Hi again,
I can see in the log that the client traverses all subdomains and tries to send dyndns updates to diverse DCs, without success.
I have no krb5.conf, as I used realmd for joining AD; can that be the reason for the troubles?
[nss]
debug_level = 9
filter_groups = root
filter_users = root,lightdm,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd
[sssd]
debug_level = 6
domains = nat.domain.org
config_file_version = 2
services = nss, pam
[domain/nat.domain.org]
debug_level = 7
id_provider = ad
auth_provider = ad
access_provider = ad
default_shell = /bin/bash
ldap_id_mapping = False
/etc/hosts
root@skywalker:/home-local/longinap# cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 skywalker.nat.domain.org skywalker
xxx.xxx. eta.nat.domain.org eta
best,
Longina
-----Original Message-----
From: sssd-users-bounces(a)lists.fedorahosted.org
[mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Longina Przybyszewska
Sent: 23. juni 2014 13:45
To: 'End-user discussions about the System Security Services Daemon'
Subject: Re: [SSSD-users] 1.11.5 ddns failure on Ubuntu 14.04[SOLVED]
My AD admin affirms that the problem with Linux clients is that they recognize the AD/LDAP server as a DNS server; they should be able to recognize the right DNS servers automatically.
Stripping sssd.conf doesn't help; the client still chooses another DNS server from the pool of LDAP/AD servers, with the same effect: a non-responding server for nsupdate.
How can I force sssd to choose the right DNS server?
There is a 'dns_discovery_domain' option, but it means that the client configuration will differ per domain.
Our AD structure is forest with trusted subdomains, and Global Catalog.
Best,
Longina
-----Original Message-----
From: sssd-users-bounces(a)lists.fedorahosted.org
[mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of steve
Sent: 23. juni 2014 13:07
To: sssd-users(a)lists.fedorahosted.org
Subject: Re: [SSSD-users] 1.11.5 ddns failure on Ubuntu 14.04[SOLVED]
On Mon, 2014-06-23 at 09:09 +0000, Longina Przybyszewska wrote:
> Ok.
> 2 cases:
> 1. The first server is the server chosen automatically by service discovery - obviously doesn't answer.
Hi
Narrow it down. Set the primary DNS on your client to be a DNS server which you know for certain is handling your AD domain. For now remove other DNS entries and strip sssd of anything apart from ad.
/etc/hosts
127.0.0.1 catral.hh3.site catral localhost
/etc/resolv.conf
search hh3.site
nameserver 192.168.1.16
sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = hh3.site
[nss]
[pam]
[domain/hh3.site]
id_provider = ad
access_provider = ad
auth_provider = ad
ldap_id_mapping = false
E.g. here is an openSUSE client running 1.11.5 joined to the domain hh3.site. The DC at 192.168.1.16 is also running bind for this domain.
A session on catral with a common error;)
catral:/home/steve # nsupdate -g
update delete catral.hh3.site. in A
send
tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Ticket expired.
catral:/home/steve # kinit -kt /etc/krb5.keytab CATRAL$
catral:/home/steve # nsupdate -g
update delete catral.hh3.site. in A
send
update add catral.hh3.site. 3600 in A 192.168.1.25
send
quit
catral:/home/steve # nslookup catral
Server: 192.168.1.16
Address: 192.168.1.16#53
Name: catral.hh3.site
Address: 192.168.1.25
If you haven't got the DNS exactly right, you may need some tweaks in sssd.conf to get you there:
http://linuxcostablanca.blogspot.com.es/2014/05/sssd-autofs-with-ad-backe...
HTH
Steve
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
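The "narrow it down" procedure above (pin the client to one DNS server that really serves the AD domain, get a fresh host ticket from the keytab, then run nsupdate -g) as a small helper script. This is an added example, not code from the thread or from the SSSD project. It assumes the constructed names and addresses from Steve's session (hh3.site, catral, 192.168.1.16, 192.168.1.25), that dig, kinit and nsupdate are installed, and that hostname -I is available (GNU/Linux); the live part only runs when DO_LIVE=1 is set.

```shell
#!/bin/sh
# Added example (not from the thread): follow the "narrow it down" advice.
#  1. read the primary nameserver from resolv.conf,
#  2. check that this server publishes the AD domain's DC SRV records,
#  3. build an nsupdate -g batch that names the server explicitly, so a
#     non-answering DC from the discovery pool is never contacted.
# All hostnames/addresses below are constructed for the example.

# First "nameserver" entry of a resolv.conf read from stdin.
primary_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }'
}

# Build the nsupdate batch (delete old A record, add current one).
# The "server" line pins the DNS server instead of relying on SOA lookup.
# usage: nsupdate_batch SERVER FQDN IP TTL
nsupdate_batch() {
    server=$1 fqdn=$2 ip=$3 ttl=$4
    printf 'server %s\n' "$server"
    printf 'update delete %s. in A\n' "$fqdn"
    printf 'update add %s. %s in A %s\n' "$fqdn" "$ttl" "$ip"
    printf 'send\n'
    printf 'quit\n'
}

# Does the nameserver answer the AD domain's DC SRV record? (needs dig)
# A DC that is not a DNS server for the domain fails this check.
resolver_serves_ad() {
    server=$1 domain=$2
    dig +short @"$server" "_ldap._tcp.dc._msdcs.$domain" SRV | grep -q .
}

# Constructed sample resolv.conf, mirroring the one in the thread.
SAMPLE_RESOLV='search hh3.site
nameserver 192.168.1.16'

if [ "${DO_LIVE:-0}" = "1" ]; then
    # In real use read /etc/resolv.conf instead of the sample.
    ns=$(printf '%s\n' "$SAMPLE_RESOLV" | primary_nameserver)
    fqdn=$(hostname -f)
    ip=$(hostname -I | awk '{ print $1 }')
    if resolver_serves_ad "$ns" "hh3.site"; then
        # Fresh host ticket first: "Ticket expired" is the failure in the thread.
        kinit -kt /etc/krb5.keytab "$(hostname -s | tr a-z A-Z)\$" &&
            nsupdate_batch "$ns" "$fqdn" "$ip" 3600 | nsupdate -g
    else
        echo "$ns does not serve _msdcs SRV records for hh3.site; fix resolv.conf first" >&2
        exit 1
    fi
fi
```

Without DO_LIVE the script only defines the helpers, so it can be sourced and the generated batch inspected before anything is sent; the SRV check is the same question the AD admin raised, namely whether the server the client talks to is actually a DNS server for the domain.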