On Thu, 11 Oct 2018, Dan Haskell via FreeIPA-users wrote:
On 10/10/18 5:03 PM, Dan Haskell via FreeIPA-users wrote:
On 10/10/18 4:10 PM, John Keates wrote:
I’d say: don’t run FreeIPA server on the same install as the SAP server.

So, the fqdn requirement doesn't apply to the client? Awesome. Thank you very much.

Dan
[snip]

According to the link below, clients *have* to use FQDN. Not just IPA servers.

https://www.digitalocean.com/community/tutorials/how-to-configure-a-freeipa-client-on-centos-7

So, anyone know a way around this?

Let us step aside and state the problem first.
You want:
- to enroll a machine to IPA realm and use SSSD to provide services on
  it?
- to run SAP server on the machine you just enrolled?

The second part requires that SAP server sees a hostname as a
non-qualified one, correct?

If those are two starting points, you can do the following on RHEL 7.5
or similar system (all I care here is a contemporary SSSD and other
tools, with expected configuration paths).

1. Enroll machine into IPA realm

Use fqdn here, as required, but after enrollment is completed, change
SSSD configuration by adding

[domain/example.com]
# the client's FQDN
ipa_hostname = fqdn.example.com

2. Change your hostname back to non-fqdn.
hostnamectl set-hostname non-fqdn

With these changes at least SSSD will be able to perform its duties.

There are practical issues with this approach which I have not verified
yet. For example, SUDO may choke on fqdn versus non-fqdn difference in
its rules. For HBAC rules this shouldn't be a problem because the check
is done by SSSD and we forced SSSD to use fqdn.example.com

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
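
Added example, not part of Alexander Bokovoy's message: a shell check for the two-step setup described above, confirming that the [domain/...] section of sssd.conf carries a fully qualified ipa_hostname while the machine reports a short name. The function names, the sample host sapbox, and the rule that the first label of ipa_hostname equals the short hostname are assumptions of this example.

```sh
#!/bin/sh
# Print the ipa_hostname value from the [domain/<name>] section of an
# sssd.conf-style file; prints nothing when the option is absent.
ipa_hostname_of() {  # usage: ipa_hostname_of <conf-file> <domain>
    awk -v want="[domain/$2]" '
        /^[ \t]*\[/ { gsub(/[ \t]/, ""); insec = ($0 == want); next }
        insec && /^[ \t]*ipa_hostname[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1"
}

# Return 0 when the override is fully qualified and (assumption of this
# example) its first label equals the short hostname; otherwise return 1.
check_ipa_hostname() {  # usage: check_ipa_hostname <conf> <domain> <short-name>
    fqdn=$(ipa_hostname_of "$1" "$2")
    if [ -z "$fqdn" ]; then
        echo "no ipa_hostname in [domain/$2]" >&2
        return 1
    fi
    case "$fqdn" in
        *.*) ;;
        *) echo "ipa_hostname '$fqdn' is not fully qualified" >&2; return 1 ;;
    esac
    if [ "${fqdn%%.*}" != "$3" ]; then
        echo "ipa_hostname '$fqdn' does not match hostname '$3'" >&2
        return 1
    fi
    return 0
}

# Constructed sample config (not from the thread); sapbox is a made-up host.
conf=$(mktemp)
cat > "$conf" <<'EOF'
[sssd]
domains = example.com

[domain/example.com]
# the client's FQDN
ipa_hostname = sapbox.example.com
EOF
check_ipa_hostname "$conf" example.com sapbox && echo "sssd.conf is consistent"
rm -f "$conf"
```

On an enrolled client the call would be check_ipa_hostname /etc/sssd/sssd.conf example.com "$(hostname)", run as root because sssd.conf is readable only by root.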