[Freeipa-users] Active Directory Sites and IPA-AD-Trust

Sumit Bose sbose at redhat.com
Wed Dec 16 11:19:48 UTC 2015


On Wed, Dec 16, 2015 at 10:33:17AM +0000, wouter.hummelink at kpn.com wrote:
> Hi All,
> 
> While TCPdumping logins on an IPA client using an AD account I found out that SSSD doesn't take AD Sites into account. I see a DNS lookup for _kerberos._udp.<ad.domain> and _kerberos._tcp.<ad.domain> and then a Kerberos attempt at one or more of the AD servers (both the local and non-local ones).
> 
> While this isn't a huge problem it does delay logins where communication with the AD kdc is required.
> 
> Is there a way to get sssd to use the proper site for trusted AD domains?

I'm afraid currently there is no way for IPA clients.

If the SSSD client is directly joined to an AD domain, SSSD tries to
determine the site the client belongs to and prefers DCs from this site
for all communications.

An IPA client gets all information from the IPA server (there is a
similar concept to sites in IPA but this is still work in progress). Only for
password authentication will SSSD directly connect to an AD DC.
Currently this happens completely inside libkrb5, which by default is
configured to do DNS SRV lookups to find a suitable DC (dns_lookup_kdc =
true in krb5.conf). Since libkrb5 is not aware of sites it will just do
the plain _kerberos._udp.<ad.domain> lookup you see in the dump.

The only way to get around this would be to add a configuration section
for the ad.domain in krb5.conf and list suitable DCs there. But this of
course has a number of drawbacks.

HTH

bye,
Sumit
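To make the mechanism in the reply concrete, here is an added example (not SSSD or FreeIPA code, and not from either poster). It contrasts the plain _kerberos._tcp.<domain> record that libkrb5 queries with the site-specific _kerberos._tcp.<Site>._sites.<domain> record that Active Directory's Netlogon registers for each site, orders the answers the way RFC 2782 prescribes, and renders the krb5.conf [realms] stanza the reply suggests as a workaround. The domain name, site name and SRV records are constructed for the example; a real client would resolve them through DNS.

```python
"""Site-aware KDC selection for a trusted AD domain, rendered as the
krb5.conf [realms] workaround described in the reply above.

Added example, not SSSD/FreeIPA code. ZONE, AD_DOMAIN and CLIENT_SITE are
constructed stand-ins for what DNS would return.
"""
import random
from itertools import groupby

AD_DOMAIN = "ad.example.com"   # assumed trusted AD domain
AD_REALM = AD_DOMAIN.upper()   # AD realm names are the domain in upper case
CLIENT_SITE = "Amsterdam"      # assumed AD site the IPA client sits in

# Constructed zone data, as (priority, weight, port, target) SRV tuples.
# The plain name (the only one libkrb5 asks for) lists every DC of the
# domain; the _sites name lists only the DCs registered for that site.
ZONE = {
    f"_kerberos._tcp.{AD_DOMAIN}": [
        (0, 100, 88, f"dc1.ams.{AD_DOMAIN}"),
        (0, 100, 88, f"dc2.ams.{AD_DOMAIN}"),
        (0, 100, 88, f"dc1.nyc.{AD_DOMAIN}"),
        (0, 100, 88, f"dc1.sin.{AD_DOMAIN}"),
    ],
    f"_kerberos._tcp.{CLIENT_SITE}._sites.{AD_DOMAIN}": [
        (0, 100, 88, f"dc1.ams.{AD_DOMAIN}"),
        (10, 50, 88, f"dc2.ams.{AD_DOMAIN}"),
    ],
}


def srv_name(domain, site=None, proto="tcp"):
    """Name libkrb5 queries (site=None) versus the site-specific name that
    Netlogon registers: _kerberos._<proto>.<Site>._sites.<domain>."""
    if site is None:
        return f"_kerberos._{proto}.{domain}"
    return f"_kerberos._{proto}.{site}._sites.{domain}"


def lookup(name):
    """Stand-in for a DNS SRV query against the constructed zone."""
    return list(ZONE.get(name, []))


def order_srv(records, rng=None):
    """RFC 2782 ordering: ascending priority, then weighted random
    selection within each priority (running-sum algorithm)."""
    rng = rng or random.Random()
    ordered = []
    for _, grp in groupby(sorted(records, key=lambda r: r[0]), key=lambda r: r[0]):
        pool = list(grp)
        while pool:
            threshold = rng.randint(0, sum(r[1] for r in pool))
            running = 0
            for rec in pool:
                running += rec[1]
                if running >= threshold:
                    break
            pool.remove(rec)
            ordered.append(rec)
    return ordered


def kdc_candidates(domain, site=None):
    """Prefer the site-specific record when the site is known (what a
    directly joined SSSD client does); otherwise fall back to the plain
    record, which is all libkrb5 can do. Returns ordered host:port strings."""
    records = lookup(srv_name(domain, site)) if site else []
    if not records:
        records = lookup(srv_name(domain))
    return [f"{target}:{port}" for _, _, port, target in order_srv(records)]


def krb5_realms_fragment(realm, kdcs):
    """Render the [realms] entry the reply suggests. Once kdc = lines exist
    for a realm, MIT libkrb5 uses them and does not do SRV lookups for that
    realm, so the site-local DCs are contacted regardless of DNS."""
    lines = ["[realms]", f"    {realm} = {{"]
    lines += [f"        kdc = {kdc}" for kdc in kdcs]
    lines.append("    }")
    return "\n".join(lines)


if __name__ == "__main__":
    print("libkrb5 would try:", kdc_candidates(AD_DOMAIN))
    print("site-aware client:", kdc_candidates(AD_DOMAIN, CLIENT_SITE))
    print(krb5_realms_fragment(AD_REALM, kdc_candidates(AD_DOMAIN, CLIENT_SITE)))
```

The rendered stanza is exactly the workaround with the drawback the reply alludes to: the list is static, must be maintained per client site, and silently goes stale when DCs are added or retired, whereas dns_lookup_kdc = true keeps working for every realm that has no explicit kdc entries.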

> 
> 
> Met vriendelijke groet,
> 
> Wouter Hummelink
> Cloud Engineer
> KPN IT Solutions
> Platform Organisation Cloud Services
> Mail: wouter.hummelink at kpn.com
> Telefoon: +31 (0)6 1288 2447
> 