[Freeipa-users] dns delegated zone issue

Simo Sorce simo at redhat.com
Fri Dec 9 00:55:20 UTC 2011


On Wed, 2011-12-07 at 23:00 +0100, Natxo Asenjo wrote:
> hi,
> 
> for 'historical' reasons, I have a working dns zone in my lan, say
> example.com. In this zone, I have delegated an ipa.example.com zone
> for ipa.
> 
> I have setup freeipa (homelab, SL 6.1 with version
> ipa-server-2.0.0-23.el6.i686) and it works, I have a server and a
> client (kdc.ipa.example.com and ipaclient01.ipa.example.com).
> 
> From a laptop (not a member of the ipa realm) I kinit to this realm
> 
> 
> $ klist
> Ticket cache: FILE:/tmp/krb5cc_500
> Default principal: user@IPA.EXAMPLE.COM
> 
> Valid starting     Expires            Service principal
> 12/07/11 22:24:17  12/08/11 22:24:17  krbtgt/IPA.EXAMPLE.COM@IPA.EXAMPLE.COM
> 	renew until 12/14/11 22:24:17
> 12/07/11 22:24:43  12/08/11 22:24:17  HTTP/kdc.ipa.example.com.nx@IPA.EXAMPLE.COM
> 	renew until 12/14/11 22:24:17
> 12/07/11 22:27:28  12/08/11 22:24:17  host/kdc.ipa.example.com.nx@IPA.EXAMPLE.COM
> 	renew until 12/14/11 22:24:17
> 
> As you see, I could go on the web ui and login from ssh.
> 
> When logging in the ipaclient01, I get prompted to enter a password
> and the error is clear when getting verbose output from slogin:
> 
> $ slogin -v user@ipaclient01
> .......
> debug1: Next authentication method: gssapi-with-mic
> debug1: Unspecified GSS failure.  Minor code may provide more information
> Server krbtgt/EXAMPLE.COM@IPA.EXAMPLE.COM not found in Kerberos database
> 
> debug1: Unspecified GSS failure.  Minor code may provide more information
> Server krbtgt/EXAMPLE.COM@IPA.EXAMPLE.COM not found in Kerberos database
> 
> If I login using a fqdn instead of the simple one, then it works. The
> funny thing is, I can use the simple dns name to login the kdc server.
> Why?

Not sure why it works on your kdc; perhaps you have entries in /etc/hosts that resolve it first.

> I use both the example.com as the ipa.example.com in the laptop's
> search field in /etc/resolv.conf, by the way.

This is the issue. Your client is trying to use the name
ipaclient01.example.com and, seeing it is not in the ipa.example.com domain, your
krb libs are trying to search for a trusted realm named 'EXAMPLE.COM',
which does not exist of course.

Using the FQDN there is no ambiguity, and therefore your krb libs know
what the full name is and which principal they should look for.

> Another question: why is it not possible to add simple hostnames as a
> service principal?

In theory you could, and turning off canonicalization completely you
would be able to get a ticket. But in general a FQDN name is needed to
connect to another host if you do not have a specific search domain.

A simple host name would be ambiguous: how do you know which ticket to
fetch if you have both www.example.com and www.ipa.example.com and want
to do kerb auth against one or the other server? Clearly the
HTTP/www@IPA.EXAMPLE.COM principal can only be used by one of them, while
a FQDN instead makes it pretty unambiguous in all cases.

Also, a FQDN is sometimes used because there are historically protocols
where the name of the server is not known directly, but only through a
PTR record which is resolved into a FQDN.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
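The two steps Simo describes (the resolver's search-list expansion turning a short host name into an FQDN, and the krb5 libraries deriving a realm from that FQDN and then asking the KDC for a cross-realm krbtgt when it is not their own realm) as a small model in Python. This is an added example, not code from the thread, from MIT krb5 or from FreeIPA: the search-list and [domain_realm] logic is re-implemented in a few lines each, and the DNS records, search lists and realm mapping are all constructed. The extra ipaclient01.example.com A record in the parent zone is an assumption made so that the model reproduces the symptom from the slogin -v output.

```python
"""Model of how a Kerberos client turns a typed host name into the service
principal and realm it asks its KDC for.

Added example for the thread above; not MIT krb5 or FreeIPA code.  The DNS
data, search lists and krb5.conf-style realm mapping are constructed.
"""

from typing import Optional

# Constructed DNS data.  ipaclient01 answers under BOTH zones: the parent
# example.com zone carries a legacy record (an assumption, see the lead-in),
# while only ipa.example.com hosts are enrolled in the IPA realm.
DNS_A_RECORDS = {
    "kdc.ipa.example.com": "10.0.1.10",
    "ipaclient01.ipa.example.com": "10.0.1.20",
    "ipaclient01.example.com": "10.0.1.20",   # constructed legacy record
    "www.example.com": "10.0.0.80",
    "www.ipa.example.com": "10.0.1.80",
}

CLIENT_REALM = "IPA.EXAMPLE.COM"

# krb5.conf [domain_realm] as a non-enrolled laptop might have it (constructed).
DOMAIN_REALM = {
    "ipa.example.com": "IPA.EXAMPLE.COM",
    ".ipa.example.com": "IPA.EXAMPLE.COM",
}


def canonicalize(name: str, search: list[str],
                 hosts_file: Optional[dict] = None) -> Optional[str]:
    """Resolver search-list expansion, with /etc/hosts consulted first.

    Mirrors the glibc default (ndots:1): a name containing a dot is tried as
    given first, a bare label is appended to each 'search' domain in order,
    and the first candidate that has an A record wins.
    """
    hosts_file = hosts_file or {}
    if name in hosts_file:
        return hosts_file[name]
    suffixed = [f"{name}.{d}" for d in search]
    candidates = [name] + suffixed if "." in name else suffixed + [name]
    for candidate in candidates:
        if candidate in DNS_A_RECORDS:
            return candidate
    return None


def realm_for_host(fqdn: str) -> str:
    """[domain_realm] lookup: exact host first, then each parent domain with
    a leading dot.  With no match, fall back to the host's parent domain
    upper-cased, which is how ipaclient01.example.com lands in a realm
    called EXAMPLE.COM that nobody ever created.
    """
    if fqdn in DOMAIN_REALM:
        return DOMAIN_REALM[fqdn]
    labels = fqdn.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in DOMAIN_REALM:
            return DOMAIN_REALM[suffix]
    return ".".join(labels[1:]).upper()


def ticket_request(service: str, host: str, search: list[str],
                   hosts_file: Optional[dict] = None) -> tuple[str, Optional[str]]:
    """Return (service principal requested, cross-realm TGT needed or None).

    When the service realm is not the client's own, the client first asks its
    KDC for krbtgt/<service realm>@<client realm>.  Without a trust that
    principal does not exist, which is the "not found in Kerberos database"
    error shown in the thread.
    """
    fqdn = canonicalize(host, search, hosts_file)
    if fqdn is None:
        raise LookupError(f"{host!r} does not resolve with search list {search}")
    realm = realm_for_host(fqdn)
    principal = f"{service}/{fqdn}@{realm}"
    cross_realm_tgt = None if realm == CLIENT_REALM else f"krbtgt/{realm}@{CLIENT_REALM}"
    return principal, cross_realm_tgt


if __name__ == "__main__":
    laptop_search = ["example.com", "ipa.example.com"]   # order from the thread
    fixed_search = ["ipa.example.com", "example.com"]
    cases = [
        ("short name, example.com first", "ipaclient01", laptop_search, None),
        ("short name, ipa.example.com first", "ipaclient01", fixed_search, None),
        ("fqdn, example.com first", "ipaclient01.ipa.example.com", laptop_search, None),
        ("short kdc, nothing under example.com", "kdc", laptop_search, None),
        ("short kdc via /etc/hosts", "kdc", laptop_search, {"kdc": "kdc.ipa.example.com"}),
    ]
    for label, host, search, hosts in cases:
        principal, tgt = ticket_request("host", host, search, hosts)
        print(f"{label:40} -> {principal}" + (f"  (needs {tgt})" if tgt else ""))
```

Swapping the order of the two search domains, or typing the FQDN, is enough to keep the request inside IPA.EXAMPLE.COM; the `/etc/hosts` case models Simo's guess about why the short name for the kdc kept working.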
