On Tue, Aug 07, 2018 at 04:51:00PM -0000, Ryan Slominski via FreeIPA-users wrote:
> Hi Robbie,
>    What is the proper way to configure an IPA host so that the sshd will use 
> the FQDN?   I've noticed that IPA client installer modifies the file 
> /etc/krb5.conf and adds the lines:

Does the 'hostname' command return only testclient2 or the FQDN? If it
only returns the short name please set it to the FQDN, restart sshd and
try again.

It is expected on IPA clients that the 'hostname' command returns the
FQDN.

HTH

bye,
Sumit

> 
> dns_canonicalize_hostname = false
> rdns = false
> 
> If I comment out those lines then SSO works.  Alternatively I can modify the 
> /etc/ssh/sshd_config file and add:
> 
> GSSAPIStrictAcceptorCheck no
> 
> That will work somewhat - as long as the client uses a FQDN.  However, either 
> fix requires undoing something the IPA installer set.
> 
> Is there a security reason or something that motivates IPA to override 
> Kerberos defaults and disable hostname canonicalization?
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/74T7EOAFV7PYGVRJI6G5UU7RKNLSIQ67/
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/G5JAMBMSUCFPHLT6OZXFYECT6DLLZDHR/
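
The check suggested in the reply above, written out as an added example that is not part of the original thread: it tests whether the name `hostname` returns has a matching `host/` key in the keytab, which is what sshd needs while `GSSAPIStrictAcceptorCheck` is left at `yes`. The function names, the domain `example.test` and the realm `EXAMPLE.TEST` are constructed for illustration; the `--live` branch assumes MIT `klist` and read access to `/etc/krb5.keytab`.

```shell
#!/bin/sh
# Added example. Constructed names: testclient2.example.test / EXAMPLE.TEST.
# With GSSAPIStrictAcceptorCheck at its default (yes), sshd only accepts
# tickets for the host service on the current hostname, so that exact name
# must have a host/ key in the keytab.

# is_fqdn NAME: succeeds if NAME has at least two non-empty labels.
is_fqdn() {
    case "$1" in
        .*|*.|*..*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# acceptor_in_keytab NAME PRINCIPALS: succeeds if a line of PRINCIPALS
# (one principal per line) starts with host/NAME@.
acceptor_in_keytab() {
    printf '%s\n' "$2" |
        awk -v want="host/$1@" 'index($0, want) == 1 { found = 1 } END { exit !found }'
}

# diagnose NAME PRINCIPALS: prints a one-word verdict.
diagnose() {
    if acceptor_in_keytab "$1" "$2"; then
        echo ok
    elif is_fqdn "$1"; then
        echo no-key-for-fqdn
    else
        echo short-hostname
    fi
}

# Live use (as root, MIT klist): sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    # klist -k prints three header lines, then "KVNO principal" rows.
    principals=$(klist -k /etc/krb5.keytab | awk 'NR > 3 { print $2 }')
    diagnose "$(hostname)" "$principals"
fi
```

A verdict of `short-hostname` is the case the reply describes: the keytab holds only the FQDN principal, so the short name never matches until the hostname is set to the FQDN and sshd is restarted.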