Hi Jakub, first of all thanks for the complete response. You told me a lot of things I didn't know. Please see my answer below.
On Sun, Dec 18, 2011 at 10:36 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
> On Sun, Dec 18, 2011 at 07:09:30PM +0100, Marco Pizzoli wrote:
> > Hi,
> > I started to look at the documentation of FreeIPA and SSSD.
> > Now I'm curious to know about the relationship between sssd and the dns
> > servers.
> >
>
> To be honest, I'm not sure I completely understand what you are trying
> to accomplish. I'll try to answer your questions, but feel free to
> clarify or steer me in the right direction.
>
> One thing to keep in mind is that SSSD does not perform name resolution
> through glibc, mostly because glibc's interface is synchronous. SSSD uses
> the "c-ares" library. c-ares does read /etc/hosts and /etc/resolv.conf so
> there is no separate config and the name resolution gives the same results
> as it would if performed via glibc, but the name resolution process itself
> is completely standalone.
>
> > As I can see, obviously, the deployment of all windows-style services are
> > led by a query/response by sssd to dns servers, possibly directly to the
> > FreeIPA dns server.
>
> There are two ways SSSD queries DNS when acting as a FreeIPA client,
> depending on your configuration:
> 1) name resolution to get the IP address corresponding to a hostname in
> the "ipa_server" parameter
> 2) if the IPA server is not set, query DNS using the SRV records to get
> the list of servers and then perform 1)
>
> > When deploying sssd I have to configure the resolv.conf file. Is hereafter
> > sssd the only service which is *required* to use that file?
> >
>
> I don't understand this part, sorry. /etc/resolv.conf is read prominently
> by the glibc resolver and affects library calls such as gethostbyname
> etc.
>
> In a centralized environment, the resolv.conf would typically be set by
> DHCP.
>
> > I'm thinking of the unix/linux farm of my office in which, by taking a
> > weighted choice, they decided to not use the dns servers, relying only on
> > /etc/hosts files.
> >
>
> The order of the hosts databases (aka when to use resolv.conf and when
> to use /etc/hosts) is set in the /etc/nsswitch.conf config file with the
> hosts directive. The typical order is "files dns" which translates to
> "ask /etc/hosts first and if there's no answer, go ask the servers in
> /etc/resolv.conf"
>
> c-ares reads that order so it should work in sync with the rest of the
> system. c-ares allows overriding the list of servers it talks to, but
> currently SSSD does not expose or leverage this interface.
>
> > If you confirm this, do you think it would be a good idea to file a
> > feature request asking to have an option for sssd to choose the
> > resolv.conf file to point to?
> > So I could use a file called, for example, "/etc/resolv.conf.FreeIPA". So
> > I can be sure that no other services will use those DNS servers.
>
> If we want to support this feature, I would much prefer adding a new config
> option directly to sssd.conf than a new resolv.conf style file.
>
> That said, can you explain why would you like to see this feature?

My wish is to use sssd on a Linux system joined to a FreeIPA domain, but
being able to do this while still *not* enabling DNS resolution for the rest
of that Linux system -> not populating the /etc/resolv.conf file.
If I understand correctly, you are telling me that I could achieve this result
by withdrawing the "dns" keyword from the /etc/nsswitch.conf file. Is this right?

> If it's just for overriding DNS config per-client, then I would suggest to
> do this using either some DHCP client override (such as dhcp-class) or
> distribute /etc/hosts to clients.
>

I understand these suggestions, but we don't use DHCP and centralizing the
/etc/hosts distribution has not been considered so far.

Thanks again, I really appreciated it.
Marco
-- 
_________________________________________
It is not the one who never falls who is strong, but the one who, having fallen, has the strength to get up again. Jim Morrison
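As an added illustration of the two points made in the exchange above (the `hosts:` order in /etc/nsswitch.conf, and the two ways SSSD reaches DNS depending on whether `ipa_server` is set), the following Python script audits constructed nsswitch.conf, /etc/hosts and sssd.conf fragments and reports which source a client would end up consulting. This is example code written for this page, not code from SSSD, FreeIPA or either poster; the hostnames, addresses and file contents are constructed, and the `dns` source is a stub lookup table standing in for the servers listed in resolv.conf so the script runs offline.

```python
"""Audit which name sources an IPA client will consult, following the
/etc/nsswitch.conf 'hosts' order and the ipa_server setting discussed above.

Added example, not code from SSSD, FreeIPA or the thread. All file contents
below are constructed samples; the "dns" source is a stub lookup table that
stands in for the resolv.conf servers so the script runs offline.
"""
import re

# Constructed sample configuration fragments (hypothetical names/addresses).
NSSWITCH_FILES_DNS = "passwd: files sss\nhosts: files dns\n"
NSSWITCH_FILES_ONLY = "hosts:      files   # dns keyword withdrawn\n"
HOSTS_FILE = "127.0.0.1   localhost\n192.0.2.10  ipa1.example.test ipa1\n"
SSSD_CONF_EXPLICIT = "[domain/example.test]\nid_provider = ipa\nipa_server = ipa1.example.test\n"
SSSD_CONF_SRV = "[domain/example.test]\nid_provider = ipa\n"
# Stub answers a DNS server would give; only consulted when "dns" is in the order.
STUB_DNS = {"ipa1.example.test": "192.0.2.10", "ipa2.example.test": "192.0.2.11"}


def hosts_order(nsswitch_text):
    """Return the ordered sources on the 'hosts:' line, e.g. ['files', 'dns'].
    Action brackets such as [NOTFOUND=return] are dropped: they control
    fall-through between sources, not which sources are configured."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"hosts:\s*(.*)", line)
        if m:
            return [tok for tok in m.group(1).split() if not tok.startswith("[")]
    raise ValueError("no 'hosts:' line found in nsswitch.conf")


def parse_hosts_file(text):
    """Map every hostname and alias in /etc/hosts to its address (first wins)."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            table.setdefault(name, fields[0])
    return table


def resolve(name, order, hosts_table, dns_table):
    """Walk the sources in nsswitch order and return (address, source).
    (None, None) means no configured source answered."""
    for source in order:
        if source == "files" and name in hosts_table:
            return hosts_table[name], "files"
        if source == "dns" and name in dns_table:
            return dns_table[name], "dns"
    return None, None


def ipa_client_report(sssd_conf_text, nsswitch_text, hosts_text, dns_table):
    """Combine the two SSSD cases from the thread: without ipa_server, SSSD
    must run SRV discovery, which is always a DNS query regardless of the
    nsswitch order; with ipa_server set, only that hostname must resolve,
    and /etc/hosts alone can satisfy it."""
    server = None
    for line in sssd_conf_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "ipa_server" and value.strip():
            server = value.strip().split(",")[0].strip()
    report = {"srv_discovery": server is None, "ipa_server": server}
    if server is not None:
        addr, source = resolve(server, hosts_order(nsswitch_text),
                               parse_hosts_file(hosts_text), dns_table)
        report["address"] = addr
        report["resolved_via"] = source
    return report


if __name__ == "__main__":
    cases = (("explicit server, files only", SSSD_CONF_EXPLICIT, NSSWITCH_FILES_ONLY),
             ("explicit server, files dns", SSSD_CONF_EXPLICIT, NSSWITCH_FILES_DNS),
             ("SRV discovery", SSSD_CONF_SRV, NSSWITCH_FILES_ONLY))
    for label, conf, nss in cases:
        print(label, "->", ipa_client_report(conf, nss, HOSTS_FILE, STUB_DNS))
```

The report shows the trade-off in the thread: with `ipa_server` pinned and the server's name in /etc/hosts, a `hosts: files` order never reaches the `dns` source, whereas leaving `ipa_server` unset forces SRV discovery, which can only be answered by DNS servers and therefore by a populated resolv.conf.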
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel