https://fedorahosted.org/freeipa/ticket/2008: is there a possibility to do the same for the SRV records of the Windows servers?

2013/10/14 Михаил А <avdush...@gmail.com>

> ---------- Forwarded message ----------
> From: Михаил А <avdush...@gmail.com>
> Date: 2013/10/14
> Subject: Re: [Freeipa-users] (no subject)
> To: d...@redhat.com
>
> Let me simplify the scheme. I have a Windows server DC and an IPA replica
> server. My job is to authenticate Windows users to their accounts on Fedora
> and Red Hat clients. As I understand it, when a Windows account logs on,
> the IPA server makes a request to a Windows DC found via the SRV record in
> DNS. In the forest I have a site in which there is 1 Windows server and 1
> IPA server, but on that request the IPA server does not always refer to the
> neighbouring Windows domain controller; I found this in the sssd log at
> debug level 5. We do not have network connectivity between sites; there is
> a single point-to-site link where network connectivity is available.
> Trust between the Windows and IPA domains is available. Logging in at the
> central site, where there is network connectivity, works great, for example
> (ssh -l winuser@windomain ipa.client or ipa-replica-server ----- OK).
>
> 2013/10/12 Dmitri Pal <d...@redhat.com>
>
>> On 10/11/2013 02:07 PM, Михаил А wrote:
>>
>>> Maybe I have to explicitly specify the Windows server which my IPA server
>>> will address to authenticate a Windows user on the ipa-client? For example
>>> there is the IPA server p0129ipa01.ipa.sys.local and the Win DC
>>> p0129ad-dc01.sys.local. How do I specify that a request for authorization
>>> goes explicitly to a Windows server, or to any Windows DC in the area?
>>> Because I do not have network connectivity to ports in other regions. A
>>> DNS request is sent to all SRV Windows servers in a random order that
>>> cannot be computed.
>>> The WIN DC in the corresponding subnet authorizes the Windows users; a DC
>>> outside it, in a different subnet, is not responsible for authorization
>>> (id winuser@windomain, getent passwd winuser@windomain,
>>> ssh -l winuser@windomain ipa-client).
>>> IPA server: Fedora 19; ipa-client: Fedora 19 and RedHat 6.x.
>>
>> The configuration still puzzles me.
>> Can you share your sanitized sssd.conf?
>> Based on your description you have:
>>
>> Windows DCs
>> IPAs
>> Clients that are configured to use IPA and DC (at the same time? how?)
>> Users coming from AD authenticating on the client
>>
>> My point is that you need to either:
>> * Connect your SSSD to AD directly, then there is no IPA in the picture
>> * Connect your SSSD to IPA. In this case you can authenticate users that
>> are native to IPA, synced to IPA from AD, or you can use trusted users from
>> AD accessing the system if IPA and AD are in a trust relationship
>> * Connect your SSSD to AD as one domain to allow AD users to authenticate
>> and create another domain that would connect SSSD to IPA. This is for
>> non-overlapping user sets between AD and IPA
>>
>> If you are running some other configuration it is probably something that
>> we do not recommend.
>>
>> We know people try to use one configuration to force user authentication
>> against AD while other information including user setup comes from IPA, but
>> we do not recommend this setup because we can't upgrade from it cleanly.
>>
>> 2013/10/11 Dmitri Pal <d...@redhat.com>
>>
>>> On 10/11/2013 05:22 AM, Михаил А wrote:
>>>
>>>> Good afternoon. In each region I have a couple of controllers (Windows
>>>> and IPA). On the authorization server, in the IPA logs (sssd log), I find
>>>> that the request does not go to the Windows server that is the neighbour
>>>> by location, but randomly throughout the forest. Tell me, is there a way
>>>> to explicitly specify the IPA server on the Windows DC? Logs attached.
>>>> Is there documentation about this somewhere?
>>>
>>> I am not quite sure I understand your setup but I will try to give you
>>> some hints.
>>>
>>> If you want SSSD to access a specific IPA server or servers you can
>>> define primary and secondary servers explicitly in the SSSD configuration.
>>> See the SSSD man pages.
>>> This can also be done via the ipa-client-install command line starting
>>> with IPA client 3.0 and SSSD 1.9.
>>>
>>> But that would sort of override the information coming from DNS.
>>>
>>> If you are looking for SSSD to support DNS sites then this functionality
>>> is available in SSSD 1.11 if SSSD is joined directly to AD via the AD
>>> provider. If you are looking for the same functionality when SSSD connects
>>> to IPA then it is still on the roadmap because IPA does not support sites.
>>> https://fedorahosted.org/freeipa/ticket/2008
>>>
>>>> Next to the IPA server is pk529ad-dc01.sys.local, but the IPA server
>>>> knocks on pk429ad-dc01.sys.local in another region.
>>>
>>> --
>>> Thank you,
>>> Dmitri Pal
>>>
>>> Sr. Engineering Manager for IdM portfolio
>>> Red Hat Inc.
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager for IdM portfolio
>> Red Hat Inc.

_______________________________________________
Freeipa-users mailing list
https://www.redhat.com/mailman/listinfo/freeipa-users
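An added example of the "primary and secondary servers" hint from the thread (this is not configuration posted by anyone in the thread): an sssd.conf on an IPA client that pins the client to the replica in its own site while keeping DNS SRV as the fallback, plus the separate AD-provider domain from Dmitri's third option. The hostnames are the ones quoted above; the domain names ipa.sys.local and sys.local, the client-side backup replica name and the AD domain section are assumptions. Note that in the trust setup the IPA server, not the client, looks up the AD DC, so this file does not control that choice; the thread says that is tracked in ticket 2008.

```ini
# Added example, not from the thread. Hostnames are the ones quoted in the
# thread; the domain names ipa.sys.local and sys.local are inferred from
# them and are assumptions, as is the backup replica name (placeholder).

[sssd]
services = nss, pam
domains = ipa.sys.local, sys.local

[domain/ipa.sys.local]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_domain = ipa.sys.local
cache_credentials = True

# Primary servers, tried in the order listed. "_srv_" stands for the servers
# returned by the DNS SRV lookup, so putting the local replica in front of it
# pins the client to that replica and leaves DNS as the fallback. Dropping
# "_srv_" altogether makes the client use the listed hosts only.
ipa_server = p0129ipa01.ipa.sys.local, _srv_

# Backup servers are contacted only when every primary is unreachable;
# SSSD later tries to return to a primary.
ipa_backup_server = ipa-replica-central.ipa.sys.local

# Dmitri's third option (assumed here): a separate domain with the AD
# provider for users that exist only in AD, i.e. non-overlapping user sets.
# In this configuration SSSD 1.11 chooses the DC itself, so the same kind of
# explicit list pins it to the DC next door and keeps the far-region DC as
# backup only.
[domain/sys.local]
id_provider = ad
auth_provider = ad
access_provider = ad
ad_domain = sys.local
ad_server = pk529ad-dc01.sys.local, _srv_
ad_backup_server = pk429ad-dc01.sys.local
```

With IPA client 3.0 and later, `ipa-client-install --server=p0129ipa01.ipa.sys.local --fixed-primary` writes the equivalent ipa_server setting at enrolment; without --fixed-primary the installer still puts _srv_ in front of the named server.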