On Sat, May 04, 2013 at 07:47:20AM +0000, Ondrej Valousek wrote:
> Wow! Thanks for implementing the features I was calling for a few months ago! It is really highly appreciated :)
This is very nice to hear. You can join the F19 test day this Thursday to experiment with the features: https://fedoraproject.org/wiki/Test_Day:2013-05-09_SSSD_Improvements_and_AD_...
> A few questions:
> - From the man page it is not clear which DNS zone is being used to start the site discovery. I suppose dns_discovery_domain has to be defined for this feature to work, right? Can the man page be a little bit more clear about this?
It should be dns_discovery_domain with a fallback to the domain part of the machine's host name. I opened: https://fedorahosted.org/sssd/ticket/1909
Maybe we could just point to the Service Discovery more loudly.
> - The concept of DNS sites definition seems very good to me. Does the pure IPA domain use something similar for large IPA domains, or do we have a different approach for this goal?
Yes, here is the design document for the IPA service discovery: http://www.freeipa.org/page/V3/DNS_Location_Mechanism
The SSSD already has support for the discovery, but there is no UI on the IPA side yet. You'd need to put the records into Bind's LDAP database manually.
> - It would probably not hurt to say in the man page that sssd is going to use GSS-TSIG signed DNS update packets, so there is no need to allow insecure updates on the MS-based DNS server.
I agree: https://fedorahosted.org/sssd/ticket/1910
> Side note: It is still not clear to me who is responsible for updating the DNS zone if the client is using DHCP. MS says in some cases it is the client itself, but in most cases the DHCP server is responsible for this task. I do not know.
The way I read some TechNet articles (for instance http://technet.microsoft.com/en-us/library/cc757041%28v=ws.10%29.aspx), it seemed that the server refreshes the address halfway into the lease and the clients refresh the record every 24 hours.
> - When (if) will this find its way into RHEL-6?
This is a good question for RHEL PM, but I don't think a RHEL6 backport is planned at the moment.
> Thanks, Ondrej