On Thu, 11 Oct 2018, Dan Haskell via FreeIPA-users wrote:
On 10/10/18 5:03 PM, Dan Haskell via FreeIPA-users wrote:
On 10/10/18 4:10 PM, John Keates wrote:
I’d say: don’t run FreeIPA server on the same install as the SAP server.
So, the fqdn requirement doesn't apply to the client? Awesome. Thank you very much.
Dan [snip]
According to the link below, clients *have* to use FQDN. Not just IPA servers.
https://www.digitalocean.com/community/tutorials/how-to-configure-a-freeipa-...
So, anyone know a way around this?
Let us step aside and state the problem first. You want:
- to enroll a machine to IPA realm and use SSSD to provide services on it?
- to run SAP server on the machine you just enrolled?
The second part requires that SAP server sees a hostname as a non-qualified one, correct?
If those are two starting points, you can do the following on RHEL 7.5 or similar system (all I care here is a contemporary SSSD and other tools, with expected configuration paths).
1. Enroll machine into IPA realm
Use fqdn here, as required, but after enrollment is completed, change SSSD configuration by adding
[domain/example.com]
# the client's FQDN
ipa_hostname = fqdn.example.com
2. Change your hostname back to non-fqdn.

hostnamectl set-hostname non-fqdn
With these changes at least SSSD will be able to perform its duties.
There are practical issues with this approach which I have not verified yet. For example, SUDO may choke on fqdn versus non-fqdn difference in its rules. For HBAC rules this shouldn't be a problem because the check is done by SSSD and we forced SSSD to use fqdn.example.com.
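The SSSD part of the reply above, as an added shell example that is not from the thread or the FreeIPA project: it pins ipa_hostname inside the [domain/...] section of a given sssd.conf (inserting or replacing it) and then checks that the short name you intend to pass to hostnamectl is the first label of that pinned FQDN, so the two do not drift apart. The config path, domain name and FQDN are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the project's code: pin SSSD's ipa_hostname to the
# enrolment FQDN so the machine can afterwards take a short hostname.
set -eu

# set_ipa_hostname CONFIG DOMAIN FQDN
# Inserts or replaces "ipa_hostname = FQDN" inside [domain/DOMAIN] of CONFIG.
# Fails if that section does not exist (nothing is written in that case).
set_ipa_hostname() {
    conf="$1"; domain="$2"; fqdn="$3"
    tmp="$(mktemp)"
    awk -v sect="[domain/$domain]" -v fqdn="$fqdn" '
        function emit() { if (insect && !done) { print "ipa_hostname = " fqdn; done = 1 } }
        /^\[/ { emit(); insect = ($0 == sect) }          # section boundary
        insect && /^[ \t]*ipa_hostname[ \t]*=/ {          # replace existing key
            print "ipa_hostname = " fqdn; done = 1; next }
        { print }
        END { emit(); if (!done) exit 2 }                 # section never seen
    ' "$conf" > "$tmp" || { rm -f "$tmp"; echo "no [domain/$domain] in $conf" >&2; return 1; }
    cat "$tmp" > "$conf"; rm -f "$tmp"
}

# check_hostname_pinned CONFIG DOMAIN SHORTNAME
# Succeeds only if [domain/DOMAIN] carries an ipa_hostname whose first label
# equals SHORTNAME, i.e. the name you are about to set with hostnamectl.
check_hostname_pinned() {
    conf="$1"; domain="$2"; short="$3"
    ipa="$(awk -v sect="[domain/$domain]" '
        /^\[/ { insect = ($0 == sect) }
        insect && /^[ \t]*ipa_hostname[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$conf")"
    [ -n "$ipa" ] || { echo "ipa_hostname not set in [domain/$domain]" >&2; return 1; }
    case "$ipa" in
        "$short".*) return 0 ;;
        *) echo "ipa_hostname '$ipa' does not start with '$short.'" >&2; return 1 ;;
    esac
}

# Usage on a real client (placeholders): after ipa-client-install has run,
#   set_ipa_hostname /etc/sssd/sssd.conf example.com sap01.example.com
#   check_hostname_pinned /etc/sssd/sssd.conf example.com sap01 && hostnamectl set-hostname sap01
```

Restart sssd after editing the file; the check only reads the configuration and never changes the hostname itself.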