I am a big fan of dns_lookup_realm = true in /etc/krb5.conf. Of course, our AD administrators maintain good SRV records for the various AD controllers -- so there's that. Also, they maintain a load-balanced pool per location for those apps that are not site-aware. Worst case, I could set my kdc = that. That LB pool will always be right, as they slip AD controllers in and out.

Spike

On Fri, Oct 5, 2018 at 6:04 AM Conwell, Nik <n...@bu.edu> wrote:

> Hi all, just curious what do you all do for Active Directory domain
> controllers in the krb5.conf? Seems like "realm join" by default populates
> the krb5.conf with the hostnames of all the AD KDCs discovered for the
> domain. All good until we decided we are going to rename the KDCs to all
> new names. Windows boxes don't care, apparently they will automatically
> rediscover based on the "_srv_" record queries. But from an SSSD-AD and
> krb5.conf perspective we may end up having to "realm leave" "realm join"
> the Linux boxes to pick up the new DCs or possibly edit the krb5.conf to
> change the discovered servers to be just "_srv_" so it will be dynamically
> queried.
>
> What are you all doing for SSSD-AD and the list of AD Domain Controllers?
> Do you manage the krb5.conf list directly, or do you just always change the
> list to be "_srv_"?
>
> Thanks.
>
> -nik
>
> *Nik Conwell* | Manager, Systems Engineering
> Boston University Information Services & Technology
>
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
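An added example, not part of the original thread: a small Python audit that lists which realms in a krb5.conf still have KDC host names pinned, the state the question describes after "realm join". The sample file and its host names are constructed; in MIT krb5, SRV lookup of KDCs is governed by `dns_lookup_kdc` and is only consulted for realms with no `kdc` entries, so the script reports that flag alongside the `dns_lookup_realm` setting mentioned in the reply.

```python
import re

# Constructed sample of what "realm join" leaves behind; host names are hypothetical.
SAMPLE_KRB5 = """\
[libdefaults]
    default_realm = AD.EXAMPLE.COM
    dns_lookup_realm = true

[realms]
    AD.EXAMPLE.COM = {
        kdc = dc01.ad.example.com
        kdc = dc02.ad.example.com:88
    }
    LAB.EXAMPLE.COM = {
        default_domain = lab.example.com
    }
"""
TRUE_WORDS = ("y", "yes", "true", "t", "1", "on")  # krb5.conf boolean spellings

def audit_krb5(text):
    """Return (libdefaults DNS flags, {realm: [pinned kdc entries]})."""
    section, realm = None, None
    flags = {"dns_lookup_kdc": None, "dns_lookup_realm": None}  # None = not set
    pinned = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, realm = header.group(1), None
            continue
        key, _, val = (p.strip() for p in line.partition("="))
        if section == "libdefaults" and key in flags:
            flags[key] = val.lower() in TRUE_WORDS
        elif section == "realms" and val == "{":
            realm = key
            pinned[realm] = []
        elif section == "realms" and line == "}":
            realm = None
        elif section == "realms" and realm and key == "kdc":
            pinned[realm].append(val)
    return flags, pinned

def realms_needing_edit(text):
    """Realms with pinned KDCs: a DC rename there requires a config change."""
    return sorted(r for r, hosts in audit_krb5(text)[1].items() if hosts)
```

Running `realms_needing_edit(open("/etc/krb5.conf").read())` across a fleet before a DC rename shows which hosts would keep pointing at the old names.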