#2486 [RFE] ad provider dns_discovery_domain option: kerberos discovery is not using this option
Closed: Fixed None Opened 4 years ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 6): Bug 1161564

Version-Release number of selected component (if applicable):

Description of problem:

We are integrating a bunch of RHEL6.6 clients on AD domain sites with sssd-ad
and we would like to be able to force the use of an AD site from sssd
configuration (instead of network assignment to sites in AD controllers). The
reason is to avoid the creation of the 3000 subnets in AD where our RHEL
clients are configured to be assigned to the same site.

We tested the ad provider using dns_discovery_domain with the specific dns domain
SiteName._sites.example.com and we observed dns requests with tcpdump. The
conclusion is that:
- The ldap discovery that sssd does uses the dns_discovery_domain, but
- Kerberos server discovery uses the realm name for the DNS query, not the

How reproducible:
We need an AD with sites configuration

Steps to Reproduce:
1. Use the ad provider in sssd
2. Edit sssd.conf and add a dns_discovery_domain = SiteName._sites.example.com
3. tcpdump on port 53

Actual results:

 rhel6host1.example.com.46958 > adserver.example.com.domain: 45800+ SRV?
_ldap._tcp.Valencia._sites.example.com. (56)

adserver.example.com.domain > rhel6host1.example.com.46958: 45800* 1/0/1 SRV
adserver.example.com.:389 0 100 (112)

For kerberos
rhel6host1.example.com.47799 > adserver.example.com.domain: 48324+ SRV?
_kerberos._udp.EXAMPLE.COM. (44)
rhel6host1.example.com.48368 > adserver.example.com.domain: 53003+ PTR? (45)
adserver.example.com.domain > rhel6host1.example.com.47799: 48324* 1/0/1 SRV
adserver.example.com.:88 0 100 (100)
rhel6host1.example.com.40558 > adserver.example.com.domain: 15231+ SRV?
_kerberos._tcp.EXAMPLE.COM. (44)

Expected results:
Ldap is correctly using dns_discovery_domain but kerberos is not using it.

Additional info:
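The following is an added example, not code from the ticket or from SSSD. It parses tcpdump DNS question lines of the shape shown in the capture above, extracts every SRV question, and reports per service whether the lookups used the configured dns_discovery_domain. The sample capture is constructed from the lines in this ticket (wrapped lines joined), the site name "Valencia" is taken from that capture, and the regular expression is an assumption about tcpdump's text format rather than a parser SSSD ships.

```python
import re

# Constructed sample: the SRV questions from the ticket's tcpdump capture, one per line.
# The SRV answer and the PTR question are kept to show the parser ignores them.
SAMPLE_TCPDUMP = """\
rhel6host1.example.com.46958 > adserver.example.com.domain: 45800+ SRV? _ldap._tcp.Valencia._sites.example.com. (56)
adserver.example.com.domain > rhel6host1.example.com.46958: 45800* 1/0/1 SRV adserver.example.com.:389 0 100 (112)
rhel6host1.example.com.47799 > adserver.example.com.domain: 48324+ SRV? _kerberos._udp.EXAMPLE.COM. (44)
rhel6host1.example.com.48368 > adserver.example.com.domain: 53003+ PTR? (45)
rhel6host1.example.com.40558 > adserver.example.com.domain: 15231+ SRV? _kerberos._tcp.EXAMPLE.COM. (44)
"""

# Assumed tcpdump layout: "... SRV? _service._proto.domain. (len)"
SRV_QUERY_RE = re.compile(r"\bSRV\?\s+(_[a-z]+)\._(tcp|udp)\.([^\s]+?)\.?\s+\(\d+\)")


def parse_srv_queries(capture):
    """Return (service, proto, domain) for each SRV question in the capture.

    DNS names are case-insensitive, so the domain is lower-cased for comparison.
    """
    found = []
    for line in capture.splitlines():
        m = SRV_QUERY_RE.search(line)
        if m:
            found.append((m.group(1), m.group(2), m.group(3).lower()))
    return found


def expected_srv_names(dns_discovery_domain):
    """SRV names a site-pinned client is expected to query for LDAP and Kerberos."""
    d = dns_discovery_domain.lower().rstrip(".")
    return [f"_ldap._tcp.{d}", f"_kerberos._udp.{d}", f"_kerberos._tcp.{d}"]


def audit_site_pinning(capture, dns_discovery_domain):
    """Map each service seen in the capture to True if all of its SRV lookups
    used the configured dns_discovery_domain, False otherwise."""
    d = dns_discovery_domain.lower().rstrip(".")
    per_service = {}
    for service, _proto, domain in parse_srv_queries(capture):
        per_service.setdefault(service, []).append(domain == d)
    return {svc: all(flags) for svc, flags in per_service.items()}


if __name__ == "__main__":
    site_domain = "Valencia._sites.example.com"
    print("expected:", expected_srv_names(site_domain))
    for svc, ok in audit_site_pinning(SAMPLE_TCPDUMP, site_domain).items():
        print(f"{svc}: {'site-scoped' if ok else 'NOT site-scoped'}")
```

Run against the ticket's capture, the audit flags _ldap as site-scoped and _kerberos as not, which is the discrepancy the report describes; the same check can be run on a fresh capture after the fix to confirm both services query the pinned site.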

Fields changed

blockedby: =>
blocking: =>
changelog: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
mark: no => 0
owner: somebody => preichl
review: True => 0
selected: =>
testsupdated: => 0

Pavel will code up a prototype once we solve the 1.12 bugs.

milestone: NEEDS_TRIAGE => SSSD 1.12.3

The 1.12.3 milestone should now contain mostly bugfixes (and tickets that already have patches), moving to 1.12.4

milestone: SSSD 1.12.3 => SSSD 1.12.4

Fields changed

patch: 0 => 1

Fields changed

priority: major => critical

resolution: => fixed
status: new => closed

Fields changed

changelog: => The administrator is able to pin the client to a particular AD site using a new configuration option

Metadata Update from @jhrozek:
- Issue assigned to preichl
- Issue set to the milestone: SSSD 1.12.4

2 years ago
