Thanks Spike. I hadn't thought about the load-balanced pool for apps that are not
site-aware. That's a good idea. Take care. -nik
From: Spike White <spikewhitetx(a)gmail.com>
Reply-To: End-user discussions about the System Security Services Daemon
Date: Monday, October 8, 2018 at 10:13 AM
To: End-user discussions about the System Security Services Daemon
Subject: [SSSD-users] Re: Active Domain Controller server lists (part of SSSD-AD)?
I am a big fan of
dns_lookup_realm = true
in /etc/krb5.conf. Of course, our AD administrators maintain good SRV records for the
various AD controllers -- so there's that.
also they maintain a load-balanced pool per location for those apps that are not
site-aware. Worst case, I could set my kdc = that.
That LB pool will always been right, as they slip in and out AD controllers.
On Fri, Oct 5, 2018 at 6:04 AM Conwell, Nik <firstname.lastname@example.org<mailto:email@example.com>>
Hi all, just curious what do you all do for Active Directory domain controllers in the
krb5.conf? Seems like "realm join" by default populates the krb5.conf with the
hostnames of all the AD KDCs discovered for the domain. All good until we decided we are
going to rename the KDCs to all new names. Windows boxes don't care, apparently they
will automatically rediscover based on the "_srv_" record queries. But from an
SSSD-AD and krb5.conf perspective we may end up having to "realm leave"
"realm join" the linux boxes to pick up the new DCs or possibly edit the
krb5.conf to change the discovered servers to be just "_srv_" so it will be
What are you all doing for SSSD-AD and the list of AD Domain Controllers? Do you manage
the krb5.conf list directly, or do you just always change the list to be
Nik Conwell | Manager, Systems Engineering
Boston University Information Services & Technology
sssd-users mailing list --
To unsubscribe send an email to
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines