SSSD DNS Improvements in AD Environment

Similar documents

Integrating Linux systems with Active Directory

Configuration Notes 0215

AD Integration options for Linux Systems

DNS: How it works. DNS: How it works (more or less ) DNS: How it Works. Technical Seminars Spring Paul Semple psemple@rm.

How to configure WFS (Windows File Sharing ) Acceleration on SonicWALL WAN Acceleration Appliances

Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure: Network Services (5 days)

SSSD Active Directory Improvements

Intel Entry Storage System SS4200-E Active Directory Implementation and Troubleshooting

MCSA Objectives. Exam : TS:Exchange Server 2007, Configuring

Red Hat Identity Management

Implementing, Managing and Maintaining a Microsoft Windows Server 2003 Network Infrastructure: Network Services Course No.

Microsoft Windows Server 2008 Active Directory, Configuring

This presentation explains how to integrate Microsoft Active Directory to enable LDAP authentication in the IBM InfoSphere Master Data Management

Configuring Sponsor Authentication

Active Directory network protocols and traffic

Creating the Conceptual Design by Gathering and Analyzing Business and Technical Requirements

NetIQ Advanced Authentication Framework - MacOS Client

How to Add Domains and DNS Records

NETASQ SSO Agent Installation and deployment

FreeIPA 3.3 Trust features

MCSE Core exams (Networking) One Client OS Exam. Core Exams (6 Exams Required)

SSSD AD Provider: Access Control

Installation of MicroSoft Active Directory

MCSE Objectives. Exam : TS:Exchange Server 2007, Configuring

Configuring the Cisco ISA500 for Active Directory/LDAP and RADIUS Authentication

How to speed up IDENTIKEY DNS lookup of the Windows Logon DAWL client on Windows 7?

SSSD. Client side identity management. LinuxAlt 2012 Jakub Hrozek 3. listopadu 2012

Configuring and Using the TMM with LDAP / Active Directory

This chapter describes how to set up and manage VPN service in Mac OS X Server.

Implementing Domain Name Service (DNS)

Introduction. Versions Used Windows Server 2003

5 Configuring a DNS Infrastructure

System Security Services Daemon

Polycom RealPresence Resource Manager System Getting Started Guide

Identity Management: The authentic & authoritative guide for the modern enterprise

Configuring Windows Server 2008 Network Infrastructure

Information Security Practice II. Installation and set-up of Web Server and FTP accounts

In the Active Directory Domain Services Window, click Active Directory Domain Services.

Red Hat Enterprise Identity (IPA) Centralized Management of Identities & Authentication

How to build an Identity Management System on Linux. Simo Sorce Principal Software Engineer Red Hat, Inc.

Dell Compellent Storage Center

Active Directory integration with CloudByte ElastiStor

Field Description Example. IP address of your DNS server. It is used to resolve fully qualified domain names

How To Manage Ip Address Management In Windows Server 2012 (Gipam)

Designing and Implementing a Server Infrastructure MOC 20413

ISA 2006 Array Step by step configuration guide

DNS SRV Usage June 22, 2011

Lesson Plans Managing a Windows 2003 Network Infrastructure

Planning and Maintaining a Microsoft Windows Server Network Infrastructure

Cisco TelePresence Authenticating Cisco VCS Accounts Using LDAP

Lab Diagramming Intranet Traffic Flows

Installing and Setting up Microsoft DNS Server

Connection Broker The Leader in Managing Hosted Desktop Infrastructures and Virtual Desktop Infrastructures (HDI and VDI) DNS Setup Guide

Understanding Windows Server 2003 Networking p. 1 The OSI Model p. 2 Protocol Stacks p. 4 Communication between Stacks p. 13 Microsoft's Network

Module 6: Managing and Monitoring Domain Name System

Lab Diagramming External Traffic Flows

Module 2. Configuring and Troubleshooting DNS. Contents:

Preliminary Course Syllabus

Best Practices: Integrating Mac OS X with Active Directory. Technical White Paper April 2009

Networking Domain Name System

Configuring User Identification via Active Directory

SKV PROPOSAL TO CLT FOR ACTIVE DIRECTORY AND DNS IMPLEMENTATION

המרכז ללימודי חוץ המכללה האקדמית ספיר. ד.נ חוף אשקלון טל' פקס בשיתוף עם מכללת הנגב ע"ש ספיר

R4: Configuring Windows Server 2008 Network Infrastructure

PasserellesNumeriquesCambodia (PNC)

Handling POSIX attributes for trusted Active Directory users and groups in FreeIPA

Using Bonjour Across Subnets

MCSA Security + Certification Program

Using DC Agent for Transparent User Identification

Device Log Export ENGLISH

Interoperability Update: Red Hat Enterprise Linux 7 beta and Microsoft Windows

Collax Active Directory

Designing and Implementing a Server Infrastructure

CHAPTER ANSWERS IMPLEMENTING, MANAGING, AND MAINTAINING A MICROSOFT WINDOWS SERVER 2003 NETWORK INFRASTRUCTURE

Active Directory Restoration

Security Provider Integration Kerberos Server

SSSD and OpenSSH Integration

Setting Up a Backup Domain Controller

F-SECURE MESSAGING SECURITY GATEWAY

Chapter 3 Authenticating Users

1 Introduction. Ubuntu Linux Server & Client and Active Directory. Page 1 of 14

Active Directory LDAP

Quick Start Guide. Sendio System Protection Appliance. Sendio 5.0

Appendix D: Configuring Firewalls and Network Address Translation

1 Basic Configuration of Cisco 2600 Router. Basic Configuration Cisco 2600 Router

MS 20413A: Designing and Implementing a Server Infrastructure

How to Configure an Initial Installation of the VMware ESXi Hypervisor

Designing and Implementing a Server Infrastructure

DNS. Computer networks - Administration 1DV202. fredag 30 mars 12

Advancements in Linux Authentication and Authorisation using SSSD

Colubris TechNote. Testing and Troubleshooting Active- Directory. Revision 1.3 Mar Author: Dave Leger

