#3291 RFE: sssd in cross realm trust configuration should use AD KDC from a list or site defined in the config file
Closed: Fixed 2 years ago Opened 3 years ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1416528

Description of problem:

In IdM/AD cross realm trust configuration, sssd running on the server is
capable of retrieving identity information from local AD site DCs but sssd
running on clients picks a random KDC returned from DNS SRV discovery for the
actual authentication. There is currently no way to tell sssd to use an AD DC
from the local client site.

A workaround exists by disabling the DNS SRV lookup and hardcoding the desired
servers into krb5.conf. This is not really convenient, especially for roaming
users.

The ad provider has an ad_site parameter which provides the required
functionality. The request is to have the same also available for the ipa
provider used in cross realm trust configuration.

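The workaround named in the description, next to the ad provider's ad_site option it refers to, as an added configuration sketch that is not part of the original ticket. All realm, host and site names are constructed placeholders.

```ini
# --- /etc/krb5.conf on the IdM client: the workaround from the description ---
[libdefaults]
  # Stop locating KDCs through DNS SRV records.
  dns_lookup_kdc = false

[realms]
  # Constructed AD realm: list only the DCs of the client's local AD site.
  AD.EXAMPLE.COM = {
    kdc = dc1.site-a.ad.example.com
    kdc = dc2.site-a.ad.example.com
  }
  # Constructed IdM realm: with SRV lookup off, the home realm is listed explicitly too.
  IPA.EXAMPLE.COM = {
    kdc = ipa1.ipa.example.com
  }

# --- /etc/sssd/sssd.conf on a host joined directly to AD (id_provider = ad) ---
# This is where ad_site already exists; the ticket asks for the equivalent
# with the ipa provider in a trust setup.
[domain/ad.example.com]
id_provider = ad
ad_site = Site-A
```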

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD Future releases (no date set yet)

3 years ago

Metadata Update from @jhrozek:
- Issue close_status updated to: None
- Issue priority set to: critical (was: major)
- Issue set to the milestone: SSSD 2.0 (was: SSSD Future releases (no date set yet))

2 years ago

I'm moving the ticket up because I'm working on the patches.

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.16.3 (was: SSSD 2.0)

2 years ago

Metadata Update from @jhrozek:
- Issue assigned to jhrozek

2 years ago

Metadata Update from @jhrozek:
- Issue tagged with: RFE

2 years ago

Metadata Update from @jhrozek:
- Issue tagged with: PR

2 years ago

Metadata Update from @fidencio:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

2 years ago

SSSD is moving from Pagure to GitHub. This means that new issues and pull requests
will be accepted only in SSSD's GitHub repository.

This issue has been cloned to GitHub and is available here:
- https://github.com/SSSD/sssd/issues/4324

If you want to receive further updates on the issue, please navigate to the GitHub issue
and click on the subscribe button.

Thank you for understanding. We apologize for all inconvenience.
