Issue:
With a single-component realm, e.g., TEST, and working DNS discovery for test.local, the final generated krb5.conf in ipa-client-install looks like:
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = TEST
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  TEST = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .test.local = TEST
  test.local = TEST
With this setup, ipa-client-install fails with:
ERROR Cannot connect to the IPA server RPC interface: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/('Cannot find KDC for realm "TEST"', -1765328230)
The cause is that libkrb5 searches for _kerberos._udp.TEST and _kerberos-master._udp.TEST, which don't exist and also probably won't.
Expected result:
kdc
Note: there are also discussions to disable support of installing IPA with different domain and realm which might make this issue invalid.
Or rather, if the single-component domain exists and has appropriate DNS records, then proceed; otherwise be loud.
See also #6049
Metadata Update from @pvoborni: - Issue assigned to someone - Issue set to the milestone: FreeIPA 4.5 backlog
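A pre-flight check for the condition reported in this ticket, as an added example that is not FreeIPA or ipa-client-install code: it parses krb5.conf text and reports a single-component default realm that has no kdc entry under [realms], which leaves libkrb5 dependent on the SRV names quoted above. The function names, the trimmed sample config and the treatment of a missing dns_lookup_kdc as enabled are assumptions.

```python
import re

# Constructed sample: the krb5.conf from the report, trimmed to the relevant keys.
SAMPLE = """\
[libdefaults]
  default_realm = TEST
  dns_lookup_kdc = true
[realms]
  TEST = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }
"""

def parse(text):
    """Return (libdefaults dict, {realm: {key: [values]}}) from krb5.conf text."""
    section, realm, libdefaults, realms = None, None, {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:                                    # new section header
            section, realm = m.group(1), None
        elif line == "}":                        # end of a realm block
            realm = None
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if section == "libdefaults":
                libdefaults[key] = value
            elif section == "realms" and value == "{":
                realm, realms[key] = key, {}     # start of a realm block
            elif section == "realms" and realm:
                realms[realm].setdefault(key, []).append(value)
    return libdefaults, realms

def srv_names(realm):
    """SRV owner names the report says libkrb5 searches for."""
    return [f"_kerberos._udp.{realm}", f"_kerberos-master._udp.{realm}"]

def check(text):
    """Return findings for a single-component default realm without a kdc entry."""
    libdefaults, realms = parse(text)
    realm = libdefaults.get("default_realm")
    if realm is None or "." in realm or realms.get(realm, {}).get("kdc"):
        return []
    # Assumption: a missing dns_lookup_kdc is treated as enabled.
    flag = libdefaults.get("dns_lookup_kdc", "true").lower()
    dns = flag in ("true", "yes", "on", "1", "t", "y")
    source = "depends on SRV lookup of " + ", ".join(srv_names(realm)) if dns \
        else "has DNS lookup disabled, so no KDC can be located"
    return [f"realm {realm} is a single component, has no kdc entry and {source}"]
```

Running check() on the generated file before the first Kerberos call lets the installer be loud about this case, instead of surfacing it later as "Cannot find KDC for realm".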