Can you provide more information here? We DO have support for automatic detection based on DNS SRV records. Does a "DC locator" use some other mechanism?
Example AD domain CONTOSO.COM used on 3 sites - Prague,Cork, Dublin. I have machine in Prague and I want it to join CONTOSO.COM. Now if I used: dns_discovery_domain = contoso.com sssd would try to connect to any DC in the domain - even the one in Dublin, completely ignoring sites. I have to use: dns_discovery_domain = Prague._sites.contoso.com To force it to use Prague DCs only.My understanding is, that the "DC locator" tries to communicate with DC's first to determine local site and remote DC's are only used if no valid/working DC can be found in the local site (Prague in this case).
I'm not sure what you mean by this? Do you mean you don't want to have to specify ldap_schema = rfc2307bis and have it instead auto-detected? That's trickier than it sounds.
well this is a really small one. I would say it would be perfectly sufficient to introduce something like: ldap_schema=msrfc2307bis which would be equivalent to: ldap_user_object_class = user ldap_group_object_class = group ldap_user_home_directory = unixHomeDirectory ldap_schema = rfc2307bis also, the ldap bind mechanism negotiation could be potentially improved, now I have to explicitly specify ldap_sasl_mech = GSSAPI otherwise sssd tries to use SASL/EXTERNAL which fails when communicating to AD controllers.
What features of the krb5 library do you mean? SSSD provides a locator plugin that manages several features of the krb5 library, including kinit and kpasswd.
The thing is that not all Linux apps are using sssd so we have to remember to configure /etc/krb5.conf. too. When using Centrify, all I need to do is: # adjoin contoso.com ..which takes care of everything - /etc/nsswitch.conf, krb5.conf, PAM modules, eeeverything. If I wanted to use sssd for the same job I have to: 1. configure (manually) /etc/samba/smb.conf 2. net ads join (- just to get machine creds) 3. configure (manually) sssd.conf 4. configure (manually) PAM modules 5. configure (manually) krb5.conf I understand that much of this is probably not sssd duty, but it would be helpful to have some script around which would do the same job. The information contained in this e-mail and in any attachments is confidential and is designated solely for the attention of the intended recipient(s). If you are not an intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s). Please direct any additional queries to: [email protected]. Thank You. Silicon and Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office: South County Business Park, Leopardstown, Dublin 18
_______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
