.1.3-9.el6.x86_64
 ipa-client-2.1.3-9.el6.x86_64
 ipa-pki-ca-theme-9.0.3-7.el6.noarch
 ipa-pki-common-theme-9.0.3-7.el6.noarch
 ipa-python-2.1.3-9.el6.x86_64
 ipa-server-2.1.3-9.el6.x86_64
 ipa-server-selinux-2.1.3-9.el6.x86_64
 
 
 Client Side Config:
 Centos 6.2
 ipa-client-2.1.3-9.el6.x86_64
 ipa-python-2.1.3-9.el6.x86_64
 
 
 Issue:
 IPA (via sssd) requires that a hostname (as returned by the `hostname`
 commmand) be fully qualified.
 
 This requirement has caused us no end of grief due to ripple effects not
 related to IPA, it breaks other software we use which expects hostname
 to be not fully qualified.
 
 We don't understand why IPA  sssd require that a machine's hostname be
 fully qualified when `hostname --fqdn` can be used instead?
 
 In our case we had hostname setup to be the machine name as in:
 
 # hostname
 foo
 # dnsdomainname
 bar.com.au
 # hostname --fqdn
 foo.bar.com.au
 
 Why doesn't IPA  SSD use the value returned by `hostname --fqdn`?
 
 Why must `hostname` itself be fully qualified when `hostname --fqdn` is
 available?

I think this requirement is only in place during ipa-client-install.
sssd.conf has an option 'ipa_hostname=foo.bar.com.au' which it will use
regardless of the value that 'hostname' returns.

Is there some other place I'm missing? If so, that's probably a bug and
should be reported as such.


signature.asc
Description: This is a digitally signed message part
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] IPA hostnames. Why not use `hostname -fqdn` instead of forcing `hostname` to be fully qualified?

2012-03-02 Thread Simo Sorce
On Fri, 2012-03-02 at 08:10 -0500, Stephen Gallagher wrote:
 On Fri, 2012-03-02 at 05:16 +0300, Craig T wrote:
  Hi,
  
  Server Side:
  RHEL6.2
  ipa-admintools-2.1.3-9.el6.x86_64
  ipa-client-2.1.3-9.el6.x86_64
  ipa-pki-ca-theme-9.0.3-7.el6.noarch
  ipa-pki-common-theme-9.0.3-7.el6.noarch
  ipa-python-2.1.3-9.el6.x86_64
  ipa-server-2.1.3-9.el6.x86_64
  ipa-server-selinux-2.1.3-9.el6.x86_64
  
  
  Client Side Config:
  Centos 6.2
  ipa-client-2.1.3-9.el6.x86_64
  ipa-python-2.1.3-9.el6.x86_64
  
  
  Issue:
  IPA (via sssd) requires that a hostname (as returned by the `hostname`
  commmand) be fully qualified.
  
  This requirement has caused us no end of grief due to ripple effects not
  related to IPA, it breaks other software we use which expects hostname
  to be not fully qualified.
  
  We don't understand why IPA  sssd require that a machine's hostname be
  fully qualified when `hostname --fqdn` can be used instead?
  
  In our case we had hostname setup to be the machine name as in:
  
  # hostname
  foo
  # dnsdomainname
  bar.com.au
  # hostname --fqdn
  foo.bar.com.au
  
  Why doesn't IPA  SSD use the value returned by `hostname --fqdn`?
  
  Why must `hostname` itself be fully qualified when `hostname --fqdn` is
  available?
 
 I think this requirement is only in place during ipa-client-install.
 sssd.conf has an option 'ipa_hostname=foo.bar.com.au' which it will use
 regardless of the value that 'hostname' returns.
 
 Is there some other place I'm missing? If so, that's probably a bug and
 should be reported as such.

There are kerberized programs that expect to use gethostname() and use
that name to compose principals. If that name is not fully qualified
they will break.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] IPA hostnames. Why not use `hostname -fqdn` instead of forcing `hostname` to be fully qualified?

2012-03-02 Thread Ondrej Valousek



There are kerberized programs that expect to use gethostname() and use
that name to compose principals. If that name is not fully qualified
they will break.

Simo.


Normally, you should have both:

[root@ara tmp]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
 --
  19 host/ara.prague.s3group@dublin.ad.s3group.com
  19 host/a...@dublin.ad.s3group.com

right?

Ondrej


Proud winners of the prestigious Irish Software Exporter Award 2011 from Irish 
Exporters Association (IEA).  Please, refer to our web site for more details 
regarding the award.

The information contained in this e-mail and in any attachments is confidential 
and is designated solely for the attention of the intended recipient(s). If you 
are not an intended recipient, you must not use, disclose, copy, distribute or 
retain this e-mail or any part thereof. If you have received this e-mail in 
error, please notify the sender by return e-mail and delete all copies of this 
e-mail from your computer system(s).
Please direct any additional queries to: communicati...@s3group.com.
Thank You.
Silicon and Software Systems Limited. Registered in Ireland no. 378073.
Registered Office: South County Business Park, Leopardstown, Dublin 18___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] IPA hostnames. Why not use `hostname -fqdn` instead of forcing `hostname` to be fully qualified?

2012-03-02 Thread Simo Sorce
On Fri, 2012-03-02 at 15:21 +0100, Ondrej Valousek wrote:
 
  There are kerberized programs that expect to use gethostname() and use
  that name to compose principals. If that name is not fully qualified
  they will break.
  
  Simo.
  
