... perhaps configure an AD site specifically for the DMZ containing the reachable DCs and reference it in the SSSD config for those hosts?
-- lawrence

On Mon, May 11, 2020, 10:20 AM Spike White <[email protected]> wrote:
> All,
>
> sssd migration has been working very well for us -- except in the DMZs and
> heavily-restricted firewalled network segments.
>
> For those network segments, the AD site is the same as the equivalent
> corporate location. So the typical DNS SRV record lookup reports a wealth
> of AD controllers -- most of which are blocked (no LDAPS traffic allowed).
>
> A couple of AD DCs are in the DMZ, etc.
>
> The old commercial product appears to CLDAP ping every single AD
> controller it finds (via DNS SRV lookup). And when one responds, it
> queries that DC to get site, preferred DCs, etc. So the commercial product
> works, even in the face of most AD DCs blocked.
>
> adcli join and sssd appear to CLDAP ping only 4-5 AD DCs. If they don't
> get a response back, you get an error. If it's lucky enough to CLDAP ping
> an unblocked AD DC -- life is good, otherwise not so much.
>
> Is there an option in adcli join and the sssd startup to CLDAP ping all
> DCs? Like the commercial product's behaviour?
>
> Obviously, I could hard-code the KDCs in /etc/krb5.conf. But there are
> multiple downsides to that:
> 1. AD team switches out DCs w/o notice.
> 2. Hard to programmatically script out for new builds, as the list of
> DCs would vary according to each firewalled-off segment.
>
> Spike
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
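The suggestion in the reply above (a dedicated AD site for the DMZ, referenced from the SSSD configuration) maps onto two options of the SSSD AD provider documented in sssd-ad(5): `ad_site`, which pins site discovery to a named site so that the site-specific SRV records (`_ldap._tcp.<site>._sites.dc._msdcs.<domain>`) are queried instead of the domain-wide ones, and `ad_server`, which lets you list reachable DCs ahead of the `_srv_` DNS discovery marker. The fragment below is an added example written for this page; it is not configuration posted by either participant. The domain `example.com`, the site name `DMZ` and the host names `dmz-dc1`/`dmz-dc2` are assumptions, to be replaced with the site the AD team actually creates and the DCs the firewall actually permits.

```ini
# /etc/sssd/sssd.conf (added example; example.com, DMZ, dmz-dc1/dmz-dc2 are assumed names)
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ad
access_provider = ad
ad_domain = example.com

# Pin site discovery to the DMZ site instead of the one auto-discovered
# via CLDAP, so SRV lookups return only the DCs placed in that site.
ad_site = DMZ

# Optional belt-and-braces: try the known-reachable DMZ DCs first, then
# fall back to SRV discovery (which, with ad_site set, is site-scoped).
ad_server = dmz-dc1.example.com, dmz-dc2.example.com, _srv_
ad_backup_server = _srv_
```

After `systemctl restart sssd`, `sssctl domain-status example.com` (from sssd-tools) reports which DC and Global Catalog the provider is actually talking to, which is the quickest way to confirm the host is no longer trying firewalled controllers. Note that `adcli join` runs before sssd.conf is consulted, so the initial join in a DMZ still needs an explicit `--domain-controller=dmz-dc1.example.com` (the `-S` option of adcli) to avoid the blocked-DC lottery described in the original post.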
