On Mon, 2016-08-29 at 09:52 +0200, Sumit Bose wrote:
On Mon, Aug 29, 2016 at 07:20:33AM +0000, Joakim Tjernlund wrote:
>
> On Mon, 2016-08-29 at 06:55 +0000, Ondrej Valousek wrote:
> >
> > Looks like adcli was unable to detect your site - you found a bug in adcli.
> > O.
>
> #> adcli info infinera.com
> [domain]
> domain-name = infinera.com
> domain-short = INFINERA
> domain-forest = infinera.com
> domain-controller = se-dc01.infinera.com
> domain-controller-site = Sweden
> domain-controller-flags = gc ldap ds kdc timeserv writable full-secret ads-web
> domain-controller-usable = maybe
> domain-controllers = se-dc01.infinera.com SV-DC01.infinera.com pa-dc02.infinera.com md-dc02.infinera.com in-dc01.infinera.com in-dc02.infinera.com se-dc02.infinera.com ch-dc02.infinera.com sv-dc04.infinera.com pa-dc01.infinera.com md-dc01.infinera.com sv-dc02.infinera.com sv-dc03.infinera.com uk-dc01.infinera.com
> [computer]
> computer-site =
>
> So it seems computer-site above is empty and domain-controller-usable = maybe looks odd too.
> I think it could be caused by our DNS server but I don't know what to look for
The site discovery is not related to DNS. adcli (and btw SSSD as well)
run an LDAP search like:

ldapsearch -H cldap://se-dc01.infinera.com -b '' -s base "(&(DnsDomain=infinera.com)(NtVer=\06\00\00\00))" NetLogon

The result is a base64 encoded blob which contains various data about
the domain. This data might include the site of the client but it might
be empty if the AD server cannot determine to which site the client
belongs. Please note that the only information the AD server gets from
the client is the IP address.
But I agree with Ondrej that this should be fixed in adcli. If the
client site is not available or empty a site aware DNS lookup should not
be tried.
Nevertheless I would like to ask you to send me the base64 output of the
ldapsearch command from above so that I can check if e.g. the blob is in
a format adcli currently does not expect.
bye,
Sumit
This is still odd (patch from https://bugs.freedesktop.org/show_bug.cgi?id=98143 added):
#> adcli info -v infinera.com
* Discovering domain controllers: _ldap._tcp.infinera.com
* Sending netlogon pings to domain controller: cldap://10.210.34.21
* Sending netlogon pings to domain controller: cldap://10.220.32.14
* Sending netlogon pings to domain controller: cldap://10.120.2.22
* Sending netlogon pings to domain controller: cldap://10.120.2.21
* Sending netlogon pings to domain controller: cldap://10.100.98.21
* Received NetLogon info from: se-dc01.infinera.com
* Received NetLogon info from: SV-DC01.infinera.com
[domain]
domain-name = infinera.com
domain-short = INFINERA
domain-forest = infinera.com
domain-controller = SV-DC01.infinera.com
domain-controller-site = Sunnyvale
domain-controller-flags = gc ldap ds kdc timeserv closest writable full-secret ads-web
domain-controller-usable = yes
domain-controllers = SV-DC01.infinera.com se-dc01.infinera.com ch-dc02.infinera.com md-dc02.infinera.com md-dc01.infinera.com sv-dc04.infinera.com pa-dc01.infinera.com in-dc01.infinera.com sv-dc02.infinera.com uk-dc01.infinera.com in-dc02.infinera.com pa-dc02.infinera.com se-dc02.infinera.com sv-dc03.infinera.com
[computer]
computer-site = Sunnyvale
It still answers with Sunnyvale even though se-dc01 answers first.
LDAP search returns:

ldapsearch -LLL -o ldif-wrap=no -H cldap://se-dc01.infinera.com -b '' -s base "(&(DnsDomain=infinera.com)(NtVer=\06\00\00\00))" NetLogon
dn:
netlogon:: FwAAAHwxAACMaRc/i2sHQZC6zHfuHI3SCGluZmluZXJhA2NvbQDAGAdzZS1kYzAxwBgISU5GSU5FUkEAB1NFLURDMDEAAAZTd2VkZW4ACVN1bm55dmFsZQAFAAAA/////w==
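Added example, not code from the thread or from adcli/SSSD: a small Python decoder for the NETLOGON_SAM_LOGON_RESPONSE_EX blob that Sumit's CLDAP query returns, run over the netlogon value posted above. The field layout (opcode, flags, domain GUID, a series of RFC 1035 compressed names, NtVersion and the two tokens) and the DS_* flag bits follow MS-ADTS 6.3.1.9 and 6.3.1.2; the short flag names are the ones adcli prints. Decoding the posted value shows that the blob carries two separate site fields, DcSiteName (the responding DC's site) and ClientSiteName (the site the DC assigned to the caller's IP), and the helper at the end treats an empty ClientSiteName as "no site known", the case Sumit says should not lead to a site-aware DNS lookup. The function and constant names are mine.

```python
import base64
import struct
import uuid

# The netlogon attribute value quoted in the mail above (constructed input
# for this example, copied verbatim from the ldapsearch output).
NETLOGON_B64 = "FwAAAHwxAACMaRc/i2sHQZC6zHfuHI3SCGluZmluZXJhA2NvbQDAGAdzZS1kYzAxwBgISU5GSU5FUkEAB1NFLURDMDEAAAZTd2VkZW4ACVN1bm55dmFsZQAFAAAA/////w=="

LOGON_SAM_LOGON_RESPONSE_EX = 23  # Opcode value per MS-ADTS 6.3.1.9

# DS_* flag bits from MS-ADTS 6.3.1.2, labelled with the names adcli prints.
FLAG_NAMES = [
    (0x00000001, "pdc"),
    (0x00000004, "gc"),
    (0x00000008, "ldap"),
    (0x00000010, "ds"),
    (0x00000020, "kdc"),
    (0x00000040, "timeserv"),
    (0x00000080, "closest"),
    (0x00000100, "writable"),
    (0x00000200, "good-timeserv"),
    (0x00000400, "ndnc"),
    (0x00000800, "select-secret"),
    (0x00001000, "full-secret"),
    (0x00002000, "ads-web"),
]


def read_compressed_name(blob, offset):
    """Read one RFC 1035 style compressed name starting at `offset`.

    Returns (name, offset_after_field). A length byte with the top two bits
    set is a pointer to an absolute offset inside the blob; a name that ends
    in a pointer consumes only those two bytes from the current position.
    """
    labels = []
    end = None      # position after the field in the original stream
    seen = set()    # guards against pointer loops in a malformed blob
    while True:
        if offset >= len(blob):
            raise ValueError("truncated name at offset %d" % offset)
        length = blob[offset]
        if (length & 0xC0) == 0xC0:
            if offset + 1 >= len(blob):
                raise ValueError("truncated pointer at offset %d" % offset)
            target = ((length & 0x3F) << 8) | blob[offset + 1]
            if target in seen:
                raise ValueError("pointer loop via offset %d" % target)
            seen.add(target)
            if end is None:
                end = offset + 2
            offset = target
            continue
        offset += 1
        if length == 0:
            break
        labels.append(blob[offset:offset + length].decode("utf-8"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def parse_netlogon_response_ex(b64):
    """Decode a base64 NETLOGON_SAM_LOGON_RESPONSE_EX blob into a dict."""
    blob = base64.b64decode(b64)
    opcode, _sbz, flags = struct.unpack_from("<HHI", blob, 0)
    if opcode != LOGON_SAM_LOGON_RESPONSE_EX:
        raise ValueError("unexpected opcode %d" % opcode)
    fields = {
        "Flags": flags,
        "FlagNames": [name for bit, name in FLAG_NAMES if flags & bit],
        "DomainGuid": str(uuid.UUID(bytes_le=blob[8:24])),
    }
    pos = 24
    for name in ("DnsForestName", "DnsDomainName", "DnsHostName",
                 "NetbiosDomainName", "NetbiosComputerName", "UserName",
                 "DcSiteName", "ClientSiteName"):
        fields[name], pos = read_compressed_name(blob, pos)
    nt_version, lmnt_token, lm20_token = struct.unpack_from("<IHH", blob, pos)
    fields["NtVersion"] = nt_version
    fields["LmNtToken"] = lmnt_token
    fields["Lm20Token"] = lm20_token
    return fields


def client_site_or_none(fields):
    """The site to use for a site-aware SRV lookup, or None when the DC could
    not place the client (empty ClientSiteName), in which case the lookup
    should be skipped rather than built with an empty site label."""
    return fields.get("ClientSiteName") or None


if __name__ == "__main__":
    info = parse_netlogon_response_ex(NETLOGON_B64)
    for key, value in info.items():
        print("%-20s %s" % (key, value))
    print("site for lookup:", client_site_or_none(info))
```

Running it on the posted value gives DnsHostName se-dc01.infinera.com, DcSiteName Sweden, ClientSiteName Sunnyvale and flags gc ldap ds kdc timeserv writable full-secret ads-web (no closest bit), i.e. exactly what adcli printed for se-dc01 in the first run, plus the client site that the first run left empty. The pointer-loop and truncation checks matter because the blob comes unauthenticated over UDP; a parser that trusts the length and pointer bytes blindly is an easy crash.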