On Wed, 27 Jan 2016, Jon wrote:
Hi Alexander,

Huzzah!

Thanks for explaining how gethostname() works.  At least armed with this
information I can make a case to the powers that be why we need to make a
change like this.

So does this mean that all servers should have a fqdn in /etc/hostname or
in the case of RHEL6 setting the HOSTNAME variable in
/etc/sysconfig/network?
All servers should be returning fqdn output in `hostname` run, without
any additional options, e.g. not `hostname -f`.

In case of RHEL 7.x this means use of 'hostnamectl set-hostname f.q.d.n'
which would end up being the name stored in /etc/hostname

In case of RHEL 6.x this means setting HOSTNAME in /etc/sysconfig/network.

Of course, in both cases the first name for the host in /etc/hosts
should also be fqdn because this is the canonical name of the host -- in
case the host's IP address is set in /etc/hosts.


Thanks a ton for your help!

Best Regards,
Jon A


On Wed, Jan 27, 2016 at 3:16 PM, Alexander Bokovoy <[email protected]>
wrote:

On Wed, 27 Jan 2016, Jon wrote:

Hi Alexander,

I've changed the names to anonymize the logs, but have maintained the
structure of the names.

This is how I've got the hostname configured:

[root@freeipaserver ~]# hostname
freeipaserver
[root@freeipaserver ~]# hostname -a
freeipaserver
[root@freeipaserver ~]# hostname -f
freeipaserver.my.sub.domain.com
[root@freeipaserver ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

192.168.1.10 freeipaserver.my.sub.domain.com freeipaserver

[root@freeipaserver ~]# cat /etc/sysconfig/network
DNS1=192.168.10.1
NISDOMAIN=my.sub.domain.com
GATEWAY=192.168.1.1
SEARCH=my.sub.domain.com
DOMAIN=my.sub.domain.com


(NISDOMAIN and DOMAIN were previous attempts to set the domain.  I can't
just set /etc/hostname to "freeipaserver" as a bash prompt that says [
[email protected] ~] is unacceptable to our ops teams,
and we can't rewrite our bashrcs (these are company standards).  However,
based on the instructions, I do believe I've set the hostname correctly
unless something has changed between RHEL6 and RHEL7).

So this is not going to work, sorry.

One way or another, Kerberos requires you to have uniform names, so
freeipaserver and freeipaserver.my.sub.domain.com are different names
and thus cifs/freeipaserver@REALM and
cifs/freeipaserver.my.sub.domain.com@REALM
are two different Kerberos principals. FreeIPA KDC does not support
aliases.

Almost all software using Kerberos is retrieving hostname using
gethostname() call which, in turn, uses uname() system call and copies
hostname from a nodename element of the returned structure. There is no
code that complements nodename with default domain or something, so
that output has to be fully qualified or ALL hosts in your deployment
would need to be non-fully qualified.

`hostname` output is essentially giving you what uname() returns in
nodename, while `hostname -f` appends default domain to it.

Company standards may be important but in this case your bashrc code is
clearly based on something that is not really taking Kerberos reality
into account.
--
/ Alexander Bokovoy


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project



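Added example (not code from the thread or the FreeIPA project) that checks the two conditions Alexander describes: the name libc's gethostname() returns must already be fully qualified, since Kerberos builds the service principal from that literal string, and the first name listed for the host's address in /etc/hosts must be the FQDN. The service name "cifs" and the placeholder realm "REALM" are taken from the thread; the /etc/hosts sample is constructed to mirror the anonymised one above.

```python
import socket

# Loopback placeholders that contain a dot but are never a usable host FQDN.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "localhost4",
                  "localhost4.localdomain4", "localhost6", "localhost6.localdomain6"}


def is_fqdn(name: str) -> bool:
    # A usable FQDN carries at least one dot and is not a loopback alias.
    return "." in name and name not in LOOPBACK_NAMES


def principal(service: str, host: str, realm: str) -> str:
    # Kerberos service principals embed the host name string verbatim, so
    # "freeipaserver" and "freeipaserver.my.sub.domain.com" give different ones.
    return f"{service}/{host}@{realm}"


def principals_agree(nodename: str, fqdn: str, service: str = "cifs",
                     realm: str = "REALM") -> bool:
    # True only when the principal derived from the uname() nodename matches
    # the one derived from the host's FQDN.
    return principal(service, nodename, realm) == principal(service, fqdn, realm)


def parse_hosts(text: str) -> dict:
    # Map each address in an /etc/hosts body to its names; the first is canonical.
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            table.setdefault(fields[0], []).extend(fields[1:])
    return table


def canonical_name_is_fqdn(hosts_text: str, ip: str) -> bool:
    names = parse_hosts(hosts_text).get(ip, [])
    return bool(names) and is_fqdn(names[0])


def audit_live_host(service: str = "cifs", realm: str = "REALM") -> dict:
    # socket.gethostname() wraps libc gethostname(), i.e. the uname() nodename;
    # socket.getfqdn() resolves that name to its canonical form (like hostname -f).
    node = socket.gethostname()
    fqdn = socket.getfqdn(node)
    return {"nodename": node, "fqdn": fqdn, "nodename_is_fqdn": is_fqdn(node),
            "principals_agree": principals_agree(node, fqdn, service, realm)}


# Constructed sample /etc/hosts mirroring the anonymised one in the thread.
SAMPLE_HOSTS = """\
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.1.10 freeipaserver.my.sub.domain.com freeipaserver
"""

if __name__ == "__main__":
    print(audit_live_host())
```

Run it on a server whose `hostname` prints a short name and `nodename_is_fqdn` comes back False, which is exactly the state the thread diagnoses.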