Let's identify it and get it filed.

Can you paste the relevant part of your config file? Feel free to
sanitize sensitive parts like hostnames, etc. What is the desired order
of resolving? SRV first, then hardcoded host name?

Ok, I cannot replicate the problem - my bad. However, I have discovered something else. When doing the SRV lookup, multiple servers are returned. It would be good if we preferred the one in the same subnet (i.e. something like the DC locator function in Samba). What happens now is that a server on a different continent is happily used, which is probably not the best thing to do...
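As an added illustration of the site-aware ordering suggested above (this is example code, not part of the thread and not SSSD's or Samba's own locator logic): the SRV answers are kept in RFC 2782 priority order, but within each priority tier the targets that fall in the client's own subnet are placed first. The SRV targets and their addresses are constructed sample data, and the client's subnet is passed in explicitly rather than discovered from the interfaces.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvTarget:
    """One SRV record target, already resolved to an address."""
    host: str
    port: int
    priority: int
    weight: int
    address: str  # resolved A record (constructed for this example)


# Constructed sample answer set for something like _ldap._tcp.<domain>.
# Hostnames and addresses are hypothetical.
SAMPLE_SRV = [
    SrvTarget("dc-tokyo.example.test", 389, 0, 100, "10.30.0.10"),
    SrvTarget("dc-dublin1.example.test", 389, 0, 100, "10.10.5.20"),
    SrvTarget("dc-newyork.example.test", 389, 0, 100, "10.20.0.5"),
    SrvTarget("dc-dublin2.example.test", 389, 10, 100, "10.10.5.21"),
]


def order_by_site(targets, local_addr, local_prefix):
    """Order SRV targets for connection attempts.

    Sort key, in order: SRV priority ascending (lower is tried first, as in
    RFC 2782), then same-subnet targets before remote ones, then higher
    weight first, then hostname for a stable result. The weight step is a
    deterministic stand-in for the weighted-random choice RFC 2782 describes.
    """
    local_net = ipaddress.ip_network(f"{local_addr}/{local_prefix}", strict=False)

    def key(target):
        same_subnet = ipaddress.ip_address(target.address) in local_net
        return (target.priority, 0 if same_subnet else 1, -target.weight, target.host)

    return sorted(targets, key=key)


def pick_server(targets, local_addr, local_prefix):
    """Return the hostname that would be contacted first, or None if empty."""
    ordered = order_by_site(targets, local_addr, local_prefix)
    return ordered[0].host if ordered else None


if __name__ == "__main__":
    # A client in 10.10.5.0/24 should end up talking to the Dublin server
    # in its own subnet instead of the first priority-0 answer returned.
    for t in order_by_site(SAMPLE_SRV, "10.10.5.77", 24):
        print(t.priority, t.address, t.host)
```

A client with no local match simply falls back to plain priority/weight ordering, so the subnet preference only reorders within a tier and never skips a lower-priority server in favour of a higher-priority one.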

Please note that the difference in requiring the realm in the LDAP and
Kerberos providers is tracked by https://fedorahosted.org/sssd/ticket/570
which is currently deferred, but maybe it is time to reconsider it given
it is confusing our users.


Yes, it is quite confusing to me.....
Given the TXT realm discovery can potentially be dangerous, I think it
needs to be explicitly turned on by specifying 'krb5_realm = _txt_'
similar to how one can specify SRV lookups.

No, I did not mean realm discovery using TXT records, I mean simply assuming that dns_discovery_domain = realm. I believe it is safe to assume this (at least in both IPA and Active Directory domains). See my setup:

[domain/default]
ldap_id_use_start_tls = False
ldap_search_base = dc=dublin,dc=ad,dc=s3group,dc=com
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
cache_credentials = True
ldap_sasl_authid = draco$@DUBLIN.AD.S3GROUP.COM
dns_discovery_domain = dublin.ad.s3group.com
krb5_realm = DUBLIN.AD.S3GROUP.COM
ldap_sasl_mech = GSSAPI
ldap_user_object_class = user
ldap_group_object_class = group
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_schema = rfc2307bis

It should not be necessary to specify krb5_realm. Let's assume krb5_realm = dns_discovery_domain (if not specified explicitly of course). What do you think?

Thanks,
Ondrej

