On Mon, Jul 31, 2017 at 05:47:11PM -0400, Alexandre Pitre wrote:
> Bullseye Jakub, that did the trick. I should have posted for help on the
> mailing list sooner. Thank you so much, you are saving my ass.
>
> It makes sense to increase the krb5_auth_timeout as my AD domain
> controller servers are worldwide. Currently they exist in 3 regions: North
> America, Europe and Asia.
>
> The weird thing is it seems that when a Linux host tries to authenticate
> against my AD, it just randomly selects an AD DC from the _kerberos SRV
> records. Normally, on the Windows side, if "sites and services" are set up
> correctly with subnets defined and bound to sites, a Windows client
> shouldn't try to authenticate against an AD DC that isn't local to its
> site. This mechanism doesn't seem to apply to my Linux hosts. Is it
> because it's only available for Windows hosts? Is there another way to
> force Linux clients to authenticate against an AD DC local to their site?
We haven't implemented the site selection for the clients yet, only for
servers, see:
https://bugzilla.redhat.com/show_bug.cgi?id=1416528
> For now, I set the krb5_auth_timeout to 120 seconds. I had to completely
> stop sssd and start it again. A colleague mentioned that sssd has a known
> issue with restart apparently.
I'm not aware of any such issue.
> Also, I'm curious about port requirements. Going from Linux hosts to AD, I
> only authorize 88 TCP/UDP. I believe that's all I need.
Yes, from the clients, that should be enough. The servers need more
ports open:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/...
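To show why a client with no site awareness can land on a far-away DC, here is an added Python example (not from this thread or from SSSD) that parses a constructed _kerberos._tcp SRV answer and applies the standard RFC 2782 ordering: lowest priority first, then weighted random within a priority. The hostnames and records are constructed; the default equal priority and weight AD registers for every DC makes the first choice a coin toss across regions.

```python
import random
import re
from collections import Counter, defaultdict

# Constructed sample answer for the _kerberos._tcp SRV lookup, in zone-file
# presentation. Hostnames are hypothetical; three DCs share priority 0 and
# weight 100 (the AD default), one backup DC sits at a lower priority (10).
SAMPLE_SRV = """\
_kerberos._tcp.corp.example. 600 IN SRV 0 100 88 dc-na1.corp.example.
_kerberos._tcp.corp.example. 600 IN SRV 0 100 88 dc-eu1.corp.example.
_kerberos._tcp.corp.example. 600 IN SRV 0 100 88 dc-asia1.corp.example.
_kerberos._tcp.corp.example. 600 IN SRV 10 100 88 dc-backup.corp.example.
"""

SRV_RE = re.compile(r"^\S+\s+\d+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")

def parse_srv(text):
    """Return [(priority, weight, port, target)] from SRV lines in zone-file form."""
    records = []
    for line in text.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            prio, weight, port, target = m.groups()
            records.append((int(prio), int(weight), int(port), target.rstrip(".")))
    return records

def srv_order(records, seed=None):
    """RFC 2782 ordering: ascending priority; within one priority pick by
    weighted random until the priority group is exhausted."""
    rng = random.Random(seed)
    by_prio = defaultdict(list)
    for rec in records:
        by_prio[rec[0]].append(rec)
    ordered = []
    for prio in sorted(by_prio):
        pool = list(by_prio[prio])
        while pool:
            total = sum(r[1] for r in pool)
            pick = rng.randint(0, total) if total else 0
            running = 0
            for i, rec in enumerate(pool):
                running += rec[1]
                if running >= pick:  # first record whose running sum reaches the pick
                    ordered.append(pool.pop(i))
                    break
    return ordered

def first_choice_counts(records, trials, seed=0):
    """How often each target is tried first over many lookups (seeded for repeatability)."""
    return Counter(srv_order(records, seed=seed + i)[0][3] for i in range(trials))
```

Run `first_choice_counts(parse_srv(SAMPLE_SRV), 300)` to see the first contact spread across all three regional DCs, with the priority-10 backup never chosen first while the others are present.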