---------- Forwarded message ----------
From: Михаил А <avdush...@gmail.com>
Date: 2013/10/14
Subject: Re: [Freeipa-users] (no subject)
To: d...@redhat.com

Simplify the circuit. I have a Windows server DC and an IPA replica server. My job is to authenticate the Windows user to their own account on the Fedora and Red Hat clients. As I understand it, when logging on to the IPA server with a Windows account, there is a request to a Windows DC, found via the SRV record in DNS. Because of the forest, I have a site section in which there is 1 Windows server and 1 IPA server, but on request the IPA server does not always refer to the neighbouring Windows DC; I found this in the sssd log at debug level 5. We do not have network connectivity between sites; there is a single point-to-site where network connectivity is available. Trust between the Windows and IPA domains is available. Logging in at the central site, where there is network connectivity, runs great, for example (ssh -l winuser@windomain ipa.client or ipa-replica-server ----- OK).

2013/10/12 Dmitri Pal <d...@redhat.com>:

> On 10/11/2013 02:07 PM, Михаил А wrote:
>
> Maybe I have to explicitly specify the Windows server which my IPA server will address to authenticate a Windows user on the ipa-client? For example there is the IPA server p0129ipa01.ipa.sys local and the Win DC p0129ad-dc01.sys.local. How do I specify that a request for authorization obviously goes to that Windows server, or to any Windows DC in the area? Because I do not have network connectivity to ports in other regions. A DNS request is sent to all SRV Windows servers in a random order; the dependency cannot be computed.
> The WIN DC in the subnet that corresponds to it authorizes the Windows users; outside of that DC, in a different subnet, it is not responsible for authorization (id winuser@windomain, getent passwd winuser@windomain, ssh -l winuser@windomain ipa-client).
> IPA server: Fedora 19; ipa-client: Fedora 19 and RedHat 6.x
>
> The configuration still puzzles me.
> Can you share your sanitized sssd.conf?
> Based on your description you have:
>
> Windows DCs
> IPAs
> Clients that are configured to use IPA and DC (at the same time? how?)
> Users coming from AD authenticating on the client
>
> My point is that you need to either:
> * Connect your SSSD to AD directly, then there is no IPA in the picture
> * Connect your SSSD to IPA. In this case you can authenticate users that are native to IPA, synced to IPA from AD, or you can use trusted users from AD accessing the system if IPA and AD are in a trust relationship
> * Connect your SSSD to AD as one domain to allow AD users to authenticate and create another domain that would connect SSSD to IPA. This is for non-overlapping user sets between AD and IPA
>
> If you are running some other configuration it is probably something that we do not recommend.
>
> We know people try to use one configuration to force user authentication against AD while other information including user setup comes from IPA, but we do not recommend this setup because we can't upgrade from it cleanly.
>
> 2013/10/11 Dmitri Pal <d...@redhat.com>:
>
>> On 10/11/2013 05:22 AM, Михаил А wrote:
>>
>> Good afternoon. In each region I have a couple of controllers (Windows and IPA). With the authorization server, in the IPA logs (sssd log) I find that the request is not for the neighbouring Windows server by location, but randomly throughout the forest. Tell me, is there a way to explicitly specify the IPA server on the Windows DC? Logs attached.
>> Is there documentation about this somewhere?
>>
>> I am not quite sure I understand your setup but I will try to give you some hints.
>>
>> If you want SSSD to access a specific IPA server or servers you can define primary and secondary servers explicitly in the SSSD configuration. See SSSD man pages.
>> This can also be done via the ipa-client-install command line starting with IPA client 3.0 and SSSD 1.9.
>>
>> But that would sort of override the information coming from DNS.
>>
>> If you are looking for SSSD to support DNS sites then this functionality is available in SSSD 1.11 if SSSD is joined directly to AD via the AD provider. If you are looking for the same functionality when SSSD connects to IPA then it is still on the roadmap because IPA does not support sites.
>> https://fedorahosted.org/freeipa/ticket/2008
>>
>> Next to the IPA server: pk529ad-dc01.sys.local
>> The IPA server knocks on pk429ad-dc01.sys.local in another region
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users@redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager for IdM portfolio
>> Red Hat Inc.
>>
>> -------------------------------
>> Looking to carve out IT costs?
>> www.redhat.com/carveoutcosts/
>
Attachment: sssd.conf (binary data)
_______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
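The explicit primary/backup server list that Dmitri's reply points to, as an added sssd.conf example: this is not the sssd.conf attached to the thread and not FreeIPA project code; the domain, host and client names are constructed placeholders, and the option names are those of the sssd-ipa man page for SSSD 1.9 and later.

```ini
# Added example, not the sssd.conf attached to this thread.
# Domain, hostnames and client name are constructed placeholders.

[sssd]
config_file_version = 2
services = nss, pam
domains = ipa.example.test

[domain/ipa.example.test]
id_provider = ipa
auth_provider = ipa
ipa_domain = ipa.example.test
ipa_hostname = client01.region1.ipa.example.test
cache_credentials = True

# Weak setting (the thread's situation): no ipa_server line at all, or only
#   ipa_server = _srv_
# so every lookup walks the DNS SRV records in an order the client
# cannot control, including servers in regions it cannot reach.

# Corrected setting: name the reachable servers of this region as primaries,
# in order of preference, and keep SRV discovery only as the backup list.
ipa_server = ipa01.region1.ipa.example.test, ipa02.region1.ipa.example.test
ipa_backup_server = _srv_

# Equivalent at enrollment time, for IPA client 3.0 / SSSD 1.9 and later:
#   ipa-client-install --domain=ipa.example.test \
#       --server=ipa01.region1.ipa.example.test \
#       --server=ipa02.region1.ipa.example.test
```

This pins which IPA servers the client talks to and in what order; it does not choose which AD DC the IPA server contacts for trusted AD users, which the thread says is still on the roadmap (ticket 2008).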