---------- Forwarded message ----------
From: Михаил А <avdush...@gmail.com>
Date: 2013/10/14
Subject: Re: [Freeipa-users] (no subject)
To: d...@redhat.com

Simplify the circuit. I have a windows server DC, IPA replica server. My
job is to authenticate the user windows to your account on the client
fedora and redhat. As I understand it when logging on IPA server running
windows account - there is a request for vigdovs DC, found on the SRV
record in DNS. Because the forest I site section in which is1 windows
server and 1 IPA server, but at the request IPA server is not always refers
to the neighbor windows dealing center I found this in the log ssssd at
debug level 5.We do not have network connectivity between sites, there is a
single point-to-site, where network connectivity is available.
Trust between the domains windows and IPA available. Log in to the central
site, where there is network connectivity runs great, for example (ssh -l
winuser@windomain ipa.client or ipa-replica-server -----OK)

2013/10/12 Dmitri Pal <d...@redhat.com>

>  On 10/11/2013 02:07 PM, Михаил А wrote:
> Maybe I have to explicitly specify the windows server which will address
> my IPA server to authenticate windows user on ipa-client? For example there
> is the IPA server p0129ipa01.ipa.sys local and Win DC
> p0129ad-dc01.sys.local. How do I specify that a request for authorization
> obviously gone to windows server or to any windows in the DC area? Because
> I do not have network connectivity to ports in other regions. A DNS-request
> is sent to all SRV-windows servers in a random order, depending can not
> compute.
> WIN DC in the subnet that corresponds to and authorizes the windows users
> outside of DC who, in a different subnet is not responsible for
> authorization (id winuser@windomain, getent passwd winuser@windomain, ssh
> -l winuser@windomain ipa-client)
> IPA-server fedora 19, ipa-client fedora19 and RedHat 6.x
> The configuration still puzzles me.
> Can you share your sanitized sssd.conf?
> Based on you description you have:
> Windows DCs
> IPAs
> Clients that are configured to use IPA and DC (at the same time? how?)
> Users coming from AD authenticating on the client
> My point is that you need to either:
> * Connect your SSSD to AD directly, then there is no IPA in picture
> * Connect you SSSD to IPA. In this case you can authenticate users that
> are native to IPA, synced to IPA from AD or you can use trusted users from
> AD accessing system if IPA and AD is in trust relationship
> * Connect your SSSD to AD as one domain to allow AD users to authenticate
> and create another domain that would connect SSSD to IPA. This is for non
> overlapping user sets between AD and IPA
> If you running some other configuration it is probably something that we
> do not recommend.
> We know people try to use one configuration to force user authentication
> against AD while other information including user setup comes from IPA, but
> we do not recommend this setup because we can't upgrade from it cleanly.
> 2013/10/11 Dmitri Pal <d...@redhat.com>
>>  On 10/11/2013 05:22 AM, Михаил А wrote:
>> Good afternoon. In each region, I have a couple of controllers (windows
>> and ipa). With the authorization server in the logs ipa (sssd log) I find
>> that the request is not for the neighbor by location windows server, and
>> randomly throughout the forest. Tell me is there a way to explicitly
>> specify the IPA server on windows DC. Logs attached.
>> there somewhere documentation about?
>>  I am not quite sure I understand you setup but I will try to give you
>> some hints.
>> If you want SSSD to access a specific IPA server or servers you can
>> define primary and secondary servers explicitly in the SSSD configuration.
>> See SSSD man pages.
>> This can also be done via ipa-client-install command line starting IPA
>> client 3.0 and SSSD 1.9
>> But that would sort of override the information coming from DNS.
>> If you are looking for SSSD to support DNS sites then this functionality
>> is available in SSSD in 1.11 if SSSD is joined directly to AD via AD
>> provider. If you are looking for the same functionality when SSSD connects
>> to IPA then it is still on the roadmap because IPA does not support sites.
>> https://fedorahosted.org/freeipa/ticket/2008
>>  next to the IPA server pk529ad-dc01.sys.local
>> IPA server and knocks pk429ad-dc01.sys.local to another region
>>  _______________________________________________
>> Freeipa-users mailing 
>> listFreeipa-users@redhat.comhttps://www.redhat.com/mailman/listinfo/freeipa-users
>> --
>> Thank you,
>> Dmitri Pal
>> Sr. Engineering Manager for IdM portfolio
>> Red Hat Inc.
>> -------------------------------
>> Looking to carve out IT costs?www.redhat.com/carveoutcosts/
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users@redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
> --
> Thank you,
> Dmitri Pal
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
> -------------------------------
> Looking to carve out IT costs?www.redhat.com/carveoutcosts/

Attachment: sssd.conf
Description: Binary data

Freeipa-users mailing list

Reply via email to