Hi there,
we're using ipa-server-4.4.0 (without its own DNS) and are facing a situation with an A/CNAME host.
Basically a host is installed with the CNAME as its OS hostname, and IPA is aware only of the A record, since the host is joined to the IPA domain with its A record. The A record is a member of the proper host group and there is a relevant sudo policy, but that doesn't work since the CNAME is not added to the IPA domain.
Is there any better resolution for this, other than adding the CNAME to the IPA domain and to the relevant hostgroup?
This command, as expected, reports an error:
# ipa host-show <CNAME>
ipa: ERROR: <CNAME>: host not found
and the command
# ipa host-show <A_record>
gives the expected output ...
Host name: <FQDN>
Principal name: host/<FQDN>@<DOMAIN>
etc
thanks, Zarko
On Wed, Aug 30, 2017 at 07:21:11PM +0000, Z D via FreeIPA-users wrote:
> Hi there,
> we're using ipa-server-4.4.0 (without its own DNS) and are facing a situation with an A/CNAME host.
> Basically a host is installed with the CNAME as its OS hostname, and IPA is aware only of the A record, since the host is joined to the IPA domain with its A record. The A record is a member of the proper host group and there is a relevant sudo policy, but that doesn't work since the CNAME is not added to the IPA domain.
> Is there any better resolution for this, other than adding the CNAME to the IPA domain and to the relevant hostgroup?
> This command, as expected, reports an error:
> # ipa host-show <CNAME>
> ipa: ERROR: <CNAME>: host not found
> and the command
> # ipa host-show <A_record>
> gives the expected output ...
> Host name: <FQDN>
> Principal name: host/<FQDN>@<DOMAIN>
> etc
Does ipa_hostname in sssd.conf point to cname (or, the hostname registered with IPA) ?
> Does ipa_hostname in sssd.conf point to cname (or, the hostname registered with IPA) ?
It points to the DNS A record, the one that is registered with IPA.
________________________________
From: Jakub Hrozek via FreeIPA-users freeipa-users@lists.fedorahosted.org
Sent: Wednesday, August 30, 2017 12:26:40 PM
To: freeipa-users@lists.fedorahosted.org
Cc: Jakub Hrozek
Subject: [Freeipa-users] Re: sudo policy doesn't work since host is installed with CNAME
Does ipa_hostname in sssd.conf point to cname (or, the hostname registered with IPA) ?
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
On Wed, Aug 30, 2017 at 08:51:24PM +0000, Z D wrote:
> > Does ipa_hostname in sssd.conf point to cname (or, the hostname registered with IPA) ?
> It points to the DNS A record, the one that is registered with IPA.
Pavel, is a setup with a machine where the hostname in IPA doesn't match the machine hostname known to work?
On 08/31/2017 08:35 AM, Jakub Hrozek wrote:
> On Wed, Aug 30, 2017 at 08:51:24PM +0000, Z D wrote:
> > > Does ipa_hostname in sssd.conf point to cname (or, the hostname registered with IPA) ?
> > It points to the DNS A record, the one that is registered with IPA.
> Pavel, is a setup with a machine where the hostname in IPA doesn't match the machine hostname known to work?
sudo should read ipa_hostname from /etc/sssd/sssd.conf so if this option is present, it should work. If it does not, we need sudo debug logs.
This is resolved by updating the sudo package.
---> Package sudo.x86_64 0:1.8.6p7-11.el7 will be updated
---> Package sudo.x86_64 0:1.8.19p2-10.el7 will be an update
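A small diagnostic for the A/CNAME mismatch discussed in this thread, added here as an example and not part of the list posts or of SSSD or sudo themselves: it reads ipa_hostname from an sssd.conf (a constructed sample is embedded), falls back to the OS FQDN when the option is unset, which is the behaviour sssd-ipa(5) documents, and flags the case where the name SSSD presents to IPA differs from the OS hostname. The host names and domain are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Shows which host name SSSD (and a sudo
# that honours ipa_hostname) uses to match IPA hostgroups and sudo rules.
# Assumption (sssd-ipa(5)): ipa_hostname overrides the system hostname; when
# it is unset, SSSD uses the machine's own FQDN. Host names below are constructed.

# Print the ipa_hostname value from the [domain/...] section of an sssd.conf.
get_ipa_hostname() {
    awk -F'=' '
        /^[ \t]*\[/ { in_domain = ($0 ~ /^[ \t]*\[domain\//); next }
        in_domain && $1 ~ /^[ \t]*ipa_hostname[ \t]*$/ {
            sub(/^[ \t]+/, "", $2); sub(/[ \t]+$/, "", $2); print $2; exit
        }' "$1"
}

# Name SSSD presents for this host: ipa_hostname if set, otherwise the OS FQDN.
effective_ipa_hostname() {
    name=$(get_ipa_hostname "$1")
    if [ -n "$name" ]; then printf '%s\n' "$name"; else printf '%s\n' "$2"; fi
}

# Returns 0 when OS hostname and IPA identity agree, 1 on the A/CNAME mismatch
# from the thread, printing what to verify on the IPA side in that case.
check_host_identity() {
    conf="$1"; os_fqdn="$2"
    ipa_name=$(effective_ipa_hostname "$conf" "$os_fqdn")
    if [ "$ipa_name" = "$os_fqdn" ]; then
        echo "OK: host identity '$ipa_name' matches the OS hostname"
        return 0
    fi
    echo "MISMATCH: OS hostname '$os_fqdn', IPA host identity '$ipa_name'"
    echo "  hostgroup membership and sudo rules are matched against '$ipa_name'"
    echo "  check: ipa host-show $ipa_name, and that sudo honours ipa_hostname"
    return 1
}

# Constructed sssd.conf: the host was enrolled with its A-record name.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
[sssd]
domains = example.test
services = nss, pam, sudo
[domain/example.test]
id_provider = ipa
ipa_hostname = host-a.example.test
EOF

# OS hostname is the CNAME, as in the thread: the check reports the mismatch.
check_host_identity "$SAMPLE_CONF" "host-cname.example.test" || :
```

Run it on a real host with `check_host_identity /etc/sssd/sssd.conf "$(hostname -f)"`; a MISMATCH line is expected on the setup described above and is only a problem if sudo ignores ipa_hostname, as the older sudo package here did.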
________________________________
From: Pavel Březina pbrezina@redhat.com
Sent: Thursday, August 31, 2017 1:48:33 AM
To: Jakub Hrozek; Z D
Cc: FreeIPA users list
Subject: Re: [Freeipa-users] Re: sudo policy doesn't work since host is installed with CNAME
sudo should read ipa_hostname from /etc/sssd/sssd.conf so if this option is present, it should work. If it does not, we need sudo debug logs.