On Fri, 2016-10-28 at 16:52 +0200, Sumit Bose wrote:
> On Tue, Oct 25, 2016 at 11:39:33AM +0000, Joakim Tjernlund wrote:
> >
> > On Mon, 2016-08-29 at 09:52 +0200, Sumit Bose wrote:
> > >
> > > On Mon, Aug 29, 2016 at 07:20:33AM +0000, Joakim Tjernlund wrote:
> > > >
> > > >
> > > > On Mon, 2016-08-29 at 06:55 +0000, Ondrej Valousek wrote:
> > > > >
> > > > >
> > > > > Looks like adcli was unable to detect your site - you found a bug in adcli.
> > > > > O.
> > > >
> > > > # > adcli info infinera.com
> > > > [domain]
> > > > domain-name = infinera.com
> > > > domain-short = INFINERA
> > > > domain-forest = infinera.com
> > > > domain-controller = se-dc01.infinera.com
> > > > domain-controller-site = Sweden
> > > > domain-controller-flags = gc ldap ds kdc timeserv writable full-secret ads-web
> > > > domain-controller-usable = maybe
> > > > domain-controllers = se-dc01.infinera.com SV-DC01.infinera.com pa-dc02.infinera.com md-dc02.infinera.com in-dc01.infinera.com in-dc02.infinera.com se-dc02.infinera.com ch-dc02.infinera.com sv-dc04.infinera.com pa-dc01.infinera.com md-dc01.infinera.com sv-dc02.infinera.com sv-dc03.infinera.com uk-dc01.infinera.com
> > > > [computer]
> > > > computer-site =
> > > >
> > > > So it seems computer-site above is empty and domain-controller-usable = maybe looks odd too.
> > > > I think it could be caused by our DNS server but I don't know what to look for
> > >
> > > The site discovery is not related to DNS. adcli (and btw SSSD as well)
> > > run a LDAP search like:
> > >
> > > ldapsearch -H cldap://se-dc01.infinera.com -b '' -s base
> > > "(&(DnsDomain=infinera.com)(NtVer=\06\00\00\00))" NetLogon
> > >
> > > The result is a base64 encoded blob which contains various data about
> > > the domain. This data might include the site of the client but it might
> > > be empty if the AD server cannot determine to which site the client
> > > belongs. Please note that the only information the AD server gets from
> > > the client is the IP address.
> > >
> > > But I agree with Ondrej that this should be fixed in adcli. If the
> > > client site is not available or empty a site aware DNS lookup should not
> > > be tried.
> > >
> > > Nevertheless I would like to ask you to send me the base64 output of the
> > > ldapsearch command from above so that I can check if e.g. the blob is in
> > > a format adcli currently does not expect.
> > >
> > > bye,
> > > Sumit
> >
> > This is still odd (patch from https://bugs.freedesktop.org/show_bug.cgi?id=98143 added):
> > #> adcli info -v infinera.com
> > * Discovering domain controllers: _ldap._tcp.infinera.com
> > * Sending netlogon pings to domain controller: cldap://10.210.34.21
> > * Sending netlogon pings to domain controller: cldap://10.220.32.14
> > * Sending netlogon pings to domain controller: cldap://10.120.2.22
> > * Sending netlogon pings to domain controller: cldap://10.120.2.21
> > * Sending netlogon pings to domain controller: cldap://10.100.98.21
> > * Received NetLogon info from: se-dc01.infinera.com
> > * Received NetLogon info from: SV-DC01.infinera.com
> > [domain]
> > domain-name = infinera.com
> > domain-short = INFINERA
> > domain-forest = infinera.com
> > domain-controller = SV-DC01.infinera.com
> > domain-controller-site = Sunnyvale
> > domain-controller-flags = gc ldap ds kdc timeserv closest writable full-secret ads-web
> > domain-controller-usable = yes
> > domain-controllers = SV-DC01.infinera.com se-dc01.infinera.com ch-dc02.infinera.com md-dc02.infinera.com md-dc01.infinera.com sv-dc04.infinera.com pa-dc01.infinera.com in-dc01.infinera.com sv-dc02.infinera.com uk-dc01.infinera.com in-dc02.infinera.com pa-dc02.infinera.com se-dc02.infinera.com sv-dc03.infinera.com
> > [computer]
> > computer-site = Sunnyvale
> >
> > It still answers with Sunnyvale even though se-dc01 answers first.
> > LDAP search returns:
> >
> > ldapsearch -LLL -o ldif-wrap=no -H cldap://se-dc01.infinera.com -b '' -s base "(&(DnsDomain=infinera.com)(NtVer=\06\00\00\00))" NetLogon
> > dn:
> > netlogon:: FwAAAHwxAACMaRc/i2sHQZC6zHfuHI3SCGluZmluZXJhA2NvbQDAGAdzZS1kYzAxwBgISU5GSU5FUkEAB1NFLURDMDEAAAZTd2VkZW4ACVN1bm55dmFsZQAFAAAA/////w==
>
> I'm not sure what you think might be wrong here? The client site name
> should not change even if a server from a different site is queried. So
> even if the server is in the site Sweden the client is still in
> Sunnyvale.
The other way around: the site is Sweden and the server is in Sunnyvale. Why is the server in Sweden not chosen?
(from the NetLogon reply) say the site is Sunnyvale, maybe this is the default site?
adcli will take the response from the first server that replied, if it
is from the same site as the client. If not it will wait for another
reply. This is what you see in the output. The first server that replied,
se-dc01, is in a different site (Sweden vs Sunnyvale), so adcli waits and
the second reply from sv-dc01 is taken. If all servers have replied or a
timeout of 15s has passed and no DCs from the same site replied, adcli will
pick the first proper reply.
HTH
bye,
Sumit
>
> Jocke
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
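To make Sumit's two points concrete (what the CLDAP NetLogon blob actually contains, and the "first reply from the client's own site wins" rule), here is an added example in Python that decodes the exact netlogon value Joakim posted. It is not adcli's or SSSD's code; the field names, the flag names (taken from adcli's output on this page where they appear there) and the `choose_dc()` rule are this example's own labelling of the MS-ADTS LOGON_SAM_LOGON_RESPONSE_EX layout and of the behaviour described in the thread. The 15 s timeout is not modelled; the second reply used in the demo is constructed, not a real capture.

```python
import base64
import struct
import uuid

# The NetLogon attribute value posted in the thread (its two wrapped base64
# lines joined back together).
NETLOGON_B64 = (
    "FwAAAHwxAACMaRc/i2sHQZC6zHfuHI3SCGluZmluZXJhA2NvbQDAGAdzZS1kYzAxwBgI"
    "SU5GSU5FUkEAB1NFLURDMDEAAAZTd2VkZW4ACVN1bm55dmFsZQAFAAAA/////w=="
)

LOGON_SAM_LOGON_RESPONSE_EX = 23  # Opcode of the V5EX response (MS-ADTS 6.3.1.9)

# DS_*_FLAG bits (MS-ADTS 6.3.1.2) with the short names adcli prints for them.
FLAG_NAMES = [
    (0x00000001, "pdc"), (0x00000004, "gc"), (0x00000008, "ldap"),
    (0x00000010, "ds"), (0x00000020, "kdc"), (0x00000040, "timeserv"),
    (0x00000080, "closest"), (0x00000100, "writable"),
    (0x00000200, "good-timeserv"), (0x00000400, "ndnc"),
    (0x00000800, "select-secret"), (0x00001000, "full-secret"),
    (0x00002000, "ads-web"), (0x00004000, "ds-8"), (0x00008000, "ds-9"),
]

# Order of the compressed-name fields that follow the 16-byte DomainGuid.
NAME_FIELDS = ("forest", "domain", "dns-host", "netbios-domain",
               "netbios-computer", "user", "server-site", "client-site")


def read_name(buf, pos):
    """Read one RFC 1035 compressed name (length-prefixed labels, 0xC0 pointers).

    Returns (name, position after the name). A pointer must point backwards,
    which bounds the loop and rejects a looping or forward-pointing blob.
    """
    labels, end = [], None
    while True:
        if pos >= len(buf):
            raise ValueError("name runs past end of blob")
        length = buf[pos]
        if length & 0xC0 == 0xC0:                  # two-byte compression pointer
            if pos + 1 >= len(buf):
                raise ValueError("truncated pointer")
            target = ((length & 0x3F) << 8) | buf[pos + 1]
            if target >= pos:
                raise ValueError("pointer does not point backwards")
            end = end if end is not None else pos + 2
            pos = target
            continue
        pos += 1
        if length == 0:                            # root label ends the name
            end = end if end is not None else pos
            return ".".join(labels), end
        if pos + length > len(buf):
            raise ValueError("label runs past end of blob")
        labels.append(buf[pos:pos + length].decode("utf-8"))
        pos += length


def parse_netlogon(blob):
    """Decode a LOGON_SAM_LOGON_RESPONSE_EX blob into a dict of its fields."""
    if len(blob) < 24 + 8:
        raise ValueError("blob too short for header and trailer")
    opcode, _sbz, flags = struct.unpack_from("<HHI", blob, 0)
    if opcode != LOGON_SAM_LOGON_RESPONSE_EX:
        raise ValueError("unexpected opcode %d" % opcode)
    info = {
        "flags": flags,
        "flag-names": [name for bit, name in FLAG_NAMES if flags & bit],
        "domain-guid": str(uuid.UUID(bytes_le=blob[8:24])),
    }
    pos = 24
    for field in NAME_FIELDS:
        info[field], pos = read_name(blob, pos)
    # NtVersion/LmNtToken/Lm20Token are always the last 8 bytes; anything left
    # between the client site and the trailer is an optional V5EX extension
    # (NextClosestSiteName, DcSockAddr) that this parser does not decode.
    info["nt-version"], info["lmnt-token"], info["lm20-token"] = \
        struct.unpack_from("<IHH", blob, len(blob) - 8)
    info["unparsed-bytes"] = len(blob) - 8 - pos
    return info


def parse_netlogon_b64(text):
    """Convenience wrapper for a base64 value as ldapsearch prints it."""
    return parse_netlogon(base64.b64decode(text))


def choose_dc(replies):
    """Apply the rule described in the thread to replies in arrival order:
    the first reply whose server site equals the client site wins; if none
    matches once all replies are in, the first reply is used."""
    for reply in replies:
        if reply["client-site"] and reply["server-site"] == reply["client-site"]:
            return reply
    return replies[0] if replies else None


if __name__ == "__main__":
    reply = parse_netlogon_b64(NETLOGON_B64)
    for key, value in reply.items():
        print("%-18s %s" % (key, value))
    # Constructed second reply from a Sunnyvale DC, to show the site rule.
    sunnyvale = dict(reply, **{"dns-host": "sv-dc01.infinera.com",
                               "server-site": "Sunnyvale"})
    print("chosen:", choose_dc([reply, sunnyvale])["dns-host"])
```

Decoding the posted value shows server-site `Sweden` and client-site `Sunnyvale` in the same reply, which is exactly why se-dc01 answering first does not make it the chosen DC; an empty client-site (as in the first `adcli info` output) is the case where the AD server could not map the client's IP to a site and no site-aware lookup should be attempted.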