Hey Guys,
Cluster VIP for LDAP hosts.
Does SSSD support this now? Or should it still be a comma separated list?
Have a Windows AD DC cluster made up of 8 servers. Would be handy to use that (i.e. company-dom.com) instead of the individual hosts that make this up.
In case the AD / DC team removes hosts from a cluster, we would not need to update anything on our end if we were using just the domain.
On Fri, May 19, 2017 at 10:22:35AM -0400, TomK wrote:
> Hey Guys,
> Cluster VIP for LDAP hosts.
> Does SSSD support this now? Or should it still be a comma separated list?
> Have a Windows AD DC cluster made up of 8 servers. Would be handy to use that (i.e. company-dom.com) instead of the individual hosts that make this up.

I would recommend using DNS SRV lookups instead. With AD this should return the same list of DCs as the special company-dom.com. You can check with

    dig SRV _ldap._tcp.company-dom.com

If you use the SSSD AD provider and either name the domain in sssd.conf company-dom.com or set ad_domain to company-dom.com, and do not set any ad_server, SSSD will automatically use the SRV record.

The issue with just using company-dom.com as ad_server is GSSAPI/Kerberos authentication. Here the specific names of the DCs are needed to be able to request a proper service ticket.

HTH

bye, Sumit

> In case the AD / DC team removes hosts from a cluster, we would not need to update anything on our end if we were using just the domain.
> -- Cheers, Tom K.
> Living on earth is expensive, but it includes a free trip around the sun.
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
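As an added illustration of the advice above (example code written for this page, not from the thread or from the SSSD project), the script below parses the answer section of `dig SRV _ldap._tcp.<domain>`, orders the returned DCs the way an SRV client would, lists the `ldap/<dc-name>@REALM` service principals a Kerberos client has to request tickets for (which is why the individual DC names matter), and audits a `[domain/...]` section of sssd.conf for how it discovers DCs. The dig output and the two sssd.conf fragments are constructed samples; the realm is assumed to be the AD domain in upper case (krb5_realm can override that in a real config), and `_srv_` is treated as SSSD's keyword for SRV discovery in ad_server.

```python
"""Added example: SRV-based DC discovery checks around an sssd.conf AD domain."""
import configparser
import re
from typing import List, NamedTuple, Tuple


class SrvRecord(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str


# Constructed sample answer section; a real forest would list every DC.
SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
_ldap._tcp.company-dom.com. 600 IN SRV 0 100 389 dc1.company-dom.com.
_ldap._tcp.company-dom.com. 600 IN SRV 0 100 389 dc2.company-dom.com.
_ldap._tcp.company-dom.com. 600 IN SRV 10 50 389 dc3.company-dom.com.
_ldap._tcp.company-dom.com. 600 IN SRV 0 100 389 dc4.company-dom.com.
"""

# dig answer line layout: name TTL class SRV priority weight port target
SRV_LINE = re.compile(r"^\S+\s+\d+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")


def parse_srv_answer(text: str) -> List[SrvRecord]:
    """Extract SRV records from dig output, skipping comments and blank lines."""
    records = []
    for line in text.splitlines():
        m = SRV_LINE.match(line.strip())
        if m:
            prio, weight, port, target = m.groups()
            records.append(SrvRecord(int(prio), int(weight), int(port), target.rstrip(".")))
    return records


def order_by_preference(records: List[SrvRecord]) -> List[SrvRecord]:
    """RFC 2782 order: lowest priority first. Within one priority the RFC picks
    targets at random in proportion to weight; here we sort by weight descending,
    then by name, so the result is deterministic and testable."""
    return sorted(records, key=lambda r: (r.priority, -r.weight, r.target))


def expected_spns(records: List[SrvRecord], domain: str) -> List[str]:
    """Service principals a Kerberos LDAP client needs tickets for, one per DC.
    Assumption: realm == AD domain upper-cased (true for a default AD setup)."""
    realm = domain.upper()
    return [f"ldap/{r.target}@{realm}" for r in records]


def check_ad_discovery(conf_text: str, section: str) -> Tuple[str, List[str]]:
    """Classify how a [domain/...] section with id_provider = ad finds its DCs:
      'srv'              - no ad_server, or the _srv_ keyword: SRV discovery
      'explicit'         - a comma-separated list of DC host names
      'domain-as-server' - the AD domain name itself listed as a server,
                           the GSSAPI problem case described in the thread"""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    sec = cp[section]
    domain = sec.get("ad_domain", section.partition("/")[2] or section).lower()
    servers = [s.strip().lower() for s in sec.get("ad_server", "").split(",") if s.strip()]
    if not servers or servers == ["_srv_"]:
        return ("srv", [])
    if domain in servers:
        return ("domain-as-server", servers)
    return ("explicit", servers)


# Constructed sssd.conf fragments: SRV discovery vs. the domain name as ad_server.
CONF_SRV = """\
[domain/company-dom.com]
id_provider = ad
ad_domain = company-dom.com
"""

CONF_VIP = """\
[domain/corp]
id_provider = ad
ad_domain = company-dom.com
ad_server = company-dom.com
"""

if __name__ == "__main__":
    dcs = order_by_preference(parse_srv_answer(SAMPLE_DIG_OUTPUT))
    for rec, spn in zip(dcs, expected_spns(dcs, "company-dom.com")):
        print(f"{rec.target}:{rec.port} prio={rec.priority} weight={rec.weight} -> {spn}")
    print(check_ad_discovery(CONF_SRV, "domain/company-dom.com"))
    print(check_ad_discovery(CONF_VIP, "domain/corp"))
```

Run against the output of the real `dig` command instead of the sample to see which DC names SSSD will try, in which order; a `domain-as-server` verdict on a host's sssd.conf is the configuration that will fail GSSAPI binds once the VIP name does not match any DC's registered `ldap/` principal.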
On 5/19/2017 12:20 PM, Sumit Bose wrote:
Kool, thanks Sumit.