On Tue, Oct 25, 2016 at 11:39:33AM +0000, Joakim Tjernlund wrote:
On Mon, 2016-08-29 at 09:52 +0200, Sumit Bose wrote:
On Mon, Aug 29, 2016 at 07:20:33AM +0000, Joakim Tjernlund wrote:
On Mon, 2016-08-29 at 06:55 +0000, Ondrej Valousek wrote:
Looks like adcli was unable to detect your site - you found a bug in adcli. O.
# > adcli info infinera.com
[domain]
domain-name = infinera.com
domain-short = INFINERA
domain-forest = infinera.com
domain-controller = se-dc01.infinera.com
domain-controller-site = Sweden
domain-controller-flags = gc ldap ds kdc timeserv writable full-secret ads-web
domain-controller-usable = maybe
domain-controllers = se-dc01.infinera.com SV-DC01.infinera.com pa-dc02.infinera.com md-dc02.infinera.com in-dc01.infinera.com in-dc02.infinera.com se-dc02.infinera.com ch-dc02.infinera.com sv-dc04.infinera.com pa-dc01.infinera.com md-dc01.infinera.com sv-dc02.infinera.com sv-dc03.infinera.com uk-dc01.infinera.com
[computer]
computer-site =

So it seems computer-site above is empty, and domain-controller-usable = maybe looks odd too. I think it could be caused by our DNS server, but I don't know what to look for.
The site discovery is not related to DNS. adcli (and btw SSSD as well) run an LDAP search like:
ldapsearch -H cldap://se-dc01.infinera.com -b '' -s base "(&(DnsDomain=infinera.com)(NtVer=\06\00\00\00))" NetLogon
The result is a base64 encoded blob which contains various data about the domain. This data might include the site of the client but it might be empty if the AD server cannot determine to which site the client belongs. Please note that the only information the AD server gets from the client is the IP address.
But I agree with Ondrej that this should be fixed in adcli. If the client site is not available or empty a site aware DNS lookup should not be tried.
Nevertheless I would like to ask you to send me the base64 output of the ldapsearch command from above so that I can check if e.g. the blob is in a format adcli currently does not expect.
bye, Sumit
This is still odd (patch from https://bugs.freedesktop.org/show_bug.cgi?id=98143 added):

#> adcli info -v infinera.com
 * Discovering domain controllers: _ldap._tcp.infinera.com
 * Sending netlogon pings to domain controller: cldap://10.210.34.21
 * Sending netlogon pings to domain controller: cldap://10.220.32.14
 * Sending netlogon pings to domain controller: cldap://10.120.2.22
 * Sending netlogon pings to domain controller: cldap://10.120.2.21
 * Sending netlogon pings to domain controller: cldap://10.100.98.21
 * Received NetLogon info from: se-dc01.infinera.com
 * Received NetLogon info from: SV-DC01.infinera.com
[domain]
domain-name = infinera.com
domain-short = INFINERA
domain-forest = infinera.com
domain-controller = SV-DC01.infinera.com
domain-controller-site = Sunnyvale
domain-controller-flags = gc ldap ds kdc timeserv closest writable full-secret ads-web
domain-controller-usable = yes
domain-controllers = SV-DC01.infinera.com se-dc01.infinera.com ch-dc02.infinera.com md-dc02.infinera.com md-dc01.infinera.com sv-dc04.infinera.com pa-dc01.infinera.com in-dc01.infinera.com sv-dc02.infinera.com uk-dc01.infinera.com in-dc02.infinera.com pa-dc02.infinera.com se-dc02.infinera.com sv-dc03.infinera.com
[computer]
computer-site = Sunnyvale
It still answers with Sunnyvale even though se-dc01 answers first. LDAP search returns:
ldapsearch -LLL -o ldif-wrap=no -H cldap://se-dc01.infinera.com -b '' -s base "(&(DnsDomain=infinera.com)(NtVer=\06\00\00\00))" NetLogon
dn:
netlogon:: FwAAAHwxAACMaRc/i2sHQZC6zHfuHI3SCGluZmluZXJhA2NvbQDAGAdzZS1kYzAxwBgISU5GSU5FUkEAB1NFLURDMDEAAAZTd2VkZW4ACVN1bm55dmFsZQAFAAAA/////w==
I'm not sure what you think might be wrong here? The client site name should not change even if a server from a different site is queried. So even if the server is in the site Sweden the client is still in Sunnyvale.
bye, Sumit
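As an added illustration (not code from the thread, adcli or SSSD), here is a small Python decoder for the netlogon:: blob Joakim posted. It assumes the NETLOGON_SAM_LOGON_RESPONSE_EX layout from MS-ADTS (opcode, flags, DomainGuid, then a sequence of RFC 1035 compressed names) and shows that DcSiteName (Sweden) and ClientSiteName (Sunnyvale) are separate fields, which is why the client site does not change with the DC that answers.

```python
import base64
import struct

# The netlogon:: value se-dc01.infinera.com returned in the thread above
NETLOGON_B64 = ("FwAAAHwxAACMaRc/i2sHQZC6zHfuHI3SCGluZmluZXJhA2NvbQDAGAdzZS1kYzAx"
                "wBgISU5GSU5FUkEAB1NFLURDMDEAAAZTd2VkZW4ACVN1bm55dmFsZQAFAAAA/////w==")

# DS_* flag bits (MS-ADTS 6.3.1.2) that adcli prints under these names
FLAG_NAMES = [(0x4, "gc"), (0x8, "ldap"), (0x10, "ds"), (0x20, "kdc"),
              (0x40, "timeserv"), (0x80, "closest"), (0x100, "writable"),
              (0x1000, "full-secret"), (0x2000, "ads-web")]


def read_name(blob, pos):
    """Read one RFC 1035 compressed name and return (name, next_pos).
    A length byte with the top two bits set is a pointer to an earlier
    offset, so the DC writes 'infinera.com' once and refers back to it."""
    labels = []
    end = None  # where the caller's stream continues after a pointer
    while True:
        length = blob[pos]
        if length & 0xC0 == 0xC0:
            if end is None:
                end = pos + 2
            pos = ((length & 0x3F) << 8) | blob[pos + 1]
            continue
        pos += 1
        if length == 0:
            break
        labels.append(blob[pos:pos + length].decode("utf-8"))
        pos += length
    return ".".join(labels), (end if end is not None else pos)


def parse_netlogon_ex(b64):
    """Decode a NETLOGON_SAM_LOGON_RESPONSE_EX (opcode 0x17) into a dict."""
    blob = base64.b64decode(b64)
    opcode, flags = struct.unpack_from("<HxxI", blob, 0)  # Opcode, Sbz, Flags
    if opcode != 0x17:
        raise ValueError("unexpected opcode 0x%x" % opcode)
    out = {"flags": [name for bit, name in FLAG_NAMES if flags & bit]}
    pos = 24  # skip the 16-byte DomainGuid that follows the flags
    for key in ("forest", "domain", "dc_host", "netbios_domain",
                "netbios_dc", "user", "dc_site", "client_site"):
        out[key], pos = read_name(blob, pos)
    return out
```

adcli's computer-site is the client_site field; when a DC cannot map the client's IP to a site that field is an empty name, which is the case the thread says adcli should handle by skipping the site-aware DNS lookup.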
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org