[Freeipa-users] Filter/Block/Limit Interaction with Multiple Domain Controllers

Alexander Bokovoy abokovoy at redhat.com
Mon Mar 9 17:04:00 UTC 2015 

On Mon, 09 Mar 2015, Traiano Welcome wrote:
>Hi List
>
>
>I have AD trusts configured and working between an IPA server and a
>"master" primary domain controller (dc-1) in a forest in one data
>center. This allows me to connect with SSH to linux servers in the
>same data-center, authenticating with my AD credentials.
>
>I'm trying to test a scenario where I have an IPA server set up in
>another data center, and trust is established with an AD domain
>controller (dc-2) in that data-center.
>This domain controller takes dc-1 as it's authoritative source.
>Ideally, the IPA server will interact with the domain controller
>nearest to it (i.e dc-2), however, from tcpdump, I note the following:
>
>- IPA server communicates with dc-2 first
>- dc-2 returns a list of domain controllers in all the datacenters,
>including dc-1
>the IPA server then begins querying ldap and kerberos ports on dc-1,
>the domain controller furthest from it.
>- Authentication on clients fail
>
>My question is:  Is it possible to get IPA  to query and interact only
>with the domain controller it initially established trust with?
Let's first separate multiple issues.

1. Terminology
   Cross-forest trust is established between domain controllers in forest root
   domains. In case of IPA we need that access only once, when trust is
   created. You don't need to establish trust again with dc-2 once you
   have established it with dc-1.

   When trust is established, AD DCs will look up IPA masters via SRV
   records in DNS (_ldap._tcp.<ipa-domain>). We don't provide
   site-specific SRV records as IPA does not handle sites in this area
   yet.

   However, this is not your problem.

2. User and group lookups are done by SSSD against global catalog
   service (_gc._tcp.<ad-domain>) and AD DS (_ldap._tcp.<ad-domain>),
   along with Kerberos KDC (AD DCs).

   These DCs are found via SRV records in DNS and SSSD since 1.9.5
   uses site-specific SRV records for AD domain controllers lookups in
   case of IPA-AD trust.

You are interested in (2) being site-aware. However, you didn't say what
is your distribution and software versions so it is quite hard to give
any recommendation.

-- 
/ Alexander Bokovoy

More information about the Freeipa-users mailing list