> > My wish is to use sssd on a Linux system joined to a FreeIPA domain, but
> > being able to do this still *not* enabling the dns resolution for the rest
> > of that Linux system -> not populating the /etc/resolv.conf file.
> >
>
> So you would like to use DNS resolution only for sssd and let the rest
> of the system rely only on data in /etc/hosts? That seems like a recipe
> for trouble, keep in mind that libraries that SSSD uses might still want
> to perform name resolution themselves. For instance, Kerberos might need
> to canonicalize hostname in some cases.
>
> What is the problem you are trying to solve with this separation?
>

You caught the point.
In the past we used to have all Linux production systems use the dns server. In our business dns servers are managed by a different office.
During normal operations we faced occasional problems that prevented us from guaranteeing our service level agreement:
- the dns server having a bad configuration following a configuration upgrade: its forwarding policies got messed up and we had a lot of delay in serving requests
- the dns server resolves every system in the network: when network isolation is not achievable, we limited the "visibility" of systems by not enabling them to be found when searching by name. This helped a lot also when some colleagues made a mistake by forgetting to change the configuration of web applications from test to production (db connection strings, and so on...).

We decided to not use the dns server and put in the /etc/hosts file only the hosts we were aware that particular system needed to communicate with.

> > If I correctly understand, you are telling me that I could achieve this
> > result by withdrawing the "dns" keyword from the /etc/nsswitch.conf file.
> > Is this right?
>
> Not quite. Even though c-ares is a standalone resolver, it still reads
> /etc/nsswitch.conf and resolves in the same order as specified there.
>

Ok, I understand.
Thanks again
Marco
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel
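
The quoted reply says c-ares resolves in the order given in /etc/nsswitch.conf. The script below is an added example, not part of the thread: it reads the `hosts:` line and a resolv.conf file and reports which of the setups discussed above a host is in. The function names, verdict strings and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the host lookup configuration discussed in the thread.
# File paths are parameters so the checks can be run on copies of the files.

# Print the sources on the "hosts:" line, one per line, in lookup order.
# Comments and [STATUS=action] criteria are stripped first.
hosts_sources() {
    sed -e 's/#.*//' -e 's/\[[^]]*]//g' "$1" |
    awk '$1 == "hosts:" { for (i = 2; i <= NF; i++) print $i; exit }'
}

# Count active "nameserver" entries; a missing file counts as zero.
nameserver_count() {
    [ -r "$1" ] || { echo 0; return; }
    sed 's/[#;].*//' "$1" | awk '$1 == "nameserver" { n++ } END { print n + 0 }'
}

# Verdict for an nsswitch.conf / resolv.conf pair. Only the "dns" keyword
# from the thread is checked; other network sources are not considered.
audit_resolution() {
    sources=$(hosts_sources "$1")
    if ! printf '%s\n' "$sources" | grep -qx 'dns'; then
        echo "hosts-only"                 # lookups stop at the listed local sources
    elif [ "$(nameserver_count "$2")" -gt 0 ]; then
        echo "dns-enabled"                # dns listed and a server is configured
    else
        echo "dns-listed-no-nameserver"   # dns listed, resolv.conf left unpopulated
    fi
}

# Constructed sample files (not taken from the thread).
tmp=$(mktemp -d)
printf 'passwd: files sss\nhosts: files dns [NOTFOUND=return] myhostname\n' > "$tmp/nss_dns"
printf 'passwd: files sss\nhosts: files   # dns keyword withdrawn\n' > "$tmp/nss_files"
printf '# managed by another office\nnameserver 192.0.2.53\n' > "$tmp/resolv_set"
: > "$tmp/resolv_empty"

for nss in nss_dns nss_files; do
    for rc in resolv_set resolv_empty; do
        printf '%-10s %-13s %s\n' "$nss" "$rc" \
            "$(audit_resolution "$tmp/$nss" "$tmp/$rc")"
    done
done
rm -rf "$tmp"
```
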