From 15890ccdef55168e9753ff6957ce64096837c627 Mon Sep 17 00:00:00 2001
From: "Suren A. Chilingaryan"
Date: Fri, 11 Oct 2019 07:35:35 +0200
Subject: Allow kerberos authentication with short (non-FQDN) names
---
 roles/ands_idm/handlers/main.yml | 2 ++
 roles/ands_idm/tasks/setup_ipa.yml | 6 +++++-
 2 files changed, 7 insertions(+), 1 deletion(-)
 create mode 100644 roles/ands_idm/handlers/main.yml
diff --git a/roles/ands_idm/handlers/main.yml b/roles/ands_idm/handlers/main.yml
new file mode 100644
index 0000000..a83718c
--- /dev/null
+++ b/roles/ands_idm/handlers/main.yml
@@ -0,0 +1,2 @@
+- name: restart sssd
+ shell: systemctl restart sssd
diff --git a/roles/ands_idm/tasks/setup_ipa.yml b/roles/ands_idm/tasks/setup_ipa.yml
index 06fe6da..7641670 100644
--- a/roles/ands_idm/tasks/setup_ipa.yml
+++ b/roles/ands_idm/tasks/setup_ipa.yml
@@ -16,5 +16,9 @@
 command: "/usr/sbin/ipa-client-install -p admin -w {{ config.ands_idm_admin_password | quote }} --hostname={{ hostname.stdout }} --domain={{ ands_domain }} --server={{ ands_idm_server }} --enable-dns-updates --mkhomedir --request-cert --unattended"
 when:
 - ipa_check.rc != 0
-
+# This may break krb authentication for users with exsiting tickets all together until idm server is restarted
+- name: "Enable hostname canonicalization"
+ lineinfile: path="/etc/krb5.conf" regexp="dns_canonicalize_hostname" line=" dns_canonicalize_hostname = true" state="present"
+ notify:
+ - restart sssd
-- 
cgit v1.2.3
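Review bot: The new handler in roles/ands_idm/handlers/main.yml restarts the daemon through `shell: systemctl restart sssd`, which spawns a shell for a fixed command and bypasses Ansible's own service handling. The `service` module states the same intent declaratively: `service: name=sssd state=restarted`. The file being changed is /etc/krb5.conf, which other Kerberos clients on the host read too, so restarting sssd alone probably does not cover every consumer of the new setting.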
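Review bot: The `lineinfile` task added to setup_ipa.yml does not pin where the setting lands: when nothing matches, the line is appended to the end of /etc/krb5.conf, which may be outside `[libdefaults]`, and the unanchored `regexp="dns_canonicalize_hostname"` also matches a commented-out copy of the option. Adding `insertafter="^\[libdefaults\]"` and anchoring the pattern as `regexp="^\s*dns_canonicalize_hostname\s*="` would keep the edit in the section where libkrb5 looks for it. The comment above the task should also record the security trade-off: with canonicalization enabled, service principal names are derived from DNS answers, so Kerberos authentication on these hosts now depends on a trustworthy resolver, and ipa-client-install appears to write this option as false for that reason. Something like `# Re-enables DNS canonicalization that ipa-client-install turns off; short names then rely on trusted DNS` would make that explicit for the next maintainer.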