Univention Bugzilla – Bug 33671
Define "sites" in UCS / use "sites" in services
Last modified: 2020-07-03 20:43:07 CEST
In larger environments there are limitations in our failover/configuration possibilities. I.e., in a larger UCS@school infrastructure, per default a central service (like Nagios web interface) uses PAM/Kerberos for authentication. Kerberos is configured to look up the KDCs from DNS service records. Those service records contain all School DCs, which are often blocked in firewalls. Authentication against central services then "sometimes" doesn't work, depending on the random order of the service record. Furthermore, defining load balancing and failover for LDAP or KDC servers is complicated (one per individual Policies) or impossible (I didn't find a way to define more than one KDC per UCR). It would be nice to adopt the site concept for LDAP and authentication services.
> Those service records contain all School DCs

Really? AFAIK this should not be the case, see Bug 27395, UCS Variable dns/register/srv_records/kerberos
(In reply to Arvid Requate from comment #1)
> > Those service records contain all School DCs
>
> Really? AFAIK this should not be the case, see Bug 27395, UCS Variable
> dns/register/srv_records/kerberos

The scenario is not (or not yet) Samba4-based. But the same would always be true if one has several DCs behind WAN with UCS default (without UCS@school).
This issue has been filed against UCS 3. UCS 3 is out of the normal maintenance and many UCS components have vastly changed in UCS 4. If this issue is still valid, please change the version to a newer UCS version; otherwise this issue will be automatically closed in the next weeks.
There is a Customer ID set so I set the flag "Enterprise Customer affected".
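
The "sometimes" failure in the bug description can be reproduced with a small model. This is an added example, not part of the bug report or UCS code: it orders KDC SRV records the way RFC 2782 describes and compares that with a site-filtered candidate list. Host names, the `site` label and the firewall rule are constructed assumptions.

```python
import random
from collections import namedtuple

# Constructed sample data: host names and site labels are hypothetical.
Srv = namedtuple("Srv", "priority weight target site")
RECORDS = [
    Srv(0, 100, "dc-central.example.test", "central"),
    Srv(0, 100, "dc-school1.example.test", "school1"),
    Srv(0, 100, "dc-school2.example.test", "school2"),
    Srv(0, 100, "dc-school3.example.test", "school3"),
    Srv(0, 100, "dc-school4.example.test", "school4"),
]
# Assumption: from the central server, the firewall only lets the central DC through.
REACHABLE = {"dc-central.example.test"}


def order_srv(records, rng):
    """Order SRV records as in RFC 2782: lowest priority value first,
    weighted random selection inside each priority group."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = sorted((r for r in records if r.priority == prio),
                       key=lambda r: r.weight)
        while group:
            pick = rng.randint(0, sum(r.weight for r in group))
            running = 0
            for i, rec in enumerate(group):
                running += rec.weight
                if running >= pick:
                    ordered.append(group.pop(i))
                    break
    return ordered


def first_try_blocked_rate(records, reachable, trials=2000, seed=1):
    """Fraction of lookups whose first-choice KDC is unreachable."""
    rng = random.Random(seed)
    blocked = sum(order_srv(records, rng)[0].target not in reachable
                  for _ in range(trials))
    return blocked / trials


def site_candidates(records, site):
    """Site-aware selection: keep only servers of the client's site and
    fall back to the full list when the site has no server."""
    local = [r for r in records if r.site == site]
    return local or list(records)
```

With one reachable KDC out of five equally weighted records, roughly four out of five lookups pick a blocked server first, so the client depends on timeouts and retries; restricting the candidates to the client's site removes that dependency.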