On Tue, 2016-10-25 at 13:40 +0200, Joakim Tjernlund wrote:
On Mon, 2016-08-29 at 09:52 +0200, Sumit Bose wrote:
On Mon, Aug 29, 2016 at 07:20:33AM +0000, Joakim Tjernlund wrote:
On Mon, 2016-08-29 at 06:55 +0000, Ondrej Valousek wrote:
Looks like adcli was unable to detect your site - you found a bug in adcli. O.
# > adcli info infinera.com
[domain]
domain-name = infinera.com
domain-short = INFINERA
domain-forest = infinera.com
domain-controller = se-dc01.infinera.com
domain-controller-site = Sweden
domain-controller-flags = gc ldap ds kdc timeserv writable full-secret ads-web
domain-controller-usable = maybe
domain-controllers = se-dc01.infinera.com SV-DC01.infinera.com pa-dc02.infinera.com md-dc02.infinera.com in-dc01.infinera.com in-dc02.infinera.com se-dc02.infinera.com ch-dc02.infinera.com sv-dc04.infinera.com pa-dc01.infinera.com md-dc01.infinera.com sv-dc02.infinera.com sv-dc03.infinera.com uk-dc01.infinera.com
[computer]
computer-site =

So it seems computer-site above is empty and domain-controller-usable = maybe looks odd too. I think it could be caused by our DNS server but I don't know what to look for.
The site discovery is not related to DNS. adcli (and btw SSSD as well) run an LDAP search like:
ldapsearch -H cldap://se-dc01.infinera.com -b '' -s base "(&(DnsDomain=infinera.com)(NtVer=\06\00\00\00))" NetLogon
The result is a base64 encoded blob which contains various data about the domain. This data might include the site of the client but it might be empty if the AD server cannot determine to which site the client belongs. Please note that the only information the AD server gets from the client is the IP address.
But I agree with Ondrej that this should be fixed in adcli. If the client site is not available or empty, a site-aware DNS lookup should not be tried.
Nevertheless I would like to ask you to send me the base64 output of the ldapsearch command from above so that I can check if e.g. the blob is in a format adcli currently does not expect.
bye, Sumit
This is still odd (patch from https://bugs.freedesktop.org/show_bug.cgi?id=98143 added):

#> adcli info -v infinera.com
 * Discovering domain controllers: _ldap._tcp.infinera.com
 * Sending netlogon pings to domain controller: cldap://10.210.34.21
 * Sending netlogon pings to domain controller: cldap://10.220.32.14
 * Sending netlogon pings to domain controller: cldap://10.120.2.22
 * Sending netlogon pings to domain controller: cldap://10.120.2.21
 * Sending netlogon pings to domain controller: cldap://10.100.98.21
 * Received NetLogon info from: se-dc01.infinera.com
 * Received NetLogon info from: SV-DC01.infinera.com
[domain]
domain-name = infinera.com
domain-short = INFINERA
domain-forest = infinera.com
domain-controller = SV-DC01.infinera.com
domain-controller-site = Sunnyvale
domain-controller-flags = gc ldap ds kdc timeserv closest writable full-secret ads-web
domain-controller-usable = yes
domain-controllers = SV-DC01.infinera.com se-dc01.infinera.com ch-dc02.infinera.com md-dc02.infinera.com md-dc01.infinera.com sv-dc04.infinera.com pa-dc01.infinera.com in-dc01.infinera.com sv-dc02.infinera.com uk-dc01.infinera.com in-dc02.infinera.com pa-dc02.infinera.com se-dc02.infinera.com sv-dc03.infinera.com
[computer]
computer-site = Sunnyvale

It still answers with Sunnyvale even though se-dc01 answers first. LDAP search returns:

ldapsearch -LLL -o ldif-wrap=no -H cldap://se-dc01.infinera.com -b '' -s base "(&(DnsDomain=infinera.com)(NtVer=\06\00\00\00))" NetLogon
dn:
netlogon:: FwAAAHwxAACMaRc/i2sHQZC6zHfuHI3SCGluZmluZXJhA2NvbQDAGAdzZS1kYzAxwBgISU5GSU5FUkEAB1NFLURDMDEAAAZTd2VkZW4ACVN1bm55dmFsZQAFAAAA/////w==
Here is why it can fail completely on occasion:

/* Number of servers to do discovery against */
#define DISCO_COUNT 5

and

# > dig @10.210.34.21 _ldap._tcp.infinera.com -t SRV

; <<>> DiG 9.10.4-P3 <<>> @10.210.34.21 _ldap._tcp.infinera.com -t SRV
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32629
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 15

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;_ldap._tcp.infinera.com.	IN	SRV

;; ANSWER SECTION:
_ldap._tcp.infinera.com. 600 IN SRV 0 100 389 sv-dc01.infinera.com.
_ldap._tcp.infinera.com. 600 IN SRV 0 100 389 in-dc02.infinera.com.
_ldap._tcp.infinera.com. 600 IN SRV 0 100 389 pa-dc01.infinera.com.
_ldap._tcp.infinera.com. 600 IN SRV 0 100 389 ch-dc02.infinera.com.
_ldap._tcp.infinera.com. 600 IN SRV 0 100 389 in-dc01.infinera.com.
_ldap._tcp.infinera.com. 600 IN SRV 0 100 389 md-dc02.infinera.com.
_ldap._tcp.infinera.com. 600 IN SRV 0 100 389 se-dc01.infinera.com.
_ldap._tcp.infinera.com. 600 IN SRV 0 100 389 sv-dc03.infinera.com.
_ldap._tcp.infinera.com. 600 IN SRV 0 100 389 md-dc01.infinera.com.
_ldap._tcp.infinera.com. 600 IN SRV 0 100 389 se-dc02.infinera.com.
_ldap._tcp.infinera.com. 600 IN SRV 0 100 389 sv-dc04.infinera.com.
_ldap._tcp.infinera.com. 600 IN SRV 0 100 389 uk-dc01.infinera.com.
_ldap._tcp.infinera.com. 600 IN SRV 0 100 389 pa-dc02.infinera.com.
_ldap._tcp.infinera.com. 600 IN SRV 0 100 389 sv-dc02.infinera.com.
....
So there are lots of servers but only the first 5 will be queried and most of them will not answer our requests. Should local DNS be configured differently?
Still don't get how site should be detected.
Jocke
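For anyone who wants to check offline what the netlogon ping in Sumit's message actually returned, here is a small decoder for the base64 value Joakim pasted for se-dc01. This is an added example, not code from adcli or SSSD. It parses the NETLOGON_SAM_LOGON_RESPONSE_EX layout from MS-ADTS (opcode 23: opcode, flags, domain GUID, then DNS-compressed strings for forest, domain, DC host, NetBIOS domain and host, user, DC site and client site, then NtVersion and the two tokens). The dictionary keys are my own names; the flag names are the ones adcli prints in the thread, with my own spellings for bits that do not appear there.

```python
import base64
import struct
import uuid

# The netlogon attribute value pasted in the thread for se-dc01 (copied here with
# the line-wrap whitespace removed; the blob itself is the one from the thread).
SAMPLE_NETLOGON_B64 = (
    "FwAAAHwxAACMaRc/i2sHQZC6zHfuHI3SCGluZmluZXJhA2NvbQDAGAdzZS1kYzAxwBgI"
    "SU5GSU5FUkEAB1NFLURDMDEAAAZTd2VkZW4ACVN1bm55dmFsZQAFAAAA/////w=="
)

LOGON_SAM_LOGON_RESPONSE_EX = 23  # opcode of the NtVer=6 style response

# DS_FLAG_* bits from MS-ADTS 6.3.1.2. Names that appear in the thread are the
# ones adcli prints as domain-controller-flags; the rest are my own spellings.
FLAG_NAMES = [
    (0x00000001, "pdc"), (0x00000004, "gc"), (0x00000008, "ldap"),
    (0x00000010, "ds"), (0x00000020, "kdc"), (0x00000040, "timeserv"),
    (0x00000080, "closest"), (0x00000100, "writable"),
    (0x00000200, "good-timeserv"), (0x00000400, "ndnc"),
    (0x00000800, "select-secret"), (0x00001000, "full-secret"),
    (0x00002000, "ads-web"), (0x00004000, "ds-8"), (0x00008000, "ds-9"),
    (0x20000000, "dns-controller"), (0x40000000, "dns-domain"),
    (0x80000000, "dns-forest"),
]

# The strings are stored as RFC 1035 names: length-prefixed labels, terminated by a
# zero byte, where a byte with the top two bits set is a 14-bit pointer back into
# the blob (that is why DnsDomainName and DnsHostName reuse the forest name bytes).
def _read_compressed_name(blob, offset):
    labels = []
    end = None          # position right after this field in the main stream
    pos = offset
    jumps = 0
    while True:
        length = blob[pos]
        if length & 0xC0 == 0xC0:
            if end is None:
                end = pos + 2   # a pointer occupies two bytes in the stream
            jumps += 1
            if jumps > 32:
                raise ValueError("compression pointer loop")
            pos = ((length & 0x3F) << 8) | blob[pos + 1]
            continue
        pos += 1
        if length == 0:
            if end is None:
                end = pos
            return ".".join(labels), end
        labels.append(blob[pos:pos + length].decode("utf-8"))
        pos += length


def decode_flags(flags):
    """Return the set flag names in bit order, as adcli lists them."""
    return [name for bit, name in FLAG_NAMES if flags & bit]


def decode_netlogon_b64(text):
    """Base64-decode an LDIF value, tolerating wrap whitespace such as the space
    in the pasted thread output."""
    return base64.b64decode("".join(text.split()))


def parse_netlogon_response(blob):
    if len(blob) < 24:
        raise ValueError("blob too short for a netlogon response header")
    opcode, sbz, flags = struct.unpack_from("<HHI", blob, 0)
    if opcode != LOGON_SAM_LOGON_RESPONSE_EX:
        raise ValueError("unexpected opcode %d" % opcode)
    result = {
        "opcode": opcode,
        "flags": flags,
        "flag_names": decode_flags(flags),
        "domain_guid": str(uuid.UUID(bytes_le=blob[8:24])),
    }
    pos = 24
    for field in ("dns_forest", "dns_domain", "dns_hostname", "netbios_domain",
                  "netbios_hostname", "user", "dc_site", "client_site"):
        result[field], pos = _read_compressed_name(blob, pos)
    if len(blob) < pos + 8:
        raise ValueError("blob truncated before NtVersion")
    result["nt_version"], result["lm_nt_token"], result["lm20_token"] = \
        struct.unpack_from("<IHH", blob, pos)
    return result


if __name__ == "__main__":
    for key, value in parse_netlogon_response(
            decode_netlogon_b64(SAMPLE_NETLOGON_B64)).items():
        print("%-17s %s" % (key, value))
```

Run against the pasted blob, the decoder gives dc_site = Sweden and client_site = Sunnyvale, i.e. se-dc01 reports its own site as Sweden but assigns the client (based only on its source IP, as Sumit notes) to Sunnyvale, and the flags come out exactly as adcli printed them for se-dc01, without "closest". The empty "user" field is normal for an anonymous ping. When the DC cannot map the client IP to a site, client_site decodes to an empty string, which is the case adcli should treat as "no site known" rather than attempting a site-specific SRV lookup.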