[Freeipa-users] Re: conflicting hostname requirement from SAP
On Thu, 11 Oct 2018, Dan Haskell via FreeIPA-users wrote:
> On 10/10/18 5:03 PM, Dan Haskell via FreeIPA-users wrote:
> > On 10/10/18 4:10 PM, John Keates wrote:
> > > I’d say: don’t run FreeIPA server on the same install as the SAP server.
> >
> > So, the fqdn requirement doesn't apply to the client? Awesome. Thank you very much.
> >
> > Dan
>
> [snip]
>
> According to the link below, clients *have* to use FQDN. Not just IPA servers.
>
> https://www.digitalocean.com/community/tutorials/how-to-configure-a-freeipa-client-on-centos-7
>
> So, anyone know a way around this?

Let us step aside and state the problem first.

You want:
 - to enroll a machine to IPA realm and use SSSD to provide services on it?
 - to run SAP server on the machine you just enrolled?

The second part requires that SAP server sees a hostname as a non-qualified one, correct?

If those are two starting points, you can do the following on RHEL 7.5 or similar system (all I care here is a contemporary SSSD and other tools, with expected configuration paths).

1. Enroll machine into IPA realm

   Use fqdn here, as required, but after enrollment is completed, change SSSD configuration by adding

       [domain/example.com]
       # the client's FQDN
       ipa_hostname = fqdn.example.com

2. Change your hostname back to non-fqdn.

       hostnamectl set-hostname non-fqdn

With these changes at least SSSD will be able to perform its duties.

There are practical issues with this approach which I have not verified yet. For example, SUDO may choke on fqdn versus non-fqdn difference in its rules. For HBAC rules this shouldn't be a problem because the check is done by SSSD and we forced SSSD to use fqdn.example.com

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
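
Added example, not part of the message above and not FreeIPA or SSSD code: a shell check for the two-step workaround, confirming that sssd.conf pins ipa_hostname to the FQDN while the system hostname is the short name. The function names, the sample sssd.conf, and the rule that the short name equals the first label of ipa_hostname are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helper names, constructed sample config).

# Print ipa_hostname from the [domain/<name>] section of an sssd.conf.
get_ipa_hostname() {  # usage: get_ipa_hostname <sssd.conf> <domain>
  awk -v want="[domain/$2]" '
    /^[ \t]*\[/ { gsub(/[ \t]/, ""); in_sec = ($0 == want); next }
    in_sec && /^[ \t]*ipa_hostname[ \t]*=/ {
      sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
    }' "$1"
}

# Check that SSSD keeps the FQDN while the system hostname is the short name.
check_workaround() {  # usage: check_workaround <sssd.conf> <domain> <hostname>
  local ipa_host
  ipa_host=$(get_ipa_hostname "$1" "$2")
  if [ -z "$ipa_host" ]; then
    echo "missing: ipa_hostname not set in [domain/$2]"; return 1
  fi
  case "$ipa_host" in
    *.*) ;;
    *) echo "bad: ipa_hostname '$ipa_host' is not fully qualified"; return 1 ;;
  esac
  case "$3" in
    *.*) echo "bad: hostname '$3' is still fully qualified"; return 1 ;;
  esac
  # Assumption: the short name is the first label of the enrolled FQDN.
  if [ "${ipa_host%%.*}" != "$3" ]; then
    echo "warn: '$3' is not the first label of '$ipa_host'"; return 1
  fi
  echo "ok: hostname '$3', SSSD uses '$ipa_host'"
}

# Constructed sample of /etc/sssd/sssd.conf after step 1.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
[sssd]
domains = example.com

[domain/example.com]
id_provider = ipa
# the client's FQDN
ipa_hostname = fqdn.example.com
EOF

check_workaround "$SAMPLE_CONF" example.com fqdn
# On a live host: check_workaround /etc/sssd/sssd.conf example.com "$(hostname)"
```

The check covers only the SSSD side; it says nothing about the sudo rule matching that the message flags as unverified.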
[Freeipa-users] Re: conflicting hostname requirement from SAP
On 10/10/18 5:03 PM, Dan Haskell via FreeIPA-users wrote:
> On 10/10/18 4:10 PM, John Keates wrote:
> > I’d say: don’t run FreeIPA server on the same install as the SAP server.
>
> So, the fqdn requirement doesn't apply to the client? Awesome. Thank you very much.
>
> Dan

[snip]

According to the link below, clients *have* to use FQDN. Not just IPA servers.

https://www.digitalocean.com/community/tutorials/how-to-configure-a-freeipa-client-on-centos-7

So, anyone know a way around this?

Dan
[Freeipa-users] Re: conflicting hostname requirement from SAP
On 10/10/18 4:10 PM, John Keates wrote:
> I’d say: don’t run FreeIPA server on the same install as the SAP server.

So, the fqdn requirement doesn't apply to the client? Awesome. Thank you very much.

Dan
[Freeipa-users] Re: conflicting hostname requirement from SAP
I’d say: don’t run FreeIPA server on the same install as the SAP server.

John

> On 10 Oct 2018, at 23:16, Dan Haskell via FreeIPA-users wrote:
>
> Per the FreeIPA quickstart guide:
>
> The rule about /etc/hosts is that the fully-qualified name must come first. It should look like:
>
> 10.0.0.1 ipa.example.com ipa
>
> Our servers run SAP, which requires the reverse. An SAP server's canonical name must be its short name. :(
>
> Is there any way to get freeipa to work with short names? I know it says "must be fully qualified" several times in the docs... Suggestions? Workarounds? Kludges?
>
> Dan