The other day I tried to join a machine using adcli, and during the join I got some strange error msg about not finding:
_ldap._tcp.._sites.dc._msdcs.infinera.com
Notice the .. between _tcp and _sites; this is not a valid DNS domain. How did this happen?
Jocke
Looks like adcli was unable to detect your site - you found a bug in adcli. O.
-----Original Message-----
From: Joakim Tjernlund [mailto:Joakim.Tjernlund@infinera.com]
Sent: Monday, August 29, 2016 8:44 AM
To: sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] Joining AD with adcli, strange error
The other day I tried to join a machine using adcli, and during the join I got some strange error msg about not finding:
_ldap._tcp.._sites.dc._msdcs.infinera.com
Notice the .. between _tcp and _sites; this is not a valid DNS domain. How did this happen?
Jocke
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
-----
The information contained in this e-mail and in any attachments is confidential and is designated solely for the attention of the intended recipient(s). If you are not an intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s). Please direct any additional queries to: communications@s3group.com. Thank You. Silicon and Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office: South County Business Park, Leopardstown, Dublin 18.
On Mon, 2016-08-29 at 06:55 +0000, Ondrej Valousek wrote:
Looks like adcli was unable to detect your site - you found a bug in adcli. O.
# > adcli info infinera.com
[domain]
domain-name = infinera.com
domain-short = INFINERA
domain-forest = infinera.com
domain-controller = se-dc01.infinera.com
domain-controller-site = Sweden
domain-controller-flags = gc ldap ds kdc timeserv writable full-secret ads-web
domain-controller-usable = maybe
domain-controllers = se-dc01.infinera.com SV-DC01.infinera.com pa-dc02.infinera.com md-dc02.infinera.com in-dc01.infinera.com in-dc02.infinera.com se-dc02.infinera.com ch-dc02.infinera.com sv-dc04.infinera.com pa-dc01.infinera.com md-dc01.infinera.com sv-dc02.infinera.com sv-dc03.infinera.com uk-dc01.infinera.com
[computer]
computer-site =

So it seems computer-site above is empty, and domain-controller-usable = maybe looks odd too. I think it could be caused by our DNS server, but I don't know what to look for.
Jocke
On Mon, Aug 29, 2016 at 07:20:33AM +0000, Joakim Tjernlund wrote:
So it seems computer-site above is empty, and domain-controller-usable = maybe looks odd too. I think it could be caused by our DNS server, but I don't know what to look for.
The site discovery is not related to DNS. adcli (and btw SSSD as well) run an LDAP search like:
ldapsearch -H cldap://se-dc01.infinera.com -b '' -s base "(&(DnsDomain=infinera.com)(NtVer=\06\00\00\00))" NetLogon
The result is a base64 encoded blob which contains various data about the domain. This data might include the site of the client but it might be empty if the AD server cannot determine to which site the client belongs. Please note that the only information the AD server gets from the client is the IP address.
But I agree with Ondrej that this should be fixed in adcli. If the client site is not available or empty, a site-aware DNS lookup should not be tried.
Nevertheless I would like to ask you to send me the base64 output of the ldapsearch command from above so that I can check if e.g. the blob is in a format adcli currently does not expect.
bye, Sumit
On Mon, 2016-08-29 at 09:52 +0200, Sumit Bose wrote:
Nevertheless I would like to ask you to send me the base64 output of the ldapsearch command from above so that I can check if e.g. the blob is in a format adcli currently does not expect.
bye, Sumit
This is still odd (patch from https://bugs.freedesktop.org/show_bug.cgi?id=98143 added):

#> adcli info -v infinera.com
 * Discovering domain controllers: _ldap._tcp.infinera.com
 * Sending netlogon pings to domain controller: cldap://10.210.34.21
 * Sending netlogon pings to domain controller: cldap://10.220.32.14
 * Sending netlogon pings to domain controller: cldap://10.120.2.22
 * Sending netlogon pings to domain controller: cldap://10.120.2.21
 * Sending netlogon pings to domain controller: cldap://10.100.98.21
 * Received NetLogon info from: se-dc01.infinera.com
 * Received NetLogon info from: SV-DC01.infinera.com
[domain]
domain-name = infinera.com
domain-short = INFINERA
domain-forest = infinera.com
domain-controller = SV-DC01.infinera.com
domain-controller-site = Sunnyvale
domain-controller-flags = gc ldap ds kdc timeserv closest writable full-secret ads-web
domain-controller-usable = yes
domain-controllers = SV-DC01.infinera.com se-dc01.infinera.com ch-dc02.infinera.com md-dc02.infinera.com md-dc01.infinera.com sv-dc04.infinera.com pa-dc01.infinera.com in-dc01.infinera.com sv-dc02.infinera.com uk-dc01.infinera.com in-dc02.infinera.com pa-dc02.infinera.com se-dc02.infinera.com sv-dc03.infinera.com
[computer]
computer-site = Sunnyvale

It still answers with Sunnyvale even though se-dc01 answers first. LDAP search returns:

ldapsearch -LLL -o ldif-wrap=no -H cldap://se-dc01.infinera.com -b '' -s base "(&(DnsDomain=infinera.com)(NtVer=\06\00\00\00))" NetLogon
dn:
netlogon:: FwAAAHwxAACMaRc/i2sHQZC6zHfuHI3SCGluZmluZXJhA2NvbQDAGAdzZS1kYzAxwBgISU5GSU5FUkEAB1NFLURDMDEAAAZTd2VkZW4ACVN1bm55dmFsZQAFAAAA/////w==
On Tue, 2016-10-25 at 13:40 +0200, Joakim Tjernlund wrote:
It still answers with Sunnyvale even though se-dc01 answers first. LDAP search returns:

ldapsearch -LLL -o ldif-wrap=no -H cldap://se-dc01.infinera.com -b '' -s base "(&(DnsDomain=infinera.com)(NtVer=\06\00\00\00))" NetLogon
dn:
netlogon:: FwAAAHwxAACMaRc/i2sHQZC6zHfuHI3SCGluZmluZXJhA2NvbQDAGAdzZS1kYzAxwBgISU5GSU5FUkEAB1NFLURDMDEAAAZTd2VkZW4ACVN1bm55dmFsZQAFAAAA/////w==
Here is why it can fail completely on occasion:

/* Number of servers to do discovery against */
#define DISCO_COUNT 5

and

# > dig @10.210.34.21 _ldap._tcp.infinera.com -t SRV

; <<>> DiG 9.10.4-P3 <<>> @10.210.34.21 _ldap._tcp.infinera.com -t SRV
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32629
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 15

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;_ldap._tcp.infinera.com. IN SRV

;; ANSWER SECTION:
_ldap._tcp.infinera.com. 600 IN SRV 0 100 389 sv-dc01.infinera.com.
_ldap._tcp.infinera.com. 600 IN SRV 0 100 389 in-dc02.infinera.com.
_ldap._tcp.infinera.com. 600 IN SRV 0 100 389 pa-dc01.infinera.com.
_ldap._tcp.infinera.com. 600 IN SRV 0 100 389 ch-dc02.infinera.com.
_ldap._tcp.infinera.com. 600 IN SRV 0 100 389 in-dc01.infinera.com.
_ldap._tcp.infinera.com. 600 IN SRV 0 100 389 md-dc02.infinera.com.
_ldap._tcp.infinera.com. 600 IN SRV 0 100 389 se-dc01.infinera.com.
_ldap._tcp.infinera.com. 600 IN SRV 0 100 389 sv-dc03.infinera.com.
_ldap._tcp.infinera.com. 600 IN SRV 0 100 389 md-dc01.infinera.com.
_ldap._tcp.infinera.com. 600 IN SRV 0 100 389 se-dc02.infinera.com.
_ldap._tcp.infinera.com. 600 IN SRV 0 100 389 sv-dc04.infinera.com.
_ldap._tcp.infinera.com. 600 IN SRV 0 100 389 uk-dc01.infinera.com.
_ldap._tcp.infinera.com. 600 IN SRV 0 100 389 pa-dc02.infinera.com.
_ldap._tcp.infinera.com. 600 IN SRV 0 100 389 sv-dc02.infinera.com.
....

So there are lots of servers, but only the first 5 will be queried, and most of them will not answer our requests. Should local DNS be configured differently?
Still don't get how site should be detected.
Jocke
On Tue, Oct 25, 2016 at 12:58:06PM +0000, Joakim Tjernlund wrote:
So there are lots of servers, but only the first 5 will be queried, and most of them will not answer our requests. Should local DNS be configured differently?
I think the original idea was that if 5 servers do not reply there might be something wrong in the environment and it does not make sense to query more and more servers. Do you think DISCO_COUNT should be configurable or wouldn't it be easier to use the -S option to specify a suitable DC?
bye, Sumit
Still don't get how site should be detected.
Jocke
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
On Fri, 2016-10-28 at 17:15 +0200, Sumit Bose wrote:
I think the original idea was that if 5 servers do not reply there might be something wrong in the environment and it does not make sense to query more and more servers. Do you think DISCO_COUNT should be configurable or wouldn't it be easier to use the -S option to specify a suitable DC?
That makes sense, I think we have a mess somewhere ... This is a bit odd though:

adcli info -v -S se-dc01.infinera.com
 * Sending netlogon pings to domain controller: cldap://10.210.34.21
 * Received NetLogon info from: se-dc01.infinera.com
[domain]
domain-name = infinera.com
domain-short = INFINERA
domain-forest = infinera.com
domain-controller = se-dc01.infinera.com
domain-controller-site = Sweden
domain-controller-flags = gc ldap ds kdc timeserv writable full-secret ads-web
domain-controller-usable = maybe
[computer]
computer-site = Sunnyvale

Still says computer-site = Sunnyvale when I am in Sweden. I guess we need to check where our network belongs.
Jocke
On Tue, Oct 25, 2016 at 11:39:33AM +0000, Joakim Tjernlund wrote:
It still answers with Sunnyvale even though se-dc01 answers first. LDAP search returns:
ldapsearch -LLL -o ldif-wrap=no -H cldap://se-dc01.infinera.com -b '' -s base "(&(DnsDomain=infinera.com)(NtVer=\06\00\00\00))" NetLogon
dn:
netlogon:: FwAAAHwxAACMaRc/i2sHQZC6zHfuHI3SCGluZmluZXJhA2NvbQDAGAdzZS1kYzAxwBgISU5GSU5FUkEAB1NFLURDMDEAAAZTd2VkZW4ACVN1bm55dmFsZQAFAAAA/////w==
I'm not sure what you think might be wrong here? The client site name should not change even if a server from a different site is queried. So even if the server is in the site Sweden the client is still in Sunnyvale.
bye, Sumit
On Fri, 2016-10-28 at 16:52 +0200, Sumit Bose wrote:
I'm not sure what you think might be wrong here? The client site name should not change even if a server from a different site is queried. So even if the server is in the site Sweden the client is still in Sunnyvale.
The other way around: the site is Sweden and the server is in Sunnyvale. Why is the server in Sweden not chosen?
Jocke
On Fri, Oct 28, 2016 at 03:20:35PM +0000, Joakim Tjernlund wrote:
The other way around: the site is Sweden and the server is in Sunnyvale. Why is the server in Sweden not chosen?
Both SV-DC01.infinera.com (from the adcli output) and se-dc01.infinera.com (from the NetLogon reply) say the site is Sunnyvale, maybe this is the default site?
adcli will take the response from the first server that replied, if it is from the same site as the client. If not, it will wait for another reply. This is what you see in the output. The first server that replied, se-dc01, is in a different site (Sweden vs Sunnyvale), so adcli waits and the second reply, from sv-dc01, is taken. If all servers replied or a timeout of 15s has passed and no DC from the same site replied, adcli will pick the first proper reply.
HTH
bye, Sumit
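Added example (not code from the thread, adcli or SSSD): a Python decoder for the NetLogon blob Sumit describes earlier in the thread, run over the base64 reply se-dc01 returned, followed by the site-preference rule he gives above for picking a DC. The field layout and DS_FLAG bit names follow MS-ADTS; the dictionary keys, choose_dc and its reply records are my own.

```python
import base64
import struct
# NETLOGON_SAM_LOGON_RESPONSE_EX blob (MS-ADTS) that se-dc01.infinera.com returned in the thread.
SE_DC01_BLOB = ("FwAAAHwxAACMaRc/i2sHQZC6zHfuHI3SCGluZmluZXJhA2NvbQDAGAdzZS1kYzAxwBgI"
                "SU5GSU5FUkEAB1NFLURDMDEAAAZTd2VkZW4ACVN1bm55dmFsZQAFAAAA/////w==")
# DS_FLAG bits (MS-ADTS), named the way adcli prints them in domain-controller-flags.
DS_FLAGS = {0x1: "pdc", 0x4: "gc", 0x8: "ldap", 0x10: "ds", 0x20: "kdc", 0x40: "timeserv",
            0x80: "closest", 0x100: "writable", 0x200: "good-timeserv", 0x400: "ndnc",
            0x800: "select-secret", 0x1000: "full-secret", 0x2000: "ads-web", 0x4000: "ds-8"}

def read_name(buf, pos, max_hops=16):
    """Read one RFC 1035 compressed name at pos; return (name, position after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = buf[pos]
        if length & 0xC0 == 0xC0:            # 2-byte pointer back into the buffer
            hops += 1
            if hops > max_hops:              # malformed reply: refuse pointer loops
                raise ValueError("compression pointer loop")
            if end is None:
                end = pos + 2                # the name ends after its first pointer
            pos = struct.unpack_from(">H", buf, pos)[0] & 0x3FFF
            continue
        pos += 1
        if length == 0:
            return ".".join(labels), (end if end is not None else pos)
        labels.append(buf[pos:pos + length].decode("utf-8"))
        pos += length

def parse_netlogon(b64):
    buf = base64.b64decode(b64)
    opcode, flags = struct.unpack_from("<HxxI", buf, 0)   # Opcode, Sbz (skipped), Flags
    if opcode != 0x17:
        raise ValueError("opcode %#x is not LOGON_SAM_LOGON_RESPONSE_EX" % opcode)
    pos, out = 24, {}                        # 8 header bytes + 16-byte DomainGuid
    for key in ("forest", "domain", "dc_host", "nb_domain", "nb_host",
                "user", "dc_site", "client_site"):
        out[key], pos = read_name(buf, pos)
    # DcSockAddr / NextClosestSiteName appear only when the request asked for them;
    # NtVer=\06\00\00\00 (V1|V5EX) did not, so NtVersion and the tokens follow directly.
    out["nt_version"], out["lm_nt_token"], out["lm20_token"] = struct.unpack_from("<IHH", buf, pos)
    out["flags"] = [name for bit, name in sorted(DS_FLAGS.items()) if flags & bit]
    return out

def choose_dc(replies, client_site, timeout=15.0):
    """Thread rule: first reply from the client's own site wins; otherwise, once all replied or the timeout passed, the first reply."""
    for arrived_at, reply in replies:
        if arrived_at <= timeout and reply["dc_site"] == client_site:
            return reply["dc_host"]
    return replies[0][1]["dc_host"] if replies else None
```

Decoding the blob from the thread gives dc_site Sweden, client_site Sunnyvale and no "closest" flag, which is exactly why adcli waited for SV-DC01 instead of taking se-dc01's earlier reply.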