[Freeipa-users] Question on AD to freeipa sync

Stephen Gallagher sgallagh at redhat.com
Tue Oct 4 14:47:40 UTC 2011


These are all great ideas, Ondrej. Would you mind opening RFE bugs for
them? You can file them upstream at https://fedorahosted.org/sssd or in
Red Hat Bugzilla https://bugzilla.redhat.com in the sssd component.

On Tue, 2011-10-04 at 16:29 +0200, Ondrej Valousek wrote:
> 
> > Can you provide more information here? We DO have support for automatic
> > detection based on DNS SRV records. Does a "DC locator" use some other
> > mechanism?
> > 
> Example AD domain CONTOSO.COM used on 3 sites - Prague, Cork, Dublin.
> I have a machine in Prague and I want it to join CONTOSO.COM. Now if I
> used:
> 
> dns_discovery_domain = contoso.com
> 
> sssd would try to connect to any DC in the domain - even the one in
> Dublin, completely ignoring sites.
> I have to use:
> 
> dns_discovery_domain = Prague._sites.contoso.com
> 
> To force it to use Prague DCs only.
> My understanding is that the "DC locator" tries to communicate with
> DCs first to determine the local site, and remote DCs are only used if no
> valid/working DC can be found in the local site (Prague in this case).
> 
> > I'm not sure what you mean by this? Do you mean you don't want to have
> > to specify ldap_schema = rfc2307bis and have it instead auto-detected?
> > 
> > That's trickier than it sounds.
> > 
> Well, this is a really small one. I would say it would be perfectly
> sufficient to introduce something like:
> 
> ldap_schema=msrfc2307bis
> 
> which would be equivalent to:
> 
> ldap_user_object_class = user
> ldap_group_object_class = group
> ldap_user_home_directory = unixHomeDirectory
> ldap_schema = rfc2307bis
> 
> Also, the LDAP bind mechanism negotiation could potentially be
> improved; now I have to explicitly specify
> 
> ldap_sasl_mech = GSSAPI
> 
> otherwise sssd tries to use SASL/EXTERNAL, which fails when
> communicating with AD controllers.
> 
> > What features of the krb5 library do you mean? SSSD provides a locator
> > plugin that manages several features of the krb5 library, including
> > kinit and kpasswd.
> > 
> The thing is that not all Linux apps are using sssd, so we have to
> remember to configure /etc/krb5.conf too.
> When using Centrify, all I need to do is:
> 
> # adjoin contoso.com
> 
> ..which takes care of everything - /etc/nsswitch.conf, krb5.conf, PAM
> modules, eeeverything. If I wanted to use sssd for the same job I have
> to:
> 
> 1. configure (manually) /etc/samba/smb.conf
> 2. net ads join (- just to get machine creds)
> 3. configure (manually) sssd.conf
> 4. configure (manually) PAM modules
> 5. configure (manually) krb5.conf
> 
> I understand that much of this is probably not sssd's duty, but it would
> be helpful to have some script around which would do the same job.
> 

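The site-aware fallback Ondrej describes (try the DCs of the local site first, use the domain-wide SRV list only when none of them answers) can be modelled with ordinary SRV lookups. The block below is an added illustration, not sssd's code or anything from the thread: it assumes the `_ldap._tcp.<site>._sites.<domain>` naming shown above, RFC 2782 priority/weight ordering, and a caller-supplied reachability probe, and it runs against constructed SRV records rather than real DNS.

```python
"""Site-aware DC selection over SRV records (constructed example, not sssd)."""
import random

# Constructed SRV data: name -> list of (priority, weight, port, target).
SRV_RECORDS = {
    "_ldap._tcp.Prague._sites.contoso.com": [
        (0, 100, 389, "dc1.prague.contoso.com"),
        (0, 50, 389, "dc2.prague.contoso.com"),
    ],
    "_ldap._tcp.contoso.com": [
        (0, 100, 389, "dc1.prague.contoso.com"),
        (0, 100, 389, "dc1.cork.contoso.com"),
        (10, 100, 389, "dc1.dublin.contoso.com"),
    ],
}


def srv_names(domain, site=None):
    """Lookup order: site-specific SRV name first (if a site is known), then domain-wide."""
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.{domain}")
    names.append(f"_ldap._tcp.{domain}")
    return names


def order_srv(records, rng=random):
    """RFC 2782 ordering: lowest priority first; within a priority, weighted random."""
    ordered = []
    for prio in sorted({r[0] for r in records}):
        pool = [r for r in records if r[0] == prio]
        while pool:
            total = sum(r[1] for r in pool)
            pick = rng.uniform(0, total) if total else 0
            for r in pool:
                pick -= r[1]
                if pick <= 0 or r is pool[-1]:
                    ordered.append(r)
                    pool.remove(r)
                    break
    return ordered


def locate_dc(domain, site, reachable, lookup=SRV_RECORDS.get, rng=random):
    """Return (host, port) of the first DC that answers the probe, site-local DCs first.

    `reachable(host, port)` is a hypothetical probe (e.g. a TCP connect with a timeout);
    `lookup(name)` stands in for a real SRV query and returns a record list or None.
    """
    for name in srv_names(domain, site):
        for _, _, port, host in order_srv(lookup(name) or [], rng):
            if reachable(host, port):
                return host, port
    return None
```

With `site=None` the function degrades to the plain domain-wide behaviour the thread complains about, which makes the effect of the site hint easy to compare.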
