Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 6): Bug 1161564
Version-Release number of selected component (if applicable):
sssd-ad-1.11.6-30.el6.x86_64

Description of problem:
We are integrating a bunch of RHEL6.6 clients on an AD domain sites with sssd-ad and we would like to be able to force the use of an AD site from sssd configuration (instead of network assignment to sites in AD controllers). The reason is to avoid the creation of the 3000 subnets in AD where our RHEL clients are configured to be assigned to the same site.

We tested ad provider using dns_discovery domain with the specific dns domain SiteName._sites.example.com and we observe dns requests with tcpdump. The conclusion is that:
- The ldap discovery that sssd does work uses the dns_discovery_domain, but
- Kerberos server discovery uses the realm name for the DNS query, not the dns_discovery_domain.

How reproducible:
We need an AD with sites configuration

Steps to Reproduce:
1. Use the ad provider in sssd
2. Edit sssd.conf and add a dns_discovery_domain = SiteName._sites.example.com
3. tcpdump on port 53

Actual results:
rhel6host1.example.com.46958 > adserver.example.com.domain: 45800+ SRV? _ldap._tcp.Valencia._sites.example.com. (56)
adserver.example.com.domain > rhel6host1.example.com.46958: 45800* 1/0/1 SRV adserver.example.com.:389 0 100 (112)

For kerberos
rhel6host1.example.com.47799 > adserver.example.com.domain: 48324+ SRV? _kerberos._udp.EXAMPLE.COM. (44)
rhel6host1.example.com.48368 > adserver.example.com.domain: 53003+ PTR? 60.122.168.192.in-addr.arpa. (45)
adserver.example.com.domain > rhel6host1.example.com.47799: 48324* 1/0/1 SRV adserver.example.com.:88 0 100 (100)
rhel6host1.example.com.40558 > adserver.example.com.domain: 15231+ SRV? _kerberos._tcp.EXAMPLE.COM. (44)

Expected results:
Ldap is correctly using dns_discovery_domain but kerberos is not using it.

Additional info:
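The check described in the report, as an added example that is not part of the original ticket or of SSSD: it reads tcpdump DNS output and reports which services sent SRV queries to a domain other than the configured discovery domain. The function names are hypothetical, and the sample lines are copied from the capture in the report above.

```python
import re

# Query side of tcpdump's DNS output, e.g.
# "host.46958 > dns.domain: 45800+ SRV? _ldap._tcp.Site._sites.example.com. (56)"
# Responses print "SRV" without the "?" and are therefore skipped.
SRV_QUERY = re.compile(r"\bSRV\?\s+(_[\w-]+)\.(_tcp|_udp)\.(\S+?)\.?\s")

# Lines taken from the "Actual results" capture in the report.
SAMPLE = [
    "rhel6host1.example.com.46958 > adserver.example.com.domain: 45800+ SRV? _ldap._tcp.Valencia._sites.example.com. (56)",
    "adserver.example.com.domain > rhel6host1.example.com.46958: 45800* 1/0/1 SRV adserver.example.com.:389 0 100 (112)",
    "rhel6host1.example.com.47799 > adserver.example.com.domain: 48324+ SRV? _kerberos._udp.EXAMPLE.COM. (44)",
    "rhel6host1.example.com.48368 > adserver.example.com.domain: 53003+ PTR? 60.122.168.192.in-addr.arpa. (45)",
    "rhel6host1.example.com.40558 > adserver.example.com.domain: 15231+ SRV? _kerberos._tcp.EXAMPLE.COM. (44)",
]


def classify_srv_queries(lines, discovery_domain):
    """Return (service, proto, queried_domain, uses_discovery_domain) per SRV query."""
    wanted = discovery_domain.rstrip(".").lower()
    results = []
    for line in lines:
        m = SRV_QUERY.search(line)
        if not m:
            continue  # responses, PTR lookups and non-DNS lines
        service, proto, domain = m.groups()
        # DNS names compare case-insensitively.
        results.append((service, proto, domain, domain.lower() == wanted))
    return results


def services_ignoring_discovery_domain(lines, discovery_domain):
    """Services with at least one SRV query sent outside the discovery domain."""
    hits = classify_srv_queries(lines, discovery_domain)
    return sorted({service for service, _, _, ok in hits if not ok})


if __name__ == "__main__":
    for row in classify_srv_queries(SAMPLE, "Valencia._sites.example.com"):
        print(row)
    print(services_ignoring_discovery_domain(SAMPLE, "Valencia._sites.example.com"))
```
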
Fields changed
blockedby: => blocking: => changelog: => coverity: => design: => design_review: => 0 feature_milestone: => fedora_test_page: => mark: no => 0 owner: somebody => preichl review: True => 0 selected: => testsupdated: => 0
Pavel will code up a prototype once we solve the 1.12 bugs.
milestone: NEEDS_TRIAGE => SSSD 1.12.3
The 1.12.3 milestone should now contain mostly bugfixes (and tickets that already have patches), moving to 1.12.4
milestone: SSSD 1.12.3 => SSSD 1.12.4
patch: 0 => 1
priority: major => critical
design: => https://fedorahosted.org/sssd/wiki/DesignDocs/ActiveDirectoryFixedDNSSite
resolution: => fixed status: new => closed
changelog: => The administrator is able to pin the client to a particular AD site using a new configuration option
Metadata Update from @jhrozek: - Issue assigned to preichl - Issue set to the milestone: SSSD 1.12.4
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/3528
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.