Can somebody confirm for me the behaviour of SSSD (we're currently on
version 1.8.6, but will migrate to whatever comes in Ubuntu 14.04) with
regard to Kerberos DNS records?
I mean, the sssd 1.8 series did not have any special handling for AD, so
LDAP queries went to the provided ldap_uri and Kerberos queries, thanks to
the dns_discover_domains, are handled by the DNS SRV records for
_kerberos._udp.example.com. Correct me if I'm wrong.
The DNS SRV records have a preference, or a priority option. Is this
taken into account, so that a lower-priority server is never accessed if
the higher one answers?
I am asking because our AD team implemented some "Disaster Recovery"
domain controller which they only turn on for 2 hours a week, after work
of course, and I believe the logon time is much longer now. I don't have
exact details for it, though. They claim that they cannot remove the SRV
record for the "special" server as it will not replicate the AD
structure to the server in such a case, so they offered to lower the
priority, but I'm not sure if that's going to help.
I was also informed that the client should be actually using SRV records
for the particular site, which don't contain the "special" server. Does
the 1.9+ series AD backend solve this particular issue?
Sorry for cross-posting to 4 different lists but it seems that this is
the best way to include most of the people who might be interested in this
The question of "When FreeIPA will be available on Debian?" has been
coming up periodically on the list(s) without any resolution. However it
is clear that it would be beneficial for the community and the project.
Maybe it is time to try again?
Let us see why it has not happened yet.
1) Some components need to be ported to Debian especially Dogtag and a
slew of its new RESTEasy dependencies. This requires time and quite an
effort from someone familiar with the domain.
2) The code needs to be changed in the installer and potentially in other
places as it might have had some Fedorizms blended in.
3) Someone needs to own packages in Debian and maintain them, someone
with good knowledge of the distro and time to take ownership of about 50
Can we pull it off together this time?
Say we plan for some Dogtag and IPA domain experts to work on the port
during Nov 13 - Feb 14 and address 1) and 2). Would there be any
interest to join forces with them? Would there be anyone to take on item
3) from the list above?
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.