All, sssd migration has been working very well for us -- except in the DMZs and heavily-restricted firewalled network segments.
For those network segments, the AD site is the same as the equivalent corporate location. So the typical DNS SRV record lookup reports a wealth of AD controllers -- most of which are blocked (no LDAPS traffic allowed). A couple of AD DCs are in the DMZ, etc.

The old commercial product appears to CLDAP ping every single AD controller it finds (via DNS SRV lookup). And when one responds, it queries that DC to get site, preferred DCs, etc. So the commercial product works, even in the face of most AD DCs being blocked.

adcli join and sssd appear to CLDAP ping only 4-5 AD DCs. If they don't get a response back, you get an error. If it's lucky enough to CLDAP ping an unblocked AD DC -- life is good, otherwise not so much.

Is there an option in adcli join and the sssd startup to CLDAP ping all DCs? Like the commercial product's behaviour?

Obviously, I could hard-code the KDCs in /etc/krb5.conf. But there are multiple downsides to that:
1. AD team switches out DCs w/o notice.
2. Hard to programmatically script out for new builds, as the list of DCs would vary according to each firewalled-off segment.

Spike
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
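As an added illustration of the workaround discussed in the post (scripting the krb5.conf KDC list per firewalled segment instead of hand-editing it), and not code from sssd, adcli or the original poster: the script below takes the full SRV answer, probes every DC it lists rather than the first few, and renders a [realms] stanza containing only the DCs this host can actually reach. The SRV answer text, hostnames and realm are constructed samples; the TCP connect probe stands in for a CLDAP ping.

```python
"""Build an explicit KDC list for krb5.conf from the AD SRV records that are
actually reachable from this host (added example, not sssd/adcli code).

Assumption: a DMZ host where most DCs returned by the _kerberos._tcp SRV
lookup are firewalled; keep only those that accept a TCP connection on the
advertised port within a short timeout. The SRV answer below is constructed."""
import socket

# Constructed sample of `dig +short SRV _kerberos._tcp.corp.example.com`
# (fields: priority weight port target).
SAMPLE_SRV = """\
0 100 88 dc01.corp.example.com.
0 100 88 dc02.corp.example.com.
0 100 88 dmz-dc01.corp.example.com.
10 50 88 dc03.corp.example.com.
"""

def parse_srv(text):
    """Return [(priority, weight, port, host)] in the order a client would try them."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        prio, weight, port, target = parts
        out.append((int(prio), int(weight), int(port), target.rstrip(".")))
    # Lower priority first; heavier weight first within the same priority.
    return sorted(out, key=lambda r: (r[0], -r[1]))

def tcp_probe(host, port, timeout=2.0):
    """True if the DC accepts a TCP connection; blocked DCs time out or refuse."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def reachable_dcs(records, probe=tcp_probe):
    """Probe every DC the SRV lookup returned, not just the first few."""
    return [host for _, _, port, host in records if probe(host, port)]

def krb5_realm_block(realm, kdcs):
    """Render a [realms] stanza listing only the reachable KDCs."""
    lines = [f"  {realm} = {{"] + [f"    kdc = {h}" for h in kdcs] + ["  }"]
    return "[realms]\n" + "\n".join(lines) + "\n"

if __name__ == "__main__":
    recs = parse_srv(SAMPLE_SRV)
    print(krb5_realm_block("CORP.EXAMPLE.COM", reachable_dcs(recs)))
```

Re-running it from a configuration management hook regenerates the list when the AD team swaps DCs, which addresses both downsides the post lists.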
