[Freeipa-users] Question on AD to freeipa sync

Dmitri Pal dpal at redhat.com
Wed Oct 5 13:31:48 UTC 2011


On 10/05/2011 04:02 AM, Ondrej Valousek wrote:
> Submitted RFEs #743503,#743505,#743505 and #743509 into RedHat
> bugzilla (I have no login to fedorahosted.org so I could not submit to
> upstream).
> Take them as a wish-list only and feel free to close them if they do
> not fit into the IPA roadmap.

Thank you for taking time and doing this!

>
> Thanks!
> Ondrej
>
> On 10/04/2011 04:47 PM, Stephen Gallagher wrote:
>> These are all great ideas, Ondrej. Would you mind opening RFE bugs for
>> them? You can file them upstream at https://fedorahosted.org/sssd or in
>> Red Hat Bugzilla https://bugzilla.redhat.com in the sssd component.
>>
>> On Tue, 2011-10-04 at 16:29 +0200, Ondrej Valousek wrote:
>>>> Can you provide more information here? We DO have support for automatic
>>>> detection based on DNS SRV records. Does a "DC locator" use some other
>>>> mechanism?
>>>>
>>> Example AD domain CONTOSO.COM used on 3 sites - Prague, Cork, Dublin.
>>> I have machine in Prague and I want it to join CONTOSO.COM. Now if I
>>> used:
>>>
>>> dns_discovery_domain = contoso.com
>>>
>>> sssd would try to connect to any DC in the domain - even the one in
>>> Dublin, completely ignoring sites.
>>> I have to use:
>>>
>>> dns_discovery_domain = Prague._sites.contoso.com
>>>
>>> To force it to use Prague DCs only.
>>> My understanding is that the "DC locator" tries to communicate with
>>> DCs first to determine the local site, and remote DCs are only used if no
>>> valid/working DC can be found in the local site (Prague in this case).
>>>
>>>> I'm not sure what you mean by this? Do you mean you don't want to have
>>>> to specify ldap_schema = rfc2307bis and have it instead auto-detected?
>>>>
>>>> That's trickier than it sounds.
>>>>
>>> well this is a really small one. I would say it would be perfectly
>>> sufficient to introduce something like:
>>>
>>> ldap_schema=msrfc2307bis 
>>>
>>> which would be equivalent to:
>>>
>>> ldap_user_object_class = user
>>> ldap_group_object_class = group
>>> ldap_user_home_directory = unixHomeDirectory
>>> ldap_schema = rfc2307bis
>>>
>>> also, the ldap bind mechanism negotiation could be potentially
>>> improved, now I have to explicitly specify
>>>
>>> ldap_sasl_mech = GSSAPI
>>>
>>> otherwise sssd tries to use SASL/EXTERNAL which fails when
>>> communicating to AD controllers.
>>>
>>>> What features of the krb5 library do you mean? SSSD provides a locator
>>>> plugin that manages several features of the krb5 library, including
>>>> kinit and kpasswd.
>>>>
>>> The thing is that not all Linux apps are using sssd so we have to
>>> remember to configure /etc/krb5.conf too.
>>> When using Centrify, all I need to do is:
>>>
>>> # adjoin contoso.com
>>>
>>> ..which takes care of everything - /etc/nsswitch.conf, krb5.conf, PAM
>>> modules, eeeverything. If I wanted to use sssd for the same job I have
>>> to:
>>>
>>> 1. configure (manually) /etc/samba/smb.conf
>>> 2. net ads join (- just to get machine creds)
>>> 3. configure (manually) sssd.conf
>>> 4. configure (manually) PAM modules
>>> 5. configure (manually) krb5.conf
>>>
>>> I understand that much of this is probably not sssd duty, but it would
>>> be helpful to have some script around which would do the same job.
>>>
>>>
>>> ______________________________________________________________________
>>> The information contained in this e-mail and in any attachments is
>>> confidential and is designated solely for the attention of the
>>> intended recipient(s). If you are not an intended recipient, you must
>>> not use, disclose, copy, distribute or retain this e-mail or any part
>>> thereof. If you have received this e-mail in error, please notify the
>>> sender by return e-mail and delete all copies of this e-mail from your
>>> computer system(s). Please direct any additional queries to:
>>> communications at s3group.com. Thank You. Silicon and Software Systems
>>> Limited (S3 Group). Registered in Ireland no. 378073. Registered
>>> Office: South County Business Park, Leopardstown, Dublin 18 
>>>
>>> ______________________________________________________________________
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>>
>
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
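The site-aware DC locator behaviour Ondrej describes above, as an added example that is not part of the original thread and not SSSD or FreeIPA code: SSSD builds its SRV query as `_ldap._tcp.<dns_discovery_domain>`, so `Prague._sites.contoso.com` yields only the Prague DCs while `contoso.com` yields every DC in the domain. The code below models a locator that tries the site-scoped record set first and only falls back to the domain-wide set when no site-local DC answers. The SRV table, the host names and the `is_reachable` probe are constructed and hypothetical so the example runs offline.

```python
"""Site-aware domain controller discovery, modelled on the DC locator behaviour
described in the thread.

Added example, not SSSD or FreeIPA code.  The SRV table below is constructed to
stand in for DNS answers for the hypothetical CONTOSO.COM domain; the
reachability probe is injected so the code runs without a network.
"""
from typing import Callable, Dict, List, Optional, Tuple

# SRV RDATA fields: priority, weight, port, target (RFC 2782)
SrvRecord = Tuple[int, int, int, str]

# Constructed zone data.  The domain-wide name lists every DC regardless of
# site; the site-scoped name (under _sites) lists only that site's DCs.
CONSTRUCTED_SRV: Dict[str, List[SrvRecord]] = {
    "_ldap._tcp.contoso.com": [
        (0, 100, 389, "dc1.dublin.contoso.com"),
        (0, 100, 389, "dc1.cork.contoso.com"),
        (0, 100, 389, "dc1.prague.contoso.com"),
    ],
    "_ldap._tcp.Prague._sites.contoso.com": [
        (0, 100, 389, "dc1.prague.contoso.com"),
        (10, 100, 389, "dc2.prague.contoso.com"),
    ],
}


def srv_query_name(discovery_domain: str, service: str = "ldap") -> str:
    """Build the SRV owner name the way SSSD derives it from
    dns_discovery_domain: _<service>._tcp.<discovery_domain>."""
    return f"_{service}._tcp.{discovery_domain}"


def discovery_domains(domain: str, site: Optional[str]) -> List[str]:
    """dns_discovery_domain values in the order a site-aware locator would try
    them: the site-scoped name first (if a site is known), then the whole
    domain as the fallback."""
    names: List[str] = []
    if site:
        names.append(f"{site}._sites.{domain}")
    names.append(domain)
    return names


def ordered_targets(records: List[SrvRecord]) -> List[Tuple[str, int]]:
    """Lowest priority first; within a priority, highest weight first.
    A real resolver picks randomly in proportion to weight within one
    priority; a deterministic order is used here so results are reproducible."""
    return [(r[3], r[2]) for r in sorted(records, key=lambda r: (r[0], -r[1]))]


def locate_dc(domain: str, site: Optional[str],
              srv: Dict[str, List[SrvRecord]],
              is_reachable: Callable[[str, int], bool]) -> Tuple[Optional[str], str]:
    """Return (dc_host, discovery_domain_used).

    Remote DCs are only considered when no DC in the local site answers,
    matching the locator behaviour the thread describes.  dc_host is None if
    nothing answered at all; the discovery domain reported is then the
    domain-wide one, the last name tried."""
    for disc in discovery_domains(domain, site):
        for host, port in ordered_targets(srv.get(srv_query_name(disc), [])):
            if is_reachable(host, port):
                return host, disc
    return None, domain


if __name__ == "__main__":
    # Hypothetical probe: every DC is up.  Site-scoped lookup wins.
    up = lambda host, port: True
    print(locate_dc("contoso.com", "Prague", CONSTRUCTED_SRV, up))
    # Prague site down: falls back to the domain-wide record set.
    prague_down = lambda host, port: "prague" not in host
    print(locate_dc("contoso.com", "Prague", CONSTRUCTED_SRV, prague_down))
    # No site configured (dns_discovery_domain = contoso.com): any DC, sites ignored.
    print(locate_dc("contoso.com", None, CONSTRUCTED_SRV, up))
```

With a site configured the locator returns `dc1.prague.contoso.com` via `Prague._sites.contoso.com`; with the Prague DCs unreachable it returns the first domain-wide target (`dc1.dublin.contoso.com`), which is exactly the cross-site connection the site-scoped `dns_discovery_domain` setting in the thread is meant to avoid under normal conditions.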




