[Freeipa-users] (no subject)

Михаил А avdusheff at gmail.com
Mon Oct 14 13:52:22 UTC 2013


https://fedorahosted.org/freeipa/ticket/2008
Is there a possibility to do the same for the SRV records of the Windows servers?


2013/10/14 Михаил А <avdusheff at gmail.com>

>
>
> ---------- Forwarded message ----------
> From: Михаил А <avdusheff at gmail.com>
> Date: 2013/10/14
> Subject: Re: [Freeipa-users] (no subject)
> To: dpal at redhat.com
>
>
> To simplify the scheme: I have a Windows Server DC and an IPA replica server. My
> task is to authenticate Windows users to their own accounts on Fedora and Red Hat
> clients. As I understand it, when a Windows account logs in through the IPA
> server, a request goes to the Windows DC found via the SRV record in DNS. The
> forest is divided into sites, each of which has 1 Windows server and 1 IPA
> server, but on a request the IPA server does not always refer to the neighbouring
> Windows domain controller; I found this in the sssd log at debug level 5. We do
> not have network connectivity between sites; there is a single point (site)
> where network connectivity is available.
> A trust between the Windows and IPA domains is available. Logging in at the
> central site, where there is network connectivity, works great, for example (ssh -l
> winuser at windomain ipa.client or ipa-replica-server -----OK)
>
>
>
> 2013/10/12 Dmitri Pal <dpal at redhat.com>
>
>>  On 10/11/2013 02:07 PM, Михаил А wrote:
>>
>> Maybe I have to explicitly specify the Windows server which my IPA server will
>> address to authenticate a Windows user on an ipa-client? For example, there
>> is the IPA server p0129ipa01.ipa.sys.local and the Win DC
>> p0129ad-dc01.sys.local. How do I specify that an authorization request
>> explicitly goes to this Windows server, or to any Windows server in the DC's area? Because
>> I do not have network connectivity to the ports in other regions. A DNS request
>> is sent to all Windows SRV servers in random order, so the result cannot be
>> predicted.
>> The WIN DC in the corresponding subnet authorizes the Windows users; a DC
>> outside of it, in a different subnet, does not handle the
>> authorization (id winuser at windomain, getent passwd winuser at windomain,
>> ssh -l winuser at windomain ipa-client)
>> IPA server Fedora 19, ipa-client Fedora 19 and Red Hat 6.x
>>
>>
>> The configuration still puzzles me.
>> Can you share your sanitized sssd.conf?
>> Based on your description you have:
>>
>> Windows DCs
>> IPAs
>> Clients that are configured to use IPA and DC (at the same time? how?)
>> Users coming from AD authenticating on the client
>>
>> My point is that you need to either:
>> * Connect your SSSD to AD directly, then there is no IPA in the picture
>> * Connect your SSSD to IPA. In this case you can authenticate users that
>> are native to IPA, synced to IPA from AD, or you can use trusted users from
>> AD accessing the system if IPA and AD are in a trust relationship
>> * Connect your SSSD to AD as one domain to allow AD users to authenticate
>> and create another domain that would connect SSSD to IPA. This is for
>> non-overlapping user sets between AD and IPA
>>
>> If you are running some other configuration it is probably something that we
>> do not recommend.
>>
>> We know people try to use one configuration to force user authentication
>> against AD while other information including user setup comes from IPA, but
>> we do not recommend this setup because we can't upgrade from it cleanly.
>>
>>
>>
>>
>>
>>
>>
>> 2013/10/11 Dmitri Pal <dpal at redhat.com>
>>
>>>  On 10/11/2013 05:22 AM, Михаил А wrote:
>>>
>>> Good afternoon. In each region I have a pair of controllers (Windows
>>> and IPA). In the IPA authorization server's logs (sssd log) I find
>>> that the request goes not to the Windows server that is the neighbour by
>>> location, but randomly throughout the forest. Tell me, is there a way to
>>> explicitly specify the Windows DC for the IPA server? Logs attached.
>>> Is there documentation about this somewhere?
>>>
>>>
>>> I am not quite sure I understand your setup but I will try to give you
>>> some hints.
>>>
>>> If you want SSSD to access a specific IPA server or servers you can
>>> define primary and secondary servers explicitly in the SSSD configuration.
>>> See SSSD man pages.
>>> This can also be done via the ipa-client-install command line starting with
>>> IPA client 3.0 and SSSD 1.9.
>>>
>>> But that would sort of override the information coming from DNS.
>>>
>>> If you are looking for SSSD to support DNS sites then this functionality
>>> is available in SSSD 1.11 if SSSD is joined directly to AD via the AD
>>> provider. If you are looking for the same functionality when SSSD connects
>>> to IPA then it is still on the roadmap because IPA does not support sites.
>>> https://fedorahosted.org/freeipa/ticket/2008
>>>
>>>
>>>
>>> Next to the IPA server is pk529ad-dc01.sys.local, but the
>>> IPA server knocks on pk429ad-dc01.sys.local in another region.
>>>
>>>
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>>
>>>
>>> --
>>> Thank you,
>>> Dmitri Pal
>>>
>>> Sr. Engineering Manager for IdM portfolio
>>> Red Hat Inc.
>>>
>>>
>>> -------------------------------
>>> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
>>>
>>>
>>>
>>
>>
>>
>>
>>
>
>
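Added example, not a file from the thread: a sanitized sssd.conf sketch of the "explicit primary and secondary servers" option Dmitri points to. It uses the hostnames named in the thread; the realm/domain names ipa.sys.local and sys.local, the client hostname, and the option values are assumptions for illustration. The ipa_server list pins the client to a named IPA server and only falls back to DNS SRV discovery (the _srv_ keyword) behind it; the second domain block shows the alternative of pointing an SSSD AD-provider domain at a named DC in the same way. Neither setting chooses which AD DC the IPA server itself contacts on behalf of trusted users, which is the gap ticket 2008 tracks.

```ini
[sssd]
config_file_version = 2
services = nss, pam
# Dmitri's option 2: one domain joined to IPA. For option 3 (non-overlapping
# user sets) list sys.local here as well; a section not listed here is inactive.
domains = ipa.sys.local

[domain/ipa.sys.local]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_domain = ipa.sys.local
# Assumed client hostname, for illustration only.
ipa_hostname = client01.ipa.sys.local
# Servers are tried in order of preference. The named replica comes first;
# _srv_ means "whatever DNS SRV discovery returns" and is only reached when
# the named server is unreachable. Without _srv_ the client never leaves the
# named server (what ipa-client-install --fixed-primary produces).
ipa_server = p0129ipa01.ipa.sys.local, _srv_
# Secondary servers (ipa_backup_server) are consulted only after every
# primary has failed; a second replica's hostname would go here.
cache_credentials = True
krb5_store_password_if_offline = True

# Alternative (Dmitri's option 1 or 3): SSSD joined directly to AD with the
# AD provider and pinned to the local DC the same way. Requires the client
# to have been joined to AD so a machine keytab exists. SSSD 1.11 can also
# use AD sites for this provider, which the IPA provider cannot yet do.
[domain/sys.local]
id_provider = ad
auth_provider = ad
access_provider = ad
ad_domain = sys.local
ad_server = p0129ad-dc01.sys.local, _srv_
cache_credentials = True
```

On an IPA 3.0+ client the same ipa_server entry can be produced at enrollment time with ipa-client-install --server=p0129ipa01.ipa.sys.local (add --fixed-primary to drop the trailing _srv_). After changing sssd.conf, restart sssd and confirm with getent passwd winuser@windomain and the sssd_ipa.sys.local.log at debug level 5 that the client now opens its connection to the named server.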

