On 08/02/2012 08:53 AM, Pieter Baele wrote:
> FWIW if you use FreeIPA you will be able to join domains there and use
> DNS Dynamic Updates to update the DNS when some IP address changes,
> letting hosts manage themselves mostly.
>
> Simo.
>
> I tested FreeIPA thoroughly. The problem is we want the same domain on
> the Linux servers, and I want to use the AD Kerberos as authentication
> provider. But the FreeIPA client always resolves to the KDC of AD, which
> is causing a lot of trouble.
> The other issue is the DNS is a separate appliance managed by another team.
> So I went with OpenLDAP.
> And on the client:
> LDAP as ID provider
> Kerberos on AD as auth provider
Just FYI, 3.0 is supposed to address this scenario in the following way:
You make the AD your source of the DNS info.
You add entries into AD DNS for the IPA servers so that they can resolve
themselves.
You install clients with the argument that will tell the SSSD the names
of the IPA servers and with the argument to not perform any DNS discovery.
For the authentication you can use the AD trust feature or sync users from
AD to IPA.
I suspect that you already sync accounts to OpenLDAP in some way.
SSSD can be told not to resolve DNS and use the fixed list of servers
even now in 1.8. It is the ipa-client that always sticks DNS resolution
configuration into the SSSD config, but since you use the custom sssd
configuration anyway you might very well just remove the _srv_ from the
SSSD config using a simple script. This part will be fixed in 3.0, but
you have a workaround to try using FreeIPA 2.2 and an adjusted SSSD config.
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
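The "simple script" Dmitri mentions for removing `_srv_` from the SSSD config, worked through as an added example (not code from the thread or from the SSSD/FreeIPA projects). It rewrites the `ipa_server` line of an sssd.conf so that SSSD uses only the fixed server list and skips DNS SRV discovery; the hostnames and the sample config fragment are constructed for illustration, and the file is rewritten in place so the 0600 root ownership that sssd.conf requires is preserved:

```sh
#!/bin/sh
# Added example: drop the "_srv_" DNS-discovery marker from ipa_server in an
# sssd.conf so SSSD only contacts the explicitly listed IPA servers.
# All hostnames below are constructed; this is not a real site's config.

# strip_srv FILE: remove "_srv_" from every ipa_server line in FILE, keeping
# the remaining comma-separated servers. A line whose only value is "_srv_"
# is left untouched so SSSD is never left with an empty server list.
strip_srv() {
    file="$1"
    tmp="$(mktemp)"
    awk '
        /^[ \t]*ipa_server[ \t]*=/ {
            val = $0
            sub(/^[^=]*=/, "", val)          # everything after the first "="
            n = split(val, items, ",")
            out = ""
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", items[i])
                if (items[i] == "" || items[i] == "_srv_") continue
                out = (out == "" ? items[i] : out ", " items[i])
            }
            if (out == "") { print $0 } else { print "ipa_server = " out }
            next
        }
        { print }                             # every other line copied verbatim
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # write through: keeps mode/owner
    rm -f "$tmp"
}

# write_sample FILE: constructed sssd.conf fragment resembling what ipa-client
# generates (ID from IPA, Kerberos auth against an AD DC, _srv_ discovery on).
write_sample() {
    cat > "$1" <<'EOF'
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ipa
auth_provider = krb5
ipa_server = _srv_, ipa1.example.com, ipa2.example.com
krb5_server = ad-dc1.example.com
EOF
}

# ipa_server_line FILE: print the ipa_server line so the result can be checked.
ipa_server_line() {
    grep '^ipa_server' "$1"
}

main() {
    f="$(mktemp)"
    write_sample "$f"
    strip_srv "$f"
    ipa_server_line "$f"     # ipa_server = ipa1.example.com, ipa2.example.com
    rm -f "$f"
}

main
```

Run it against `/etc/sssd/sssd.conf` with `strip_srv /etc/sssd/sssd.conf` and restart sssd afterwards; after the change the servers named in `ipa_server` are the only ones SSSD will try, so verify they resolve from the client (for the scenario in the thread, via the AD DNS entries) before restarting.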