Hi list,
How do I completely disable SRV lookups? This functionality is corrupted in SSSD so I wanted to disable it completely by defining ad servers explicitly:
ad_server = myserver1, myserver2
ldap_uri = ldap://myserver1, ldap://myserver2
subdomains_provider = none
ldap_use_tokengroups = False
ad_domain = TEST.COM
However, in logs I can still see the SRV plugin in action trying to populate AD servers automatically. Is it possible somehow?
Many thanks,
Ondrej
-----
The information contained in this e-mail and in any attachments is confidential and is designated solely for the attention of the intended recipient(s). If you are not an intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s). Please direct any additional queries to: communications@s3group.com. Thank You. Silicon and Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office: South County Business Park, Leopardstown, Dublin 18.
On 19 November 2015 at 15:27, Ondrej Valousek Ondrej.Valousek@s3group.com wrote:
Hi list,
How do I completely disable SRV lookups? This functionality is corrupted in SSSD so I wanted to disable it completely by defining ad servers explicitly:
ad_server = myserver1, myserver2
ldap_uri = ldap://myserver1, ldap://myserver2
subdomains_provider = none
ldap_use_tokengroups = False
ad_domain = TEST.COM
From the sssd-ad man page:
ad_enable_dns_sites (boolean) Enables DNS sites - location based service discovery.
If true and service discovery (see Service Discovery paragraph at the bottom of the man page) is enabled, the SSSD will first attempt to discover the Active Directory server to connect to using the Active Directory Site Discovery and fall back to the DNS SRV records if no AD site is found. The DNS SRV configuration, including the discovery domain, is used during site discovery as well.
Default: true
John
My mention of the man page reminds me of some bugs in the SSSD man page included in RHEL/CentOS 6.7, 1.12.4-47...
Option sections look to be unclosed starting from "ad_gpo_access_control".
I'm not a speaker of ROFF, so can't suggest what is wrong. ;)
John
On Thu, Nov 19, 2015 at 03:27:46PM +0000, Ondrej Valousek wrote:
Hi list,
How do I completely disable SRV lookups? This functionality is corrupted in SSSD so I wanted to disable it completely by defining ad servers explicitly:
ad_server = myserver1, myserver2
ldap_uri = ldap://myserver1, ldap://myserver2
subdomains_provider = none
ldap_use_tokengroups = False
ad_domain = TEST.COM
If you use a separate ldap_provider and GSSAPI binds, try also hardcoding krb5_server.
However, in logs I can still see the SRV plugin in action trying to populate AD servers automatically. Is it possible somehow?
Many thanks,
Ondrej
Out of curiosity, what exactly is wrong with SRV lookups?
I did find some anomalies, like looking for SRV records in the correct _ldap._tcp.site.domain.com but still using servers from _ldap._tcp.domain.com ...
Andy
On 19 November 2015 at 17:02, Jakub Hrozek jhrozek@redhat.com wrote:
On Thu, Nov 19, 2015 at 03:27:46PM +0000, Ondrej Valousek wrote:
Hi list,
How do I completely disable SRV lookups? This functionality is corrupted in SSSD so I wanted to disable it completely by defining ad servers explicitly:
ad_server = myserver1, myserver2
ldap_uri = ldap://myserver1, ldap://myserver2
subdomains_provider = none
ldap_use_tokengroups = False
ad_domain = TEST.COM
If you use a separate ldap_provider and GSSAPI binds, try also hardcoding krb5_server.
However, in logs I can still see the SRV plugin in action trying to
populate AD servers automatically.
Is it possible somehow?
Many thanks,
Ondrej
Tl;Dr: If you have some ldap server behind a firewall or simply not responding, the current implementation of SRV lookups might make sssd go offline & fail. O.
From: Andy Airey [mailto:airey.andy@gmail.com]
Sent: 24 November 2015 13:17
To: End-user discussions about the System Security Services Daemon sssd-users@lists.fedorahosted.org
Subject: [SSSD-users]Re: How do I disable SRV lookup?
Out of curiosity, what exactly is wrong with SRV lookups? I did find some anomalies, like looking for SRV records in the correct _ldap._tcp.site.domain.com but still using servers from _ldap._tcp.domain.com ... Andy
On 19 November 2015 at 17:02, Jakub Hrozek <jhrozek@redhat.com> wrote:
On Thu, Nov 19, 2015 at 03:27:46PM +0000, Ondrej Valousek wrote:
Hi list,
How do I completely disable SRV lookups? This functionality is corrupted in SSSD so I wanted to disable it completely by defining ad servers explicitly:
ad_server = myserver1, myserver2
ldap_uri = ldap://myserver1, ldap://myserver2
subdomains_provider = none
ldap_use_tokengroups = False
ad_domain = TEST.COM
If you use a separate ldap_provider and GSSAPI binds, try also hardcoding krb5_server.
However, in logs I can still see the SRV plugin in action trying to populate AD servers automatically. Is it possible somehow?
Many thanks,
Ondrej
On Tue, Nov 24, 2015 at 01:17:18PM +0100, Andy Airey wrote:
Out of curiosity, what exactly is wrong with SRV lookups?
I did find some anomalies, like looking for SRV records in the correct _ldap._tcp.site.domain.com but still using servers from _ldap._ tcp.domain.com ...
This happens if one of the providers is set to something else than ad, right? (Typically sudo or autofs)
Yes, my sudo_provider and autofs_provider are set to ldap as you can see below.
Should I set it to ad? I use POSIX attributes for my users and groups and have the nisMap and sudo schemas published.
...
id_provider = ad
auth_provider = krb5
ldap_id_mapping = False
access_provider = ad
sudo_provider = ldap
autofs_provider = ldap
...
Kind Regards,
Andy
On 24 November 2015 at 14:41, Jakub Hrozek jhrozek@redhat.com wrote:
On Tue, Nov 24, 2015 at 01:17:18PM +0100, Andy Airey wrote:
Out of curiosity, what exactly is wrong with SRV lookups?
I did find some anomalies, like looking for SRV records in the correct _ldap._tcp.site.domain.com but still using servers from _ldap._ tcp.domain.com ...
This happens if one of the providers is set to something else than ad, right? (Typically sudo or autofs)
You can use ad for sudo_provider, but not for autofs - not yet :). BTW: the fix proposed earlier works indeed, specifying ldap_server explicitly disables SRV lookups. O.
________________________________
From: Andy Airey [airey.andy@gmail.com]
Sent: Tuesday, December 01, 2015 6:08 PM
To: End-user discussions about the System Security Services Daemon
Subject: [SSSD-users]Re: How do I disable SRV lookup?
Yes, my sudo_provider and autofs_provider are set to ldap as you can see below.
Should I set it to ad? I use POSIX attributes for my users and groups and have the nisMap and sudo schemas published.
...
id_provider = ad
auth_provider = krb5
ldap_id_mapping = False
access_provider = ad
sudo_provider = ldap
autofs_provider = ldap
...
Kind Regards,
Andy
On 24 November 2015 at 14:41, Jakub Hrozek <jhrozek@redhat.com> wrote:
On Tue, Nov 24, 2015 at 01:17:18PM +0100, Andy Airey wrote:
Out of curiosity, what exactly is wrong with SRV lookups?
I did find some anomalies, like looking for SRV records in the correct _ldap._tcp.site.domain.com but still using servers from _ldap._tcp.domain.com ...
This happens if one of the providers is set to something else than ad, right? (Typically sudo or autofs)
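A check for the advice in this thread (Jakub's hardcoding of ad_server, ldap_uri and krb5_server, and Andy's ldap sudo/autofs providers falling back to the domain-level SRV records), written as an added Python example that is not code from the thread or from the SSSD project: it parses an sssd.conf domain section and reports every backend in use whose server option is unset or still lists _srv_. The option names are the real sssd.conf ones quoted above; the two embedded configurations are constructed for the demonstration.

```python
"""Audit an sssd.conf domain section for providers that will still fall
back to DNS SRV discovery. Added example for this thread, not SSSD code:
the option names are the real sssd.conf ones discussed on the list, the
embedded configurations are constructed for the demonstration."""
import configparser

# Backend -> option that pins its servers (unset, or "_srv_", means SRV lookup)
PIN_OPTIONS = {"ad": "ad_server", "ldap": "ldap_uri", "krb5": "krb5_server"}
PROVIDER_KEYS = ("id_provider", "auth_provider", "chpass_provider",
                 "access_provider", "sudo_provider", "autofs_provider")


def srv_findings(conf_text, domain):
    """Return findings for [domain/<domain>]; an empty list means no SRV use."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    sec = cp["domain/" + domain]
    findings, checked = [], set()
    for key in PROVIDER_KEYS:
        backend = sec.get(key)
        pin = PIN_OPTIONS.get(backend)
        if pin is None or pin in checked:
            continue  # unset, "none", "proxy" etc. do no SRV discovery
        checked.add(pin)
        servers = sec.get(pin, "").strip()
        if not servers:
            findings.append("%s = %s but %s is unset: SRV discovery" % (key, backend, pin))
        elif "_srv_" in servers.lower():
            findings.append("%s lists _srv_: SRV discovery still enabled" % pin)
    return findings


# Constructed: the mix from the thread, ad for id/access, ldap for sudo/autofs
BEFORE = """
[domain/TEST.COM]
id_provider = ad
auth_provider = krb5
access_provider = ad
sudo_provider = ldap
autofs_provider = ldap
ad_server = myserver1, myserver2
"""

# Constructed: every backend in use has its servers pinned explicitly
AFTER = BEFORE + """ldap_uri = ldap://myserver1, ldap://myserver2
krb5_server = myserver1, myserver2
"""

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, srv_findings(text, "TEST.COM") or "no SRV discovery")
```

Running it reports the krb5 and ldap backends of the "before" section as still relying on SRV discovery, and nothing for the "after" section.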