Bug 710261

Summary: named won't start if nodename != Kerberos principal hostname
Product: Fedora
Reporter: Rob Crittenden <rcritten>
Component: bind-dyndb-ldap
Assignee: Adam Tkac <atkac>
Status: CLOSED UPSTREAM
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 14
CC: atkac, mkosek, ovasik
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2011-11-08 11:56:49 UTC

Attachments:
Use fake_mname as hostname if doing an ldapi bind (flags: none)
Updated set hostname patch (flags: none)

Description Rob Crittenden 2011-06-02 20:41:54 UTC
Description of problem:

When trying to set up IPA using a hostname different from the system hostname bind fails to start with the error:

Jun  2 16:06:01 panther named[18671]: GSSAPI Error: An invalid name was supplied (Hostname cannot be canonicalized)

In this case the name that cannot be canonicalized is the system hostname (/bin/hostname), which is different from the name being used in the Kerberos principal.

The problem is in the ldap bind using ldapi. Because no hostname is passed it uses the current hostname value. The fix is to call ldap_set_option using LDAP_OPT_HOST_NAME before doing any LDAP calls.

Version-Release number of selected component (if applicable):

bind-dyndb-ldap-0.2.0-1.fc14.x86_64

Comment 1 Rob Crittenden 2011-06-02 20:43:30 UTC
Created attachment 502636 [details]
Use fake_mname as hostname if doing an ldapi bind

I'm not 100% sure that fake_mname is the right value to use here or if we want a separate option (or pull apart the principal to determine the name to use).

This worked in my tests though.

Comment 2 Rob Crittenden 2011-06-02 21:20:35 UTC
I think I spoke too soon. named starts but buried deep in the logs is:

Jun  2 17:18:47 panther named[25098]: bind to LDAP server failed: Can't contact LDAP server

So the named process is up, just not serving my domain.

Comment 3 Rob Crittenden 2011-06-06 14:52:10 UTC
It was the trailing dot in fake_mname causing problems. I hardcoded a string as a test and it worked fine. I've yet to figure out the wonky string management in bind to come up with an updated patch.

Comment 4 Rob Crittenden 2011-06-21 14:35:06 UTC
Created attachment 505842 [details]
Updated set hostname patch

Updated patch to correctly use DNS memory management routines to strip off trailing period from hostname when setting it in LDAP.

Comment 5 Martin Kosek 2011-06-23 09:20:57 UTC
I can confirm that Rob's patch works fine. I was able to use bind-dyndb-ldap with IPA hostname different from the system hostname.
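The hostname handling this thread converges on, as an added example that is not code from bind-dyndb-ldap or from the attached patches: take the fake_mname value, drop the trailing dot that broke the bind in comment 2, and hand the result to ldap_set_option(LDAP_OPT_HOST_NAME) before any bind on the ldapi:// connection. It goes one step further than the patch by also checking that name against the host part of the Kerberos principal, so a mismatch is caught before named logs the GSSAPI canonicalization error. The principal format "service/host@REALM", the HAVE_LDAP macro and the function names are assumptions.

```c
/* Added example (not from bind-dyndb-ldap). Derives the name to pass to
 * ldap_set_option(LDAP_OPT_HOST_NAME) from a DNS-style fake_mname and checks
 * it against the host in a "service/host@REALM" principal (assumed format). */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define HOST_MAX 256

/* Copy src to dst, dropping one trailing '.' (DNS presentation form) and
 * lowercasing. Returns 0 on success, -1 if the name is empty or too long. */
int sasl_hostname(const char *src, char *dst, size_t n)
{
    size_t len = strlen(src);
    if (len > 0 && src[len - 1] == '.')
        len--;                      /* "host.example.com." -> "host.example.com" */
    if (len == 0 || len >= n)
        return -1;
    for (size_t i = 0; i < len; i++)
        dst[i] = (char)tolower((unsigned char)src[i]);
    dst[len] = '\0';
    return 0;
}

/* Extract and normalise the host component of "service/host@REALM".
 * Returns 0 on success, -1 if there is no service/host part. */
int principal_host(const char *princ, char *dst, size_t n)
{
    char tmp[HOST_MAX];             /* width 255 below must be HOST_MAX - 1 */
    if (sscanf(princ, "%*[^/]/%255[^@]", tmp) != 1)
        return -1;
    return sasl_hostname(tmp, dst, n);
}

/* 1 if the name the bind would advertise matches the principal's host, else 0. */
int hostname_matches_principal(const char *mname, const char *princ)
{
    char a[HOST_MAX], b[HOST_MAX];
    if (sasl_hostname(mname, a, sizeof a) != 0 || principal_host(princ, b, sizeof b) != 0)
        return 0;
    return strcmp(a, b) == 0;
}

#ifdef HAVE_LDAP
#include <ldap.h>
/* The real call (build with -DHAVE_LDAP -lldap); must precede any bind on ld. */
int set_sasl_hostname(LDAP *ld, const char *mname)
{
    char host[HOST_MAX];
    if (sasl_hostname(mname, host, sizeof host) != 0)
        return -1;
    return ldap_set_option(ld, LDAP_OPT_HOST_NAME, host) == LDAP_OPT_SUCCESS ? 0 : -1;
}
#endif
```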