From 566c86a782bfd7d50938866e9f89faf56cea773f Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Jan 11 2017 15:18:24 +0000
Subject: disable hostname canonicalization by Kerberos library


By default, Kerberos client library attempts to canonicalize service
hostname in TGS requests. This can fail e.g. if hosts file on the client
machine references short names before FQDNs. In this case the short name
is used in TGS_REQ which KDC fails to resolve.

Since we do not (yet) support referencing hosts by their short names it
is safe to just disable this behavior in krb5.conf and use supplied
FQDNs.

https://fedorahosted.org/freeipa/ticket/6584

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>

---

diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index 2ff6122..08576eb 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -676,6 +676,7 @@ def configure_krb5_conf(
         ])
     libopts.extend([
         krbconf.setOption('rdns', 'false'),
+        krbconf.setOption('dns_canonicalize_hostname', 'false'),
         krbconf.setOption('ticket_lifetime', '24h'),
         krbconf.setOption('forwardable', 'true'),
         krbconf.setOption('udp_preference_limit', '0')