Hi Robbie,
What is the proper way to configure an IPA host so that the sshd will use
the FQDN? I've noticed that the IPA client installer modifies the file
/etc/krb5.conf and adds the lines:

dns_canonicalize_hostname = false
rdns = false

If I comment out those lines then SSO works.  Alternatively I can modify the 
/etc/ssh/sshd_config file and add:

GSSAPIStrictAcceptorCheck no

That will work somewhat - as long as the client uses a FQDN.  However, either 
fix requires undoing something the IPA installer set.

Is there a security reason or something that motivates IPA to override Kerberos 
defaults and disable hostname canonicalization?
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/74T7EOAFV7PYGVRJI6G5UU7RKNLSIQ67/