These are all great ideas, Ondrej. Would you mind opening RFE bugs for them? You can file them upstream at https://fedorahosted.org/sssd or in Red Hat Bugzilla https://bugzilla.redhat.com in the sssd component.
On Tue, 2011-10-04 at 16:29 +0200, Ondrej Valousek wrote:
> > Can you provide more information here? We DO have support for automatic
> > detection based on DNS SRV records. Does a "DC locator" use some other
> > mechanism?
>
> Example AD domain CONTOSO.COM used on 3 sites - Prague, Cork, Dublin.
> I have a machine in Prague and I want it to join CONTOSO.COM. Now if I
> used:
>
> dns_discovery_domain = contoso.com
>
> sssd would try to connect to any DC in the domain - even the one in
> Dublin, completely ignoring sites.
> I have to use:
>
> dns_discovery_domain = Prague._sites.contoso.com
>
> to force it to use Prague DCs only.
> My understanding is that the "DC locator" tries to communicate with
> DCs first to determine the local site, and remote DCs are only used if no
> valid/working DC can be found in the local site (Prague in this case).
>
> > I'm not sure what you mean by this? Do you mean you don't want to have
> > to specify ldap_schema = rfc2307bis and have it instead auto-detected?
> >
> > That's trickier than it sounds.
>
> Well, this is a really small one. I would say it would be perfectly
> sufficient to introduce something like:
>
> ldap_schema=msrfc2307bis
>
> which would be equivalent to:
>
> ldap_user_object_class = user
> ldap_group_object_class = group
> ldap_user_home_directory = unixHomeDirectory
> ldap_schema = rfc2307bis
>
> Also, the LDAP bind mechanism negotiation could potentially be
> improved; now I have to explicitly specify
>
> ldap_sasl_mech = GSSAPI
>
> otherwise sssd tries to use SASL/EXTERNAL, which fails when
> communicating with AD controllers.
>
> > What features of the krb5 library do you mean? SSSD provides a locator
> > plugin that manages several features of the krb5 library, including
> > kinit and kpasswd.
>
> The thing is that not all Linux apps are using sssd, so we have to
> remember to configure /etc/krb5.conf too.
> When using Centrify, all I need to do is:
>
> # adjoin contoso.com
>
> ...which takes care of everything - /etc/nsswitch.conf, krb5.conf, PAM
> modules, eeeverything. If I wanted to use sssd for the same job I have
> to:
>
> 1. configure (manually) /etc/samba/smb.conf
> 2. net ads join (- just to get machine creds)
> 3. configure (manually) sssd.conf
> 4. configure (manually) PAM modules
> 5. configure (manually) krb5.conf
>
> I understand that much of this is probably not sssd's duty, but it would
> be helpful to have some script around which would do the same job.
_______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
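The site-aware lookup Ondrej describes (local-site DCs first, remote DCs only when no local one answers) as an added Python model; this is not SSSD's code and not part of the thread. The SRV zone is constructed sample data, and `reachable` is a hypothetical stand-in for the connection attempt.

```python
from collections import namedtuple

SRV = namedtuple("SRV", "priority weight port target")

# Constructed sample zone (not a live lookup): site-scoped and domain-wide
# _ldap._tcp SRV records for a fictional contoso.com with three sites.
SAMPLE_ZONE = {
    "_ldap._tcp.prague._sites.contoso.com": [
        SRV(0, 100, 389, "dc1-prague.contoso.com"),
        SRV(0, 50, 389, "dc2-prague.contoso.com"),
    ],
    "_ldap._tcp.contoso.com": [
        SRV(0, 100, 389, "dc1-prague.contoso.com"),
        SRV(0, 50, 389, "dc2-prague.contoso.com"),
        SRV(10, 100, 389, "dc1-cork.contoso.com"),
        SRV(10, 100, 389, "dc1-dublin.contoso.com"),
    ],
}


def srv_query_names(domain, site=None, service="_ldap", proto="_tcp"):
    """SRV names to try, most specific first: the site-scoped name (what
    dns_discovery_domain = Prague._sites.contoso.com selects), then the
    domain-wide name (what dns_discovery_domain = contoso.com selects)."""
    domain = domain.lower().rstrip(".")
    names = []
    if site:
        names.append(f"{service}.{proto}.{site.lower()}._sites.{domain}")
    names.append(f"{service}.{proto}.{domain}")
    return names


def order_srv(records):
    """RFC 2782 order: lowest priority first, heavier weight first within a
    priority (real resolvers pick randomly in proportion to weight)."""
    return sorted(records, key=lambda r: (r.priority, -r.weight, r.target))


def locate_dcs(domain, site=None, zone=SAMPLE_ZONE, reachable=None):
    """Return (srv_name_used, ordered_targets) from the first SRV name that
    yields a reachable controller, or (None, []) if none does. `reachable`
    stands in for the connection attempt, so a site whose controllers are
    all down falls through to the domain-wide record set."""
    reachable = reachable or (lambda target: True)
    for name in srv_query_names(domain, site):
        targets = [r.target for r in order_srv(zone.get(name, []))
                   if reachable(r.target)]
        if targets:
            return name, targets
    return None, []
```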
