OK, on that page, you talk about several timeouts. How do I configure the timeout for the LDAP ping to a single AD controller and the overall timeout?
It is not clear from the page nor from the sssd-ldap manual entry.
Thanks,
Ondrej

-----Original Message-----
From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Lukas Slebodnik
Sent: 30 June 2015 17:11
To: End-user discussions about the System Security Services Daemon
Subject: Re: [SSSD-users] AD site recognition with sssd version 1.11.5
On (30/06/15 14:19), Ondrej Valousek wrote:
Hi List,
I am just trying to run sssd on Ubuntu 14.04 and it seems to be unable to detect the proper AD site it belongs to. The thing is, that in order to detect the proper site, it needs to connect to some (random) AD controller first. In our scenario, the box is only allowed to connect to the controller that belongs to the current AD site. Everything else is blocked by the firewall.
Just for the record, Ubuntu 14.04 contains 1.11.5-1ubuntu3.
You can find the design page for Active Directory's DNS sites here: https://fedorahosted.org/sssd/wiki/DesignDocs/ActiveDirectoryDNSSites
I hope it will help you understand how it should work, and if there is a bug then you can file a ticket with more info.
BTW this feature was implemented as part of sssd-1.10
So what happens is:
Sssd starts
DNS SRV lookup for the dns domain discovers 15 domain controllers
SSSD randomly tries (a couple of them) to connect to them, one by one
If we are unlucky, none of the first 1-2 controllers found belongs to the current site
SSSD bails out with timeout, marking the whole AD backend offline
The solution would probably be to connect to all of them at once or extend the timeout after each attempt. What do you think?
Ondrej
LS
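
The difference between the one-by-one behaviour described in the quoted message and the proposed "connect to all of them at once" can be checked with a small reachability probe. This is an added example, not SSSD code and not part of the original thread; it uses a plain TCP connect as a stand-in for the LDAP ping, and the function names, the attempt limit of 2 and the 1-second timeout are assumptions.

```python
import asyncio
import socket

async def _try_connect(host, port, timeout):
    """Return (host, port) if a TCP connect succeeds within timeout, else None."""
    try:
        _, writer = await asyncio.wait_for(asyncio.open_connection(host, port), timeout)
    except (OSError, asyncio.TimeoutError):
        return None
    writer.close()
    return (host, port)

async def probe_sequential(candidates, max_attempts, timeout):
    """Try only the first max_attempts candidates, one by one, then give up."""
    for host, port in candidates[:max_attempts]:
        hit = await _try_connect(host, port, timeout)
        if hit:
            return hit
    return None  # the point where the caller would go offline

async def probe_parallel(candidates, timeout):
    """Contact every candidate at once and return the first that answers."""
    tasks = [asyncio.create_task(_try_connect(h, p, timeout)) for h, p in candidates]
    try:
        for next_done in asyncio.as_completed(tasks):
            hit = await next_done
            if hit:
                return hit
        return None
    finally:
        for task in tasks:
            task.cancel()

def demo():
    """Constructed scenario: two unreachable controllers listed before a reachable one."""
    srv = socket.create_server(("127.0.0.1", 0))  # stand-in for the in-site controller
    def closed_port():  # bound then closed: connects are refused (stand-in for blocked)
        with socket.socket() as s:
            s.bind(("127.0.0.1", 0))
            return s.getsockname()[1]
    dcs = [("127.0.0.1", closed_port()), ("127.0.0.1", closed_port()), srv.getsockname()]
    async def run():
        return (await probe_sequential(dcs, 2, 1.0), await probe_parallel(dcs, 1.0))
    try:
        return asyncio.run(run()) + (dcs[-1],)
    finally:
        srv.close()

if __name__ == "__main__":
    print(demo())
```

With a real firewall the blocked controllers would time out rather than refuse, so the sequential path also costs one full timeout per failed attempt.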