Bug 433483 - Check FQDNs in ipa-addservice
Product: freeIPA
Classification: Community
Component: ipa-admintools
All Linux
medium Severity medium
Assigned To: Rob Crittenden
Chandrasekar Kannan
Blocks: 429034
Reported: 2008-02-19 11:15 EST by Simo Sorce
Modified: 2015-01-04 18:30 EST (History)
Fixed In Version: freeipa-2.0.0-1.fc15
Doc Type: Bug Fix
Last Closed: 2012-03-27 03:12:48 EDT

Attachments
Require DNS A record for service principals (6.58 KB, patch)
2008-02-26 13:54 EST, Rob Crittenden
Description Simo Sorce 2008-02-19 11:15:36 EST
Currently ipa-addservice will just happily create a service without checking
that the FQDN is a valid A name in DNS.
A host FQDN should always be an A name as Kerberos libraries will resolve any
CNAME into an A name before asking for a ticket from the KDC.

ipa-addservice should at least warn if it can't find an A name corresponding to
the FQDN part of the service principal we are about to create.
Comment 1 Rob Crittenden 2008-02-26 13:54:14 EST
Created attachment 295981
Require DNS A record for service principals

David, I've added a new option to ipa-addservice: --force

This will force a principal to be created that is not an A record.
Comment 2 Rob Crittenden 2008-02-26 16:01:42 EST
pushed in changeset 690
Comment 4 Yi Zhang 2008-05-22 14:16:43 EDT
QA Verified on May 22, 2008 (Yi)

Build used: May 22, 2008 (x64)

tests have been done:

server64[05/22/24 10:41] ipa-addservice host/ipaclient.example.com@EXAMPLE.COM
The requested hostname is not a DNS A record. This is required by Kerberos.
server64[05/22/24 10:45] ipa-addservice host/ipaclient.ipaqa.com@IPAQA.COM
server64[05/22/24 10:49] ipa-addservice host/ipa.ipaqa.com@IPAQA.COM
The requested hostname is not a DNS A record. This is required by Kerberos.
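
The check requested in the description, with the --force override from Comment 1, as an added example that is not part of this bug report or the freeIPA code. The function names are hypothetical, and a constructed ZONE table stands in for live DNS lookups so the logic can be run offline.

```python
# Added example: not the freeIPA code. ZONE is constructed sample data
# standing in for real DNS lookups so the check runs offline.
ZONE = {
    "ipaclient.ipaqa.com": ("A", "192.0.2.10"),
    "www.ipaqa.com": ("CNAME", "ipaclient.ipaqa.com"),
}

# Message text as shown in the QA transcript above.
MESSAGE = ("The requested hostname is not a DNS A record. "
           "This is required by Kerberos.")


class PrincipalError(ValueError):
    """Raised when a principal is not of the form service/fqdn[@REALM]."""


def principal_host(principal):
    """Return the lower-cased FQDN part of service/fqdn[@REALM]."""
    name = principal.rsplit("@", 1)[0]
    service, sep, host = name.partition("/")
    host = host.rstrip(".").lower()
    if not sep or not service or not host or "/" in host:
        raise PrincipalError("expected service/fqdn[@REALM]: %r" % principal)
    return host


def record_type(host, zone=ZONE):
    """Type of the record owned directly by host, or None if it has none."""
    entry = zone.get(host)
    return entry[0] if entry else None


def check_service_principal(principal, force=False, zone=ZONE):
    """Return (allowed, message) for a principal about to be created."""
    host = principal_host(principal)
    if record_type(host, zone) == "A":
        return True, ""
    # A CNAME and a missing name fail the same way; force mirrors --force
    # and lets creation proceed while still reporting the problem.
    return force, MESSAGE
```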
