<div dir="ltr"><a href="https://fedorahosted.org/freeipa/ticket/2008">https://fedorahosted.org/freeipa/ticket/2008</a><br><div>is there a possibility to do the same for the SRV records windows servers?<br></div></div><div class="gmail_extra">
<br><br><div class="gmail_quote">2013/10/14 МИХАИЛ А <span dir="ltr"><<a href="mailto:avdusheff@gmail.com" target="_blank">avdusheff@gmail.com</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="HOEnZb"><div class="h5"><div dir="ltr"><br><br><div class="gmail_quote">---------- Forwarded message ----------<br>From: <b class="gmail_sendername">МИХАИЛ А</b> <span dir="ltr"><<a href="mailto:avdusheff@gmail.com" target="_blank">avdusheff@gmail.com</a>></span><br>
Date: 2013/10/14<br>Subject: Re: [Freeipa-users] (no subject)<br>To: <a href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a><br><br><br><div dir="ltr">Simplify the circuit. I have a windows server DC, IPA replica server. My job is to authenticate the windows user to your account on the client fedora and redhat. As I understand it, when logging on to the IPA server with a windows account, there is a request to the windows DC found in the SRV record in DNS. Because of the forest, I have a site section in which there is 1 windows server and 1 IPA server, but on the request the IPA server does not always refer to the neighbor windows dealing center; I found this in the sssd log at debug level 5. We do not have network connectivity between sites; there is a single point-to-site where network connectivity is available.<br>
<div>Trust between the domains windows and IPA available. Log in to the central site, where there is network connectivity runs great, for example (ssh -l winuser@windomain ipa.client or ipa-replica-server -----OK)<br></div>
<div><br></div></div><div><div><div class="gmail_extra"><br><br><div class="gmail_quote">2013/10/12 Dmitri Pal <span dir="ltr"><<a href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><div>
On 10/11/2013 02:07 PM, МИХАИЛ А wrote:
<blockquote type="cite">
<div dir="ltr">Maybe I have to explicitly specify the windows
server which will address my IPA server to authenticate windows
user on ipa-client? For example there is the IPA server
p0129ipa01.ipa.sys local and Win DC p0129ad-dc01.sys.local. How
do I specify that a request for authorization obviously gone to
windows server or to any windows in the DC area? Because I do
not have network connectivity to ports in other regions. A
DNS-request is sent to all SRV-windows servers in a random
order, depending can not compute.<br>
<div>WIN DC in the subnet that corresponds to and authorizes the
windows users outside of DC who, in a different subnet is not
responsible for authorization (id winuser@windomain, getent
passwd winuser@windomain, ssh -l winuser@windomain ipa-client)</div>
<div>IPA-server fedora 19, ipa-client fedora19 and RedHat 6.x</div>
</div>
</blockquote>
<br></div>
The configuration still puzzles me.<br>
Can you share your sanitized sssd.conf?<br>
Based on your description you have:<br>
<br>
Windows DCs<br>
IPAs<br>
Clients that are configured to use IPA and DC (at the same time?
how?)<br>
Users coming from AD authenticating on the client<br>
<br>
My point is that you need to either:<br>
* Connect your SSSD to AD directly, then there is no IPA in picture<br>
* Connect your SSSD to IPA. In this case you can authenticate users
that are native to IPA, synced to IPA from AD or you can use trusted
users from AD accessing system if IPA and AD is in trust
relationship<br>
* Connect your SSSD to AD as one domain to allow AD users to
authenticate and create another domain that would connect SSSD to
IPA. This is for non-overlapping user sets between AD and IPA<br>
<br>
If you are running some other configuration it is probably something
that we do not recommend.<br>
<br>
We know people try to use one configuration to force user
authentication against AD while other information including user
setup comes from IPA, but we do not recommend this setup because we
can't upgrade from it cleanly.<div><div><br>
<br>
<br>
<br>
<br>
<blockquote type="cite">
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">2013/10/11 Dmitri Pal <span dir="ltr"><<a href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div> On 10/11/2013 05:22 AM, МИХАИЛ А wrote:
<blockquote type="cite">
<div dir="ltr">Good afternoon. In each region, I have
a couple of controllers (windows and ipa). With the
authorization server in the logs ipa (sssd log) I
find that the request is not for the neighbor by
location windows server, and randomly throughout the
forest. Tell me is there a way to explicitly specify
the IPA server on windows DC. Logs attached.<br>
<div>there somewhere documentation about?<br>
</div>
</div>
</blockquote>
<br>
</div>
I am not quite sure I understand your setup but I will try
to give you some hints.<br>
<br>
If you want SSSD to access a specific IPA server or
servers you can define primary and secondary servers
explicitly in the SSSD configuration. See SSSD man pages.<br>
This can also be done via ipa-client-install command line
starting IPA client 3.0 and SSSD 1.9<br>
<br>
But that would sort of override the information coming
from DNS.<br>
<br>
If you are looking for SSSD to support DNS sites then this
functionality is available in SSSD in 1.11 if SSSD is
joined directly to AD via AD provider. If you are looking
for the same functionality when SSSD connects to IPA then
it is still on the roadmap because IPA does not support
sites.<br>
<a href="https://fedorahosted.org/freeipa/ticket/2008" target="_blank">https://fedorahosted.org/freeipa/ticket/2008</a><br>
<br>
<blockquote type="cite">
<div>
<div dir="ltr">
<div><br>
</div>
<div><br>
</div>
<div>
<div>next to the IPA server pk529ad-dc01.sys.local</div>
<div>IPA server and knocks pk429ad-dc01.sys.local
to another region</div>
</div>
<div><br>
</div>
</div>
<br>
<fieldset></fieldset>
<br>
</div>
<pre>_______________________________________________
Freeipa-users mailing list
<a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
<span><font color="#888888"> </font></span></blockquote>
<span><font color="#888888"> <br>
<br>
<pre cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a href="http://www.redhat.com/carveoutcosts/" target="_blank">www.redhat.com/carveoutcosts/</a>
</pre>
</font></span></div>
<br>
_______________________________________________<br>
Freeipa-users mailing list<br>
<a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a><br>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
<br>
<pre cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a href="http://www.redhat.com/carveoutcosts/" target="_blank">www.redhat.com/carveoutcosts/</a>
</pre>
</div></div></div>
</blockquote></div><br></div>
</div></div></div><br></div>
</div></div></blockquote></div><br></div>
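<div dir="ltr">Dmitri's hint above, that SSSD can be pinned to specific IPA servers instead of relying purely on DNS, as an added sssd.conf fragment. This is an illustration written for this page, not configuration from the thread or from the SSSD project; the domain and host names are constructed placeholders. It shows the DNS-only default next to a configuration that names the local replica as primary, keeps SRV discovery as a fallback, and lists a remote replica as backup.</div>

```ini
# Added example (not from the thread); domain and hostnames are placeholders.
[domain/ipa.example.test]
id_provider = ipa
auth_provider = ipa
ipa_domain = ipa.example.test
ipa_hostname = client01.ipa.example.test

# Default: every IPA server is discovered through the DNS SRV records
# for the domain, in SRV priority/weight order, with no notion of sites.
# This is the behaviour that sends requests to replicas in other regions.
#ipa_server = _srv_

# Pinned: try the replica in this site first; only if it is unreachable
# fall back to DNS discovery, and then to the named remote replica.
ipa_server = ipa-site1.ipa.example.test, _srv_
ipa_backup_server = ipa-central.ipa.example.test
```

<div dir="ltr">The same result can be produced at enrollment time with ipa-client-install by passing the local replica via --server and, to suppress the _srv_ entry entirely, --fixed-primary. Note the limit of this approach, which matches the caveat in the thread: it only controls which IPA server the client talks to. It does not influence how the IPA server itself locates an AD domain controller for the trust, which is still a plain SRV lookup without site awareness; that is the gap tracked in the linked ticket 2008.</div>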