Hello,
I stumbled upon a problem that I believe to be a bug, but perhaps I am wrong.
Basically what happens is that if I have a line in /etc/hosts: 127.0.1.1 machine1.europe.example.com machine1 then I can only log in from the europe.example.com domain.
I reported this as: https://fedorahosted.org/sssd/ticket/1633 but perhaps this is a 'feature'? That sssd resolves the current machine domain and only allows logging in from this domain?
Cheers, Ballock
On Fri, Nov 09, 2012 at 12:57:25PM +0100, ballock wrote:
> Hello,
> I stumbled upon a problem that I believe to be a bug, but perhaps I am wrong.
> Basically what happens is that if I have a line in /etc/hosts: 127.0.1.1 machine1.europe.example.com machine1 then I can only log in from the europe.example.com domain.
> I reported this as: https://fedorahosted.org/sssd/ticket/1633 but perhaps this is a 'feature'? That sssd resolves the current machine domain and only allows logging in from this domain?
> Cheers, Ballock
Hi,
it is a bug, not a feature. Thank you for letting us know about the problem. We just haven't gotten around to fixing it; several issues were filed today.
You mentioned that you would be able to try and reproduce the problem with master, too. Would you mind trying that?
Thank you!
Hello, Jakub,
It seems it was a configuration deficiency. As per https://fedorahosted.org/sssd/ticket/1633#comment:1 it seems that explicitly stating which DNS domain to query solves the issue.
I am not sure why it works without the /etc/hosts entry and the configs. I guess it falls back to using the Kerberos domain as the DNS suffix if the machine suffix is not available.
Cheers, Ballock
On Fri 09 Nov 2012 06:57:25 AM EST, ballock wrote:
> Hello,
> I stumbled upon a problem that I believe to be a bug, but perhaps I am wrong.
> Basically what happens is that if I have a line in /etc/hosts: 127.0.1.1 machine1.europe.example.com machine1 then I can only log in from the europe.example.com domain.
> I reported this as: https://fedorahosted.org/sssd/ticket/1633 but perhaps this is a 'feature'? That sssd resolves the current machine domain and only allows logging in from this domain?
I replied in the ticket:
From the SSSD manpage:
{{{
dns_discovery_domain (string)
    If service discovery is used in the back end, specifies the domain part of the service discovery DNS query.

    Default: Use the domain part of machine's hostname
}}}
The problem here is that you're relying on SRV records to locate your KDC, but you aren't telling it which DNS domain to use for this location. If it's unspecified, we do a local lookup of the machine's hostname and then use that for the search domain.
Try setting:
{{{
[domain/europe.example.com]
...
dns_discovery_domain = europe.example.com
...

[domain/asia.example.com]
...
dns_discovery_domain = asia.example.com
...
}}}
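An added example (not part of the thread and not SSSD's own code): a small audit of an sssd.conf that reports, for each [domain/...] section, which DNS domain service discovery would use under the default quoted from the manpage above. The sample config and the function names are constructed for illustration; what happens when the hostname has no domain part is not stated in the manpage excerpt, so that case is only flagged.

```python
import configparser

# Constructed sample: two domains, neither sets dns_discovery_domain.
SAMPLE_SSSD_CONF = """
[sssd]
domains = europe.example.com, asia.example.com

[domain/europe.example.com]
auth_provider = krb5

[domain/asia.example.com]
auth_provider = krb5
"""

def hostname_domain(fqdn):
    """Domain part of the machine's hostname (the documented default)."""
    _, _, domain = fqdn.partition(".")
    return domain

def audit_discovery(conf_text, fqdn):
    """Map each [domain/NAME] section to (effective DNS discovery domain, status)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    fallback = hostname_domain(fqdn)
    report = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue  # [sssd], [nss], [pam] and similar are not domains
        name = section[len("domain/"):]
        explicit = cp[section].get("dns_discovery_domain")
        if explicit:
            report[name] = (explicit, "explicit")
        elif not fallback:
            # Short hostname: the manpage excerpt does not cover this case.
            report[name] = ("", "no-hostname-domain")
        elif fallback.lower() == name.lower():
            report[name] = (fallback, "default-matches")
        else:
            # SRV lookup would go to the host's DNS domain, not this one.
            report[name] = (fallback, "default-mismatch")
    return report

if __name__ == "__main__":
    # FQDN as given by the /etc/hosts line in the thread.
    fqdn = "machine1.europe.example.com"
    for name, (dns, status) in audit_discovery(SAMPLE_SSSD_CONF, fqdn).items():
        print(f"{name}: discovery domain {dns!r} ({status})")
```

Any section reported as `default-mismatch` is one whose SRV lookup lands in the host's own DNS domain, which is the situation described in the ticket.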