Hi List,
I am just trying to run sssd on Ubuntu 14.04 and it seems to be unable to detect the proper AD site it belongs to. The thing is that, in order to detect the proper site, it needs to connect to some (random) AD controller first. In our scenario, the box is only allowed to connect to the controller that belongs to the current AD site. Everything else is blocked by the firewall.
So what happens is:
1. Sssd starts
2. DNS SRV lookup for the DNS domain discovers 15 domain controllers
3. SSSD randomly tries to connect to a couple of them - one by one
4. If we are unlucky, none of the first 1-2 controllers found belongs to the current site
5. SSSD bails out with a timeout, marking the whole AD backend offline
The solution would probably be to connect all of them at once or extend the timeout after each attempt. What do you think?
Ondrej
-----
The information contained in this e-mail and in any attachments is confidential and is designated solely for the attention of the intended recipient(s). If you are not an intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s). Please direct any additional queries to: communications@s3group.com. Thank You. Silicon and Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office: South County Business Park, Leopardstown, Dublin 18.
On (30/06/15 14:19), Ondrej Valousek wrote:
> Hi List,
> I am just trying to run sssd on Ubuntu 14.04 and it seems to be unable to detect the proper AD site it belongs to. The thing is that, in order to detect the proper site, it needs to connect to some (random) AD controller first. In our scenario, the box is only allowed to connect to the controller that belongs to the current AD site. Everything else is blocked by the firewall.
Just for the record, Ubuntu 14.04 contains 1.11.5-1ubuntu3.
You can find the design page for Active Directory's DNS sites here: https://fedorahosted.org/sssd/wiki/DesignDocs/ActiveDirectoryDNSSites I hope it will help you understand how it should work, and if there is a bug then you can file a ticket with more info.
BTW, this feature was implemented as part of sssd-1.10.
LS
OK, on that page you talk about several timeouts. How do I configure the timeout for the LDAP ping to a single AD controller, and the overall timeout?
It is not clear from the page or from the sssd-ldap manual entry.
Thanks,
Ondrej
-----Original Message-----
From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Lukas Slebodnik
Sent: 30 June 2015 17:11
To: End-user discussions about the System Security Services Daemon
Subject: Re: [SSSD-users] AD site recognition with sssd version 1.11.5
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
Hello Ondrej,
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/htm...
Section 2.3.3 discusses SSSD, AD and sites.
If you have configured DNS sites in AD, then you should be getting back a primary and backup DC for your site.
Best,
Frank
Hi Frank,
Yes, I know – I have them configured. The trick is that, in order to detect the site, SSSD first needs to connect to some DC. The issue is documented here: https://fedorahosted.org/sssd/ticket/2702
Ondrej
From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Frank Pikelner
Sent: 02 July 2015 17:00
To: End-user discussions about the System Security Services Daemon
Subject: Re: [SSSD-users] AD site recognition with sssd version 1.11.5
Ondrej,
If you are able to upgrade to sssd version 1.12.5, it includes the ability to specify your site (so no need to discover). A repository for Ubuntu 14.04 for 1.12.5 is available.
https://jhrozek.fedorapeople.org/sssd/1.12.5/man/sssd-ad.5.html
    ad_site = your_site_name
    ad_enable_dns_sites = false
    # dns_discovery_domain = domain.com
    ad_server = dc1.domain.com, dc2.domain.com
Would this work in your case?
Frank
Hi Frank,
Yes, that would work, indeed. The thing is that it would cripple roaming users who travel between sites. But thanks for the hint anyway.
Ondrej
From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Frank Pikelner
Sent: 02 July 2015 19:54
To: End-user discussions about the System Security Services Daemon
Subject: Re: [SSSD-users] AD site recognition with sssd version 1.11.5
On Fri, Jul 03, 2015 at 08:15:47AM +0000, Ondrej Valousek wrote:
> Hi Frank,
> Yes, that would work, indeed. The thing is that it would cripple roaming users who travel between sites. But thanks for the hint anyway.
I don't really have time to do many tests right now, but I would suggest the DNS timeout:
    dns_resolver_timeout
and the LDAP timeouts:
    ldap_search_timeout
    ldap_network_timeout
    ldap_opt_timeout
BTW, the defaults are already 6 seconds, which is quite high. Are you sure you're hitting timeouts?
Yes, definitely hitting the timeout - our firewall is configured to drop the traffic rather than reject it. Will try to configure it for reject - that could do the job.
Ondrej
-----Original Message-----
From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Jakub Hrozek
Sent: 03 July 2015 10:55
To: sssd-users@lists.fedorahosted.org
Subject: Re: [SSSD-users] AD site recognition with sssd version 1.11.5
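As an added example for two points in this thread (the sequential "try one DC, wait for the timeout, try the next" behaviour Ondrej describes in his first message, and his closing observation that a firewall that drops rather than rejects is what makes each attempt run to the full timeout), the script below is not SSSD code and is not from anyone on the list. It builds the AD SRV record names a site-aware client would query, then probes the LDAP port of each DC in turn with the 6-second value Jakub quotes as the default, and classifies every failure so that a silently dropped connection (full timeout) is distinguishable from an active reject (immediate refusal). The host names and the per-host behaviour table are constructed, and `fake_connector` stands in for `socket.create_connection` so the example runs offline.

```python
"""Probe the LDAP port of a list of domain controllers one at a time and
classify each failure, so that firewall DROP (silent timeout) can be told
apart from REJECT (immediate refusal). Added example for this thread; it is
not SSSD code. Host names and per-host behaviours used below are constructed."""
import socket
import sys
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

LDAP_PORT = 389
DEFAULT_TIMEOUT = 6.0  # the SSSD default quoted in the thread

Connector = Callable[..., object]


def srv_names(domain: str, site: Optional[str] = None) -> List[str]:
    """SRV record names that AD publishes for LDAP on domain controllers.

    The site-scoped record comes first when a site is known, because a
    site-aware client should query it before the domain-wide record."""
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
    names.append(f"_ldap._tcp.dc._msdcs.{domain}")
    return names


def classify(exc: OSError) -> str:
    """Map a connect() error to its likely cause."""
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"       # packets silently dropped: firewall DROP or black hole
    if isinstance(exc, ConnectionRefusedError):
        return "refused"       # something answered: firewall REJECT or port closed
    if isinstance(exc, socket.gaierror):
        return "unresolvable"  # DNS could not resolve the host name
    return "unreachable"       # e.g. no route to host / network unreachable


@dataclass
class ProbeResult:
    host: str
    outcome: str   # "ok", "timeout", "refused", "unresolvable" or "unreachable"
    seconds: float


def probe(host: str, port: int = LDAP_PORT, timeout: float = DEFAULT_TIMEOUT,
          connector: Connector = socket.create_connection) -> ProbeResult:
    """Attempt one TCP connection and record the outcome and elapsed time."""
    start = time.monotonic()
    try:
        conn = connector((host, port), timeout=timeout)
        conn.close()
        outcome = "ok"
    except OSError as exc:
        outcome = classify(exc)
    return ProbeResult(host, outcome, time.monotonic() - start)


def probe_sequentially(hosts: List[str], timeout: float = DEFAULT_TIMEOUT,
                       connector: Connector = socket.create_connection) -> List[ProbeResult]:
    """Try the hosts one after another, the pattern described in the thread:
    every dropped host costs a full timeout before the next one is tried."""
    return [probe(h, timeout=timeout, connector=connector) for h in hosts]


def summarize(results: List[ProbeResult]) -> Dict[str, object]:
    """Group hosts by outcome and add up the time the sequential scan took."""
    by_outcome: Dict[str, List[str]] = {}
    for r in results:
        by_outcome.setdefault(r.outcome, []).append(r.host)
    return {"by_outcome": by_outcome,
            "total_seconds": round(sum(r.seconds for r in results), 3)}


def fake_connector(behaviour: Dict[str, str]) -> Connector:
    """Constructed stand-in for socket.create_connection so the example runs
    offline: 'behaviour' maps host -> one of the outcome strings above."""
    class _Conn:
        def close(self) -> None:
            pass

    def _connect(address, timeout=None):
        kind = behaviour.get(address[0], "unreachable")
        if kind == "ok":
            return _Conn()
        if kind == "timeout":
            raise socket.timeout("timed out")
        if kind == "refused":
            raise ConnectionRefusedError(111, "Connection refused")
        if kind == "unresolvable":
            raise socket.gaierror(-2, "Name or service not known")
        raise OSError(113, "No route to host")
    return _connect


if __name__ == "__main__":
    # Real probe: python probe_dcs.py dc1.example.test dc2.example.test ...
    for r in probe_sequentially(sys.argv[1:]):
        print(f"{r.host:40s} {r.outcome:12s} {r.seconds:6.2f}s")
```

Run against the real DC list to see how much of the total is spent waiting on hosts whose traffic is dropped; the same scan against a firewall that rejects finishes in milliseconds per host, which is the effect Ondrej is hoping for from switching the rule to reject. The `summarize` output also makes it obvious which DCs are reachable from the current site before any SSSD timeout is tuned.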