#6829 IPA client and server installer sets incorrect domain->realm mappings
Opened 2 years ago by dkupka. Modified 2 years ago

In situation when host (future client or future server) is not in IPA domain installer add mapping of host's domain to IPA realm. We know nothing about host's domain and should not assume all resources there are enrolled to IPA.

Steps to reproduce:

[ipa-srv.example.org] # ipa-server-install -a Secret123 -p Secret123 -r IPA.EXAMPLE.ORG --domain ipa.example.org -U

Actual content of [domain_realm] section of krb5.conf:

.ipa.example.org = IPA.EXAMPLE.ORG
ipa.example.org = IPA.EXAMPLE.ORG
ipa-srv.example.org = IPA.EXAMPLE.ORG
.example.org = IPA.EXAMPLE.ORG
example.org = IPA.EXAMPLE.ORG

Expected content of [domain_realm] section of krb5.conf:

.ipa.example.org = IPA.EXAMPLE.ORG
ipa.example.org = IPA.EXAMPLE.ORG
ipa-srv.example.org = IPA.EXAMPLE.ORG

Additional info:
client-install code: https://pagure.io/freeipa/blob/8960398a57f69c124ec3105289dc355baa0d5b09/f/ipaclient/install/client.py#_730-735
server-install code: https://pagure.io/freeipa/blob/8960398a57f69c124ec3105289dc355baa0d5b09/f/ipaserver/install/krbinstance.py#_227-239


Metadata Update from @pvoborni:
- Issue set to the milestone: FreeIPA 4.7

2 years ago

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.7.1 (was: FreeIPA 4.7)

2 years ago

FreeIPA 4.7 has been released, moving to FreeIPA 4.7.1 milestone

Login to comment on this ticket.

Metadata