Hi all, just curious what do you all do for Active Directory domain controllers in the krb5.conf? Seems like "realm join" by default populates the krb5.conf with the hostnames of all the AD KDCs discovered for the domain. All good until we decided we are going to rename the KDCs to all new names. Windows boxes don't care, apparently they will automatically rediscover based on the "_srv_" record queries. But from an SSSD-AD and krb5.conf perspective we may end up having to "realm leave" "realm join" the linux boxes to pick up the new DCs or possibly edit the krb5.conf to change the discovered servers to be just "_srv_" so it will be dynamically queried.
What are you all doing for SSSD-AD and the list of AD Domain Controllers? Do you manage the krb5.conf list directly, or do you just always change the list to be "_srv_"?
Thanks. -nik
Nik Conwell | Manager, Systems Engineering Boston University Information Services & Technology
I am a big fan of
dns_lookup_realm = true
in /etc/krb5.conf. Of course, our AD administrators maintain good SRV records for the various AD controllers -- so there's that.
Also, they maintain a load-balanced pool per location for those apps that are not site-aware. Worst case, I could set my kdc = that.
That LB pool will always be right, as they slip AD controllers in and out.
Spike
On Fri, Oct 5, 2018 at 6:04 AM Conwell, Nik nik@bu.edu wrote:
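As an added example for this thread (not code from SSSD or MIT krb5, and not something either poster ran): a small Python check that parses the static "kdc =" entries that "realm join" leaves in krb5.conf and compares them with the SRV targets of _kerberos._tcp.<domain>, flagging hosts that a DC rename has made stale. The krb5.conf text and the SRV answer below are constructed; note that in MIT krb5 it is dns_lookup_kdc (not dns_lookup_realm) that switches KDC discovery to SRV records, so the check reports that setting too.

```python
"""Flag static kdc entries in krb5.conf that no longer match the realm's SRV records."""
import re
from typing import Dict, List, Set

# Constructed krb5.conf, roughly as "realm join" leaves it: static DC hostnames.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = AD.EXAMPLE.COM
    dns_lookup_kdc = false

[realms]
    AD.EXAMPLE.COM = {
        kdc = dc1.ad.example.com
        kdc = dc2.ad.example.com
        admin_server = dc1.ad.example.com
    }
"""
# Constructed SRV targets for _kerberos._tcp.ad.example.com after the DCs were renamed
# (in practice: dig +short SRV _kerberos._tcp.ad.example.com).
SAMPLE_SRV_TARGETS = ["dc-new1.ad.example.com", "dc-new2.ad.example.com"]

_SECTION = re.compile(r"^\s*\[(\w+)\]\s*$")
_REALM_OPEN = re.compile(r"^\s*(\S+)\s*=\s*\{\s*$")
_KV = re.compile(r"^\s*(\w+)\s*=\s*(\S+)\s*$")


def parse_static_kdcs(conf: str) -> Dict[str, List[str]]:
    """Return {REALM: [kdc host, ...]} for every realm block under [realms]."""
    kdcs: Dict[str, List[str]] = {}
    section = realm = None
    for line in conf.splitlines():
        if (m := _SECTION.match(line)):
            section, realm = m.group(1), None
        elif section == "realms" and (m := _REALM_OPEN.match(line)):
            realm = m.group(1)
            kdcs.setdefault(realm, [])
        elif realm and line.strip() == "}":
            realm = None
        elif realm and (m := _KV.match(line)) and m.group(1) == "kdc":
            kdcs[realm].append(m.group(2).rsplit(":", 1)[0].lower())  # drop :port
    return kdcs


def dns_lookup_kdc_enabled(conf: str) -> bool:
    """True unless [libdefaults] turns dns_lookup_kdc off (the MIT krb5 default is true)."""
    section = None
    for line in conf.splitlines():
        if (m := _SECTION.match(line)):
            section = m.group(1)
        elif section == "libdefaults" and (m := _KV.match(line)) and m.group(1) == "dns_lookup_kdc":
            return m.group(2).lower() not in ("false", "no", "0")
    return True


def stale_kdcs(static: List[str], srv_targets: List[str]) -> Set[str]:
    """Static kdc hosts that no longer appear in the realm's _kerberos._tcp SRV answer."""
    live = {t.lower().rstrip(".") for t in srv_targets}
    return {h for h in static if h.rstrip(".") not in live}


if __name__ == "__main__":
    for realm, hosts in parse_static_kdcs(SAMPLE_KRB5_CONF).items():
        print(f"{realm}: static={hosts} stale={sorted(stale_kdcs(hosts, SAMPLE_SRV_TARGETS))} "
              f"dns_lookup_kdc={dns_lookup_kdc_enabled(SAMPLE_KRB5_CONF)}")
```

With the constructed input both static hosts come back as stale and dns_lookup_kdc is off, which is exactly the state where a renamed DC leaves the Linux box with no working KDC until krb5.conf is regenerated.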
Thanks Spike. I hadn't thought about the load-balanced pool for apps that are not site-aware. That's a good idea. Take care. -nik
From: Spike White spikewhitetx@gmail.com
Reply-To: End-user discussions about the System Security Services Daemon sssd-users@lists.fedorahosted.org
Date: Monday, October 8, 2018 at 10:13 AM
To: End-user discussions about the System Security Services Daemon sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] Re: Active Domain Controller server lists (part of SSSD-AD)?