Networking Domain Name System

Copyright International Business Machines Corporation All rights reserved. US Government Users Restricted Rights Use, duplication or disclosure

Planning Domain Controller Capacity

CAC AND KERBEROS FROM VISION TO REALITY

Transcription:

FreeIPA 3.3 Training Series SSSD DNS Improvements in AD Environment Lukáš Slebodník 2014-March-12

Content Preconditions and assumed setup Dynamic DNS updates DNS site discovery Troubleshooting 2 FreeIPA 3.3 Training Series

Preconditions and assumed setup features are implemented in sssd 1.11 covers only sssd configuration. expects configured Active Directory with DNS server sssd must be joined to Active Directory. The easiest way is to use realmd id_provider = ad must be used in configuration 3 FreeIPA 3.3 Training Series

Dynamic DNS updates FreeIPA 3.3 Training Series

Dynamic DNS updates content DNS aging and scavenging Client DNS updates DNS updates in SSSD Configuration in SSSD 5 FreeIPA 3.3 Training Series

Dynamic DNS updates Situation: Problem: Solution: clients frequently move or change locations DHCP to obtain an IP address to reduce the need for manual administration of zone records RFC 2136 "Dynamic Updates in the Domain Name System." 6 FreeIPA 3.3 Training Series

DNS aging and scavenging mechanism for performing cleanup and removal of stale resource records, which accumulate in zone data over time. is disabled by default on AD Server http://technet.microsoft.com/en-us/library/cc759204(v=ws.10).aspx 7 FreeIPA 3.3 Training Series

Client DNS updates SSSD: simulates the behavior of Windows AD clients keeps the address record from being removed using periodical updates updates the DNS record if IP address is changed authenticates to the DNS with gss-tsig 8 FreeIPA 3.3 Training Series

DNS updates in SSSD Dynamic DNS update is performed when: the sssd back end becomes on-line cover the case when computer is restarted used for roaming users periodically used to prevent scavenging 9 FreeIPA 3.3 Training Series

Configuration in SSSD 1/2 Options in domain section and default values in AD provider dyndns_update enables automatic DNS updates in Active Directory DNS server with IP address of sssd client. enabled by default dyndns_ttl TTL to apply to the client DNS record when updating it default is 3600 seconds (1 hour) dyndns_iface network interface whose IP will be used for dynamic DNS update automatically detected 10 FreeIPA 3.3 Training Series

Configuration in SSSD 2/2 dyndns_refresh_interval time between two periodical updates default is 86400 (24 hours) dyndns_update_ptr whether PTR records should be updated for the client enabled by default dyndns_force_tcp whether TCP protocol should be used for comunication with the DNS server. disabled by default (nsupdate will choose the protocol itself) 11 FreeIPA 3.3 Training Series

DNS site discovery FreeIPA 3.3 Training Series

DNS site discovery content Terminology Clients DNS site discovery in SSSD Configuration in SSSD 13 FreeIPA 3.3 Training Series

DNS site discovery Situation: Large enterprise environment has more than one domain controller. Some of them are used for redundancy, others for different administrative domains. Environments with multiple physical locations have at least one local domain controller. Problem: Solution: reduce latency decrease network load find the local or the nearest domain controller 14 FreeIPA 3.3 Training Series

Terminology Sites: represent the physical structure or topology of network can be seen as physical location with unique name Domains: represent the logical or administrative structure of organization Sites and domains are two independent abstractions. http://technet.microsoft.com/en-us/library/cc782048%28v=ws.10%29.aspx 15 FreeIPA 3.3 Training Series

Clients can change physical location (roaming users) have to find out which site they belong to must be done dynamically try to find the needed services (LDAP, kerberos) in the local site fall back into the whole domain 16 FreeIPA 3.3 Training Series

DNS site discovery in SSSD 1) DNS lookup to find any DC in domain _ldap._tcp.<dnsdomain> 2) CLDAP ping to the found DC to get the desirable site 3) DNS lookup to find SRV in the site _<service>._<protocol>.<sitename>._sites.<dnsdomain> 4) DNS lookup to find global SRV records _<service>._<protocol>.<dnsdomain> 17 FreeIPA 3.3 Training Series

Configuration in SSSD Option in domain section ad_enable_dns_sites whether DNS site discovery should be used with Active Directory enabled by default 18 FreeIPA 3.3 Training Series

Troubleshooting check opened connection of SSSD lsof -itcp -a -c sssd_be enable verbose logging in the domain section and analyze log file analyze DNS network traffic tcpdump wireshark 19 FreeIPA 3.3 Training Series