
If ad_site is set, no other AD servers will be tried #5958

Open
opoplawski opened this issue Jan 18, 2022 · 4 comments
@opoplawski

We are setting ad_site:

[domain/nwra.com/ad.nwra.com]
ad_site = {{ ad_site }}

But if the discovered AD servers for that site are down, sssd will not try to contact any other site's AD servers.

sssd-2.5.2-2.el8_5.3

@opoplawski
Author

And unfortunately with the presence of /usr/lib64/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so this can break kinit as well if the ad server that it finds is down.

@opoplawski
Author

Perhaps a bit of a cleanup issue. I removed ad_site, but /var/lib/sss/pubconf/kdcinfo.AD.NWRA.COM was still present and contained the local site AD server. After removing that file it worked.
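A check for the stale-file case described in the comment above, added here as an example and not part of the issue or of sssd itself: it walks the per-realm kdcinfo files that the krb5 locator plugin reads and flags any whose KDC does not answer on the Kerberos TCP port. It assumes the file format is one address or address:port per line (default port 88); PUBCONF_DIR and the function names are made up for this example.

```shell
#!/usr/bin/env bash
# Audit sssd's kdcinfo.<REALM> files (read by sssd_krb5_locator_plugin.so)
# and report entries whose KDC is not reachable, so a stale file such as
# the one in the report is noticed before kinit is pointed at a dead DC.
# Assumed format: one "address" or "address:port" per line, default port 88.
PUBCONF_DIR="${PUBCONF_DIR:-/var/lib/sss/pubconf}"

# parse_kdcinfo_line LINE -> prints "host port"
parse_kdcinfo_line() {
    local line="$1" host port
    case "$line" in
        \[*\]:*)  host="${line%%]*}"; host="${host#[}"; port="${line##*]:}" ;;  # [v6]:port
        \[*\])    host="${line#[}"; host="${host%]}"; port=88 ;;                # [v6]
        *:*:*)    host="$line"; port=88 ;;                                      # bare v6
        *:*)      host="${line%:*}"; port="${line##*:}" ;;                      # v4/name:port
        *)        host="$line"; port=88 ;;                                      # v4/name
    esac
    printf '%s %s\n' "$host" "$port"
}

# kdc_reachable HOST PORT -> 0 if a TCP connection succeeds within 3 seconds
kdc_reachable() {
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# audit_kdcinfo [DIR] -> prints "REALM host port OK|STALE" per entry,
# returns 1 if at least one entry is STALE (nothing listening on the port)
audit_kdcinfo() {
    local dir="${1:-$PUBCONF_DIR}" rc=0 f realm line host port
    for f in "$dir"/kdcinfo.*; do
        [ -e "$f" ] || continue
        realm="${f##*/kdcinfo.}"
        while IFS= read -r line || [ -n "$line" ]; do
            [ -z "$line" ] && continue
            set -- $(parse_kdcinfo_line "$line"); host=$1; port=$2
            if kdc_reachable "$host" "$port"; then
                printf '%s %s %s OK\n' "$realm" "$host" "$port"
            else
                printf '%s %s %s STALE\n' "$realm" "$host" "$port"; rc=1
            fi
        done < "$f"
    done
    return $rc
}
```

Run `audit_kdcinfo` on a host to list each realm's cached KDC; a STALE line is the cue to remove that kdcinfo file (or restart sssd so it is rewritten), as the reporter did by hand.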

@opoplawski
Author

Related - it appears that with the IPA provider, sssd will not perform AD site discovery to locate the closest AD servers as it does with the AD provider. If that is really the case, why not?

@sumit-bose
Contributor

Related - it appears that with the IPA provider, sssd will not perform AD site discovery to locate the closest AD servers as it does with the AD provider. If that is really the case, why not?

Hi,

afaik site discovery does not work across forest boundaries. To my knowledge AD DCs determine the site based on IP addresses given out by the DCs via DHCP, so only the DC of the domain you are joined to can return the site reliably. There is the concept of NextClosestSiteName (see MS-ADTS 6.3.3.2 https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/3d71aefb-787e-4d14-9a8a-a70def9e1f6c) but I'm not sure if this would give more reliable results. Based on this we decided that it might be better to set the site explicitly in sssd.conf.

Please let me know if you are aware of additional documentation which covers sites across forest boundaries.

HTH

bye,
Sumit
