On Tue, 2016-10-25 at 13:40 +0200, Joakim Tjernlund wrote:
> On Mon, 2016-08-29 at 09:52 +0200, Sumit Bose wrote:
> >
> > On Mon, Aug 29, 2016 at 07:20:33AM +0000, Joakim Tjernlund wrote:
> > >
> > >
> > > On Mon, 2016-08-29 at 06:55 +0000, Ondrej Valousek wrote:
> > > >
> > > >
> > > > Looks like adcli was unable to detect your site - you found a bug in adcli.
> > > > O.
> > >
> > > # > adcli info infinera.com
> > > [domain]
> > > domain-name = infinera.com
> > > domain-short = INFINERA
> > > domain-forest = infinera.com
> > > domain-controller = se-dc01.infinera.com
> > > domain-controller-site = Sweden
> > > domain-controller-flags = gc ldap ds kdc timeserv writable full-secret ads-web
> > > domain-controller-usable = maybe
> > > domain-controllers = se-dc01.infinera.com SV-DC01.infinera.com pa-dc02.infinera.com md-dc02.infinera.com in-dc01.infinera.com in-dc02.infinera.com se-dc02.infinera.com ch-dc02.infinera.com sv-dc04.infinera.com pa-dc01.infinera.com md-dc01.infinera.com sv-dc02.infinera.com sv-dc03.infinera.com uk-dc01.infinera.com
> > > [computer]
> > > computer-site =
> > >
> > > So it seems computer-site above is empty and domain-controller-usable = maybe looks odd too.
> > > I think it could be caused by our DNS server but I don't know what to look for
> >
> > The site discovery is not related to DNS. adcli (and btw SSSD as well)
> > run a LDAP search like:
> >
> > ldapsearch -H cldap://se-dc01.infinera.com -b '' -s base "(&(DnsDomain=infinera.com)(NtVer=\06\00\00\00))" NetLogon
> >
> > The result is a base64 encoded blob which contains various data about
> > the domain. This data might include the site of the client but it might
> > be empty if the AD server cannot determine to which site the client
> > belongs. Please note that the only information the AD server gets from
> > the client is the IP address.
> >
> > But I agree with Ondrej that this should be fixed in adcli. If the
> > client site is not available or empty a site aware DNS lookup should not
> > be tried.
> >
> > Nevertheless I would like to ask you to send me the base64 output of the
> > ldapsearch command from above so that I can check if e.g. the blob is in
> > a format adcli currently does not expect.
> >
> > bye,
> > Sumit
>
> This is still odd (patch from https://bugs.freedesktop.org/show_bug.cgi?id=98143 added):
> #> adcli info -v infinera.com
> * Discovering domain controllers: _ldap._tcp.infinera.com
> * Sending netlogon pings to domain controller: cldap://10.210.34.21
> * Sending netlogon pings to domain controller: cldap://10.220.32.14
> * Sending netlogon pings to domain controller: cldap://10.120.2.22
> * Sending netlogon pings to domain controller: cldap://10.120.2.21
> * Sending netlogon pings to domain controller: cldap://10.100.98.21
> * Received NetLogon info from: se-dc01.infinera.com
> * Received NetLogon info from: SV-DC01.infinera.com
> [domain]
> domain-name = infinera.com
> domain-short = INFINERA
> domain-forest = infinera.com
> domain-controller = SV-DC01.infinera.com
> domain-controller-site = Sunnyvale
> domain-controller-flags = gc ldap ds kdc timeserv closest writable full-secret ads-web
> domain-controller-usable = yes
> domain-controllers = SV-DC01.infinera.com se-dc01.infinera.com ch-dc02.infinera.com md-dc02.infinera.com md-dc01.infinera.com sv-dc04.infinera.com pa-dc01.infinera.com in-dc01.infinera.com sv-dc02.infinera.com uk-dc01.infinera.com in-dc02.infinera.com pa-dc02.infinera.com se-dc02.infinera.com sv-dc03.infinera.com
> [computer]
> computer-site = Sunnyvale
>
> It still answers with Sunnyvale even though se-dc01 answers first.
> LDAP search returns:
>
> ldapsearch -LLL -o ldif-wrap=no -H cldap://se-dc01.infinera.com -b '' -s base "(&(DnsDomain=infinera.com)(NtVer=\06\00\00\00))" NetLogon
> dn:
> netlogon:: FwAAAHwxAACMaRc/i2sHQZC6zHfuHI3SCGluZmluZXJhA2NvbQDAGAdzZS1kYzAxwBgISU5GSU5FUkEAB1NFLURDMDEAAAZTd2VkZW4ACVN1bm55dmFsZQAFAAAA/////w==
>
> Here is why it can fail completely on occasion:
> /* Number of servers to do discovery against */
> #define DISCO_COUNT 5
> and
> # > dig @10.210.34.21 _ldap._tcp.infinera.com -t SRV
> ; <<>> DiG 9.10.4-P3 <<>> @10.210.34.21 _ldap._tcp.infinera.com -t SRV
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32629
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 15
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4000
> ;; QUESTION SECTION:
> ;_ldap._tcp.infinera.com. IN SRV
> ;; ANSWER SECTION:
> _ldap._tcp.infinera.com. 600 IN SRV 0 100 389 sv-dc01.infinera.com.
> _ldap._tcp.infinera.com. 600 IN SRV 0 100 389 in-dc02.infinera.com.
> _ldap._tcp.infinera.com. 600 IN SRV 0 100 389 pa-dc01.infinera.com.
> _ldap._tcp.infinera.com. 600 IN SRV 0 100 389 ch-dc02.infinera.com.
> _ldap._tcp.infinera.com. 600 IN SRV 0 100 389 in-dc01.infinera.com.
> _ldap._tcp.infinera.com. 600 IN SRV 0 100 389 md-dc02.infinera.com.
> _ldap._tcp.infinera.com. 600 IN SRV 0 100 389 se-dc01.infinera.com.
> _ldap._tcp.infinera.com. 600 IN SRV 0 100 389 sv-dc03.infinera.com.
> _ldap._tcp.infinera.com. 600 IN SRV 0 100 389 md-dc01.infinera.com.
> _ldap._tcp.infinera.com. 600 IN SRV 0 100 389 se-dc02.infinera.com.
> _ldap._tcp.infinera.com. 600 IN SRV 0 100 389 sv-dc04.infinera.com.
> _ldap._tcp.infinera.com. 600 IN SRV 0 100 389 uk-dc01.infinera.com.
> _ldap._tcp.infinera.com. 600 IN SRV 0 100 389 pa-dc02.infinera.com.
> _ldap._tcp.infinera.com. 600 IN SRV 0 100 389 sv-dc02.infinera.com.
> ....
> So there are lots of servers but only the 5 first will be queried and most of them
> will not answer our requests.
> Should local DNS be configured differently?
I think the original idea was that if 5 servers do not reply there might
be something wrong in the environment and it does not make sense to
query more and more servers. Do you think DISCO_COUNT should be
configurable or wouldn't it be easier to use the -S option to specify a
suitable DC?
bye,
Sumit
>
> Still don't get how site should be detected.
>
> Jocke
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
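Added example (not code from the thread, from adcli or from SSSD): a small Python decoder for the base64 netlogon value Joakim posted above. It parses the NETLOGON_SAM_LOGON_RESPONSE_EX layout from MS-ADTS 6.3.1.9 (opcode, DS flags, domain GUID, then DNS-compressed names for forest, domain, host, the NetBIOS names, user, DC site and client site, then NtVersion and the two LM tokens) and derives the site-aware SRV owner name a client would look up next. The function names, dict keys and the lowercase flag labels beyond the ones adcli prints on this page are my own; the _ldap._tcp.<site>._sites.<domain> form is the standard AD site-specific SRV registration. Decoding se-dc01's reply shows the DC naming the client's site as Sunnyvale and not setting the closest flag, which fits the -v run above ending up on SV-DC01. The site is whatever the DC infers from the client's source IP over an unauthenticated UDP exchange, so treat it as a hint rather than an authenticated claim, and, as Sumit says, do no site-aware lookup at all when the field comes back empty.

```python
"""Decode a CLDAP NetLogon ping reply (NETLOGON_SAM_LOGON_RESPONSE_EX,
MS-ADTS 6.3.1.9) and derive the site-aware SRV name from it."""
import base64
import struct
import uuid

# Sample input: the base64 "netlogon" attribute value from se-dc01's reply
# as posted in the thread (copied from the mail, not newly captured).
NETLOGON_B64 = (
    "FwAAAHwxAACMaRc/i2sHQZC6zHfuHI3SCGluZmluZXJhA2NvbQDAGAdzZS1kYzAx"
    "wBgISU5GSU5FUkEAB1NFLURDMDEAAAZTd2VkZW4ACVN1bm55dmFsZQAFAAAA/////w=="
)

# Opcodes that share the *_EX layout parsed below.
EX_OPCODES = {
    23: "LOGON_SAM_LOGON_RESPONSE_EX",
    24: "LOGON_SAM_PAUSE_RESPONSE_EX",
    25: "LOGON_SAM_USER_UNKNOWN_EX",
}

# DS_*_FLAG bits (MS-ADTS 6.3.1.2) in adcli's lowercase style; the labels
# not shown in the thread's adcli output are my rendering.
DS_FLAGS = [
    (0x00000001, "pdc"), (0x00000004, "gc"), (0x00000008, "ldap"),
    (0x00000010, "ds"), (0x00000020, "kdc"), (0x00000040, "timeserv"),
    (0x00000080, "closest"), (0x00000100, "writable"),
    (0x00000200, "good-timeserv"), (0x00000400, "ndnc"),
    (0x00000800, "select-secret"), (0x00001000, "full-secret"),
    (0x00002000, "ads-web"),
]


def flag_names(flags):
    return [name for bit, name in DS_FLAGS if flags & bit]


def read_name(buf, pos):
    """Read one RFC 1035 style compressed name (length-prefixed labels,
    0xC0xx back-pointers). Returns (dotted name, offset after the field)."""
    labels, end, hops = [], None, 0
    while True:
        if pos >= len(buf):
            raise ValueError("name runs past end of blob")
        length = buf[pos]
        if length & 0xC0 == 0xC0:             # 2-byte pointer into the blob
            if pos + 1 >= len(buf):
                raise ValueError("truncated compression pointer")
            if end is None:
                end = pos + 2                 # the field itself ends here
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            pos = ((length & 0x3F) << 8) | buf[pos + 1]
            continue
        pos += 1
        if length == 0:                       # root label terminates the name
            break
        labels.append(buf[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels), end if end is not None else pos


def parse_netlogon(blob):
    if len(blob) < 24:
        raise ValueError("blob shorter than the fixed header")
    opcode, _sbz, flags = struct.unpack_from("<HHI", blob, 0)
    if opcode not in EX_OPCODES:
        raise ValueError(f"opcode {opcode} is not an *_EX response")
    info = {
        "opcode": EX_OPCODES[opcode],
        "flags": flag_names(flags),
        "domain-guid": str(uuid.UUID(bytes_le=blob[8:24])),
    }
    pos = 24
    for key in ("forest", "domain", "host", "netbios-domain",
                "netbios-host", "user", "dc-site", "client-site"):
        info[key], pos = read_name(blob, pos)
    # NextClosestSiteName is present only if the client asked for it; then
    # the 8-byte trailer: NtVersion (u32), LmNtToken (u16), Lm20Token (u16).
    if len(blob) - pos > 8:
        info["next-closest-site"], pos = read_name(blob, pos)
    if len(blob) - pos != 8:
        raise ValueError("unexpected bytes before the NetLogon trailer")
    (info["nt-version"], info["lm-nt-token"],
     info["lm20-token"]) = struct.unpack_from("<IHH", blob, pos)
    return info


def site_srv_name(info, service="_ldap._tcp"):
    """Site-aware SRV owner name to query next, or None when the DC reported
    no client site (then only the site-less _ldap._tcp.<domain> is valid)."""
    if not info["client-site"]:
        return None
    return f"{service}.{info['client-site']}._sites.{info['domain']}"


if __name__ == "__main__":
    decoded = parse_netlogon(base64.b64decode(NETLOGON_B64))
    for key, value in decoded.items():
        print(f"{key:18} {value}")
    print("site-aware SRV    ", site_srv_name(decoded))
```

Run it as-is to print the decoded fields; any other DC's reply can be checked by replacing NETLOGON_B64 with the value ldapsearch prints after "netlogon::". Malformed input (a non-EX opcode, a truncated name, a pointer loop) raises ValueError instead of returning a half-parsed site.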