Hi. We have the following setup: CentOS machines running version 7.3, and we want them to use Active Directory users for SSH logins.
The domain we want to use, ad.example.com, has two domain controllers with IP addresses 10.1.2.1 and 10.1.2.2, and both have DNS servers installed on them. We have the following in /etc/resolv.conf:

    search ad.example.com
    nameserver 10.1.2.1
    nameserver 10.1.2.2

We were able to do a join by using the following command:

    realm join ad.example.com

The computer objects are getting created in both domain controllers. SSH logins for the Active Directory users are also working without any issues. The /etc/sssd/sssd.conf file is as follows:

    [sssd]
    domains = ad.example.com
    config_file_version = 2
    services = nss, pam

    [pam]
    offline_credentials_expiration = 1

    [domain/ad.example.com]
    ad_domain = ad.example.com
    krb5_realm = ad.example.com
    realmd_tags = manages-system joined-with-samba
    cache_credentials = True
    id_provider = ad
    krb5_store_password_if_offline = True
    default_shell = /bin/bash
    ldap_id_mapping = True
    use_fully_qualified_names = False
    access_provider = ad
    override_homedir = /user/%u
    account_cache_expiration = 1
    entry_cache_timeout = 180

But when we take the first domain controller (10.1.2.1) down, which is the first nameserver in /etc/resolv.conf, SSSD is not trying the second domain controller (10.1.2.2) at all, because when we log in we see the following message:

    "Authenticated with cached credentials, your cached password will expire at: Fri Oct 18 19:47:42 2019."

We are able to ping 10.1.2.2, and the command nslookup ad.example.com also gives the following output:

    Server:   10.1.2.2
    Address:  10.1.2.2#53

    Name:     ad.example.com
    Address:  10.1.2.1
    Name:     ad.example.com
    Address:  10.1.2.2

We have not added any option for ad_server or ad_backup_server in our sssd.conf file, which I am assuming means that autodiscovery is turned on by default. So should /etc/resolv.conf only have one nameserver entry, which SSSD alone reads, meaning the main domain controller needs to be running always?
What I mainly want to know is this: even if one of the domain controllers is down and SSSD was using it as the primary domain controller for authentication requests, can it not fall back to using some other domain controller in the AD domain? How can I tweak my sssd.conf file for the use case that I want? If somebody can give me some advice on this, it would be really helpful.

Thank you,
Abhishek Deb
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
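As an added example (not part of the post or of SSSD itself), the following script audits a trimmed copy of the sssd.conf and resolv.conf quoted above for the failover gaps the post describes: no explicit ad_server/ad_backup_server list beside SRV autodiscovery, no dns_resolver_timeout, and no resolver timeout in resolv.conf. The sample inputs are constructed from the post; the finding codes are the script's own.

```python
"""Audit sssd.conf and resolv.conf for AD failover gaps (added example)."""
import configparser

# Constructed sample input: the [sssd] and domain sections from the post, trimmed
SSSD_CONF = """[sssd]
domains = ad.example.com
config_file_version = 2
services = nss, pam
[domain/ad.example.com]
ad_domain = ad.example.com
id_provider = ad
access_provider = ad
cache_credentials = True
"""
RESOLV_CONF = "search ad.example.com\nnameserver 10.1.2.1\nnameserver 10.1.2.2\n"

def parse_resolv(text):
    """Return (nameservers, options) from resolv.conf text; comments are skipped."""
    nameservers, options = [], {}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0][0] in "#;":
            continue
        if parts[0] == "nameserver" and len(parts) > 1:
            nameservers.append(parts[1])
        elif parts[0] == "options":
            for opt in parts[1:]:
                key, _, val = opt.partition(":")
                options[key] = val
    return nameservers, options

def audit(sssd_text, resolv_text):
    """Return a list of (code, message) findings; an empty list means no gap found."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(sssd_text)
    nameservers, options = parse_resolv(resolv_text)
    findings = []
    if len(nameservers) < 2:
        findings.append(("SINGLE_NS", "only one nameserver: DNS itself has no fallback"))
    if "timeout" not in options:
        findings.append(("RESOLV_TIMEOUT", "no 'options timeout:N': a dead first "
                         "nameserver holds each lookup for the libc default timeout"))
    for name in (s for s in cp.sections() if s.startswith("domain/")):
        dom = cp[name]
        if not dom.get("ad_server") and not dom.get("ad_backup_server"):
            findings.append(("SRV_ONLY", f"{name}: no ad_server/ad_backup_server, the "
                             "DC list comes only from DNS SRV autodiscovery (_srv_)"))
        if "dns_resolver_timeout" not in dom:
            findings.append(("DNS_RESOLVER_TIMEOUT", f"{name}: dns_resolver_timeout "
                             "unset, SSSD's default applies to SRV lookups"))
    return findings

if __name__ == "__main__":
    for code, msg in audit(SSSD_CONF, RESOLV_CONF):
        print(f"{code:22} {msg}")
```

Appending an explicit list such as `ad_server = _srv_` plus `ad_backup_server = <dc1>, <dc2>` and a `dns_resolver_timeout` to the domain section, and `options timeout:2 attempts:2` to resolv.conf, clears all findings.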
