#8672 CustodiaClient fails replica installation (when krb5 enables dns fallback)
Closed: fixed 3 years ago by rharwood. Opened 3 years ago by rharwood.

Issue

CustodiaClient attempts to acquire initiator credentials with the hostbased_service nametype. This hits a tricky corner case in Kerberos with respect to canonicalization, and we can easily avoid it. See https://github.com/krb5/krb5/pull/1154 for some more information.

Steps to Reproduce

  1. Patch 389ds and freeipa with client keytab fixes.
  2. Patch freeipa to set dns_canonicalize_hostname = fallback in its krb5.conf template and augeas logic. (Or patch krb5 to make this the default.)
  3. Install a freeipa server.
  4. Attempt to install a replica.

Actual behavior

Custodia connection will fail with:

Configuring ipa-custodia
  [1/4]: Generating ipa-custodia config file
  [2/4]: Generating ipa-custodia keys
  [3/4]: starting ipa-custodia 
  [4/4]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Major (458752): No credentials were supplied, or the credentials were unavailable or inaccessible, Minor (2529639107): No credentials cache found
The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
[root@replica secrets]#
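The "Major (...)" / "Minor (...)" pair in the installer output is a raw GSS-API status pair: the major code is laid out as calling-error, routine-error and supplementary bits (RFC 2744 section 3.9.1), and with the krb5 mechanism the minor code is a krb5 com_err value that was cast to an unsigned 32-bit integer. The following decoder is an added example, not code from FreeIPA or the ticket; it assumes the standard com_err base for the krb5 error table (-1765328384) and only carries a small hand-picked subset of krb5 error names, so any other offset is reported numerically.

```python
import re

# GSS-API major status layout (RFC 2744, 3.9.1): calling error in bits 24-31,
# routine error in bits 16-23, supplementary info in bits 0-15.
GSS_CALLING_ERRORS = {
    1: "GSS_S_CALL_INACCESSIBLE_READ",
    2: "GSS_S_CALL_INACCESSIBLE_WRITE",
    3: "GSS_S_CALL_BAD_STRUCTURE",
}
GSS_ROUTINE_ERRORS = {
    1: "GSS_S_BAD_MECH", 2: "GSS_S_BAD_NAME", 3: "GSS_S_BAD_NAMETYPE",
    4: "GSS_S_BAD_BINDINGS", 5: "GSS_S_BAD_STATUS", 6: "GSS_S_BAD_SIG",
    7: "GSS_S_NO_CRED", 8: "GSS_S_NO_CONTEXT", 9: "GSS_S_DEFECTIVE_TOKEN",
    10: "GSS_S_DEFECTIVE_CREDENTIAL", 11: "GSS_S_CREDENTIALS_EXPIRED",
    12: "GSS_S_CONTEXT_EXPIRED", 13: "GSS_S_FAILURE", 14: "GSS_S_BAD_QOP",
    15: "GSS_S_UNAUTHORIZED", 16: "GSS_S_UNAVAILABLE",
    17: "GSS_S_DUPLICATE_ELEMENT", 18: "GSS_S_NAME_NOT_MN",
}

# com_err base of the krb5 error table (ERROR_TABLE_BASE_krb5); each com_err
# table spans 256 codes, so a krb5 code is base + offset with 0 <= offset < 256.
KRB5_ERROR_TABLE_BASE = -1765328384
# Partial subset of krb5 error names by offset (assumption: hand-maintained here).
KRB5_ERROR_NAMES = {
    24: "KRB5KDC_ERR_PREAUTH_FAILED",
    37: "KRB5KRB_AP_ERR_SKEW",
    141: "KRB5_CC_NOTFOUND",
    195: "KRB5_FCC_NOFILE",
}

STATUS_RE = re.compile(r"Major \((\d+)\): (.*?), Minor \((\d+)\): (.*)$")


def decode_gss_major(major):
    """Split a GSS major status into its three fields and name the error."""
    calling = (major >> 24) & 0xFF
    routine = (major >> 16) & 0xFF
    supplementary = major & 0xFFFF
    if calling == 0 and routine == 0:
        name = "GSS_S_COMPLETE"
    else:
        name = GSS_CALLING_ERRORS.get(calling) or GSS_ROUTINE_ERRORS.get(routine)
    return {"calling": calling, "routine": routine,
            "supplementary": supplementary, "name": name}


def decode_krb5_minor(minor):
    """Reinterpret an unsigned GSS minor status as a signed krb5 com_err code."""
    signed = minor - (1 << 32) if minor >= (1 << 31) else minor
    offset = signed - KRB5_ERROR_TABLE_BASE
    in_table = 0 <= offset < 256
    return {"signed": signed,
            "offset": offset if in_table else None,
            "name": KRB5_ERROR_NAMES.get(offset) if in_table else None}


def parse_status_line(line):
    """Parse one 'Major (...): ..., Minor (...): ...' line from an install log."""
    m = STATUS_RE.search(line)
    if not m:
        return None
    major, major_msg, minor, minor_msg = m.groups()
    return {"major": decode_gss_major(int(major)), "major_message": major_msg,
            "minor": decode_krb5_minor(int(minor)), "minor_message": minor_msg}


# Constructed sample: the status line quoted in the ticket above.
SAMPLE_LINE = ("Major (458752): No credentials were supplied, or the credentials "
               "were unavailable or inaccessible, Minor (2529639107): "
               "No credentials cache found")

if __name__ == "__main__":
    r = parse_status_line(SAMPLE_LINE)
    print(r["major"]["name"], "->", r["minor"]["name"], r["minor"]["signed"])
```

Run against the line from the ticket this yields GSS_S_NO_CRED for the major code and krb5 offset 195 (KRB5_FCC_NOFILE, signed -1765328189) for the minor code, i.e. the initiator credential lookup never found a credential cache at all, which is the symptom the ticket attributes to the hostbased_service name type on the CustodiaClient side rather than to a bad keytab or KDC reachability.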

Expected behavior

Ideally, a replica.

Version/Release/Distribution

$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
freeipa-server-4.9.0-1.fc34.x86_64
freeipa-client-4.9.0-1.fc34.x86_64
package ipa-server is not installed
package ipa-client is not installed
389-ds-base-2.0.1-999.fc34.x86_64
pki-ca-10.10.0-2.fc34.noarch
krb5-server-1.19-0.beta2.1.fc34.x86_64

Additional info:

Patch forthcoming.


Issue will be resolved in krb5 instead; closing.

Metadata Update from @rharwood:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

3 years ago
