On Sat, Aug 19, 2017 at 06:41:28AM +0000, Craig H Silva (CenITex) via 
FreeIPA-users wrote:
> The circumstances/environment are a little unusual.
> 
> We have a secure zone in which Windows AD has read-only domain controllers as 
> a security measure which we use to authenticate against. The read-write DCs 
> are firewalled off but are assigned the core roles (I'm more Linux than 
> Windows - I forget what roles they are).
> 
> So we have a rhel 7.2 system sssd -1.13.0-40 and it has the following in its 
> sssd.conf:
> 
> dns_discovery_domain = XX-XXX-XXX-PRIV._sites.domain.xx.xx.xx
> ad_site = XX-XXX-XXX-PRIV
> ad_enable_dns_sites = true
> 
> and it happily identifies the RODCs in the site XX-XXX-XXX-PRIV with an SRV 
> query to _ldap._tcp.XX-XXX-XXX-PRIV._sites.domain.xx.xx.xx
> 
> On the other hand we have a SLES 12 SP2 system in the same zone and when we 
> configure it the same way, it cannot discover the RODCs in the 
> XX-XXX-XXX-PRIV site, so we have worked around by putting them in as 
> ad_servers.
> 
> The sles 12 sp2 version of sssd is sssd-1.11.5.1

Yes, that's quite old.

> 
> Our preference is to not have to rely on hardcoded server addresses, so the 
> RHEL config is preferred and I imagine the SLES one will catch up as the 
> updated versions are released on SLES. However, I was wondering how AD site 
> discovery worked and whether my assumption that the firewall is blocking that 
> discovery (i.e. putting the site into the dns_discovery_domain setting) is 
> correct.

No, I think your workaround is correct. Either use the
dns_discovery_domain or hardcode them as ad_servers.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
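A small diagnostic helper for the question raised in this thread, added here and not taken from the thread or from sssd: it builds the site-scoped SRV name that the RHEL host is shown querying, parses a `dig +short SRV` answer into the priority-ordered list of DCs, and optionally runs the live lookup so you can see whether the site records resolve from a given host. The site, domain and SRV answer values are constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread or sssd. Names and answers are constructed.

# SRV name sssd queries when ad_site / ad_enable_dns_sites are set.
site_srv_name() {    # $1 = ad_site, $2 = AD domain
    printf '_ldap._tcp.%s._sites.%s\n' "$1" "$2"
}

# Site-less fallback name (domain-wide DC discovery).
domain_srv_name() {  # $1 = AD domain
    printf '_ldap._tcp.%s\n' "$1"
}

# Turn "priority weight port target" lines (dig +short SRV output) into
# "target:port" lines ordered by priority ascending, then weight descending
# (a deterministic stand-in for the weighted selection a client performs).
parse_srv_answer() {
    awk 'NF == 4 { sub(/\.$/, "", $4); print $1, $2, $4 ":" $3 }' |
        sort -k1,1n -k2,2nr | awk '{ print $3 }'
}

# Live check (needs dig and network): an empty answer for the site name while
# the domain name resolves points at the site records being unreachable or
# absent from this host's resolver, rather than at the sssd version.
check_discovery() {  # $1 = ad_site, $2 = AD domain
    for name in "$(site_srv_name "$1" "$2")" "$(domain_srv_name "$2")"; do
        printf '%s -> ' "$name"
        dig +short +time=2 +tries=1 SRV "$name" | parse_srv_answer | tr '\n' ' '
        echo
    done
}

# Constructed sample answer: two RODCs at priority 0, one backup at priority 10.
SAMPLE_ANSWER='0 100 389 rodc1.domain.xx.xx.xx.
10 100 389 rodc2.domain.xx.xx.xx.
0 50 389 rodc0.domain.xx.xx.xx.'
```

Run `check_discovery XX-XXX-XXX-PRIV domain.xx.xx.xx` on both the RHEL and the SLES host to compare what each resolver actually returns before attributing the difference to sssd.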