On Mon, Jul 31, 2017 at 05:47:11PM -0400, Alexandre Pitre wrote:
> Bull-eye Jakub, that did the trick. I should have posted for help on the
> mailing list sooner. Thanks you so much, you are saving my ass.
> It makes sense to increase the krb5_auth_timeout as my AD domain
> controllers servers are worldwide. Currently they exist in 3 regions: North
> America, Europe and Asia.
> The weird thing is it seems that when a linux host try to authenticate
> against my AD, it just randomly select an AD DC from the _kerberos  SRV
> records. Normally, on the windows side, if "sites and services" are setup
> correctly with subnet defined and binded to sites, a windows client
> shouldn't try to authenticate against an AD DC that isn't local to his
> site. This mechanism doesn't  seem to apply to my linux hosts. Is it
> because it's only available for windows hosts ? Is there another way to
> force linux clients to authenticate against AD DC local to their site ?

We haven't implemented the site selection for the clients yet, only for
servers, see:

> For now, I set the krb5_auth_timeout to 120 seconds. I had to completely
> stop sssd and start it again. A colleague mentioned that sssd has a known
> issue with restart apparently.

I'm not aware of any such issue..

> Also, I'm curious about ports requirements. Going from linux hosts to AD, I
> only authorize 88 TCP/UDP. I believe that's all I need.

Yes, from the clients, that should be enough. The servers need more
ports open:
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to