Bug 1577649
Summary: | FreeIPA client install sets dns_canonicalize_hostname to false, which breaks service access by unqualified name | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Martin Jackson <mhjacks> |
Component: | freeipa | Assignee: | IPA Maintainers <ipa-maint> |
Status: | CLOSED WONTFIX | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Priority: | unspecified |
Version: | 28 | CC: | abokovoy, ipa-maint, jcholast, jhrozek, pvoborni, rcritten, ssorce |
Hardware: | Unspecified | OS: | Unspecified |
Last Closed: | 2018-07-09 13:56:46 UTC | Type: | Bug |
Description
Martin Jackson
2018-05-13 18:17:16 UTC
Added in commit 566c86a782bfd7d50938866e9f89faf56cea773f:

disable hostname canonicalization by Kerberos library

By default, Kerberos client library attempts to canonicalize service hostname in TGS requests. This can fail e.g. if hosts file on the client machine references short names before FQDNs. In this case the short name is used in TGS_REQ which KDC fails to resolve.

Since we do not (yet) support referencing hosts by their short names it is safe to just disable this behavior in krb5.conf and use supplied FQDNs.

https://fedorahosted.org/freeipa/ticket/6584

I see that the behavior is deliberate, but lots of people use short names, especially for SSH. It seems like something broke relatively recently in this. Would it make sense to make this behavior tunable with an installer flag?

There is a way to add a snippet in /etc/krb5.conf.d/ to override a default. There is also support for Kerberos principal aliases in FreeIPA. Both provide enough methods to handle this at a particular deployment. I'm closing this bug as WONTFIX.
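An added example, not code from FreeIPA or from this report: a Python check of which file supplies the effective dns_canonicalize_hostname once a snippet is placed in the include directory mentioned above, so the override can be audited rather than assumed. It assumes the main krb5.conf reads the directory with includedir before its own [libdefaults] and that MIT krb5 uses the first value it reads; the paths, realm and snippet file names are constructed.

```python
import os, re, tempfile

# File names MIT krb5 accepts from an includedir directory (per krb5.conf(5)):
# only alphanumerics, dashes, underscores, or a non-hidden name ending in .conf.
INCLUDABLE = re.compile(r"^(?:[A-Za-z0-9_-]+|[^.].*\.conf)$")

def relations(path, section, out):
    """Collect (file, key, value) for each relation in [section], in read order."""
    current = None
    with open(path) as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line[0] in "#;":
                continue
            if line.startswith("includedir "):
                confd = line.split(None, 1)[1]
                for name in sorted(os.listdir(confd)):
                    if INCLUDABLE.match(name):
                        relations(os.path.join(confd, name), section, out)
            elif line.startswith("["):
                current = line.strip("[]*")  # a trailing * (final marker) is ignored here
            elif "=" in line and current == section:
                key, value = (part.strip() for part in line.split("=", 1))
                out.append((path, key, value))
    return out

def effective(path, key, section="libdefaults"):
    """Return (file, value) of the first definition read, or None if unset.
    Assumption: for a single-valued relation the first value read is the one used."""
    for source, k, value in relations(path, section, []):
        if k == key:
            return source, value
    return None

def demo():
    """Constructed layout: main file sets false, a snippet in the include dir sets true."""
    with tempfile.TemporaryDirectory() as root:
        confd, main = os.path.join(root, "krb5.conf.d"), os.path.join(root, "krb5.conf")
        os.mkdir(confd)
        with open(main, "w") as fh:  # includedir placed first, before [libdefaults]
            fh.write(f"includedir {confd}\n[libdefaults]\n"
                     "  default_realm = EXAMPLE.TEST\n  dns_canonicalize_hostname = false\n")
        before = effective(main, "dns_canonicalize_hostname")[1]
        with open(os.path.join(confd, "canonicalize.rpmsave"), "w") as fh:
            fh.write("[libdefaults]\n  dns_canonicalize_hostname = bogus\n")  # skipped name
        with open(os.path.join(confd, "canonicalize"), "w") as fh:  # hypothetical snippet name
            fh.write("[libdefaults]\n  dns_canonicalize_hostname = true\n")
        source, after = effective(main, "dns_canonicalize_hostname")
        return before, os.path.basename(source), after

if __name__ == "__main__":
    print(demo())
```

Pointing `effective()` at a host's real krb5.conf shows whether a deployment-specific snippet or the installer's value is the one in force.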