author Martin Babinsky <mbabinsk@redhat.com> 2017-01-09 14:36:33 +0100
committer Martin Babinsky <mbabinsk@redhat.com> 2017-01-11 16:18:24 +0100
commit 566c86a782bfd7d50938866e9f89faf56cea773f (patch)
tree e9244b9a21f675af6fb8eec2992d06193089dcbc /ipaclient
parent 0c95a00147b1dd508736dacc847873ddddafb504 (diff)
disable hostname canonicalization by Kerberos library
By default, Kerberos client library attempts to canonicalize service hostname in TGS requests. This can fail e.g. if hosts file on the client machine references short names before FQDNs. In this case the short name is used in TGS_REQ which KDC fails to resolve.

Since we do not (yet) support referencing hosts by their short names it is safe to just disable this behavior in krb5.conf and use supplied FQDNs.

https://fedorahosted.org/freeipa/ticket/6584

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Diffstat (limited to 'ipaclient')
-rw-r--r-- ipaclient/install/client.py 1
1 files changed, 1 insertions, 0 deletions
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index 2ff612280..08576ebc6 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -676,6 +676,7 @@ def configure_krb5_conf(
])
libopts.extend([
krbconf.setOption('rdns', 'false'),
+ krbconf.setOption('dns_canonicalize_hostname', 'false'),
krbconf.setOption('ticket_lifetime', '24h'),
krbconf.setOption('forwardable', 'true'),
krbconf.setOption('udp_preference_limit', '0')
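Review bot: the added `krbconf.setOption('dns_canonicalize_hostname', 'false')` line in `configure_krb5_conf` has no comment, so the reason for it exists only in the commit message. A short comment above it would help the next reader: it should say that canonicalization is disabled because a short name picked up from the hosts file ends up in the TGS_REQ and the KDC fails to resolve it, and point to ticket 6584. The option is also written unconditionally next to `rdns`. Since the commit message ties its safety to short names not being supported yet, the comment should note that the setting needs revisiting when that support is added.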