I am currently having kerberos difficulties due to the fact that:
hostname returns myhostname
hostname --short returns myhostname
hostname --fqdn returns myhostname
hostname --domain returns (nothing)
I have read several discussions on this that were posted over the years. I tried the workaround using:
boot.kernel.sysctl."kernel.hostname" = "myhostname.mydomainname";
but that only seems to set it for a short time, after which it reverts. This may be due to my DHCP server reverting it. I am running pfSense as a DHCP server. It also does not allow the hostname to contain the domain.
My /etc/hosts correctly lists my host with my domain.
I can join my ipa domain with:
ipa-join -h myhostname.mydomain admin
but kinit -k seems to use hostname --domain
so when my keytab file expires I have to unjoin and rejoin to get another.
(If someone can give me a quicker way to do that until I can fix the domain problem it would be very welcome.)
I have NetworkManager enabled and I have had the problem both with and without services.resolved.enabled. I also seem to continue to have the problem occur when I disable avahi.
I have a search line in my /etc/resolv.conf with two domains listed, but even if I remove all but the important one this problem persists. I have no domain line in the file.
The hosts line in my /etc/nsswitch.conf reads:
hosts: mymachines mdns_minimal [NOTFOUND=return] resolve [!UNAVAIL=return] files myhostname dns mdns
Any ideas what could be going on here?
Is there any other information that would help to solve this?
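As an added illustration that is not part of the original post, the Python below mirrors how hostname(1) derives --fqdn and --domain and parses the hosts line quoted above to show which sources can stop a lookup before files is ever consulted. The names fqdn_via_resolver, domain_from_fqdn, parse_hosts_line and gates_before are my own; HOSTS_LINE is the line from the post used as constructed input.

```python
import re
import socket

STATUSES = ("SUCCESS", "NOTFOUND", "UNAVAIL", "TRYAGAIN")
HOSTS_LINE = ("hosts: mymachines mdns_minimal [NOTFOUND=return] "  # line quoted in the post
              "resolve [!UNAVAIL=return] files myhostname dns mdns")

def fqdn_via_resolver(name=None):
    """`hostname --fqdn`: getaddrinfo(AI_CANONNAME) on the short name; the first canonical name wins."""
    name = name or socket.gethostname()
    try:
        info = socket.getaddrinfo(name, None, flags=socket.AI_CANONNAME)
    except socket.gaierror:
        return name
    return next((entry[3] for entry in info if entry[3]), name)

def domain_from_fqdn(fqdn):
    """`hostname --domain` is the FQDN minus its first label, '' if there is no dot."""
    _, dot, domain = fqdn.partition(".")
    return domain if dot else ""

def parse_hosts_line(line):
    """Return [(source, {statuses that stop the lookup at this source}), ...];
    glibc defaults to [SUCCESS=return] and '!STATUS' means every other status."""
    spec = line.split(":", 1)[1] if ":" in line else line
    entries = []
    for tok in re.findall(r"\[[^\]]*\]|\S+", spec):
        if not tok.startswith("["):
            entries.append((tok, {"SUCCESS"}))
            continue
        returns = entries[-1][1]  # an action block modifies the preceding source
        for clause in tok[1:-1].split():
            status, _, action = clause.upper().partition("=")
            negate, status = status.startswith("!"), status.lstrip("!")
            for s in STATUSES:
                if (s != status) == negate:  # the named status, or all others for '!'
                    if action == "RETURN":
                        returns.add(s)
                    else:  # continue (and merge) fall through to the next source
                        returns.discard(s)
    return entries

def gates_before(entries, target="files"):
    """Sources tried before `target`, each with its stop set; `target` is reached only if all of them miss."""
    gates = []
    for source, returns in entries:
        if source == target:
            return gates
        gates.append((source, sorted(returns)))
    raise ValueError(f"{target!r} is not in the hosts line")
```

With the quoted line, resolve stops the lookup on every status except UNAVAIL, so files (and the FQDN in /etc/hosts) is only consulted when systemd-resolved is not running at all.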
It may be easy to see from my earlier post that this is not an area that I normally work within. kinit -k still doesn’t work on my client systems (it returns no keytab entry for host@) since it can’t find the domain from hostname --domain; but it seems that the FreeIPA server is continually updating the DNS records which (I believe) means that the clients must be enrolled anyway.
Right now I love my NixOS network. It is relatively painless to administer the 5 NixOS machines compared to the two other Linux boxes I am running. My Proxmox server and my FreeIPA server have weird outages where I have to track down which setting somehow got reverted or was only enacted in a temporary way.
I would still like to give Portunus a try to see if it would be a better fit for my use-case.
Has anyone managed to integrate sssd support with Portunus?
Has anyone managed to get kerberos to work with it as well?
I am still a bit fuzzy on what Kerberos is providing to a TLS-based LDAP system. I have been trying to read up on all of this.
I do appreciate all of the help. I plan to try to find a way to contribute to NixOS eventually. I am hoping to see just how far I could take a NixOS-only network. (Yes, I put NixOS on my wife’s computer too.) I would like to understand the pain points. At the moment, the only time I seem to have difficulties with NixOS is when it seems to do something magical. It seems to “just work” in many cases where other Linuxes struggle, and it definitely allows easy control and configuration of otherwise difficult areas of Linux.
At first I was thinking the lack of FreeIPA/IdM was a huge drawback and therefore I added a Rocky Linux box to my network for just that. Now I wonder if FreeIPA is too bloated for its own good. In my efforts to make it work I have made several changes to it on the command line that don’t seem to be reflected anywhere in the GUI. After all the work, it still seems to only provide user authentication and group membership. I suppose it also provides DNS, but in a network where DNS is already provided as a part of another service this is a drawback rather than a strength.
I can only imagine that Red Hat must have felt that DNS was necessary to provide the Kerberos host service credentials. I would much rather have my DHCP server manage my DNS, but FreeIPA takes that away from me.
I realize there is a lot here. Any help/answers/questions would be appreciated, even if it is only to tell me where I would be most useful helping out. I have been a Software Engineer for more than 25 years and I am very excited about NixOS. I am still struggling a bit with the Nix language, and I have a wife and a young daughter, so time is limited; but surely I have something to offer.