 Normally, you should have both:
 
 [root@ara tmp]# klist -k
 Keytab name: FILE:/etc/krb5.keytab
 KVNO Principal
 
 --
   19 host/ara.prague.s3group@dublin.ad.s3group.com
   19 host/a...@dublin.ad.s3group.com
 
 right?

No, unless you can alias them in the KDC.
Our KDC can technically supports aliases now, but we haven't added these
kind of aliases yet to it. And it is a bit controversial on whether we
want to.

In A windows domain you simply cannot have client residing in a DNA
domain that is not the same as the domain controller. This is a pretty
hard limitation and we do not want to add it to FreeIPA.

Now why does it matter in this case ?
It matter because, by forcing a single DNS Domain windows can univocally
say a - a.b.c given the b.c part is forced on all clients joined to
that domain.
This does not hold true for FreeIPA. You could have foo.bar.example.com
and foo.rab.example.com ie 2 host with the same short name but in
different subdomains. if we alias both foo's and then we try to obtain a
ticket for host/foo@REALM then the KDC does not know which foo you refer
to. And if we alias only one then the second foo will simply fail to use
the shortname.

So the solution is to always use fully qualified names, which seem a
pretty decent compromise that shouldn't really cause issues in the vast
majority of cases.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] IPA hostnames. Why not use `hostname -fqdn` instead of forcing `hostname` to be fully qualified?

2012-03-02 Thread Ondrej Valousek



No, unless you can alias them in the KDC.
Our KDC can technically supports aliases now, but we haven't added these
kind of aliases yet to it. And it is a bit controversial on whether we
want to.

In A windows domain you simply cannot have client residing in a DNA
domain that is not the same as the domain controller. This is a pretty
hard limitation and we do not want to add it to FreeIPA.

Now why does it matter in this case ?
It matter because, by forcing a single DNS Domain windows can univocally
say a-  a.b.c given the b.c part is forced on all clients joined to
that domain.
This does not hold true for FreeIPA. You could have foo.bar.example.com
and foo.rab.example.com ie 2 host with the same short name but in
different subdomains. if we alias both foo's and then we try to obtain a
ticket for host/foo@REALM then the KDC does not know which foo you refer
to. And if we alias only one then the second foo will simply fail to use
the shortname.

So the solution is to always use fully qualified names, which seem a
pretty decent compromise that shouldn't really cause issues in the vast
majority of cases.

Simo.


I understand now, thanks. But still I see 2 limitations in this:
1. I dare to say most people do not care that they CAN join foo.rab.example.com machine to the bar.example.com domain - to me, it is only 
confusing. In fact, this is a complete new information to me. I still believe we should produce at least a small warning if we find that DNS 
domain  IPA domain.

2. You see problems like this - there is nowhere said that your `hostname` must 
be FQDN as the OS itself happily accept both.

Either case, the ipa-client-install script should be able to detect such a case and offer some solution at least (I have a faint feeling 
there is even BZ already opened against this).


Ondrej


Proud winners of the prestigious Irish Software Exporter Award 2011 from Irish 
Exporters Association (IEA).  Please, refer to our web site for more details 
regarding the award.

The information contained in this e-mail and in any attachments is confidential 
and is designated solely for the attention of the intended recipient(s). If you 
are not an intended recipient, you must not use, disclose, copy, distribute or 
retain this e-mail or any part thereof. If you have received this e-mail in 
error, please notify the sender by return e-mail and delete all copies of this 
e-mail from your computer system(s).
Please direct any additional queries to: communicati...@s3group.com.
Thank You.
Silicon and Software Systems Limited. Registered in Ireland no. 378073.
Registered Office: South County Business Park, Leopardstown, Dublin 18___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] IPA hostnames. Why not use `hostname -fqdn` instead of forcing `hostname` to be fully qualified?

2012-03-02 Thread Simo Sorce
On Fri, 2012-03-02 at 16:10 +0100, Ondrej Valousek wrote:
 
  No, unless you can alias them in the KDC.
  Our KDC can technically supports aliases now, but we haven't added these
  kind of aliases yet to it. And it is a bit controversial on whether we
  want to.
  
  In A windows domain you simply cannot have client residing in a DNA
  domain that is not the same as the domain controller. This is a pretty
  hard limitation and we do not want to add it to FreeIPA.
  
  Now why does it matter in this case ?
  It matter because, by forcing a single DNS Domain windows can univocally
  say a - a.b.c given the b.c part is forced on all clients joined to
  that domain.
  This does not hold true for FreeIPA. You could have foo.bar.example.com
  and foo.rab.example.com ie 2 host with the same short name but in
  different subdomains. if we alias both foo's and then we try to obtain a
  ticket for host/foo@REALM then the KDC does not know which foo you refer
  to. And if we alias only one then the second foo will simply fail to use
  the shortname.
  
  So the solution is to always use fully qualified names, which seem a
  pretty decent compromise that shouldn't really cause issues in the vast
  majority of cases.
  
  Simo.
  
 I understand now, thanks. But still I see 2 limitations in this:
 1. I dare to say most people do not care that they CAN join
 foo.rab.example.com machine to the bar.example.com domain - to me, it
 is only confusing. In fact, this is a complete new information to me.
 I still believe we should produce at least a small warning if we find
 that DNS domain  IPA domain.

Well if it were a bet you'd lost it :-)
We already have multiple users doing exactly that and for good reasons
as far as I can tell.

 2. You see problems like this - there is nowhere said that your
 `hostname` must be FQDN as the OS itself happily accept both.

 Either case, the ipa-client-install script should be able to detect
 such a case and offer some solution at least (I have a faint feeling
 there is even BZ already opened against this).

If ipa-client-install is not detecting this situation I think it is a
bug.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users