On 08/02/2012 08:53 AM, Pieter Baele wrote:
FWIW, if you use FreeIPA you will be able to join domains there and use DNS Dynamic Updates to update the DNS when some IP address changes, letting hosts mostly manage themselves.
Simo.
I tested FreeIPA thoroughly. The problem is we want the same domain on the Linux servers, and I want to use the AD Kerberos as authentication provider. But the FreeIPA client always resolves to the KDC of AD, which is causing a lot of trouble. The other issue is that the DNS is a separate appliance managed by another team.
So I went with OpenLDAP.
And on the client: LDAP as ID provider, Kerberos on AD as auth provider.
Just FYI, 3.0 is supposed to address this scenario in the following way:
- You make the AD your source of the DNS info.
- You add entries into AD DNS for the IPA servers so that they can resolve themselves.
- You install clients with the argument that tells the SSSD the names of the IPA servers and with the argument to not perform any DNS discovery.
For the authentication you can use AD trust feature or sync users from AD to IPA. I suspect that you already sync accounts to OpenLDAP in some way.
SSSD can be told not to resolve DNS and to use a fixed list of servers even now in 1.8. It is the ipa-client that always sticks the DNS resolution configuration into the SSSD config, but since you use a custom sssd configuration anyway you might very well just remove the _srv_ from the SSSD config using a simple script. This part will be fixed in 3.0, but you have a workaround to try using FreeIPA 2.2 and an adjusted SSSD config.
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users