<div dir="ltr"><a href="https://fedorahosted.org/freeipa/ticket/2008">https://fedorahosted.org/freeipa/ticket/2008</a><br><div>is there a possibility to do the same for the SRV records windows servers?<br></div></div><div class="gmail_extra"> <br><br><div class="gmail_quote">2013/10/14 Михаил А <span dir="ltr"><<a href="mailto:avdusheff@gmail.com" target="_blank">avdusheff@gmail.com</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <div class="HOEnZb"><div class="h5"><div dir="ltr"><br><br><div class="gmail_quote">---------- Forwarded message ----------<br>From: <b class="gmail_sendername">Михаил А</b> <span dir="ltr"><<a href="mailto:avdusheff@gmail.com" target="_blank">avdusheff@gmail.com</a>></span><br> Date: 2013/10/14<br>Subject: Re: [Freeipa-users] (no subject)<br>To: <a href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a><br><br><br><div dir="ltr">Simplify the circuit. I have a windows server DC, IPA replica server. My job is to authenticate the user windows to your account on the client fedora and redhat. As I understand it when logging on IPA server running windows account - there is a request for vigdovs DC, found on the SRV record in DNS. Because the forest I site section in which is1 windows server and 1 IPA server, but at the request IPA server is not always refers to the neighbor windows dealing center I found this in the log ssssd at debug level 5.We do not have network connectivity between sites, there is a single point-to-site, where network connectivity is available.<br> <div>Trust between the domains windows and IPA available. Log in to the central site, where there is network connectivity runs great, for example (ssh -l winuser@windomain ipa.client or ipa-replica-server -----OK)<br></div> <div><br></div></div><div><div><div class="gmail_extra"><br><br><div class="gmail_quote">2013/10/12 Dmitri Pal <span dir="ltr"><<a href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>></span><br> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <div bgcolor="#FFFFFF" text="#000000"><div> On 10/11/2013 02:07 PM, Михаил А wrote: <blockquote type="cite"> <div dir="ltr">Maybe I have to explicitly specify the windows server which will address my IPA server to authenticate windows user on ipa-client? For example there is the IPA server p0129ipa01.ipa.sys local and Win DC p0129ad-dc01.sys.local. How do I specify that a request for authorization obviously gone to windows server or to any windows in the DC area? Because I do not have network connectivity to ports in other regions. A DNS-request is sent to all SRV-windows servers in a random order, depending can not compute.<br> <div>WIN DC in the subnet that corresponds to and authorizes the windows users outside of DC who, in a different subnet is not responsible for authorization (id winuser@windomain, getent passwd winuser@windomain, ssh -l winuser@windomain ipa-client)</div> <div>IPA-server fedora 19, ipa-client fedora19 and RedHat 6.x</div> </div> </blockquote> <br></div> The configuration still puzzles me.<br> Can you share your sanitized sssd.conf?<br> Based on you description you have:<br> <br> Windows DCs<br> IPAs<br> Clients that are configured to use IPA and DC (at the same time? how?)<br> Users coming from AD authenticating on the client<br> <br> My point is that you need to either:<br> * Connect your SSSD to AD directly, then there is no IPA in picture<br> * Connect you SSSD to IPA. In this case you can authenticate users that are native to IPA, synced to IPA from AD or you can use trusted users from AD accessing system if IPA and AD is in trust relationship<br> * Connect your SSSD to AD as one domain to allow AD users to authenticate and create another domain that would connect SSSD to IPA. This is for non overlapping user sets between AD and IPA<br> <br> If you running some other configuration it is probably something that we do not recommend.<br> <br> We know people try to use one configuration to force user authentication against AD while other information including user setup comes from IPA, but we do not recommend this setup because we can't upgrade from it cleanly.<div><div><br> <br> <br> <br> <br> <blockquote type="cite"> <div class="gmail_extra"><br> <br> <div class="gmail_quote">2013/10/11 Dmitri Pal <span dir="ltr"><<a href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>></span><br> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <div bgcolor="#FFFFFF" text="#000000"> <div> On 10/11/2013 05:22 AM, Михаил А wrote: <blockquote type="cite"> <div dir="ltr">Good afternoon. In each region, I have a couple of controllers (windows and ipa). With the authorization server in the logs ipa (sssd log) I find that the request is not for the neighbor by location windows server, and randomly throughout the forest. Tell me is there a way to explicitly specify the IPA server on windows DC. Logs attached.<br> <div>there somewhere documentation about?<br> </div> </div> </blockquote> <br> </div> I am not quite sure I understand you setup but I will try to give you some hints.<br> <br> If you want SSSD to access a specific IPA server or servers you can define primary and secondary servers explicitly in the SSSD configuration. See SSSD man pages.<br> This can also be done via ipa-client-install command line starting IPA client 3.0 and SSSD 1.9<br> <br> But that would sort of override the information coming from DNS.<br> <br> If you are looking for SSSD to support DNS sites then this functionality is available in SSSD in 1.11 if SSSD is joined directly to AD via AD provider. If you are looking for the same functionality when SSSD connects to IPA then it is still on the roadmap because IPA does not support sites.<br> <a href="https://fedorahosted.org/freeipa/ticket/2008" target="_blank">https://fedorahosted.org/freeipa/ticket/2008</a><br> <br> <blockquote type="cite"> <div> <div dir="ltr"> <div><br> </div> <div><br> </div> <div> <div>next to the IPA server pk529ad-dc01.sys.local</div> <div>IPA server and knocks pk429ad-dc01.sys.local to another region</div> </div> <div><br> </div> </div> <br> <fieldset></fieldset> <br> </div> <pre>_______________________________________________ Freeipa-users mailing list <a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre> <span><font color="#888888"> </font></span></blockquote> <span><font color="#888888"> <br> <br> <pre cols="72">-- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? <a href="http://www.redhat.com/carveoutcosts/" target="_blank">www.redhat.com/carveoutcosts/</a> </pre> </font></span></div> <br> _______________________________________________<br> Freeipa-users mailing list<br> <a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a><br> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br> </blockquote> </div> <br> </div> </blockquote> <br> <br> <pre cols="72">-- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? <a href="http://www.redhat.com/carveoutcosts/" target="_blank">www.redhat.com/carveoutcosts/</a> </pre> </div></div></div> </blockquote></div><br></div> </div></div></div><br></div> </div></div></blockquote></div><br></div>