The circumstances/environment are a little unusual.

We have a secure zone in which Windows AD has read-only domain controllers, as a 
security measure, which we use to authenticate against. The read-write DCs are 
firewalled off but are assigned the core roles (I'm more Linux than Windows; I 
forget what roles they are).

So we have a RHEL 7.2 system with sssd-1.13.0-40, and it has the following in its 

dns_discovery_domain = XX-XXX-XXX-PRIV._sites.domain.xx.xx.xx
ad_site = XX-XXX-XXX-PRIV
ad_enable_dns_sites = true

and it happily identifies the RODCs in the site XX-XXX-XXX-PRIV with an SRV query 
to _ldap._tcp.XX-XXX-XXX-PRIV._sites.domain.xx.xx.xx

On the other hand, we have a SLES 12 SP2 system in the same zone, and when we 
configure it the same way, it cannot discover the RODCs in the XX-XXX-XXX-PRIV 
site, so we have worked around this by putting them in as ad_servers.

The SLES 12 SP2 version of sssd is sssd-

Our preference is not to have to rely on hardcoded server addresses, so the RHEL 
config is preferred, and I imagine the SLES one will catch up as updated 
versions are released on SLES. However, I was wondering how AD site discovery 
works and whether my assumption that the firewall is blocking that discovery 
(i.e. putting the site into the dns_discovery_domain setting) is correct.


Craig Silva
Specialist Engineer
CenItex | Level 15, 80 Collins Street, Melbourne 3000
ph: +61 3 8688 1297 | mob: +61 429 365 609

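Added example for the thread above (not code from the original post and not sssd's own implementation): the DNS side of the site-scoped discovery the post describes, run offline in Python. It reads the three sssd.conf settings, forms the SRV name that gets queried (_ldap._tcp. followed by dns_discovery_domain, which in this config already carries the <site>._sites. prefix), parses a constructed `dig +short SRV` answer, and orders the records the way RFC 2782 describes, which yields the list of DC host:port pairs the client will then try over LDAP. Those targets are what a firewall between the client and the DCs has to permit; the SRV lookup itself only talks to the configured resolver. The config fragment, the dig output and the rodc1/rodc2/rwdc1 host names are constructed for the example and reuse the post's placeholder site and domain names.

```python
"""DNS side of sssd's site-scoped AD DC discovery, reproduced offline.

Added example for the thread above; it is not code from the original post
and not sssd's own implementation.  It shows which SRV name the settings
in the post produce, and turns a (constructed) SRV answer into the ordered
list of DC endpoints that the client will then try to reach over LDAP.
"""
import random
import re
from dataclasses import dataclass

# Constructed sssd.conf fragment carrying the three settings from the post.
# Site and domain names are the post's own placeholders, not real names.
SSSD_CONF = """
[domain/ad.example]
dns_discovery_domain = XX-XXX-XXX-PRIV._sites.domain.xx.xx.xx
ad_site = XX-XXX-XXX-PRIV
ad_enable_dns_sites = true
"""

# Constructed answer in `dig +short SRV` form: "priority weight port target."
# The host names are invented for the example.
DIG_SHORT_ANSWER = """\
0 100 389 rodc1.domain.xx.xx.xx.
0 100 389 rodc2.domain.xx.xx.xx.
10 0 389 rwdc1.domain.xx.xx.xx.
"""


def parse_sssd_conf(text):
    """Minimal key = value parser for one [domain/...] section of sssd.conf."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";", "[")):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def srv_query_name(conf, service="_ldap", proto="_tcp"):
    """Site-scoped SRV name: _ldap._tcp.<dns_discovery_domain>.

    With the config from the post, dns_discovery_domain already carries the
    "<site>._sites." prefix, so the site label needs no separate handling.
    """
    return f"{service}.{proto}.{conf['dns_discovery_domain']}"


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def parse_dig_short(answer):
    """Parse `dig +short SRV` lines into SrvRecord objects (trailing dot dropped)."""
    records = []
    for line in answer.splitlines():
        m = re.fullmatch(r"\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*", line)
        if m:
            prio, weight, port, target = m.groups()
            records.append(SrvRecord(int(prio), int(weight), int(port),
                                     target.rstrip(".").lower()))
    return records


def order_srv(records, rng=None):
    """Order records the way RFC 2782 describes for client selection.

    Lower priority first; within one priority a weighted random draw, where
    weight-0 records are listed first so they are picked only as a last
    resort.  The RNG is seeded by default so the example is reproducible.
    """
    rng = rng or random.Random(0)
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = sorted((r for r in records if r.priority == prio),
                      key=lambda r: r.weight != 0)   # zero weights first
        while pool:
            total = sum(r.weight for r in pool)
            pick = rng.randint(0, total) if total else 0
            running = 0
            for r in pool:
                running += r.weight
                if running >= pick:
                    ordered.append(r)
                    pool.remove(r)
                    break
    return ordered


def discover(conf_text, dig_answer):
    """Return the SRV name queried and the ordered (host, port) endpoints.

    The endpoints are the hosts the client connects to after discovery, so
    they are the ones a firewall in front of the DCs has to permit.
    """
    conf = parse_sssd_conf(conf_text)
    endpoints = [(r.target, r.port) for r in order_srv(parse_dig_short(dig_answer))]
    return {"query": srv_query_name(conf), "endpoints": endpoints}


if __name__ == "__main__":
    result = discover(SSSD_CONF, DIG_SHORT_ANSWER)
    print("SRV query:", result["query"])
    for host, port in result["endpoints"]:
        print(f"  try {host}:{port}")
```

To use it against a real site, replace DIG_SHORT_ANSWER with the output of `dig +short SRV _ldap._tcp.<site>._sites.<domain>` taken on the client that fails discovery; if the answer is empty on that client but not on the working one, the difference is in DNS, and if both get the same targets, the next thing to check is whether those host:port pairs are reachable through the firewall.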
