[Freeipa-users] Question on AD to freeipa sync

Ondrej Valousek ondrejv at s3group.cz
Wed Oct 5 08:02:35 UTC 2011


Submitted RFEs #743503, #743505, #743505 and #743509 into Red Hat Bugzilla (I have no login to fedorahosted.org so I could not submit to upstream).
Take them as a wish-list only and feel free to close them if they do not fit into the IPA roadmap.

Thanks!
Ondrej

On 10/04/2011 04:47 PM, Stephen Gallagher wrote:
> These are all great ideas, Ondrej. Would you mind opening RFE bugs for
> them? You can file them upstream at https://fedorahosted.org/sssd or in
> Red Hat Bugzilla https://bugzilla.redhat.com in the sssd component.
>
> On Tue, 2011-10-04 at 16:29 +0200, Ondrej Valousek wrote:
>>> Can you provide more information here? We DO have support for automatic
>>> detection based on DNS SRV records. Does a "DC locator" use some other
>>> mechanism?
>>>
>> Example AD domain CONTOSO.COM used on 3 sites - Prague, Cork, Dublin.
>> I have a machine in Prague and I want it to join CONTOSO.COM. Now if I
>> used:
>>
>> dns_discovery_domain = contoso.com
>>
>> sssd would try to connect to any DC in the domain - even the one in
>> Dublin, completely ignoring sites.
>> I have to use:
>>
>> dns_discovery_domain = Prague._sites.contoso.com
>>
>> To force it to use Prague DCs only.
>> My understanding is that the "DC locator" tries to communicate with
>> DCs first to determine the local site, and remote DCs are only used if no
>> valid/working DC can be found in the local site (Prague in this case).
>>
>>> I'm not sure what you mean by this? Do you mean you don't want to have
>>> to specify ldap_schema = rfc2307bis and have it instead auto-detected?
>>>
>>> That's trickier than it sounds.
>>>
>> Well, this is a really small one. I would say it would be perfectly
>> sufficient to introduce something like:
>>
>> ldap_schema=msrfc2307bis
>>
>> which would be equivalent to:
>>
>> ldap_user_object_class = user
>> ldap_group_object_class = group
>> ldap_user_home_directory = unixHomeDirectory
>> ldap_schema = rfc2307bis
>>
>> also, the ldap bind mechanism negotiation could be potentially
>> improved, now I have to explicitly specify
>>
>> ldap_sasl_mech = GSSAPI
>>
>> otherwise sssd tries to use SASL/EXTERNAL which fails when
>> communicating to AD controllers.
>>
>>> What features of the krb5 library do you mean? SSSD provides a locator
>>> plugin that manages several features of the krb5 library, including
>>> kinit and kpasswd.
>>>
>> The thing is that not all Linux apps are using sssd, so we have to
>> remember to configure /etc/krb5.conf too.
>> When using Centrify, all I need to do is:
>>
>> # adjoin contoso.com
>>
>> ..which takes care of everything - /etc/nsswitch.conf, krb5.conf, PAM
>> modules, eeeverything. If I wanted to use sssd for the same job I have
>> to:
>>
>> 1. configure (manually) /etc/samba/smb.conf
>> 2. net ads join (- just to get machine creds)
>> 3. configure (manually) sssd.conf
>> 4. configure (manually) PAM modules
>> 5. configure (manually) krb5.conf
>>
>> I understand that much of this is probably not sssd duty, but it would
>> be helpful to have some script around which would do the same job.
>>
>>
>> ______________________________________________________________________
>> The information contained in this e-mail and in any attachments is
>> confidential and is designated solely for the attention of the
>> intended recipient(s). If you are not an intended recipient, you must
>> not use, disclose, copy, distribute or retain this e-mail or any part
>> thereof. If you have received this e-mail in error, please notify the
>> sender by return e-mail and delete all copies of this e-mail from your
>> computer system(s). Please direct any additional queries to:
>> communications at s3group.com. Thank You. Silicon and Software Systems
>> Limited (S3 Group). Registered in Ireland no. 378073. Registered
>> Office: South County Business Park, Leopardstown, Dublin 18
>>
>> ______________________________________________________________________
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
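The site-scoping point in the thread (a plain `dns_discovery_domain = contoso.com` hands sssd every DC in the domain, while `Prague._sites.contoso.com` narrows it to one site, and a Windows-style DC locator tries the local site first and falls back to the rest only when no local DC answers) can be modelled in a few dozen lines. The block below is an added example, not code from sssd or from anyone in this thread. It assumes sssd's documented behaviour of looking up the SRV name `_ldap._tcp.<dns_discovery_domain>`, orders SRV answers the way RFC 2782 prescribes (ascending priority, weighted random within a priority), and uses a constructed in-memory DNS zone for the three sites; the `is_alive` probe is a stand-in for a real connection attempt.

```python
"""Site-aware DC selection over DNS SRV records (added example, not sssd code).

Models the behaviour discussed in the thread: the domain-wide SRV name
returns every DC in the domain, the site-scoped name returns only the local
site's DCs, and a site-aware locator prefers the site-scoped answer, using
the domain-wide answer only as a fallback. All DNS data here is constructed.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


# Constructed zone data for the example (three sites, as in the thread).
# Keys are lower-cased because DNS names are case-insensitive.
FAKE_DNS = {
    "_ldap._tcp.contoso.com": [
        SrvRecord(0, 100, 389, "dc1.prague.contoso.com"),
        SrvRecord(0, 100, 389, "dc1.cork.contoso.com"),
        SrvRecord(0, 100, 389, "dc1.dublin.contoso.com"),
        SrvRecord(0, 100, 389, "dc2.dublin.contoso.com"),
    ],
    "_ldap._tcp.prague._sites.contoso.com": [
        SrvRecord(0, 100, 389, "dc1.prague.contoso.com"),
    ],
    "_ldap._tcp.cork._sites.contoso.com": [
        SrvRecord(0, 100, 389, "dc1.cork.contoso.com"),
    ],
}


def sssd_discovery_query(dns_discovery_domain, service="ldap"):
    """SRV name sssd derives from dns_discovery_domain: _<service>._tcp.<domain>.

    This is why setting dns_discovery_domain to "Prague._sites.contoso.com"
    restricts discovery to the Prague site: the site label becomes part of
    the queried name.
    """
    return f"_{service}._tcp.{dns_discovery_domain}"


def lookup_srv(name, resolver=FAKE_DNS):
    """Resolve an SRV name against the constructed zone (case-insensitive)."""
    return list(resolver.get(name.lower(), []))


def order_srv(records, rng=None):
    """Order SRV records per RFC 2782: lowest priority first, then a
    weighted random draw among records sharing a priority."""
    rng = rng or random.Random(0)  # fixed seed keeps the example deterministic
    ordered = []
    for prio in sorted({r.priority for r in records}):
        bucket = [r for r in records if r.priority == prio]
        while bucket:
            total = sum(r.weight for r in bucket)
            pick = rng.randint(0, total) if total else 0
            running = 0
            for r in bucket:
                running += r.weight
                if running >= pick:
                    ordered.append(r)
                    bucket.remove(r)
                    break
    return ordered


def locate_dcs(domain, site=None, resolver=FAKE_DNS, is_alive=lambda target: True):
    """Return DC targets in the order a site-aware locator would try them.

    Site-scoped records come first; domain-wide records are appended only as
    a fallback, so a Dublin DC is contacted only if no Prague DC answers.
    `is_alive` stands in for a real connection/bind attempt.
    """
    candidates = []
    if site:
        candidates += order_srv(lookup_srv(sssd_discovery_query(f"{site}._sites.{domain}"), resolver))
    seen = {r.target for r in candidates}
    for r in order_srv(lookup_srv(sssd_discovery_query(domain), resolver)):
        if r.target not in seen:
            candidates.append(r)
    return [r.target for r in candidates if is_alive(r.target)]


if __name__ == "__main__":
    print("domain-wide :", locate_dcs("contoso.com"))
    print("Prague site :", locate_dcs("contoso.com", site="Prague"))
    # Simulate the Prague DC being down: the locator falls through to other sites.
    print("Prague down :", locate_dcs("contoso.com", site="Prague",
                                      is_alive=lambda t: "prague" not in t))
```

With a site given, the Prague DC is always first in the candidate list; only when the probe reports it dead do the Cork and Dublin DCs from the domain-wide answer get a turn, which is the fallback the thread attributes to the Windows DC locator and contrasts with a flat `dns_discovery_domain = contoso.com` lookup.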



