[Freeipa-users] Using subdomains (or dots) in hostnames

Jakub Hrozek jhrozek at redhat.com
Thu Aug 29 17:36:32 UTC 2013


On Mon, Aug 19, 2013 at 04:05:40PM +0300, Thomas Raehalme wrote:
> Hi!
> 
> We are in the process of deploying FreeIPA in our virtual environment.
> So far things are working smoothly and I am really impressed by the
> solution!
> 
> One question has arisen as we have added our first clients to the
> system. Because the total number of clients is 50 and going up, we
> have divided our servers into subdomains depending on the purpose of the
> server, i.e. test servers in one subdomain, internal services on
> another and so on. There is, however, no need for each subdomain to
> have its own IPA server.
> 
> Let's say we're using domain example.com. Adding clients a.example.com
> and b.example.com was smooth. Adding client a.sub1.example.com also
> had no problems until I tried to get sudoers from the IPA server
> (using SSSD and LDAP as suggested). The client fails to find any users
> matching the server name. Because the only difference compared to a
> fully functional server is the dot in the host name, that's probably
> the reason why no sudoers are found for the server in the subdomain?
> 
> For IPA master I am using CentOS 6.4 and
> ipa-server-3.0.0-26.el6_4.4.x86_64. The clients are also CentOS 6.4
> with ipa-client-3.0.0-26.el6_4.4.x86_64.
> 
> Any help is appreciated! Please let me know if providing any piece of
> information helps.
> 
> Best regards,
> Thomas

Sorry Thomas, the subject line fooled me and I didn't see this might be
an SSSD issue.

What do you use in nsswitch.conf for sudoers? ldap or sss? If sss, can
you also paste your sssd.conf?

Can you paste the output of sudo along with the -D parameter to get some
debugging?



