> Can you provide more information here? We DO have support for automatic
> detection based on DNS SRV records. Does a "DC locator" use some other

Example AD domain CONTOSO.COM used on 3 sites - Prague, Cork, Dublin.
I have a machine in Prague and I want it to join CONTOSO.COM. Now if I used:
dns_discovery_domain = contoso.com
sssd would try to connect to any DC in the domain - even the one in Dublin,
completely ignoring sites.
I have to use:
dns_discovery_domain = Prague._sites.contoso.com
To force it to use Prague DCs only.
My understanding is that the "DC locator" tries to communicate with DCs first
to determine the local site, and remote DCs are only used if no
valid/working DC can be found in the local site (Prague in this case).

> I'm not sure what you mean by this? Do you mean you don't want to have
> to specify ldap_schema = rfc2307bis and have it instead auto-detected?
> That's trickier than it sounds.

Well, this is a really small one. I would say it would be perfectly sufficient
to introduce something like:
which would be equivalent to:
ldap_user_object_class = user
ldap_group_object_class = group
ldap_user_home_directory = unixHomeDirectory
ldap_schema = rfc2307bis
Also, the ldap bind mechanism negotiation could be potentially improved; now I
have to explicitly specify
ldap_sasl_mech = GSSAPI
otherwise sssd tries to use SASL/EXTERNAL, which fails when communicating to AD.

> What features of the krb5 library do you mean? SSSD provides a locator
> plugin that manages several features of the krb5 library, including
> kinit and kpasswd.

The thing is that not all Linux apps are using sssd, so we have to remember to
configure /etc/krb5.conf too.
When using Centrify, all I need to do is:
# adjoin contoso.com
..which takes care of everything - /etc/nsswitch.conf, krb5.conf, PAM modules,
eeeverything. If I wanted to use sssd for the same job I have to:
1. configure (manually) /etc/samba/smb.conf
2. net ads join (- just to get machine creds)
3. configure (manually) sssd.conf
4. configure (manually) PAM modules
5. configure (manually) krb5.conf
I understand that much of this is probably not sssd's duty, but it would be
helpful to have some script around which would do the same job.
Freeipa-users mailing list
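
The site-first behaviour described in the message above (try the DCs behind `Prague._sites.contoso.com` first, use the rest of the domain only if none of them works), as an added example that is not part of the original post and not SSSD or Active Directory code. The host names, the `ZONE` table and the function names are constructed for illustration, and the weight ordering is a deterministic simplification of RFC 2782.

```python
from typing import Callable, Dict, List, Optional, Tuple

Srv = Tuple[int, int, str]  # (priority, weight, target) as in an SRV record

# Constructed sample zone for the CONTOSO.COM example; host names are made up.
ZONE: Dict[str, List[Srv]] = {
    "_ldap._tcp.Prague._sites.contoso.com": [
        (0, 100, "dc-prg1.contoso.com"), (0, 50, "dc-prg2.contoso.com")],
    "_ldap._tcp.contoso.com": [
        (0, 100, "dc-dub1.contoso.com"), (0, 100, "dc-cork1.contoso.com"),
        (0, 100, "dc-prg1.contoso.com"), (0, 50, "dc-prg2.contoso.com")],
}


def srv_names(domain: str, site: Optional[str]) -> List[str]:
    """SRV owner names to try: the site-scoped name first, then domain-wide."""
    names = [f"_ldap._tcp.{site}._sites.{domain}"] if site else []
    return names + [f"_ldap._tcp.{domain}"]


def ordered(records: List[Srv]) -> List[str]:
    """Lowest priority first, then highest weight (a deterministic stand-in
    for the weighted random choice of RFC 2782), then name."""
    return [t for _, _, t in sorted(records, key=lambda r: (r[0], -r[1], r[2]))]


def pick_dc(domain: str, site: Optional[str],
            is_up: Callable[[str], bool],
            zone: Dict[str, List[Srv]] = ZONE) -> Optional[Tuple[str, str]]:
    """Return (dc, srv_name) for the first reachable DC, or None.

    is_up is a caller-supplied reachability probe, so the example runs offline.
    """
    tried = set()
    for name in srv_names(domain, site):
        for target in ordered(zone.get(name, [])):
            if target in tried:  # do not re-probe a site DC in the wide list
                continue
            tried.add(target)
            if is_up(target):
                return target, name
    return None


if __name__ == "__main__":
    print(pick_dc("contoso.com", "Prague", lambda host: True))
    print(pick_dc("contoso.com", "Prague", lambda host: "prg" not in host))
    print(pick_dc("contoso.com", None, lambda host: True))
```

With no site given, the third call returns a DC outside Prague even though both Prague DCs are reachable, which is the situation the message describes for `dns_discovery_domain = contoso.com`.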