[Freeipa-users] [freeipa-users] How to manage Linux attributes for AD users (e.g. how do I set a shell for an AD User)

2016-02-04 Thread Jon
Hello,

How does one manage Linux attributes for AD users?  Primarily in my case,
I'm looking to change the default shell to either Bash or KSH depending on
the user.

I can create a .profile that either sources bash or ksh rcs... e.g.:

>> $ cat ~/.profile
>> bash ./.bashrc

This is really less than ideal and just seems like the wrong way to do it,
especially considering we have a tool like FreeIPA.

According to Microsoft
<http://blogs.technet.com/b/activedirectoryua/archive/2015/01/25/identity-management-for-unix-idmu-is-deprecated-in-windows-server.aspx>,
they are no longer supporting Identity Management for Unix.  Does FreeIPA
honor the attributes set by IDMU?  Even if it's deprecated, I suppose we
could continue to use it...
This previous FreeIPA thread
<https://www.redhat.com/archives/freeipa-users/2013-April/msg7.html> seems
to indicate you can force the shell for anyone in the domain logging into
that machine, but we have some users who prefer one shell over the other.

I did what I believe to be standard: I created a security group in AD,
added that group to an external group in FreeIPA, then made an
internal group and added the external group as a member of the internal
group.  Unfortunately, this doesn't seem to expose any of the AD attributes
for management.  Or maybe I'm just misunderstanding...

Any thoughts?  How are you managing individual AD user settings?

Thanks,
Jon A
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] [freeipa-users] Configuring Automount on Ubuntu Clients

2016-02-04 Thread Jon
Hello,

How do I configure automount for Ubuntu 14.04 clients?  My procedure on
CentOS has been: install the FreeIPA client, run ipa-client-install (which
auto-configures with DNS discovery), then run ipa-client-automount.  However,
when I run this on the Ubuntu client, I receive the following errors:

>> root@ubuntu-1404-x8664:~# ipa-client-automount -U
>> Searching for IPA server...
>> IPA server: DNS discovery
>> Location: default
>> Configured /etc/nsswitch.conf
>> Configured /etc/default/nfs-common
>> Configured /etc/idmapd.conf
>> rpcidmapd failed to restart: Command '/usr/sbin/service rpcidmapd restart ' returned non-zero exit status 1
>> rpcgssd failed to restart: Command '/usr/sbin/service rpcgssd restart ' returned non-zero exit status 1

As these are not the names of these services on Ubuntu, this will never
work.

>> root@ubuntu-1404-x8664:~# service idmapd restart
>> idmapd stop/waiting
>> idmapd start/running, process 428
>> root@ubuntu-1404-x8664:~# service gssd restart
>> stop: Unknown instance:
>> gssd start/running, process 567

Unfortunately, these appear to be hardcoded values in the install script:

>> if statestore.has_state('rpcidmapd'):
>>     enabled = statestore.restore_state('rpcidmapd', 'enabled')
>>     running = statestore.restore_state('rpcidmapd', 'running')
>>     rpcidmapd = ipaservices.knownservices.rpcidmapd
>>     if not enabled:
>>         rpcidmapd.disable()
>>     if not running:
>>         rpcidmapd.stop()
>> if statestore.has_state('rpcgssd'):
>>     enabled = statestore.restore_state('rpcgssd', 'enabled')
>>     running = statestore.restore_state('rpcgssd', 'running')
>>     rpcgssd = ipaservices.knownservices.rpcgssd

Is Ubuntu not supported with FreeIPA?  Is there an updated install script?
I installed the freeipa-client from public repos.

>> ii  freeipa-client  3.3.4-0ubuntu3.1  amd64  FreeIPA centralized identity framework -- client
>> ii  python-freeipa  3.3.4-0ubuntu3.1  amd64  FreeIPA centralized identity framework -- python modules

Thanks,
Jon A

Re: [Freeipa-users] [freeipa-users] How to manage Linux attributes for AD users (e.g. how do I set a shell for an AD User)

2016-02-04 Thread Jon
Hi Josh,

I think that's exactly the problem though, how does one set POSIX
attributes in AD from Linux guests?

The Red Hat documentation has a big warning that the Microsoft IDMU has been
deprecated:

>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/ex.sssd-ad-posix.html

Surely you're not suggesting manually editing the AD Schema...?

Also, another use case is ssh keys.  I'm not even sure that IDMU has an
option for "authorized_keys"  (and FreeIPA doesn't seem to honor what's in
.ssh/authorized_keys...  when that file exists I always get prompted for a
password then access denied).

I'm sure there are other per-user level attributes that are required (home
directory perhaps), but the two big ones are shell and ssh keys.  I can't
be the only one who has a use case for managing these attributes for Active
Directory users.

Thanks,
Jon A

On Thu, Feb 4, 2016 at 1:30 PM, Baird, Josh <jba...@follett.com> wrote:

> For AD users, I believe you have two options.
>
> 1) Set the POSIX value on the user in AD for the shell
>
> 2) Set the following in your client's sssd.conf:
>
> [nss]
> override_shell = /bin/bash
>
> This would obviously be global per IPA client.
>
> Josh

[Freeipa-users] [freeipa-users] Problem managing Autofs with FreeIPA

2016-02-01 Thread Jon
54361398.944:96): user pid=1632 uid=0 auid=0 ses=1 msg='op=PAM:setcred acct="j...@mydomain.com" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
>> Feb  1 16:16:39 ipa-test01 kernel: type=1123 audit(1454361399.976:97): user pid=1635 uid=0 auid=0 ses=1 msg='cwd="/root" cmd="-sh" terminal=pts/0 res=success'
>> Feb  1 16:16:39 ipa-test01 kernel: type=1103 audit(1454361399.976:98): user pid=1635 uid=0 auid=0 ses=1 msg='op=PAM:setcred acct="j...@mydomain.com" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
>> Feb  1 16:16:39 ipa-test01 kernel: type=1105 audit(1454361399.982:99): user pid=1635 uid=0 auid=0 ses=1 msg='op=PAM:session_open acct="j...@mydomain.com" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
>> Feb  1 16:16:39 ipa-test01 kernel: type=1106 audit(1454361399.983:100): user pid=1635 uid=0 auid=0 ses=1 msg='op=PAM:session_close acct="j...@mydomain.com" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
>> Feb  1 16:16:39 ipa-test01 kernel: type=1104 audit(1454361399.983:101): user pid=1635 uid=0 auid=0 ses=1 msg='op=PAM:setcred acct="j...@mydomain.com" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'

These are the corresponding attempts to change user:

>> [root@ipa-test01 ~]# sudo -iu j...@mydomain.com
>> sudo: unable to change directory to /home/mydomain.com/jona: No such file or directory
>> sudo: unable to execute /bin/sh: No such file or directory
>> [root@ipa-test01 ~]# sudo -iu j...@mydomain.com
>> sudo: unable to change directory to /home/mydomain.com/jona: No such file or directory
>> sudo: unable to execute /bin/sh: No such file or directory
>> [root@ipa-test01 ~]# sudo -iu j...@mydomain.com
>> sudo: unable to change directory to /home/mydomain.com/jona: No such file or directory
>> sudo: unable to execute /bin/sh: No such file or directory

So clearly, it's not mounting the homedir, but I'm not producing any kind
of error message...  Note that I have no problem mounting this directory
manually (with or without an entry in my /etc/hosts):

>> [root@ipa-test01 ~]# mount home-dir01.sub.domain.mydomain.com:/exports/home/ /home/
>> home-dir01.sub.domain.mydomain.com:/exports/home/ on /home type nfs (rw,vers=4,addr=2605:1c00:50f2:300a::56ff::442a,clientaddr=2605:1c00:50f2:300a::56ff::dbf6)

Interestingly enough, when I create an /etc/auto.home, I'm able to mount my
home dir without issues:

>> [root@ipa-test01 ~]# cat /root/auto.home
>> * -fstype=nfs,soft,intr,rsize=8192,wsize=8192,nosuid,tcp 192.168.10.250:/exports/home/&
>> [root@ipa-test01 ~]# cp /root/auto.home /etc/
>> [root@ipa-test01 ~]# service autofs restart
>> Stopping automount:                                        [  OK  ]
>> Starting automount:                                        [  OK  ]
>> [root@ipa-test01 ~]# sudo -iu j...@mydomain.com
>> -sh-4.1$ pwd
>> /home/mydomain.com/jona
>> -sh-4.1$ mount | grep home
>> /dev/mapper/rootvg-home on /home type ext4 (rw,nodev)
>> 192.168.10.250:/exports/home/mydomain.com on /home/mydomain.com type nfs (rw,nosuid,soft,intr,rsize=8192,wsize=8192,tcp,sloppy,vers=4,addr=192.168.10.250,clientaddr=192.168.10.84)
>> [root@ipa-test01 ~]# rm /etc/auto.home
>> rm: remove regular file `/etc/auto.home'? y
>> [root@ipa-test01 ~]# service autofs restart
>> Stopping automount:                                        [  OK  ]
>> Starting automount:                                        [  OK  ]
>> [root@ipa-test01 ~]# sudo -iu j...@mydomain.com
>> sudo: unable to change directory to /home/mydomain.com/jona: No such file or directory
>> sudo: unable to execute /bin/sh: No such file or directory

But I think this counts as part of the "files" in the line in my
nsswitch.conf:

>> [root@ipa-test01 ~]# cat /etc/nsswitch.conf | grep automount
>> automount: sss files

If I'm understanding correctly, the server should pull all of this
information from LDAP on where to mount from/to and should not have a local
configuration file for dealing with "LDAP Managed" mount points.

At this point I'm stumped.  None of the guides or previous mailing lists
seem to discuss this specific issue...  Can anyone provide some further
ideas for troubleshooting my setup please?


Also, because I'm working with an AD domain, my login credentials are
j...@mydomain.com, which means my home directory is /home/mydomain.com/jona,
so when any user from the AD domain logs into this server, all home dirs
will be mounted since we're mounting home-dir01:/exports/home/mydomain.com
to ipa-test01:/home/mydomain.com, right?  Is there any way to force more
granular mounting of home directories?

Thanks for the assistance!

Best Regards,
Jon A

Re: [Freeipa-users] Fwd: Creating Trusts with AD - (RH#878168, FIPA#3266)

2016-01-27 Thread Jon
Hi Alexander,

I've changed the names to anonymize the logs, but have maintained the
structure of the names.

This is how I've got the hostname configured:

>> [root@freeipaserver ~]# hostname
>> freeipaserver
>> [root@freeipaserver ~]# hostname -a
>> freeipaserver
>> [root@freeipaserver ~]# hostname -f
>> freeipaserver.my.sub.domain.com
>> [root@freeipaserver ~]# cat /etc/hosts
>> 127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
>> ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
>>
>> 192.168.1.10 freeipaserver.my.sub.domain.com freeipaserver
>>
>> [root@freeipaserver ~]# cat /etc/sysconfig/network
>> DNS1=192.168.10.1
>> NISDOMAIN=my.sub.domain.com
>> GATEWAY=192.168.1.1
>> SEARCH=my.sub.domain.com
>> DOMAIN=my.sub.domain.com

(NISDOMAIN and DOMAIN were previous attempts to set the domain.  I can't
just set /etc/hostname to "freeipaserver" as a bash prompt that says [
r...@freeipaserver.my.sub.domain.com ~] is unacceptable to our ops teams,
and we can't rewrite our bashrcs (these are company standards).  However,
based on the instructions, I do believe I've set the hostname correctly
unless something has changed between RHEL6 and RHEL7).

Thanks,
Jon A

On Wed, Jan 27, 2016 at 2:44 PM, Alexander Bokovoy <aboko...@redhat.com>
wrote:

> On Wed, 27 Jan 2016, Jon wrote:
>
>> Hello,
>>
>> Thanks for your feedback.
>>
>> So I reran `ipa-adtrust-install` and got a core dump from samba that there
>> was no space left on the device...?
>>
>> A little digging showed that /var/log had filled up with files named
>> "core.X" in /var/log/samba/cores/winbindd.  So I removed all of them
>> and reran `ipa-adtrust-install --add-sids` which continues to fail on
>> starting CIFS services.  Debug information shows that it's the smb service
>> that isn't starting:
>>
>>   [22/22]: starting CIFS services
>> ipa : DEBUG    Starting external process
>> ipa : DEBUG    args='/bin/systemctl' 'start' 'smb.service'
>> ipa : DEBUG    Process finished, return code=1
>> ipa : DEBUG    stdout=
>> ipa : DEBUG    stderr=Job for smb.service failed because the control process exited with error code. See "systemctl status smb.service" and "journalctl -xe" for details.
>>
>> ipa : CRITICAL CIFS services failed to start
>> ipa : DEBUG    duration: 16 seconds
>> ipa : DEBUG    Done configuring CIFS.
>>
>> Looking at the samba logs, I see:
>>
>> Jan 27 13:19:48 freeipa01enwdco smbd[18300]: [2016/01/27 13:19:48.482378,  0] ipa_sam.c:4208(bind_callback_cleanup)
>> Jan 27 13:19:48 freeipa01enwdco smbd[18300]:   kerberos error: code=-1765328203, message=Keytab contains no suitable keys for cifs/freeipaser...@my.sub.domain.com
>
> ^ is this the real name for the server? E.g. it is non-fully qualified
> one here? What does your `hostname` command show?
>
>> Jan 27 13:19:49 freeipa01enwdco smbd[18300]: [2016/01/27 13:19:49.482818,  0] ipa_sam.c:4520(pdb_init_ipasam)
>> Jan 27 13:19:49 freeipa01enwdco smbd[18300]:   Failed to get base DN.
>> Jan 27 13:19:49 freeipa01enwdco smbd[18300]: [2016/01/27 13:19:49.482909,  0] ../source3/passdb/pdb_interface.c:179(make_pdb_method_name)
>> Jan 27 13:19:49 freeipa01enwdco smbd[18300]:   pdb backend ipasam:ldapi://%2fvar%2frun%2fslapd-MY-SUB-DOMAIN-COM.socket did not correctly init (error was NT_STATUS_UNSUCCESSFUL)
>> Jan 27 13:19:49 freeipa01enwdco systemd[1]: smb.service: main process exited, code=exited, status=1/FAILURE
>> Jan 27 13:19:49 freeipa01enwdco systemd[1]: Failed to start Samba SMB Daemon.
>> Jan 27 13:19:49 freeipa01enwdco systemd[1]: Unit smb.service entered failed state.
>> Jan 27 13:19:49 freeipa01enwdco systemd[1]: smb.service failed.
>>
>> I tried following the trust debugging instructions here:
>> http://www.freeipa.org/page/Active_Directory_trust_setup#Debugging_trust
>>
>> But it fails on the step `systemctl start smb winbind`
>>
>> # systemctl stop smb winbind
>> # net conf setparm 

Re: [Freeipa-users] Fwd: Creating Trusts with AD - (RH#878168, FIPA#3266)

2016-01-27 Thread Jon
Hello,

Thanks for your feedback.

So I reran `ipa-adtrust-install` and got a core dump from samba that there
was no space left on the device...?

A little digging showed that /var/log had filled up with files named
"core.X" in /var/log/samba/cores/winbindd.  So I removed all of them
and reran `ipa-adtrust-install --add-sids` which continues to fail on
starting CIFS services.  Debug information shows that it's the smb service
that isn't starting:

>>   [22/22]: starting CIFS services
>> ipa : DEBUG    Starting external process
>> ipa : DEBUG    args='/bin/systemctl' 'start' 'smb.service'
>> ipa : DEBUG    Process finished, return code=1
>> ipa : DEBUG    stdout=
>> ipa : DEBUG    stderr=Job for smb.service failed because the control process exited with error code. See "systemctl status smb.service" and "journalctl -xe" for details.
>>
>> ipa : CRITICAL CIFS services failed to start
>> ipa : DEBUG    duration: 16 seconds
>> ipa : DEBUG    Done configuring CIFS.

Looking at the samba logs, I see:

>> Jan 27 13:19:48 freeipa01enwdco smbd[18300]: [2016/01/27 13:19:48.482378,  0] ipa_sam.c:4208(bind_callback_cleanup)
>> Jan 27 13:19:48 freeipa01enwdco smbd[18300]:   kerberos error: code=-1765328203, message=Keytab contains no suitable keys for cifs/freeipaser...@my.sub.domain.com
>> Jan 27 13:19:49 freeipa01enwdco smbd[18300]: [2016/01/27 13:19:49.482818,  0] ipa_sam.c:4520(pdb_init_ipasam)
>> Jan 27 13:19:49 freeipa01enwdco smbd[18300]:   Failed to get base DN.
>> Jan 27 13:19:49 freeipa01enwdco smbd[18300]: [2016/01/27 13:19:49.482909,  0] ../source3/passdb/pdb_interface.c:179(make_pdb_method_name)
>> Jan 27 13:19:49 freeipa01enwdco smbd[18300]:   pdb backend ipasam:ldapi://%2fvar%2frun%2fslapd-MY-SUB-DOMAIN-COM.socket did not correctly init (error was NT_STATUS_UNSUCCESSFUL)
>> Jan 27 13:19:49 freeipa01enwdco systemd[1]: smb.service: main process exited, code=exited, status=1/FAILURE
>> Jan 27 13:19:49 freeipa01enwdco systemd[1]: Failed to start Samba SMB Daemon.
>> Jan 27 13:19:49 freeipa01enwdco systemd[1]: Unit smb.service entered failed state.
>> Jan 27 13:19:49 freeipa01enwdco systemd[1]: smb.service failed.


I tried following the trust debugging instructions here:
http://www.freeipa.org/page/Active_Directory_trust_setup#Debugging_trust

But it fails on the step `systemctl start smb winbind`

>> # systemctl stop smb winbind
>> # net conf setparm global 'log level' 100
>> # nano /usr/share/ipa/smb.conf.empty
>> # rm /var/log/samba/log.*
>> # systemctl start smb winbind
>> Job for smb.service failed because the control process exited with error code. See "systemctl status smb.service" and "journalctl -xe" for details.

Which produces the exact same error listed above.


In /var/log/samba/log.smbd I see what appears to be a stack trace; I see
the same exact error as above, as well as the error about the socket not
initing correctly:

>> [2016/01/27 13:26:21.606257,  0, pid=18344, effective(0, 0), real(0, 0)] ipa_sam.c:4208(bind_callback_cleanup)
>>   kerberos error: code=-1765328203, message=Keytab contains no suitable keys for cifs/freeipaser...@my.sub.domain.com
>> [2016/01/27 13:26:21.606422,  2, pid=18344, effective(0, 0), real(0, 0)] ../source3/lib/smbldap.c:998(smbldap_connect_system)
>>   failed to bind to server ldapi://%2fvar%2frun%2fslapd-MY-SUB-DOMAIN-COM.socket with dn="[Anonymous bind]" Error: Local error
>>   (unknown)
>> [2016/01/27 13:26:22.606842,  0, pid=18344, effective(0, 0), real(0, 0), class=passdb] ../source3/passdb/pdb_interface.c:179(make_pdb_method_name)
>>   pdb backend ipasam:ldapi://%2fvar%2frun%2fslapd-MY-SUB-DOMAIN-COM.socket did not correctly init (error was NT_STATUS_UNSUCCESSFUL)

So I think the problem is more fundamental than trusts as samba won't even
start.

Is there any documentation or does anyone have some good tricks for
troubleshooting samba?

Thanks,
Jon A

On Wed, Jan 20, 2016 at 4:57 AM, Alexander Bokovoy <aboko...@redhat.com>
wrote:

> On Wed, 20 Jan 2016, Anon Lister wrote:
>
>> So I had the same problem. For me it ended up being that some attribute
>> was not created correctly in 389 using the instructions in the guide. I don't
>> remember what it was off the top of my head. Something about a default
>> user or group SID I think. Had to turn samba logging up. Eventually it shows
>> the attribute it is failing on. I ended up manually adding it with vildap and
>> it worked fine after that. If no one else gets it I'll poke around and see
>> if I can find what it was, took me several hours to debug due to the
>> somewhat misleading error message.
>>
> The message is the

Re: [Freeipa-users] Fwd: Creating Trusts with AD - (RH#878168, FIPA#3266)

2016-01-27 Thread Jon
Hi Alexander,

Huzzah!

Thanks for explaining how gethostname() works.  At least armed with this
information I can make a case to the powers that be why we need to make a
change like this.

So does this mean that all servers should have a fqdn in /etc/hostname or
in the case of RHEL6 setting the HOSTNAME variable in
/etc/sysconfig/network?

Thanks a ton for your help!

Best Regards,
Jon A


On Wed, Jan 27, 2016 at 3:16 PM, Alexander Bokovoy <aboko...@redhat.com>
wrote:

> On Wed, 27 Jan 2016, Jon wrote:
>
>> Hi Alexander,
>>
>> I've changed the names to anonymize the logs, but have maintained the
>> structure of the names.
>>
>> This is how I've got the hostname configured:
>>
>> [root@freeipaserver ~]# hostname
>> freeipaserver
>> [root@freeipaserver ~]# hostname -a
>> freeipaserver
>> [root@freeipaserver ~]# hostname -f
>> freeipaserver.my.sub.domain.com
>> [root@freeipaserver ~]# cat /etc/hosts
>> 127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
>> ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
>>
>> 192.168.1.10 freeipaserver.my.sub.domain.com freeipaserver
>>
>> [root@freeipaserver ~]# cat /etc/sysconfig/network
>> DNS1=192.168.10.1
>> NISDOMAIN=my.sub.domain.com
>> GATEWAY=192.168.1.1
>> SEARCH=my.sub.domain.com
>> DOMAIN=my.sub.domain.com
>>
>> (NISDOMAIN and DOMAIN were previous attempts to set the domain.  I can't
>> just set /etc/hostname to "freeipaserver" as a bash prompt that says [
>> r...@freeipaserver.my.sub.domain.com ~] is unacceptable to our ops teams,
>> and we can't rewrite our bashrcs (these are company standards).  However,
>> based on the instructions, I do believe I've set the hostname correctly
>> unless something has changed between RHEL6 and RHEL7).
>>
> So this is not going to work, sorry.
>
> One way or another, Kerberos requires you to have uniform names, so
> freeipaserver and freeipaserver.my.sub.domain.com are different names
> and thus cifs/freeipaserver@REALM and
> cifs/freeipaserver.my.sub.domain.com@REALM
> are two different Kerberos principals. FreeIPA KDC does not support
> aliases.
>
> Almost all software using Kerberos is retrieving hostname using
> gethostname() call which, in turn, uses uname() system call and copies
> hostname from a nodename element of the returned structure. There is no
> code that complements nodename with default domain or something, so
> that output has to be fully qualified or ALL hosts in your deployment
> would need to be non-fully qualified.
>
> `hostname` output is essentially giving you what uname() returns in
> nodename, while `hostname -f` appends default domain to it.
>
> Company standards may be important but in this case your bashrc code is
> clearly based on something that is not really taking Kerberos reality
> into account.
> --
> / Alexander Bokovoy
>
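Alexander's point about gethostname() and the uname() nodename can be checked on a host before running ipa-adtrust-install. The C program below is an added example, not from the thread or from FreeIPA: it reports the kernel nodename exactly as gethostname() returns it, builds the cifs/ service principal smbd would derive from that name, and warns when the nodename is not fully qualified, which is the mismatch behind the "Keytab contains no suitable keys" error. The realm MY.SUB.DOMAIN.COM is a constructed value matching the anonymised names in the thread.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/utsname.h>

/* Return 1 if `host` looks fully qualified (has an interior dot), else 0.
 * Kerberos libraries do not append a default domain to the nodename, so
 * "freeipaserver" and "freeipaserver.my.sub.domain.com" name two different
 * principals. */
int is_fully_qualified(const char *host)
{
    const char *dot = strchr(host, '.');
    return dot != NULL && dot != host && dot[1] != '\0';
}

/* Build "service/host@REALM" verbatim, the way a Kerberos-aware service
 * builds its own principal from gethostname(). Returns 0 on success,
 * -1 if the result would not fit in `out`. */
int build_service_principal(char *out, size_t outlen, const char *service,
                            const char *host, const char *realm)
{
    int n = snprintf(out, outlen, "%s/%s@%s", service, host, realm);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Preflight check: copy the uname() nodename into `out` and return 1 if it
 * is fully qualified, 0 if it is a short name, -1 if uname() fails. */
int check_nodename(char *out, size_t outlen)
{
    struct utsname u;
    if (uname(&u) != 0)
        return -1;
    snprintf(out, outlen, "%s", u.nodename);
    return is_fully_qualified(u.nodename);
}

int main(void)
{
    char node[256], gh[256], princ[512];
    /* Constructed realm; on a real server take it from /etc/krb5.conf. */
    const char *realm = "MY.SUB.DOMAIN.COM";

    int rc = check_nodename(node, sizeof node);
    if (rc < 0) { perror("uname"); return 1; }
    if (gethostname(gh, sizeof gh) != 0) { perror("gethostname"); return 1; }
    gh[sizeof gh - 1] = '\0';

    /* Both calls come from the same kernel nodename, so they agree; the
     * "hostname -f" FQDN is a separate resolver lookup and may differ. */
    printf("uname() nodename : %s\n", node);
    printf("gethostname()    : %s\n", gh);
    if (build_service_principal(princ, sizeof princ, "cifs", gh, realm) == 0)
        printf("smbd would look up keytab entry: %s\n", princ);
    if (!rc)
        printf("WARNING: nodename is not fully qualified; ipa-adtrust-install "
               "stores cifs/<fqdn>@%s in the keytab, so smbd will not find "
               "a matching key\n", realm);
    return rc ? 0 : 2;
}
```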