[Freeipa-users] dns delegated zone issue

Natxo Asenjo natxo.asenjo at gmail.com
Fri Dec 9 08:44:32 UTC 2011


On Fri, Dec 9, 2011 at 1:55 AM, Simo Sorce <simo at redhat.com> wrote:

>> If I login using a fqdn instead of the simple one, then it works. The
>> funny thing is, I can use the simple dns name to login the kdc server.
>> Why?
>
> Not sure why it works on your kdc, perhaps you have entries in /etc/hosts that resolve it first.

spot on, adding that entry in the ipaclient01 host allows simple name
logins to the host.

>> I use both the example.com as the ipa.example.com in the laptop's
>> search field in /etc/resolv.conf, by the way.
>
> This is the issue. Your client is trying to use the name
> ipaclient01.example.com and seeing it is not in the ipa.example.com your
> krb libs are trying to search for a trusted realm named 'EXAMPLE.COM'
> which does not exist of course.
>
> Using the fqdn there is no ambiguity and therefore your krb libs know
> what is the full name and the principal they should look for.

ok. I guess I have to think about the order in which I want the clients
to search their default dns domains and realms. I mean, for members of
the ipa realm it appears to make more sense to get the ipa realm dns
as first search option and the parent domain as second search option.

I should also use the kdc dns server as default name server for those
clients and have the example.com as forwarder in the kdc. I changed
the dhcp server range and the kdc name server picked up the change and
modified the A rr for the ipaclient01 (impressive, dyndns without any
configuration of the dhcp server), but the example.com ns still had a
cached resolution of the ipaclient01 A rr that pointed to the old
range.

>> Another question: why is it not possible to add simple hostnames as a
>> service principal?
>
> In theory you could, and turning off canonicalization completely you
> would be able to get a ticket. But in general a FQDN name is needed to
> connect to another host if you do not have a specific search domain.
>
> A simple host name would be ambiguous, how do you know which ticket to
> fetch if you have both www.example.com and www.ipa.example.com and want
> to do kerb auth against one or the other server? Clearly the
> HTTP/www@IPA.EXAMPLE.COM principal can only be used by one of them while
> a FQDN instead makes it pretty unambiguous in all cases.
>
> Also a FQDN is sometimes used because there are historically protocols
> where the name of the server is not known directly, but only through a
> PTR record which is resolved into a FQDN name.

Thanks for your explanation. The reason I was asking this is because I
have seen that in AD those simple spn attributes are automatically
added to computers that join the AD domain. So maybe IPA could do the
same if we have explicitly set the ipa dns domain as first search
domain.

I'll look into this later.

Thanks!

-- 
natxo
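Added example, not part of the thread and not FreeIPA or MIT Kerberos code: a small model of what Simo describes, namely how the resolv.conf search order turns a short host name into an FQDN and how the FQDN then selects the realm. The DNS records, the [domain_realm] mapping and the realm list are constructed sample data; the fallback of taking the uppercased parent domain as the realm is a simplification of what libkrb5 does when no mapping matches.

```python
"""Model: short host name -> FQDN (via search list) -> Kerberos realm."""
from typing import Dict, Optional, Tuple

# Constructed search orders for the two choices discussed in the thread.
SEARCH_PARENT_FIRST = ["example.com", "ipa.example.com"]
SEARCH_IPA_FIRST = ["ipa.example.com", "example.com"]

# Constructed DNS view: both zones carry an A record for ipaclient01
# (the parent zone's copy being the stale one mentioned in the thread).
SAMPLE_DNS: Dict[str, str] = {
    "ipaclient01.example.com": "192.0.2.10",
    "ipaclient01.ipa.example.com": "192.0.2.10",
}

# Assumed krb5.conf [domain_realm] content and the realms the client knows.
SAMPLE_DOMAIN_REALM = {".ipa.example.com": "IPA.EXAMPLE.COM",
                       "ipa.example.com": "IPA.EXAMPLE.COM"}
SAMPLE_KNOWN_REALMS = {"IPA.EXAMPLE.COM"}


def resolve_short_name(name: str, search: list, dns: Dict[str, str]) -> Optional[str]:
    """First search-suffixed FQDN with an A record; names with a dot are used as-is."""
    if "." in name:
        return name if name in dns else None
    for suffix in search:
        fqdn = f"{name}.{suffix}"
        if fqdn in dns:
            return fqdn
    return None


def realm_for_host(fqdn: str, domain_realm: Dict[str, str]) -> str:
    """Walk the host's suffixes, longest first, as [domain_realm] lookup does;
    with no match fall back to the uppercased parent domain (simplified)."""
    labels = fqdn.split(".")
    for i in range(len(labels)):
        tail = ".".join(labels[i:])
        for key in ("." + tail, tail):
            if key in domain_realm:
                return domain_realm[key]
    return ".".join(labels[1:]).upper()


def host_principal(name: str, search: list, dns=SAMPLE_DNS,
                   domain_realm=SAMPLE_DOMAIN_REALM,
                   known=SAMPLE_KNOWN_REALMS) -> Tuple[Optional[str], bool]:
    """Return (host principal, whether its realm is one the client knows)."""
    fqdn = resolve_short_name(name, search, dns)
    if fqdn is None:
        return None, False
    realm = realm_for_host(fqdn, domain_realm)
    return f"host/{fqdn}@{realm}", realm in known
```

With the parent domain first the short name maps to a principal in EXAMPLE.COM, which the client cannot find a KDC for; with ipa.example.com first, or with the FQDN, it lands in IPA.EXAMPLE.COM.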
