On 10/05/2011 04:02 AM, Ondrej Valousek wrote:
> Submitted RFEs #743503,#743505,#743505 and #743509 into RedHat
> bugzilla (I have no login to fedorahosted.org so I could not submit to
> upstream).
> Take them as a wish-list only and feel free to close them if they do
> not fit into the IPA roadmap.

Thank you for taking time and doing this!

>
> Thanks!
> Ondrej
>
> On 10/04/2011 04:47 PM, Stephen Gallagher wrote:
>> These are all great ideas, Ondrej. Would you mind opening RFE bugs for
>> them? You can file them upstream at https://fedorahosted.org/sssd or in
>> Red Hat Bugzilla https://bugzilla.redhat.com in the sssd component.
>>
>> On Tue, 2011-10-04 at 16:29 +0200, Ondrej Valousek wrote:
>>>> Can you provide more information here? We DO have support for automatic
>>>> detection based on DNS SRV records. Does a "DC locator" use some other
>>>> mechanism?
>>>>
>>> Example AD domain CONTOSO.COM used on 3 sites - Prague, Cork, Dublin.
>>> I have machine in Prague and I want it to join CONTOSO.COM. Now if I
>>> used:
>>>
>>>     dns_discovery_domain = contoso.com
>>>
>>> sssd would try to connect to any DC in the domain - even the one in
>>> Dublin, completely ignoring sites.
>>> I have to use:
>>>
>>>     dns_discovery_domain = Prague._sites.contoso.com
>>>
>>> To force it to use Prague DCs only.
>>> My understanding is, that the "DC locator" tries to communicate with
>>> DC's first to determine local site and remote DC's are only used if no
>>> valid/working DC can be found in the local site (Prague in this case).
>>>
>>>> I'm not sure what you mean by this? Do you mean you don't want to have
>>>> to specify ldap_schema = rfc2307bis and have it instead auto-detected?
>>>>
>>>> That's trickier than it sounds.
>>>>
>>> well this is a really small one. I would say it would be perfectly
>>> sufficient to introduce something like:
>>>
>>>     ldap_schema=msrfc2307bis
>>>
>>> which would be equivalent to:
>>>
>>>     ldap_user_object_class = user
>>>     ldap_group_object_class = group
>>>     ldap_user_home_directory = unixHomeDirectory
>>>     ldap_schema = rfc2307bis
>>>
>>> also, the ldap bind mechanism negotiation could be potentially
>>> improved, now I have to explicitly specify
>>>
>>>     ldap_sasl_mech = GSSAPI
>>>
>>> otherwise sssd tries to use SASL/EXTERNAL which fails when
>>> communicating to AD controllers.
>>>
>>>> What features of the krb5 library do you mean? SSSD provides a locator
>>>> plugin that manages several features of the krb5 library, including
>>>> kinit and kpasswd.
>>>>
>>> The thing is that not all Linux apps are using sssd so we have to
>>> remember to configure /etc/krb5.conf too.
>>> When using Centrify, all I need to do is:
>>>
>>>     # adjoin contoso.com
>>>
>>> ..which takes care of everything - /etc/nsswitch.conf, krb5.conf, PAM
>>> modules, eeeverything. If I wanted to use sssd for the same job I have
>>> to:
>>>
>>> 1. configure (manually) /etc/samba/smb.conf
>>> 2. net ads join (- just to get machine creds)
>>> 3. configure (manually) sssd.conf
>>> 4. configure (manually) PAM modules
>>> 5. configure (manually) krb5.conf
>>>
>>> I understand that much of this is probably not sssd duty, but it would
>>> be helpful to have some script around which would do the same job.
>>>
>>> ______________________________________________________________________
>>> The information contained in this e-mail and in any attachments is
>>> confidential and is designated solely for the attention of the
>>> intended recipient(s). If you are not an intended recipient, you must
>>> not use, disclose, copy, distribute or retain this e-mail or any part
>>> thereof. If you have received this e-mail in error, please notify the
>>> sender by return e-mail and delete all copies of this e-mail from your
>>> computer system(s). Please direct any additional queries to:
>>> [email protected]. Thank You. Silicon and Software Systems
>>> Limited (S3 Group). Registered in Ireland no. 378073. Registered
>>> Office: South County Business Park, Leopardstown, Dublin 18
>>> ______________________________________________________________________

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

_______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
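
The site-first lookup order discussed in the quoted thread, as an added example that is not part of the original messages and is not SSSD's code: it builds the site-scoped and domain-wide SRV names for the CONTOSO.COM case and orders the DCs so remote ones are only a fallback. The host names, the `SAMPLE_ZONE` records and the `is_up` probe are constructed for illustration, and the site is assumed to be already known.

```python
from typing import Callable, List, NamedTuple, Optional

class Srv(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str

# Constructed sample records; DC host names are made up for this example.
SAMPLE_ZONE = {
    "_ldap._tcp.Prague._sites.contoso.com": [
        Srv(0, 100, 389, "dc1-prg.contoso.com"),
        Srv(0, 100, 389, "dc2-prg.contoso.com"),
    ],
    "_ldap._tcp.contoso.com": [
        Srv(0, 100, 389, "dc1-prg.contoso.com"),
        Srv(0, 100, 389, "dc2-prg.contoso.com"),
        Srv(0, 100, 389, "dc1-dub.contoso.com"),
        Srv(0, 100, 389, "dc1-cork.contoso.com"),
    ],
}

def lookup(name: str) -> List[Srv]:
    """Offline stand-in for a DNS SRV query (hypothetical helper)."""
    return SAMPLE_ZONE.get(name, [])

def srv_names(domain: str, site: Optional[str] = None) -> List[str]:
    """SRV names to query, most specific first: site-scoped, then domain-wide."""
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.{domain}")
    names.append(f"_ldap._tcp.{domain}")
    return names

def candidate_dcs(domain: str, site: Optional[str],
                  resolve: Callable[[str], List[Srv]] = lookup,
                  is_up: Callable[[str], bool] = lambda host: True) -> List[str]:
    """Reachable DCs in the order to try them: local site first, rest as fallback."""
    ordered: List[str] = []
    for name in srv_names(domain, site):
        # Lower priority value wins; real clients pick among equal priorities
        # randomly by weight (RFC 2782), sorted here to keep output stable.
        for rec in sorted(resolve(name), key=lambda r: (r.priority, -r.weight, r.target)):
            if rec.target not in ordered and is_up(rec.target):
                ordered.append(rec.target)
    return ordered

if __name__ == "__main__":
    print(candidate_dcs("contoso.com", "Prague"))
    print(candidate_dcs("contoso.com", None))
```

Without a site, the Cork and Dublin DCs sort ahead of Prague in this sample, which is the behaviour the thread describes for `dns_discovery_domain = contoso.com`.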
