On ma, 06 marras 2017, SOLER SANGUESA Miguel via FreeIPA-users wrote:

I want to do a one-way AD trust on a multidatacenter environment. This
is the topology (2 AD servers and 2 IPA servers in each location,
replicated with each other):



The problem I see is that when I execute "ipa trust-add" it will connect
to any of the 4 AD servers as it searches for the SRV records, and I want
(I think it is the best option) the IPA servers to connect just to the AD
servers in their datacenter: _SERVICE._PROTOCOL[.dc._msdcs]

and I want to use SRV records with sites like:
# dig +short -t SRV _kerberos._udp.dc1-Site._sites.ad.example.com.
0 100 88 AD1dc1.ad.example.com.
0 100 88 AD2dc1.ad.example.com.

# dig +short -t SRV _kerberos._udp.dc2-Site._sites.ad.example.com.
0 100 88 AD1dc2.ad.example.com.
0 100 88 AD2dc2.ad.example.com.

I was wondering about creating the trust using the DNS of the site (which
only resolves the IPs of the AD servers in this datacenter), for example
from IPA1dc1.ipa.example.com: ipa trust-add --type=ad ad.example.com
--server=dc1.ad.example.com --trust-secret

But the problem here is: how do I configure the IPA servers in Datacenter2
to connect to the AD servers in datacenter2 (DNS: dc2.ad.example.com)?

Define sites in AD, then SSSD on the IPA servers will use those sites.
With recent SSSD in RHEL/CentOS 7.4 one can use subdomains to pin to
specific AD servers in sssd.conf.

When the trust is established, we also use CLDAP ping to do discovery of
a domain controller closest to us. So if your AD is configured properly,
DCs should be replying with information about the DCs closest to the
client (the IPA server in this case).

/ Alexander Bokovoy
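As an added illustration of the subdomain pinning mentioned in the reply (this is a constructed example, not configuration from the thread), here is the trusted-domain section of /etc/sssd/sssd.conf on an IPA server in datacenter 2. The IPA domain, the AD domain, the host names and the site name are taken from the question; `ad_server` and `ad_site` are the documented SSSD trusted-domain options.

```ini
# /etc/sssd/sssd.conf on an IPA server in datacenter 2 (constructed example).
# The parent [domain/ipa.example.com] section written by ipa-server-install
# stays untouched; only the trusted-domain subsection is added.

# Trusted-domain section, named "<IPA domain>/<AD domain>". Options here apply
# only to lookups against the trusted forest, not to the IPA domain itself.
[domain/ipa.example.com/ad.example.com]

# Pin this IPA server to the DCs in its own datacenter. Entries are tried in
# order, so AD2dc2 is the fallback when AD1dc2 is unreachable. Without this
# line SSSD may pick any DC returned by the forest-wide SRV records.
ad_server = AD1dc2.ad.example.com, AD2dc2.ad.example.com

# Alternatively, or in addition, name the AD site so that the site-scoped
# SRV records (_kerberos._udp.dc2-Site._sites.ad.example.com) are used for
# discovery instead of the forest-wide ones.
ad_site = dc2-Site
```

After editing the file, restart SSSD and invalidate its cache with `sss_cache -E` so that a DC chosen before the change is not reused. The same section on the datacenter 1 servers would list AD1dc1/AD2dc1 and the dc1-Site site instead.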
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
