On Mon, Aug 29, 2016 at 07:20:33AM +0000, Joakim Tjernlund wrote:
On Mon, 2016-08-29 at 06:55 +0000, Ondrej Valousek wrote:
Looks like adcli was unable to detect your site - you found a bug in adcli. O.
# > adcli info infinera.com
[domain]
domain-name = infinera.com
domain-short = INFINERA
domain-forest = infinera.com
domain-controller = se-dc01.infinera.com
domain-controller-site = Sweden
domain-controller-flags = gc ldap ds kdc timeserv writable full-secret ads-web
domain-controller-usable = maybe
domain-controllers = se-dc01.infinera.com SV-DC01.infinera.com pa-dc02.infinera.com md-dc02.infinera.com in-dc01.infinera.com in-dc02.infinera.com se-dc02.infinera.com ch-dc02.infinera.com sv-dc04.infinera.com pa-dc01.infinera.com md-dc01.infinera.com sv-dc02.infinera.com sv-dc03.infinera.com uk-dc01.infinera.com
[computer]
computer-site =
So it seems computer-site above is empty, and domain-controller-usable = maybe looks odd too. I think it could be caused by our DNS server, but I don't know what to look for.
The site discovery is not related to DNS. adcli (and btw SSSD as well) run an LDAP search like:
ldapsearch -H cldap://se-dc01.infinera.com -b '' -s base "(&(DnsDomain=infinera.com)(NtVer=\06\00\00\00))" NetLogon
The result is a base64 encoded blob which contains various data about the domain. This data might include the site of the client but it might be empty if the AD server cannot determine to which site the client belongs. Please note that the only information the AD server gets from the client is the IP address.
But I agree with Ondrej that this should be fixed in adcli. If the client site is not available or empty a site aware DNS lookup should not be tried.
Nevertheless I would like to ask you to send me the base64 output of the ldapsearch command from above so that I can check if e.g. the blob is in a format adcli currently does not expect.
bye, Sumit
Jocke
-----Original Message-----
From: Joakim Tjernlund [mailto:Joakim.Tjernlund@infinera.com]
Sent: Monday, August 29, 2016 8:44 AM
To: sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] Joining AD with adcli, strange error
The other day I tried to join a machine using adcli and during the join I got some strange error msg about not finding: _ldap._tcp.._sites.dc._msdcs.infinera.com Notice the .. between _tcp and _sites, this is not a valid DNS domain, how did this happen?
Jocke
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
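As an added illustration (not code from adcli or SSSD), the Python below decodes the base64 NetLogon blob that the ldapsearch above returns and applies the guard Sumit proposes: the site-aware SRV name is built only when the DC actually returned a client site, so an empty site can never produce "_ldap._tcp.._sites". The sample blob is constructed here, example.com and the host names are placeholders, and only the LOGON_SAM_LOGON_RESPONSE_EX layout is handled.

```python
import base64
import struct

# Layout (MS-ADTS 6.3.1.8): opcode(2) Sbz(2) Flags(4) DomainGuid(16), then
# eight RFC 1035 compressed names, NtVersion(4) and two 0xFFFF tokens.
NAME_FIELDS = ("forest", "domain", "dc_host", "netbios_domain",
               "netbios_computer", "user", "dc_site", "client_site")

def read_name(blob, pos, depth=0):
    """Decode one compressed name; returns (name, position after it)."""
    labels = []
    while True:
        if pos >= len(blob) or depth > 16:
            raise ValueError("truncated name or pointer loop")
        length = blob[pos]
        if length == 0:
            return ".".join(labels), pos + 1
        if length & 0xC0 == 0xC0:  # 2-byte pointer to an earlier name
            ptr = struct.unpack_from(">H", blob, pos)[0] & 0x3FFF
            tail, _ = read_name(blob, ptr, depth + 1)
            return ".".join(labels + [tail] if tail else labels), pos + 2
        pos, end = pos + 1, pos + 1 + length
        if end > len(blob):
            raise ValueError("label runs past end of blob")
        labels.append(blob[pos:end].decode("utf-8"))
        pos = end
def parse_netlogon_ex(b64):
    """Parse the base64 'netlogon::' value from the CLDAP search into a dict."""
    blob = base64.b64decode(b64)
    opcode, _sbz, flags = struct.unpack_from("<HHI", blob, 0)
    if opcode != 0x17:
        raise ValueError("opcode %#x is not LOGON_SAM_LOGON_RESPONSE_EX" % opcode)
    info, pos = {"flags": flags}, 24  # names start right after DomainGuid
    for field in NAME_FIELDS:
        info[field], pos = read_name(blob, pos)
    return info
def site_srv_name(domain, client_site):
    """Use the site-aware SRV name only when the DC returned a client site."""
    if client_site:
        return "_ldap._tcp.%s._sites.dc._msdcs.%s" % (client_site, domain)
    return "_ldap._tcp.dc._msdcs.%s" % domain  # never '_tcp.._sites'
def _enc(name):  # uncompressed RFC 1035 encoding, used to build the sample
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
# Constructed sample (not a capture): DC se-dc01 in site "Sweden", client site
# empty, like the adcli output above; 0xC018 points back to the forest name.
SAMPLE_B64 = base64.b64encode(
    struct.pack("<HHI", 0x17, 0, 0) + b"\x00" * 16
    + _enc("example.com") + b"\xC0\x18" + b"\x07se-dc01\xC0\x18"
    + _enc("EXAMPLE") + _enc("SE-DC01") + b"\x00" + _enc("Sweden") + b"\x00"
    + struct.pack("<IHH", 5, 0xFFFF, 0xFFFF)).decode()
```

Feed parse_netlogon_ex the value after "netlogon::" in the ldapsearch output; an empty client_site is the case where adcli should skip the site-aware lookup.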