Hi Alexander,

Huzzah!

Thanks for explaining how gethostname() works. At least armed with this information I can make a case to the powers that be why we need to make a change like this.

So does this mean that all servers should have a fqdn in /etc/hostname or in the case of RHEL6 setting the HOSTNAME variable in /etc/sysconfig/network?

Thanks a ton for your help!

Best Regards,
Jon A

On Wed, Jan 27, 2016 at 3:16 PM, Alexander Bokovoy <[email protected]> wrote:

> On Wed, 27 Jan 2016, Jon wrote:
>
>> Hi Alexander,
>>
>> I've changed the names to anonymize the logs, but have maintained the
>> structure of the names.
>>
>> This is how I've got the hostname configured:
>>
>>>> [root@freeipaserver ~]# hostname
>>>> freeipaserver
>>>> [root@freeipaserver ~]# hostname -a
>>>> freeipaserver
>>>> [root@freeipaserver ~]# hostname -f
>>>> freeipaserver.my.sub.domain.com
>>>> [root@freeipaserver ~]# cat /etc/hosts
>>>> 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
>>>> ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
>>>>
>>>> 192.168.1.10 freeipaserver.my.sub.domain.com freeipaserver
>>>>
>>>> [root@freeipaserver ~]# cat /etc/sysconfig/network
>>>> DNS1=192.168.10.1
>>>> NISDOMAIN=my.sub.domain.com
>>>> GATEWAY=192.168.1.1
>>>> SEARCH=my.sub.domain.com
>>>> DOMAIN=my.sub.domain.com
>>
>> (NISDOMAIN and DOMAIN were previous attempts to set the domain. I can't
>> just set /etc/hostname to "freeipaserver" as a bash prompt that says [
>> [email protected] ~] is unacceptable to our ops teams,
>> and we can't rewrite our bashrcs (these are company standards). However,
>> based on the instructions, I do believe I've set the hostname correctly
>> unless something has changed between RHEL6 and RHEL7).
>>
> So this is not going to work, sorry.
>
> One way or another, Kerberos requires you to have uniform names, so
> freeipaserver and freeipaserver.my.sub.domain.com are different names
> and thus cifs/freeipaserver@REALM and
> cifs/freeipaserver.my.sub.domain.com@REALM
> are two different Kerberos principals. FreeIPA KDC does not support
> aliases.
>
> Almost all software using Kerberos is retrieving hostname using
> gethostname() call which, in turn, uses uname() system call and copies
> hostname from a nodename element of the returned structure. There is no
> code that complements nodename with default domain or something, so
> that output has to be fully qualified or ALL hosts in your deployment
> would need to be non-fully qualified.
>
> `hostname` output is essentially giving you what uname() returns in
> nodename, while `hostname -f` appends default domain to it.
>
> Company standards may be important but in this case your bashrc code is
> clearly based on something that is not really taking Kerberos reality
> into account.
> --
> / Alexander Bokovoy
>
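The name mismatch discussed in this thread, as an added example that is not part of the original messages or of FreeIPA's code: it reads the nodename the way gethostname() callers see it, builds a service principal from that string with no domain completion, and compares it with the resolver's canonical name. The function names are hypothetical, `REALM` is the placeholder used in the thread, and treating the resolver's canonical name as what `hostname -f` prints is an assumption.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L
#endif
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/utsname.h>
#include <unistd.h>

/* The name Kerberos-aware software gets: gethostname(), checked against uname(). */
int kernel_nodename(char *out, size_t len) {
    struct utsname u;
    if (len == 0 || gethostname(out, len) != 0 || uname(&u) != 0) return -1;
    out[len - 1] = '\0';   /* termination is not guaranteed on truncation */
    return strcmp(out, u.nodename) == 0 ? 0 : -1;
}

/* A nodename carries a domain only if it has an interior dot. */
int is_fully_qualified(const char *name) {
    const char *dot = strchr(name, '.');
    return dot != NULL && dot != name && dot[1] != '\0';
}

/* Resolver canonical name for node (assumed to be what `hostname -f` prints). */
int resolver_fqdn(const char *node, char *out, size_t len) {
    struct addrinfo hints = {0}, *res = NULL;
    hints.ai_flags = AI_CANONNAME;
    if (getaddrinfo(node, NULL, &hints, &res) != 0) return -1;
    int ok = res->ai_canonname != NULL;
    if (ok) snprintf(out, len, "%s", res->ai_canonname);
    freeaddrinfo(res);
    return ok ? 0 : -1;
}

/* Build service/host@REALM from the host string exactly as given. */
int host_principal(const char *svc, const char *host, const char *realm, char *out, size_t len) {
    int n = snprintf(out, len, "%s/%s@%s", svc, host, realm);
    return (n > 0 && (size_t)n < len) ? 0 : -1;
}

int main(void) {
    char node[256], fqdn[256], princ[600];
    if (kernel_nodename(node, sizeof node) != 0) return 1;
    host_principal("cifs", node, "REALM", princ, sizeof princ);
    printf("gethostname(): %s -> %s\n", node, princ);
    if (resolver_fqdn(node, fqdn, sizeof fqdn) == 0) printf("resolver FQDN: %s\n", fqdn);
    if (!is_fully_qualified(node)) puts("nodename is short: it will not match FQDN-based principals");
    return 0;
}
```

On a host configured like the one quoted above, the principal is built from the short nodename while the resolver line shows the fully qualified name.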
