#3291 RFE: sssd in cross realm trust configuration should be able to find AD KDCs from client site

Created 2 months ago by jhrozek
Modified 2 months ago

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1416528

Description of problem:

In IdM/AD cross realm trust configuration, sssd running on the server is
capable of retrieving identity information from local AD site DCs but sssd
running on clients picks a random KDC returned from DNS SRV discovery for the
actual authentication. There is currently no way to tell sssd to use an AD DC
from the local client site.

A workaround exists by disabling the DNS SRV lookup and hardcoding the desired
servers into krb5.conf. This is not really convenient, especially for roaming
users.

The ad provider has an ad_site parameter which provides the required
functionality. The request is to have the same also available for the ipa
provider used in cross realm trust configuration.


Fields changed

design_review: => 0
mark: no => 0
milestone: NEEDS_TRIAGE => SSSD Future releases (no date set yet)
patch: => 0
review: True => 0
testsupdated: => 0

2 months ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD Future releases (no date set yet)
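
The workaround and the existing `ad_site` option mentioned in the description, shown as an added configuration example that is not part of the original ticket. All realm, host and site names are constructed placeholders.

```ini
# --- /etc/krb5.conf on the IPA client: the workaround from the description ---
[libdefaults]
  # Stop libkrb5 from discovering KDCs through DNS SRV records.
  dns_lookup_kdc = false

[realms]
  # Trusted AD realm: list only the DCs of the client's own site.
  AD.EXAMPLE.COM = {
    kdc = dc1.site-a.ad.example.com
    kdc = dc2.site-a.ad.example.com
  }
  # dns_lookup_kdc is a global setting, so give the IPA realm an
  # explicit KDC as well.
  IPA.EXAMPLE.COM = {
    kdc = ipa1.ipa.example.com
  }

# --- /etc/sssd/sssd.conf with the ad provider: the behaviour being requested ---
[domain/ad.example.com]
id_provider = ad
# Pin the AD site instead of relying on site auto-discovery.
ad_site = Site-A
```

The static KDC list has to be maintained per location, which is why the description calls the workaround inconvenient for roaming users.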

https://bugzilla.redhat.com/show_bug.cgi?id=1416528

0

0

0

0

cancel