On Wed, Dec 16, 2015 at 10:33:17AM +0000, wouter.hummel...@kpn.com wrote:
> Hi All,
> 
> While TCPdumping logins on an IPA client using an AD account I found out that 
> SSSD doesn't take AD Sites into account. I see a DNS lookup for 
> _kerberos._udp.<ad.domain> and _kerberos._tcp.<ad.domain> and then a Kerberos 
> attempt at one or more of the AD servers (both the local and non-local ones).
> 
> While this isn't a huge problem it does delay logins where communication with 
> the AD kdc is required.
> 
> Is there a way to get sssd to use the proper site for trusted AD domains?

I'm afraid currently there is no way for IPA clients.

If the SSSD client is directly joined to an AD domain, SSSD tries to
determine the site the client belongs to and prefers DCs from this site
for all communications.

An IPA client gets all information from the IPA server (there is a
similar concept to sites in IPA but this is still wip). Only for
password authentication SSSD will directly connect to an AD DC.
Currently this happens completely inside libkrb5 which by default is
configured to do DNS SRV lookups to find a suitable DC (dns_lookup_kdc =
true in krb5.conf). Since libkrb5 is not aware of sites it will just do
the plain _kerberos._udp.<ad.domain> lookup you see in the dump.

The only way to get around this would be to add a configuration section
for the ad.domain in krb5.conf and list suitable DCs there. But this of
course has a number of drawbacks.

HTH

bye,
Sumit

> 
> 
> Kind regards,
> 
> Wouter Hummelink
> Cloud Engineer
> KPN IT Solutions
> Platform Organisation Cloud Services
> Mail: wouter.hummel...@kpn.com
> Phone: +31 (0)6 1288 2447
> Save Paper - Do you really need to print this e-mail?
> *********************************************************************************************************************************************************
> KPN IT SOLUTIONS is the trade name of KPN Corporate Market BV, 
> Commercial Register 52959597 Amsterdam
> The information transmitted is intended only for use by the addressee and may 
> contain confidential and/or privileged material.
> Any review, re-transmission, dissemination or other use of it, or the taking 
> of any action in reliance upon this information by persons
> and/or entities other than the intended recipient is prohibited. If you 
> received this in error, please inform the sender and/or addressee immediately
> and delete the material. Thank you.
> *********************************************************************************************************************************************************
> 
> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

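As an added example (not code from this thread, nor part of SSSD, IPA or MIT krb5), the following script shows how the krb5.conf workaround Sumit describes could be generated instead of hand-maintained. AD publishes site-scoped SRV records under _kerberos._tcp.<Site>._sites.<domain> (and under _sites.dc._msdcs.<domain>), so a client that already knows its own AD site can query that name, parse the answer and write a static [realms] stanza listing only the site-local DCs. The domain ad.example.com, the site name Amsterdam and the DC hostnames are constructed for illustration, and the SRV answer is embedded as dig-style text rather than queried live so the example runs offline.

```python
"""Render a static krb5.conf [realms] stanza from site-scoped AD SRV records.

Added example, not from the original thread. Because libkrb5 only does the
plain _kerberos._udp/_tcp.<domain> SRV lookup and is not site-aware, the
workaround is to list the DCs of the client's own AD site in krb5.conf.
Domain, site and hostnames below are assumptions for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


# Constructed dig-style answer for the site-scoped SRV name (not real hosts).
SAMPLE_SRV_ANSWER = """\
_kerberos._tcp.Amsterdam._sites.ad.example.com. 600 IN SRV 0 100 88 dc1-ams.ad.example.com.
_kerberos._tcp.Amsterdam._sites.ad.example.com. 600 IN SRV 0 100 88 dc2-ams.ad.example.com.
_kerberos._tcp.Amsterdam._sites.ad.example.com. 600 IN SRV 10 50 88 dc9-lon.ad.example.com.
"""

# owner TTL IN SRV priority weight port target
_SRV_RE = re.compile(r"^\S+\s+\d+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+?)\.?$")


def srv_name(domain, site, service="_kerberos", proto="_tcp"):
    """Site-scoped SRV owner name AD publishes for a service in a given site."""
    return f"{service}.{proto}.{site}._sites.{domain}"


def parse_srv_answer(text):
    """Parse dig-style SRV answer lines into SrvRecord objects."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = _SRV_RE.match(line)
        if not m:
            raise ValueError(f"not an SRV record: {line!r}")
        prio, weight, port, target = m.groups()
        records.append(SrvRecord(int(prio), int(weight), int(port), target.lower()))
    return records


def order_srv(records):
    """RFC 2782 order: lowest priority first, higher weight first within a priority.

    Deterministic stand-in for the weighted random choice a real resolver makes;
    krb5 tries kdc entries in the order they appear in the stanza.
    """
    return sorted(records, key=lambda r: (r.priority, -r.weight, r.target))


def render_realm_stanza(realm, records):
    """Emit one REALM = { kdc = ... } block; port 88 is the default and omitted."""
    lines = [f"{realm} = {{"]
    for r in order_srv(records):
        port = "" if r.port == 88 else f":{r.port}"
        lines.append(f"    kdc = {r.target}{port}")
    lines.append("}")
    return "\n".join(lines)


def build_krb5_realms(domain, site, answer_text):
    """Full [realms] section for the AD realm, from the site-scoped SRV answer."""
    records = parse_srv_answer(answer_text)
    if not records:
        # An empty answer means the site name is wrong or no DC serves it;
        # refusing here is better than writing a stanza with no kdc lines.
        raise ValueError(f"no KDCs published for site {site!r} in {domain}")
    return "[realms]\n" + render_realm_stanza(domain.upper(), records)


if __name__ == "__main__":
    print("# generated from", srv_name("ad.example.com", "Amsterdam"))
    print(build_krb5_realms("ad.example.com", "Amsterdam", SAMPLE_SRV_ANSWER))
```

Two caveats that follow from how MIT krb5 resolves KDCs: once a realm has explicit kdc entries, libkrb5 uses only those and does not fall back to SRV lookups for that realm, so the generated stanza has to be refreshed on every IPA client whenever DCs are added, removed or moved between sites; and the site name itself still has to come from somewhere, since the IPA client has no directly joined SSSD provider to discover it.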