On Thu, 11 Oct 2018, Dan Haskell via FreeIPA-users wrote:
On 10/10/18 5:03 PM, Dan Haskell via FreeIPA-users wrote:
>On 10/10/18 4:10 PM, John Keates wrote:
>>I’d say: don’t run FreeIPA server on the same install as the SAP server.
>
>So, the fqdn requirement doesn't apply to the client? Awesome. Thank
>you very much.
>
>Dan
>[snip]
According to the link below, clients *have* to use FQDN. Not just IPA
servers.
https://www.digitalocean.com/community/tutorials/how-to-configure-a-freei...
So, anyone know a way around this?
Let us step aside and state the problem first.
You want:
- to enroll a machine to IPA realm and use SSSD to provide services on
it?
- to run SAP server on the machine you just enrolled?
The second part requires that SAP server sees a hostname as a
non-qualified one, correct?
If those are two starting points, you can do the following on RHEL 7.5
or similar system (all I care here is a contemporary SSSD and other
tools, with expected configuration paths).
1. Enroll machine into IPA realm
Use fqdn here, as required, but after enrollment is completed, change
SSSD configuration by adding
    [domain/example.com]
    # the client's FQDN
    ipa_hostname = fqdn.example.com
2. Change your hostname back to non-fqdn.
hostnamectl set-hostname non-fqdn
With these changes at least SSSD will be able to perform its duties.
There are practical issues with this approach which I have not verified
yet. For example, SUDO may choke on fqdn versus non-fqdn difference in
its rules. For HBAC rules this shouldn't be a problem because the check
is done by SSSD and we forced SSSD to use fqdn.example.com.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
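The two-step workaround above (enroll with the FQDN, pin SSSD to it via ipa_hostname, then shorten the OS hostname) as an added shell example; this is not code from the thread or from the FreeIPA project. It assumes the sssd.conf path, the IPA domain name and the FQDN are passed as arguments, and it only edits the [domain/<name>] section so the pinned value survives a later hostnamectl change. The enrollment and hostnamectl commands are left as comments because they need a real IPA server and root.

```shell
#!/bin/sh
# Added example: keep SSSD on the FQDN while the OS hostname is non-qualified.
# Assumptions (not from the thread): $1 = path to sssd.conf, $2 = IPA domain,
# $3 = the client's FQDN. Paths/names below are placeholders.
set -eu

# Insert or replace "ipa_hostname = <fqdn>" inside [domain/<domain>].
# Idempotent: a second run replaces the existing key instead of adding one.
pin_sssd_ipa_hostname() {
    conf=$1; domain=$2; fqdn=$3
    tmp="${conf}.tmp.$$"
    awk -v section="[domain/$domain]" -v fqdn="$fqdn" '
        # leaving the target section without having written the key: write it now
        /^\[/ && in_sec && !written { print "ipa_hostname = " fqdn; written = 1 }
        # track whether the current line belongs to the target section
        { in_sec = ($0 == section) ? 1 : (/^\[/ ? 0 : in_sec) }
        # an existing ipa_hostname in the target section is replaced
        in_sec && /^[ \t]*ipa_hostname[ \t]*=/ {
            if (!written) { print "ipa_hostname = " fqdn; written = 1 }
            next
        }
        { print }
        # target section was the last one in the file
        END { if (in_sec && !written) print "ipa_hostname = " fqdn }
    ' "$conf" > "$tmp"
    mv "$tmp" "$conf"
}

# Read the pinned value back, so it can be compared with `hostname` later
# (SSSD/HBAC use this value; the OS hostname may legitimately differ).
sssd_ipa_hostname() {
    awk -v section="[domain/$2]" '
        $0 == section { in_sec = 1; next }
        /^\[/ { in_sec = 0 }
        in_sec && /^[ \t]*ipa_hostname[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}

# The full procedure from the thread (commented out: needs root and an IPA server):
#   ipa-client-install --hostname=fqdn.example.com      # step 1: enroll with the FQDN
#   pin_sssd_ipa_hostname /etc/sssd/sssd.conf example.com fqdn.example.com
#   systemctl restart sssd
#   hostnamectl set-hostname non-fqdn                   # step 2: shorten the OS hostname
#   sssd_ipa_hostname /etc/sssd/sssd.conf example.com   # should still print fqdn.example.com
```

sssd.conf is root-owned and mode 0600; the temporary file is created beside it so the rename stays on the same filesystem, and running the function as root keeps the ownership restrictions intact. The read-back function is the check to run after hostnamectl: if it no longer prints the FQDN, SSSD will start matching host entries against the short name and the HBAC evaluation described in the thread will break.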