The docs seem a little unclear to me on this. They note that when using the AD provider sssd will perform site discovery to find the closest AD controller. But what about when using the IPA provider? It seems to me like it doesn't, and if not - why not?
On Thu, Jun 23, 2022 at 10:24:33AM -0600, Orion Poplawski wrote:
The docs seem a little unclear to me on this. They note that when using the AD provider sssd will perform site discovery to find the closest AD controller. But what about when using the IPA provider? It seems to me like it doesn't, and if not - why not?
Hi,
afaik site discovery does not work across forest boundaries. To my knowledge AD DCs determine the site based on IP addresses given out by the DCs via DHCP, so only the DC of the domain you are joined to can return the site reliably. There is the concept of NextClosestSiteName (see MS-ADTS 6.3.3.2 https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/3d71aef...) but I'm not sure if this would give more reliable results. Based on this we decided that it might be better to set the site explicitly in sssd.conf.
Please let me know if you are aware of additional documentation which covers sites across forest boundaries.
HTH
bye, Sumit
(I posted the same reply to your question in https://github.com/SSSD/sssd/issues/5958)
Sumit,
AD administrators maintain the relationship between subnet and sites in the "AD Sites and Services" administrative tool.
They associate particular subnets with a particular site there. From your URL, it appears that the client sends its IP address in its CLDAP query. The AD DC does the subnet math and looks up the matching site in the AD Sites and Services data (the most specific match wins, then more general ones).
Our AD team has an ultimate back-stop of 0.0.0.0/1 and 128.0.0.0/1 (most general), I think aka "CompanyGeneral".
It sounds like a lot of work, but if they logically group their IP addresses so that they can use big supernets (say 10.0.0.0/9 for siteA and 10.128.0.0/9 for siteB), it's not so much manual effort.
I would guess that AD Sites and Services lookups wouldn't work across forests; which forest would be authoritative? If you're searching your local forest, with the ultimate back-stops above you'd always find a site in your local forest and never traverse to another forest.
Spike
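The subnet-to-site lookup Spike describes (most specific subnet wins, with the two /1 back-stops catching everything else), as an added Python example that is not sssd code and not part of this thread. The subnet table is constructed for illustration around the thread's siteA/siteB/CompanyGeneral values; the /24 "branch" override is an assumption added to show the longest-prefix rule.

```python
import ipaddress

# Constructed subnet-to-site table, modelled on the thread's example:
# two /9 supernets, one more specific override inside siteA (assumed),
# and the two catch-all "back-stop" halves of the IPv4 address space.
SITE_SUBNETS = {
    "10.0.0.0/9": "siteA",
    "10.128.0.0/9": "siteB",
    "10.1.2.0/24": "siteA-branch",      # hypothetical more specific entry
    "0.0.0.0/1": "CompanyGeneral",      # back-stop: 0.0.0.0 - 127.255.255.255
    "128.0.0.0/1": "CompanyGeneral",    # back-stop: 128.0.0.0 - 255.255.255.255
}


def build_site_table(mapping):
    """Parse the CIDR strings once and order them longest prefix first,
    so that a linear scan returns the most specific match."""
    table = [(ipaddress.ip_network(cidr), site) for cidr, site in mapping.items()]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def lookup_site(client_ip, table):
    """Return (site, matching_subnet) for the most specific subnet containing
    client_ip, or (None, None) if no subnet of the same IP version covers it.
    This mirrors the DC-side step: the client only supplies its address."""
    addr = ipaddress.ip_address(client_ip)
    for net, site in table:
        if addr.version == net.version and addr in net:
            return site, str(net)
    return None, None


TABLE = build_site_table(SITE_SUBNETS)

if __name__ == "__main__":
    for ip in ("10.1.2.3", "10.200.0.1", "100.64.0.1", "192.168.1.1", "2001:db8::1"):
        print(ip, "->", lookup_site(ip, TABLE))
```

With the two /1 back-stops in place every IPv4 client resolves to some site in the local forest, which is exactly why, as Spike notes, the lookup never needs to consult another forest; pinning the site by hand, as Sumit suggests, is the ad_site option documented in sssd-ad(5).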