The circumstances/environment are a little unusual. We have a secure zone in which Windows AD has read-only domain controllers as a security measure, which we use to authenticate against. The read-write DCs are firewalled off but are assigned the core roles (I'm more Linux than Windows; I forget what roles they are).

So we have a RHEL 7.2 system, sssd-1.13.0-40, and it has the following in its sssd.conf:

    dns_discovery_domain = XX-XXX-XXX-PRIV._sites.domain.xx.xx.xx
    ad_site = XX-XXX-XXX-PRIV
    ad_enable_dns_sites = true

and it happily identifies the RODCs in the site XX-XXX-XXX-PRIV with an SRV query to _ldap._tcp.XX-XXX-XXX-PRIV._sites.domain.xx.xx.xx.

On the other hand, we have a SLES 12 SP2 system in the same zone, and when we configure it the same way, it cannot discover the RODCs in the XX-XXX-XXX-PRIV site, so we have worked around this by putting them in as ad_servers. The SLES 12 SP2 version of sssd is sssd-18.104.22.168.

Our preference is to not have to rely on hardcoded server addresses, so the RHEL config is preferred, and I imagine the SLES one will catch up as the updated versions are released on SLES. However, I was wondering how AD site discovery worked and whether my assumption that the firewall is blocking that discovery (i.e. putting the site into the dns_discovery_domain setting) is correct.

Cheers,
Craig Silva
Specialist Engineer, CenItex
FreeIPA-users mailing list
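A diagnostic script for the situation described in the post, added here as an example and not taken from the post or from the SSSD project. It assumes SSSD's site-aware discovery queries the site-specific _ldap/_kerberos SRV names first and the domain-wide names as a fallback, and it checks whether each target a query returns is reachable on its port from the client, which is the quickest way to tell a DNS problem from a firewall block. The domain and site arguments are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the SRV lookups that
# SSSD AD site discovery issues for a site and domain, then test a TCP connect
# to every returned DC. Uses the standard dig(1) and nc(1) tools.

# Print the SRV names site-aware discovery tries: site-specific records first,
# then the domain-wide fallbacks (assumed ordering, labelled in the lead-in).
srv_names() {
    domain="$1"
    site="$2"
    printf '%s\n' \
        "_ldap._tcp.${site}._sites.${domain}" \
        "_kerberos._tcp.${site}._sites.${domain}" \
        "_ldap._tcp.${domain}" \
        "_kerberos._tcp.${domain}"
}

# Reduce "dig +short SRV" lines (priority weight port target.) to "port target",
# lowest priority first and highest weight first within a priority, which is
# the order a client is expected to try them in.
order_srv() {
    sort -k1,1n -k2,2nr | awk '{ sub(/\.$/, "", $4); print $3, $4 }'
}

# Query each SRV name and attempt a TCP connect to every target it returns.
# A name that resolves to targets that are all BLOCKED? points at the firewall;
# a name with no targets at all points at DNS (missing or unregistered records).
probe_site() {
    domain="$1"
    site="$2"
    srv_names "$domain" "$site" | while read -r name; do
        echo "== $name"
        dig +short SRV "$name" | order_srv | while read -r port host; do
            if nc -z -w 3 "$host" "$port" 2>/dev/null; then
                echo "   reachable   $host:$port"
            else
                echo "   BLOCKED?    $host:$port"
            fi
        done
    done
}

# Network probing only runs when asked for explicitly, e.g.:
#   sh ad_site_check.sh probe domain.xx.xx.xx XX-XXX-XXX-PRIV
if [ "${1:-}" = "probe" ]; then
    probe_site "$2" "$3"
fi
```

Run it on both the RHEL and the SLES host and compare the two outputs: identical DNS answers with different reachability results point at the network path rather than at the sssd version.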