#3291 RFE: sssd in cross realm trust configuration should be able to find AD KDCs from client site

Created a year ago by jhrozek
Modified 2 months ago

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1416528

Description of problem:

In IdM/AD cross realm trust configuration, sssd running on the server is
capable of retrieving identity information from local AD site DCs but sssd
running on clients picks a random KDC returned from DNS SRV discovery for the
actual authentication. There is currently no way to tell sssd to use an AD DC
from the local client site.

A workaround exists by disabling the DNS SRV lookup and hardcoding the desired
servers into krb5.conf. This is not really convenient, especially for roaming

The ad provider has an ad_site parameter which provides the required
functionality. The request is to have the same also available for the ipa
provider used in cross realm trust configuration.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:

Actual results:

Expected results:

Additional info:

Fields changed

blockedby: =>
blocking: =>
changelog: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
mark: no => 0
milestone: NEEDS_TRIAGE => SSSD Future releases (no date set yet)
patch: => 0
review: True => 0
selected: =>
testsupdated: => 0

a year ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD Future releases (no date set yet)

2 months ago

Metadata Update from @jhrozek:
- Custom field design_review reset (from 0)
- Custom field mark reset (from 0)
- Custom field patch reset (from 0)
- Custom field review reset (from 0)
- Custom field sensitive reset (from 0)
- Custom field testsupdated reset (from 0)
- Issue close_status updated to: None
- Issue priority set to: critical (was: major)
- Issue set to the milestone: SSSD 2.0 (was: SSSD Future releases (no date set yet))
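
The two configurations the ticket description contrasts, as an added example that is not part of the original ticket: the ad provider's site pinning, and the krb5.conf workaround on an IPA client. The realm, site name and DC host names are constructed placeholders.

```ini
# --- /etc/sssd/sssd.conf on a host joined directly to AD (ad provider) ---
# ad_site pins discovery to one AD site; this is the behaviour the ticket
# asks to have for the ipa provider as well.
[domain/ad.example.com]
id_provider = ad
ad_site = Site-A                      # placeholder site name

# --- /etc/krb5.conf on an IPA client (workaround from the description) ---
[libdefaults]
    # Disables KDC discovery through DNS SRV records. This applies to every
    # realm, so a realm without kdc entries below is no longer located
    # through DNS SRV records.
    dns_lookup_kdc = false

[realms]
    # Trusted AD realm: list only the DCs of the client's own site.
    AD.EXAMPLE.COM = {
        kdc = dc1.site-a.ad.example.com   # placeholder host
        kdc = dc2.site-a.ad.example.com   # placeholder host
    }
```

The static list has to be maintained per client and per site, and it no longer follows DC changes in AD.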
