Active Domain Controller server lists (part of SSSD-AD)?
by Conwell, Nik
Hi all, just curious: what do you all do for Active Directory domain controllers in the krb5.conf? It seems that "realm join" by default populates the krb5.conf with the hostnames of all the AD KDCs discovered for the domain. All good until we decided we are going to rename the KDCs to all new names. Windows boxes don't care; apparently they will automatically rediscover based on the "_srv_" record queries. But from an SSSD-AD and krb5.conf perspective we may end up having to "realm leave" and "realm join" the Linux boxes to pick up the new DCs, or possibly edit the krb5.conf to change the discovered servers to be just "_srv_" so it will be dynamically queried.
What are you all doing for SSSD-AD and the list of AD Domain Controllers? Do you manage the krb5.conf list directly, or do you just always change the list to be "_srv_"?
Thanks.
-nik
Nik Conwell | Manager, Systems Engineering
Boston University Information Services & Technology
5 years, 6 months
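The question above is really "which of my hosts still pin KDCs by name?". The script below is an added example, not code from the original post or from SSSD/realmd. It parses a krb5.conf and reports, per realm, whether libkrb5 will fall back to DNS SRV discovery. The relevant MIT krb5 rule is that dns_lookup_kdc is consulted only for realms that list no kdc entries, so a realm with hard-coded kdc lines keeps using those hostnames after a DC rename even when dns_lookup_kdc = true. The sample file, realm names and hostnames are constructed.

```python
"""Audit a krb5.conf for realms whose KDCs are pinned by hostname.

Added example, not code from the original post or from SSSD/realmd.
The sample configuration and all hostnames below are constructed.
"""
import re

SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = AD.EXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true

[realms]
    AD.EXAMPLE.COM = {
        kdc = dc01.ad.example.com
        kdc = dc02.ad.example.com
        admin_server = dc01.ad.example.com
    }
    DYN.EXAMPLE.COM = {
        default_domain = dyn.example.com
    }

[domain_realm]
    .ad.example.com = AD.EXAMPLE.COM
"""


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: [sections], key = value pairs, and one level
    of NAME = { ... } blocks. Repeated keys (e.g. several kdc lines) are kept
    as a list in file order."""
    sections = {}
    section = None
    block = None  # name of the { } block we are inside, or None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\S+)\]", line)
        if m:
            section = sections.setdefault(m.group(1), {})
            block = None
            continue
        if section is None:
            raise ValueError(f"directive outside any section: {raw!r}")
        if line == "}":
            block = None
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"cannot parse line: {raw!r}")
        key, value = key.strip(), value.strip()
        if value == "{":
            block = key
            section.setdefault(key, {})
            continue
        target = section[block] if block else section
        target.setdefault(key, []).append(value)
    return sections


def is_true(value):
    return value.lower() in ("true", "yes", "on", "1")


def audit_kdc_discovery(text):
    """Return {realm: {"static_kdcs": [...], "uses_srv": bool}}."""
    conf = parse_krb5_conf(text)
    # MIT's default for dns_lookup_kdc is true; the last occurrence wins here.
    dns_setting = conf.get("libdefaults", {}).get("dns_lookup_kdc", ["true"])[-1]
    dns_on = is_true(dns_setting)
    report = {}
    for realm, settings in conf.get("realms", {}).items():
        if not isinstance(settings, dict):
            continue  # a bare key in [realms], not a realm block
        kdcs = settings.get("kdc", [])
        report[realm] = {
            "static_kdcs": kdcs,
            # libkrb5 only does SRV discovery for realms with no kdc entries
            "uses_srv": dns_on and not kdcs,
        }
    return report


def realms_needing_edit(text):
    """Realms that break on a DC rename: they carry a pinned kdc list."""
    return sorted(r for r, v in audit_kdc_discovery(text).items() if v["static_kdcs"])


if __name__ == "__main__":
    for realm, info in audit_kdc_discovery(SAMPLE_KRB5_CONF).items():
        state = "SRV discovery" if info["uses_srv"] else "pinned: " + ", ".join(info["static_kdcs"])
        print(f"{realm}: {state}")
```

Run it against /etc/krb5.conf on a sample of joined hosts; any realm listed by realms_needing_edit() is one that a rename will leave pointing at dead names until the kdc lines are removed or the host is re-joined. Note that on an SSSD host libkrb5 also gets KDC hints from SSSD's own locator plugin (driven by ad_server in sssd.conf, where _srv_ is the dynamic option), so the krb5.conf list is not the only input, but a stale pinned list is still the one you have to clean up by hand.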
ad_access_filter and splitting group listing with backslash
by TomK
Hey All,
Given this example below, which spans an entire line:
ad_access_filter = (|(memberOf=CN=group-of-admins,OU=XYZ,DC=blah,DC=blah,DC=blah)(memberOf=CN=group-of-managers,OU=XYZ,DC=blah,DC=blah,DC=blah)(memberOf=CN=group-of-minions,OU=XYZ,DC=blah,DC=blah,DC=blah)(memberOf=CN=group-of-analysts,OU=XYZ,DC=blah,DC=blah,DC=blah)(memberOf=CN=group-of-limited,OU=XYZ,DC=blah,DC=blah,DC=blah)(memberOf=CN=group-of-viewers,OU=XYZ,DC=blah,DC=blah,DC=blah))
Has anyone tried to use a backslash to split the line like this?
ad_access_filter = (| \
(memberOf=CN=group-of-admins,OU=XYZ,DC=blah,DC=blah,DC=blah) \
(memberOf=CN=group-of-managers,OU=XYZ,DC=blah,DC=blah,DC=blah) \
(memberOf=CN=group-of-minions,OU=XYZ,DC=blah,DC=blah,DC=blah) \
(memberOf=CN=group-of-analysts,OU=XYZ,DC=blah,DC=blah,DC=blah) \
(memberOf=CN=group-of-limited,OU=XYZ,DC=blah,DC=blah,DC=blah) \
(memberOf=CN=group-of-viewers,OU=XYZ,DC=blah,DC=blah,DC=blah))
Or would the backslashes get interpreted when SSSD reads the file?
--
Cheers,
Tom K.
5 years, 6 months
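Whatever the config parser does with a trailing backslash (the open question in the post above), a backslash that survives into the filter string is a problem in its own right: RFC 4515 reserves "\" as the escape prefix inside a filter, valid only as "\" followed by two hex digits, so a literal " \" or a line break makes the filter invalid. The script below is an added example, not code from the original post or from SSSD. It keeps the group DNs as a list, emits the one-line ad_access_filter value from them, and lint-checks a filter for exactly the breakage a split line would introduce. The DNs are the post's placeholder DNs; the "split" string is a constructed model of the backslash version read verbatim.

```python
"""Generate and lint a single-line ad_access_filter for sssd.conf.

Added example, not code from the original post or from SSSD. Group DNs
are the post's placeholders; SPLIT_WITH_BACKSLASHES is a constructed
model of the backslash-split option value taken verbatim.
"""
import re

GROUP_DNS = [
    "CN=group-of-admins,OU=XYZ,DC=blah,DC=blah,DC=blah",
    "CN=group-of-managers,OU=XYZ,DC=blah,DC=blah,DC=blah",
    "CN=group-of-minions,OU=XYZ,DC=blah,DC=blah,DC=blah",
    "CN=group-of-analysts,OU=XYZ,DC=blah,DC=blah,DC=blah",
    "CN=group-of-limited,OU=XYZ,DC=blah,DC=blah,DC=blah",
    "CN=group-of-viewers,OU=XYZ,DC=blah,DC=blah,DC=blah",
]

# The backslash-split version, if backslashes and newlines reached the filter.
SPLIT_WITH_BACKSLASHES = "(| \\\n" + " \\\n".join(
    f"(memberOf={dn})" for dn in GROUP_DNS) + ")"


def build_memberof_filter(group_dns):
    """One-line RFC 4515 OR filter: (|(memberOf=dn1)(memberOf=dn2)...)."""
    if not group_dns:
        raise ValueError("at least one group DN is required")
    terms = "".join(f"(memberOf={dn})" for dn in group_dns)
    return terms if len(group_dns) == 1 else f"(|{terms})"


# RFC 4515: a backslash is only valid as the escape prefix of two hex digits.
_BAD_ESCAPE = re.compile(r"\\(?![0-9A-Fa-f]{2})")
# Whitespace touching a paren or the OR operator: leftovers of line splitting.
# Spaces inside a DN value (CN=Domain Admins) are legitimate and not flagged.
_STRAY_SPACE = re.compile(r"\(\s|\s\(|\)\s|\s\)|\|\s")


def lint_filter(filter_str):
    """Return a list of problems; an empty list means the filter looks sane."""
    problems = []
    depth = 0
    for i, ch in enumerate(filter_str):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                problems.append(f"unmatched ')' at offset {i}")
                break
    if depth > 0:
        problems.append(f"{depth} unclosed '('")
    if "\n" in filter_str or "\r" in filter_str:
        problems.append("line break inside filter")
    for m in _BAD_ESCAPE.finditer(filter_str):
        problems.append(f"backslash not followed by two hex digits at offset {m.start()}")
    if _STRAY_SPACE.search(filter_str):
        problems.append("whitespace adjacent to '(', ')' or '|'")
    if not filter_str.startswith("(") or not filter_str.endswith(")"):
        problems.append("filter must be fully parenthesised")
    return problems


def sssd_option(group_dns):
    """The ad_access_filter line as it should appear in sssd.conf."""
    return f"ad_access_filter = {build_memberof_filter(group_dns)}"


if __name__ == "__main__":
    print(sssd_option(GROUP_DNS))
    for problem in lint_filter(SPLIT_WITH_BACKSLASHES):
        print("split version:", problem)
```

Keeping the DN list in version control and regenerating the single long line sidesteps the continuation question entirely, and the linter doubles as a pre-deploy check: run it on the value you are about to ship and refuse anything with a line break, a bare backslash, or whitespace around the parentheses.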