<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 10/14/2013 09:52 AM, Михаил А wrote:
<blockquote
cite="mid:CALtTMp+Gqvh+1eDcWCVG=7dsUy=0GeAJ5-v5hvnK6uQOjahWPw@mail.gmail.com"
type="cite">
<div dir="ltr"><a moz-do-not-send="true"
href="https://fedorahosted.org/freeipa/ticket/2008">https://fedorahosted.org/freeipa/ticket/2008</a><br>
<div>Is there a possibility to do the same for the SRV records of
Windows servers?<br>
</div>
</div>
</blockquote>
<br>
Yes, if you use the latest SSSD against AD without IPA.<br>
If you want to use IPA with AD then SSSD is connected to IPA and IPA
needs to provide this functionality.<br>
It is not implemented yet and not a high priority so far. <br>
Help and patches are definitely welcome.<br>
<br>
<br>
<blockquote
cite="mid:CALtTMp+Gqvh+1eDcWCVG=7dsUy=0GeAJ5-v5hvnK6uQOjahWPw@mail.gmail.com"
type="cite">
<div class="gmail_extra">
<br>
<br>
<div class="gmail_quote">2013/10/14 Михаил А <span dir="ltr"><<a
moz-do-not-send="true" href="mailto:avdusheff@gmail.com"
target="_blank">avdusheff@gmail.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="HOEnZb">
<div class="h5">
<div dir="ltr"><br>
<br>
<div class="gmail_quote">---------- Forwarded message
----------<br>
From: <b class="gmail_sendername">Михаил А</b> <span
dir="ltr"><<a moz-do-not-send="true"
href="mailto:avdusheff@gmail.com"
target="_blank">avdusheff@gmail.com</a>></span><br>
Date: 2013/10/14<br>
Subject: Re: [Freeipa-users] (no subject)<br>
To: <a moz-do-not-send="true"
href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a><br>
<br>
<br>
<div dir="ltr">To simplify the scheme: I have a
Windows server DC and an IPA replica server. My task is
to authenticate a Windows user with their own account
on Fedora and Red Hat clients. As I understand
it, when logging in with a Windows account on an
IPA server, a request goes to a Windows DC found
via the SRV record in DNS. Because in the forest I
have a site partition in which there are 1 Windows server and 1 IPA
server, but on request the IPA server does not
always go to the neighbouring Windows domain
controller; I found this in the sssd log at debug
level 5. We do not have network connectivity
between sites; there is a single central site
where network connectivity is available.<br>
<div>A trust between the Windows and IPA domains
is in place. Logging in at the central site, where
there is network connectivity, works great, for
example (ssh -l winuser@windomain ipa.client or
ipa-replica-server ----- OK)<br>
</div>
<div><br>
</div>
</div>
<div>
<div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">2013/10/12 Dmitri Pal
<span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:dpal@redhat.com"
target="_blank">dpal@redhat.com</a>></span><br>
<blockquote class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px
#ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div> On 10/11/2013 02:07 PM, Михаил А
wrote:
<blockquote type="cite">
<div dir="ltr">Maybe I have to
explicitly specify the Windows
server which my IPA server will
contact to authenticate a Windows
user on the ipa-client? For example,
there is the IPA server
p0129ipa01.ipa.sys.local and the Windows
DC p0129ad-dc01.sys.local. How do
I specify that an authorization
request should explicitly go to
a particular Windows server or to any
Windows DC in the region? Because I do not
have network connectivity to ports
in other regions. A DNS request is
sent to all Windows SRV servers in
random order, and the dependency cannot be
computed.<br>
<div>The Windows DC in the
corresponding subnet authorizes
the Windows users; a DC outside
of it, in a different subnet, is
not responsible for
authorization (id
winuser@windomain, getent passwd
winuser@windomain, ssh -l
winuser@windomain ipa-client)</div>
<div>IPA server Fedora 19,
ipa-client Fedora 19 and Red Hat
6.x</div>
</div>
</blockquote>
<br>
</div>
The configuration still puzzles me.<br>
Can you share your sanitized sssd.conf?<br>
Based on your description you have:<br>
<br>
Windows DCs<br>
IPAs<br>
Clients that are configured to use IPA
and DC (at the same time? how?)<br>
Users coming from AD authenticating on
the client<br>
<br>
My point is that you need to either:<br>
* Connect your SSSD to AD directly, then
there is no IPA in the picture<br>
* Connect your SSSD to IPA. In this case
you can authenticate users that are
native to IPA, synced to IPA from AD, or
you can use trusted users from AD
accessing the system if IPA and AD are in
a trust relationship<br>
* Connect your SSSD to AD as one domain
to allow AD users to authenticate and
create another domain that would connect
SSSD to IPA. This is for non-overlapping
user sets between AD and IPA<br>
<br>
If you are running some other configuration
it is probably something that we do not
recommend.<br>
<br>
We know people try to use one
configuration to force user
authentication against AD while other
information including user setup comes
from IPA, but we do not recommend this
setup because we can't upgrade from it
cleanly.
<div>
<div><br>
<br>
<br>
<br>
<br>
<blockquote type="cite">
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">2013/10/11
Dmitri Pal <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:dpal@redhat.com"
target="_blank">dpal@redhat.com</a>></span><br>
<blockquote
class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF"
text="#000000">
<div> On 10/11/2013 05:22
AM, Михаил А wrote:
<blockquote type="cite">
<div dir="ltr">Good
afternoon. In each
region I have a
pair of
controllers (Windows
and IPA). During
authorization, in the
IPA server logs
(sssd log) I find
that the request does
not go to the Windows
server nearest by
location, but randomly
throughout the
forest. Tell me, is
there a way to
explicitly specify
the IPA server on the
Windows DC? Logs
attached.<br>
<div>Is there
documentation
about this somewhere?<br>
</div>
</div>
</blockquote>
<br>
</div>
I am not quite sure I
understand your setup but I
will try to give you some
hints.<br>
<br>
If you want SSSD to access
a specific IPA server or
servers you can define
primary and secondary
servers explicitly in the
SSSD configuration. See
SSSD man pages.<br>
This can also be done via the
ipa-client-install command
line starting with IPA client
3.0 and SSSD 1.9<br>
<br>
But that would sort of
override the information
coming from DNS.<br>
<br>
If you are looking for
SSSD to support DNS sites
then this functionality is
available in SSSD in 1.11
if SSSD is joined directly
to AD via AD provider. If
you are looking for the
same functionality when
SSSD connects to IPA then
it is still on the roadmap
because IPA does not
support sites.<br>
<a moz-do-not-send="true"
href="https://fedorahosted.org/freeipa/ticket/2008" target="_blank">https://fedorahosted.org/freeipa/ticket/2008</a><br>
<br>
<blockquote type="cite">
<div>
<div dir="ltr">
<div><br>
</div>
<div><br>
</div>
<div>
<div>Next to the
IPA server:
pk529ad-dc01.sys.local</div>
<div>The IPA server
instead contacts
pk429ad-dc01.sys.local
in another
region</div>
</div>
<div><br>
</div>
</div>
<br>
<br>
</div>
<pre>_______________________________________________
Freeipa-users mailing list
<a moz-do-not-send="true" href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a>
<a moz-do-not-send="true" href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
<span><font
color="#888888"> </font></span></blockquote>
<span><font
color="#888888"> <br>
<br>
<pre cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a moz-do-not-send="true" href="http://www.redhat.com/carveoutcosts/" target="_blank">www.redhat.com/carveoutcosts/</a>
</pre>
</font></span></div>
<br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
<br>
</blockquote>
<br>
<br>
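<br>
The thread turns on two sssd.conf settings: the server list options (ipa_server / ad_server and their *_backup_server variants, where the _srv_ marker means DNS SRV discovery), which Dmitri points to for pinning a client to particular servers instead of whatever the SRV lookup returns, and the provider split he warns against (identities from IPA, authentication forced to AD). The script below is an added example written for this page; it is not code from the thread and not SSSD project code. It embeds a constructed sssd.conf with the layouts Dmitri lists plus the discouraged one, and reports per domain how SSSD will select servers and whether the id and auth providers are split. The host names p0129ipa01.ipa.sys.local and p0129ad-dc01.sys.local come from the thread; client01, the use of sys.local / ipa.sys.local as SSSD domain names, and legacy.example are assumptions.<br>

```python
"""Audit server selection and provider split in an sssd.conf.

Added example for this thread; not SSSD project code and not code posted
by anyone in the thread. For every [domain/...] section it reports whether
SSSD will find servers by DNS SRV discovery (_srv_), by an explicit list,
or by an explicit list with SRV fallback, and flags an IPA/AD id-auth split.
"""
import configparser

SRV = "_srv_"  # SSSD's marker for "discover servers via DNS SRV records"

# Constructed sample configuration. Host names p0129ipa01.ipa.sys.local and
# p0129ad-dc01.sys.local come from the thread; client01, the SSSD domain
# names and legacy.example are assumptions made for this example.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam
domains = ipa.sys.local, sys.local, legacy.example

[domain/ipa.sys.local]
# SSSD talks to IPA; AD users come in through the IPA-AD trust.
id_provider = ipa
auth_provider = ipa
ipa_domain = ipa.sys.local
ipa_hostname = client01.ipa.sys.local
# Local-site replica first, DNS SRV discovery only as a fallback.
ipa_server = p0129ipa01.ipa.sys.local, _srv_

[domain/sys.local]
# SSSD joined directly to AD with the AD provider.
id_provider = ad
ad_domain = sys.local
# Nothing pinned: a DC is chosen from the SRV records.
ad_server = _srv_

[domain/legacy.example]
# The split the thread discourages: identities from IPA, auth to an AD KDC.
id_provider = ipa
auth_provider = krb5
ipa_domain = ipa.sys.local
ipa_server = p0129ipa01.ipa.sys.local
krb5_server = p0129ad-dc01.sys.local
krb5_realm = SYS.LOCAL
"""

SERVER_OPTION = {"ipa": "ipa_server", "ad": "ad_server"}


def server_list(value):
    """Split an SSSD server option ('a, b,_srv_') into a clean list."""
    return [s.strip() for s in value.split(",") if s.strip()]


def selection_mode(primary, backup):
    """Classify how SSSD will pick a server from the two lists."""
    explicit = [s for s in primary + backup if s != SRV]
    if not explicit:
        return "srv-discovery"             # everything comes from DNS
    if SRV not in primary and SRV not in backup:
        return "pinned"                    # only the listed hosts, ever
    if primary and primary[0] != SRV:
        return "pinned-with-srv-fallback"  # listed hosts tried first
    return "srv-first"                     # DNS first, listed hosts later


def audit_sssd_conf(text):
    """Return {domain: report dict} for each [domain/...] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    report = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        name = section[len("domain/"):]
        id_prov = cp.get(section, "id_provider", fallback="").strip()
        # SSSD uses id_provider for authentication when auth_provider is unset.
        auth_prov = cp.get(section, "auth_provider", fallback=id_prov).strip()
        option = SERVER_OPTION.get(id_prov)
        primary, backup = [], []
        if option:
            # An unset server option is treated as SRV discovery here
            # (assumption made for this example).
            primary = server_list(cp.get(section, option, fallback=SRV))
            bopt = option.replace("_server", "_backup_server")
            backup = server_list(cp.get(section, bopt, fallback=""))
        report[name] = {
            "id_provider": id_prov,
            "auth_provider": auth_prov,
            "primary": primary,
            "backup": backup,
            "mode": selection_mode(primary, backup),
            # Dmitri's warning: id from IPA but auth handled by something else.
            "split_ipa_id_other_auth": id_prov == "ipa" and auth_prov != "ipa",
        }
    return report


if __name__ == "__main__":
    for domain, info in audit_sssd_conf(SAMPLE_SSSD_CONF).items():
        flag = "  <-- id/auth split" if info["split_ipa_id_other_auth"] else ""
        print(f"{domain}: {info['mode']} primary={info['primary']} "
              f"backup={info['backup']}{flag}")
```

Run it as a script to print one line per domain, or pass the contents of /etc/sssd/sssd.conf to audit_sssd_conf to check a real client. The mode names are this example's own labels, not SSSD terminology; the ordering rule they encode (entries tried in the listed order, _srv_ expanding to the SRV lookup, backup servers after primaries) is the one sssd.conf(5) describes for ipa_server / ad_server, which is what Dmitri means by defining primary and secondary servers explicitly.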
</body>
</html>