Can you provide more information here? We DO have support for automatic
detection based on DNS SRV records. Does a "DC locator" use some other

Example AD domain CONTOSO.COM used on 3 sites - Prague,Cork, Dublin.
I have machine in Prague and I want it to join CONTOSO.COM. Now if I used:

dns_discovery_domain =

sssd would try to connect to any DC in the domain - even the one in Dublin, 
completely ignoring sites.
I have to use:

dns_discovery_domain =

To force it to use Prague DCs only.
My understanding is, that the "DC locator" tries to communicate with DC's first to determine local site and remote DC's are only used if no valid/working DC can be found in the local site (Prague in this case).

I'm not sure what you mean by this? Do you mean you don't want to have
to specify ldap_schema = rfc2307bis and have it instead auto-detected?

That's trickier than it sounds.

well this is a really small one. I would say it would be perfectly sufficient 
to introduce something like:


which would be equivalent to:

ldap_user_object_class = user
ldap_group_object_class = group
ldap_user_home_directory = unixHomeDirectory
ldap_schema = rfc2307bis

also, the ldap bind mechanism negotiation could be potentially improved, now I 
have to explicitly specify

ldap_sasl_mech = GSSAPI

otherwise sssd tries to use SASL/EXTERNAL which fails when communicating to AD 

What features of the krb5 library do you mean? SSSD provides a locator
plugin that manages several features of the krb5 library, including
kinit and kpasswd.

The thing is that not all Linux apps are using sssd so we have to remember to 
configure /etc/krb5.conf. too.
When using Centrify, all I need to do is:

# adjoin

..which takes care of everything - /etc/nsswitch.conf, krb5.conf, PAM modules, 
eeeverything. If I wanted to use sssd for the same job I have to:

1. configure (manually) /etc/samba/smb.conf
2. net ads join (- just to get machine creds)
3. configure (manually) sssd.conf
4. configure (manually) PAM modules
5. configure (manually) krb5.conf

I understand that much of this is probably not sssd duty, but it would be 
helpful to have some script around which would do the same job.

The information contained in this e-mail and in any attachments is confidential 
and is designated solely for the attention of the intended recipient(s). If you 
are not an intended recipient, you must not use, disclose, copy, distribute or 
retain this e-mail or any part thereof. If you have received this e-mail in 
error, please notify the sender by return e-mail and delete all copies of this 
e-mail from your computer system(s).
Please direct any additional queries to:
Thank You.
Silicon and Software Systems Limited (S3 Group). Registered in Ireland no. 
Registered Office: South County Business Park, Leopardstown, Dublin 18
Freeipa-users mailing list

Reply via email to