[Freeipa-users] (no subject)

Dmitri Pal dpal at redhat.com
Mon Oct 14 18:54:14 UTC 2013


On 10/14/2013 09:52 AM, ?????? ? wrote:
> https://fedorahosted.org/freeipa/ticket/2008
> is there a possibility to do the same for the SRV records windows servers?

Yes, if you use the latest SSSD against AD without IPA.
If you want to use IPA with AD then SSSD is connected to IPA and IPA
needs to provide this functionality.
It is not implemented yet and not a high priority so far.
Help and patches are definitely welcome.


>
> 2013/10/14 ?????? ? <avdusheff at gmail.com <mailto:avdusheff at gmail.com>>
>
>     ---------- Forwarded message ----------
>     From: *?????? ?* <avdusheff at gmail.com <mailto:avdusheff at gmail.com>>
>     Date: 2013/10/14
>     Subject: Re: [Freeipa-users] (no subject)
>     To: dpal at redhat.com <mailto:dpal at redhat.com>
>
>
>     Simplify the circuit. I have a windows server DC, IPA replica
>     server. My job is to authenticate the user windows to your account
>     on the client fedora and redhat. As I understand it when logging
>     on IPA server running windows account - there is a request for
>     windows DC, found on the SRV record in DNS. Because the forest I
>     site section in which is 1 windows server and 1 IPA server, but at
>     the request IPA server is not always refers to the neighbor
>     windows dealing center I found this in the log sssd at debug
>     level 5. We do not have network connectivity between sites, there
>     is a single point-to-site, where network connectivity is available.
>     Trust between the domains windows and IPA available. Log in to the
>     central site, where there is network connectivity runs great, for
>     example (ssh -l winuser at windomain ipa.client or ipa-replica-server
>     -----OK)
>
>     2013/10/12 Dmitri Pal <dpal at redhat.com <mailto:dpal at redhat.com>>
>
>         On 10/11/2013 02:07 PM, ?????? ? wrote:
>>         Maybe I have to explicitly specify the windows server which
>>         will address my IPA server to authenticate windows user on
>>         ipa-client? For example there is the IPA server
>>         p0129ipa01.ipa.sys local and Win DC
>>         p0129ad-dc01.sys.local. How do I specify that a request for
>>         authorization obviously gone to windows server or to any
>>         windows in the DC area? Because I do not have network
>>         connectivity to ports in other regions. A DNS-request is sent
>>         to all SRV-windows servers in a random order, depending can
>>         not compute.
>>         WIN DC in the subnet that corresponds to and authorizes the
>>         windows users outside of DC who, in a different subnet is not
>>         responsible for authorization (id winuser at windomain, getent
>>         passwd winuser at windomain, ssh -l winuser at windomain ipa-client)
>>         IPA-server fedora 19, ipa-client fedora19 and RedHat 6.x
>
>         The configuration still puzzles me.
>         Can you share your sanitized sssd.conf?
>         Based on your description you have:
>
>         Windows DCs
>         IPAs
>         Clients that are configured to use IPA and DC (at the same
>         time? how?)
>         Users coming from AD authenticating on the client
>
>         My point is that you need to either:
>         * Connect your SSSD to AD directly, then there is no IPA in
>         picture
>         * Connect your SSSD to IPA. In this case you can authenticate
>         users that are native to IPA, synced to IPA from AD or you can
>         use trusted users from AD accessing system if IPA and AD is in
>         trust relationship
>         * Connect your SSSD to AD as one domain to allow AD users to
>         authenticate and create another domain that would connect SSSD
>         to IPA. This is for non-overlapping user sets between AD and IPA
>
>         If you are running some other configuration it is probably
>         something that we do not recommend.
>
>         We know people try to use one configuration to force user
>         authentication against AD while other information including
>         user setup comes from IPA, but we do not recommend this setup
>         because we can't upgrade from it cleanly.
>
>>
>>         2013/10/11 Dmitri Pal <dpal at redhat.com <mailto:dpal at redhat.com>>
>>
>>             On 10/11/2013 05:22 AM, ?????? ? wrote:
>>>             Good afternoon. In each region, I have a couple of
>>>             controllers (windows and ipa). With the authorization
>>>             server in the logs ipa (sssd log) I find that the
>>>             request is not for the neighbor by location windows
>>>             server, and randomly throughout the forest. Tell me is
>>>             there a way to explicitly specify the IPA server on
>>>             windows DC. Logs attached.
>>>             there somewhere documentation about?
>>
>>             I am not quite sure I understand your setup but I will try
>>             to give you some hints.
>>
>>             If you want SSSD to access a specific IPA server or
>>             servers you can define primary and secondary servers
>>             explicitly in the SSSD configuration. See SSSD man pages.
>>             This can also be done via ipa-client-install command line
>>             starting IPA client 3.0 and SSSD 1.9
>>
>>             But that would sort of override the information coming
>>             from DNS.
>>
>>             If you are looking for SSSD to support DNS sites then
>>             this functionality is available in SSSD in 1.11 if SSSD
>>             is joined directly to AD via AD provider. If you are
>>             looking for the same functionality when SSSD connects to
>>             IPA then it is still on the roadmap because IPA does not
>>             support sites.
>>             https://fedorahosted.org/freeipa/ticket/2008
>>
>>>
>>>
>>>             next to the IPA server pk529ad-dc01.sys.local
>>>             IPA server and knocks pk429ad-dc01.sys.local to another
>>>             region
>>>
>>>             _______________________________________________
>>>             Freeipa-users mailing list
>>>             Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>>>             https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>>
>>             -- 
>>             Thank you,
>>             Dmitri Pal
>>
>>             Sr. Engineering Manager for IdM portfolio
>>             Red Hat Inc.
>>
>>
>>             -------------------------------
>>             Looking to carve out IT costs?
>>             www.redhat.com/carveoutcosts/ <http://www.redhat.com/carveoutcosts/>
>>
>
>


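The explicit primary/backup server lists that Dmitri points to (SSSD man pages, IPA client 3.0 / SSSD 1.9) look like the sssd.conf fragment below. This is an added example, not configuration from the thread; the IPA server name p0129ipa01.ipa.sys.local is taken from the thread, while the client hostname and the remote-region replica p0130ipa01.ipa.sys.local are assumed placeholders.

```ini
[sssd]
services = nss, pam
domains = ipa.sys.local

[domain/ipa.sys.local]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_domain = ipa.sys.local
krb5_realm = IPA.SYS.LOCAL
# Assumed placeholder: this client's own FQDN
ipa_hostname = client01.ipa.sys.local

# Primary servers, tried in order. The local-region replica comes first so
# the client never leaves its site while that replica is reachable; the
# "_srv_" keyword keeps DNS SRV discovery as the next fallback instead of
# replacing DNS entirely (the trade-off Dmitri mentions).
ipa_server = p0129ipa01.ipa.sys.local, _srv_

# Backup servers are used only after every primary has failed, so a replica
# behind a site link that is normally unreachable belongs here, not in the
# primary list. Assumed placeholder name.
ipa_backup_server = p0130ipa01.ipa.sys.local

# Keep logins working during a site-link outage; cached hashes are local to
# the client, so review who can read /var/lib/sss/db on shared machines.
cache_credentials = True
```

The same result can be produced at enrolment time with `ipa-client-install --server=p0129ipa01.ipa.sys.local --domain=ipa.sys.local --fixed-primary`, which pins the given server as the primary; check the resulting server order with `sssctl domain-status` or in the sssd_ipa.sys.local.log at debug level after a restart.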


