[Freeipa-users] Trying To Debug AD Trust Quirks

Jakub Hrozek jhrozek at redhat.com
Wed Mar 29 07:45:12 UTC 2017


On Tue, Mar 28, 2017 at 11:59:27AM -0500, Jason B. Nance wrote:
> My other question is if there is a way to pin down a client to
> [temporarily] use a specific IPA server 

Using the ipa_server directive in sssd.conf.

> and specific AD server (even if
> it means a firewall rule that only allows the host to communicate with
> one IPA and one AD host).

The clients don't talk to ADs to resolve user information, only the
servers do. The clients only talk to AD DCs for authentication (to make
this a bit more complex, the authentication also involves parsing a
Kerberos PAC blob by the authentication helper in SSSD, which also
includes the group memberships).

And unfortunately, until RHEL-7.4 and SSSD 1.15 are out, pinning the
SSSD on the IDM servers to a specific AD DC is only possible by
modifying the DNS SRV records or creating an AD site for the IDM server.
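As an added illustration of the client-side pinning described above (not part of the original thread), this is a minimal sssd.conf domain section for an IPA client that skips DNS SRV discovery and contacts only one IPA server while the AD trust issue is being debugged; the host names and domain are placeholders.

```ini
# Example sssd.conf for an IPA-enrolled client (constructed example).
[sssd]
domains = ipa.example.com
services = nss, pam

[domain/ipa.example.com]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_domain = ipa.example.com
ipa_hostname = client1.ipa.example.com
cache_credentials = True

# Default behaviour: discover IPA servers through DNS SRV records
# (the _srv_ keyword), falling back to any explicitly listed hosts.
# ipa_server = _srv_, ipa1.ipa.example.com

# Temporarily pinned for debugging: with no _srv_ entry, SSSD on this
# client talks only to the server named here. Remove the pin again once
# the investigation is done, or the client loses failover.
ipa_server = ipa1.ipa.example.com
```

After editing, restart sssd and clear its cache (sss_cache -E) so the new server setting takes effect; note that this only affects which IPA server the client uses, not which AD DC the IPA servers contact for trusted-domain lookups.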