On Mon, 2020-05-11 at 09:19 -0500, Spike White wrote:

All,

sssd migration has been working very well for us -- except in the DMZs and 
heavily-restricted firewalled network segments.

For those network segments, the AD site is the same as the equivalent corporate 
location. So the typical DNS SRV record lookup reports a wealth of AD 
controllers -- most of which are blocked (no LDAPS traffic allowed).

A couple of AD DCs are in the DMZ, etc.

The old commercial product appears to CLDAP ping every single AD controller it 
finds (via DNS SRV lookup). And when one responds, it queries that DC to get 
site, preferred DCs, etc. So the commercial product works, even in the face of 
most AD DCs being blocked.

adcli join and sssd appear to CLDAP ping only 4-5 AD DCs. If they don't get a 
response back, you get an error. If it's lucky enough to CLDAP ping an 
unblocked AD DC -- life is good, otherwise not so much.

Old adcli, use 0.9.0


_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]