Thanks Spike.  I hadn't thought about the load-balanced pool for apps that are 
not site-aware.  That's a good idea.  Take care.  -nik

From: Spike White <[email protected]>
Reply-To: End-user discussions about the System Security Services Daemon 
<[email protected]>
Date: Monday, October 8, 2018 at 10:13 AM
To: End-user discussions about the System Security Services Daemon 
<[email protected]>
Subject: [SSSD-users] Re: Active Domain Controller server lists (part of 
SSSD-AD)?

I am a big fan of

 dns_lookup_realm = true

in /etc/krb5.conf.  Of course, our AD administrators maintain good SRV records 
for the various AD controllers -- so there's that.

Also they maintain a load-balanced pool per location for those apps that are 
not site-aware.  Worst case, I could set my kdc = that.

That LB pool will always be right, as they slip in and out AD controllers.

Spike

On Fri, Oct 5, 2018 at 6:04 AM Conwell, Nik <[email protected]> wrote:
Hi all, just curious what do you all do for Active Directory domain controllers 
in the krb5.conf?  Seems like "realm join" by default populates the krb5.conf 
with the hostnames of all the AD KDCs discovered for the domain.  All good 
until we decided we are going to rename the KDCs to all new names.  Windows 
boxes don't care, apparently they will automatically rediscover based on the 
"_srv_" record queries.  But from an SSSD-AD and krb5.conf perspective we may 
end up having to "realm leave" "realm join" the Linux boxes to pick up the new 
DCs or possibly edit the krb5.conf to change the discovered servers to be just 
"_srv_" so it will be dynamically queried.

What are you all doing for SSSD-AD and the list of AD Domain Controllers?  Do 
you manage the krb5.conf list directly, or do you just always change the list 
to be "_srv_"?

Thanks.
-nik


Nik Conwell |  Manager, Systems Engineering
Boston University Information Services & Technology

_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
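
Added example, not part of the thread: a small audit of a krb5.conf that reports which realms have KDC hostnames pinned under [realms] (the entries that go stale when DCs are renamed) and which dns_lookup_* flags are set in [libdefaults]. The sample file, its hostnames and the function names are constructed for illustration.

```python
import re

# Constructed sample: a krb5.conf with KDC hostnames pinned under one realm,
# as described in the thread. Hostnames and realms are hypothetical.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = AD.EXAMPLE.COM
 dns_lookup_realm = true

[realms]
 AD.EXAMPLE.COM = {
  kdc = dc01.ad.example.com
  kdc = dc02.ad.example.com:88
 }
 LAB.EXAMPLE.COM = {
  default_domain = lab.example.com
 }
"""

def audit_krb5_conf(text):
    """Return (dns_lookup_* flags from [libdefaults], {realm: [kdc values]})."""
    section, realm = None, None
    flags, pinned = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:                                # new top-level section
            section, realm = m.group(1), None
        elif line == "}":                    # end of a realm subsection
            realm = None
        elif section == "realms" and line.endswith("{"):
            realm = line.split("=", 1)[0].strip()
            pinned[realm] = []
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if section == "libdefaults" and key.startswith("dns_lookup_"):
                flags[key] = value.lower()
            elif realm and key == "kdc":     # hard-coded KDC for this realm
                pinned[realm].append(value)
    return flags, pinned

def realms_needing_edit(text):
    """Realms whose KDC list is hard-coded and would go stale on a DC rename."""
    return sorted(r for r, kdcs in audit_krb5_conf(text)[1].items() if kdcs)

if __name__ == "__main__":
    print(audit_krb5_conf(SAMPLE_KRB5_CONF), realms_needing_edit(SAMPLE_KRB5_CONF))
```
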