I am implementing SSO with FreeIPA and Proxmox LXC containers. I've encountered numerous errors while trying to set up the Kerberos 5 keytab. The problem seems to be the default hostname resolution in /etc/hosts.
Specifically this part:
Code:
# --- BEGIN PVE ---
127.0.1.1 sssd-testing
# --- END PVE ---
This fails to correctly canonicalize the hostname, and possibly reverse DNS records.
So my question is: how do I prevent/disable that Proxmox feature?
This is my documented and apparent cause; it may be helpful for someone like myself.
What I'm trying to do:
Code:
kinit -kt /etc/krb5.keytab
Error I got at first:
Code:
kinit: Cannot determine realm for host (principal host/sssd-testing@)
So that can be solved by adding a static mapping to the [domain_realm] part of /etc/sssd/sssd.conf,
which for me looks like:
Code:
[domain_realm]
...
sssd-testing = MY_REDACTED_REALM
Then I got yet another error:
Code:
kinit: Keytab contains no suitable keys for host/sssd-testing@MY_REDACTED_REALM while getting initial credentials
This was caused by failed canonicalization, since we resolved the host with /etc/hosts.
So I solved that by removing the hosts entry, and it worked flawlessly. But here is the problem: each time the container is restarted, those entries are put back again.
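Added example (not from the original post or from Proxmox): a small check showing how the PVE-managed hosts block decides the canonical name, and therefore the host/ principal that kinit asks for. It assumes glibc-style lookup (the first name on the first matching /etc/hosts line is the canonical name); the realm and the FQDN line are constructed sample values.

```sh
#!/bin/sh
# Added example, not from the post. Assumes glibc-style /etc/hosts lookup:
# the canonical name is the first name on the first line matching the query.

# Print the canonical name a hosts file yields for a hostname (empty if none).
hosts_canonical() {
    # $1 = hosts file, $2 = hostname to look up
    awk -v h="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }   # skip comments and short lines
        { for (i = 2; i <= NF; i++) if ($i == h) { print $2; exit } }
    ' "$1"
}

# Build the service principal kinit would request from that canonical name.
host_principal() {
    # $1 = hosts file, $2 = hostname, $3 = realm
    canon=$(hosts_canonical "$1" "$2")
    [ -n "$canon" ] || canon=$2
    printf 'host/%s@%s\n' "$canon" "$3"
}

# True (exit 0) if the BEGIN/END PVE block pins the hostname to 127.0.1.1
# under a short name, which shadows any FQDN line that follows it.
pve_block_breaks_canon() {
    # $1 = hosts file, $2 = hostname
    awk -v h="$2" '
        /^# --- BEGIN PVE ---/ { inpve = 1; next }
        /^# --- END PVE ---/   { inpve = 0; next }
        inpve && $1 == "127.0.1.1" && $2 == h && $2 !~ /\./ { bad = 1 }
        END { exit bad ? 0 : 1 }
    ' "$1"
}

# Constructed sample: the block from the post plus a correct FQDN line.
tmp=$(mktemp)
cat >"$tmp" <<'EOF'
127.0.0.1 localhost
# --- BEGIN PVE ---
127.0.1.1 sssd-testing
# --- END PVE ---
10.0.0.5 sssd-testing.example.test sssd-testing
EOF

host_principal "$tmp" sssd-testing EXAMPLE.TEST
pve_block_breaks_canon "$tmp" sssd-testing && echo "PVE block shadows the FQDN entry"
rm -f "$tmp"
```

With the PVE block present the principal comes out as host/sssd-testing@EXAMPLE.TEST, which is exactly the short-name principal the keytab does not contain; remove the block and the FQDN line becomes canonical.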