Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 6): Bug 1161564
Version-Release number of selected component (if applicable):
Description of problem:
We are integrating a bunch of RHEL6.6 clients on AD domain sites with sssd-ad
and we would like to be able to force the use of an AD site from the sssd
configuration (instead of network assignment to sites in AD controllers). The
reason is to avoid the creation of the 3000 subnets in AD where our RHEL
clients are configured to be assigned to the same site.
We tested the ad provider using dns_discovery_domain with the specific DNS domain
SiteName._sites.example.com and we observed DNS requests with tcpdump. The
conclusion is that:
- The LDAP discovery that sssd does work uses the dns_discovery_domain, but
- Kerberos server discovery uses the realm name for the DNS query, not the
We need an AD with sites configuration
Steps to Reproduce:
1. Use the ad provider in sssd
2. Edit sssd.conf and add a dns_discovery_domain = SiteName._sites.example.com
3. tcpdump on port 53
rhel6host1.example.com.46958 > adserver.example.com.domain: 45800+ SRV?
adserver.example.com.domain > rhel6host1.example.com.46958: 45800* 1/0/1 SRV
adserver.example.com.:389 0 100 (112)
rhel6host1.example.com.47799 > adserver.example.com.domain: 48324+ SRV?
rhel6host1.example.com.48368 > adserver.example.com.domain: 53003+ PTR?
adserver.example.com.domain > rhel6host1.example.com.47799: 48324* 1/0/1 SRV
adserver.example.com.:88 0 100 (100)
rhel6host1.example.com.40558 > adserver.example.com.domain: 15231+ SRV?
LDAP is correctly using dns_discovery_domain but Kerberos is not using it.
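An added example (not part of the ticket or of sssd) that turns the tcpdump check above into a small audit: it parses SRV queries out of capture lines and reports, per service, whether every query used the site-scoped dns_discovery_domain or fell back to the plain domain, which is exactly the LDAP-vs-Kerberos mismatch the reporter saw. The capture lines are constructed sample data (the ticket's own output is truncated), and the name layout `_service._proto.<discovery domain>` is the standard RFC 2782 SRV convention, assumed here to be what sssd emits.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style lines standing in for the ticket's truncated capture
# (sample data for this example, not the reporter's output): the queried name
# is the token after "SRV?".
SAMPLE_CAPTURE = """\
rhel6host1.example.com.46958 > adserver.example.com.domain: 45800+ SRV? _ldap._tcp.SiteName._sites.example.com. (56)
rhel6host1.example.com.47799 > adserver.example.com.domain: 48324+ SRV? _kerberos._tcp.example.com. (44)
rhel6host1.example.com.40558 > adserver.example.com.domain: 15231+ SRV? _kerberos._udp.example.com. (44)
rhel6host1.example.com.48368 > adserver.example.com.domain: 53003+ PTR? 1.0.168.192.in-addr.arpa. (42)
"""

# RFC 2782 name layout assumed for sssd's queries: _service._proto.<discovery domain>
SRV_QUERY = re.compile(
    r"\bSRV\?\s+_(?P<service>[a-z0-9-]+)\._(?P<proto>tcp|udp)\.(?P<domain>\S+?)\.?\s"
)


def parse_srv_queries(capture):
    """Yield (service, proto, queried_domain) for every SRV query in the capture."""
    for line in capture.splitlines():
        m = SRV_QUERY.search(line)
        if m:
            yield m["service"], m["proto"], m["domain"].lower()


def audit_site_pinning(capture, dns_discovery_domain):
    """Map each service to the discovery domains it queried and whether all of
    them matched the configured site-scoped domain (i.e. the pin was honoured)."""
    want = dns_discovery_domain.rstrip(".").lower()
    seen = defaultdict(set)
    for service, _proto, domain in parse_srv_queries(capture):
        seen[service].add(domain)
    return {svc: {"domains": sorted(doms), "pinned": doms == {want}}
            for svc, doms in seen.items()}


if __name__ == "__main__":
    report = audit_site_pinning(SAMPLE_CAPTURE, "SiteName._sites.example.com")
    for svc, info in sorted(report.items()):
        status = "ok" if info["pinned"] else "NOT pinned"
        print(f"{svc:10s} {status:10s} queried {', '.join(info['domains'])}")
```

On the sample data the report flags ldap as pinned and kerberos as not, matching the ticket's observation; feed it real `tcpdump -l port 53` output to check a client after configuring the site.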
design_review: => 0
mark: no => 0
owner: somebody => preichl
review: True => 0
testsupdated: => 0
Pavel will code up a prototype once we solve the 1.12 bugs.
milestone: NEEDS_TRIAGE => SSSD 1.12.3
The 1.12.3 milestone should now contain mostly bugfixes (and tickets that already have patches), moving to 1.12.4
milestone: SSSD 1.12.3 => SSSD 1.12.4
patch: 0 => 1
priority: major => critical
design: => https://fedorahosted.org/sssd/wiki/DesignDocs/ActiveDirectoryFixedDNSSite
resolution: => fixed
status: new => closed
changelog: => The administrator is able to pin the client to a particular AD site using a new configuration option
Metadata Update from @jhrozek:
- Issue assigned to preichl
- Issue set to the milestone: SSSD 1.12.4