On Mon, 2016-08-29 at 09:52 +0200, Sumit Bose wrote:
> On Mon, Aug 29, 2016 at 07:20:33AM +0000, Joakim Tjernlund wrote:
> >
> > On Mon, 2016-08-29 at 06:55 +0000, Ondrej Valousek wrote:
> > >
> > > Looks like adcli was unable to detect your site - you found a bug in adcli.
> > > O.
> >
> > # > adcli info infinera.com
> > [domain]
> > domain-name = infinera.com
> > domain-short = INFINERA
> > domain-forest = infinera.com
> > domain-controller = se-dc01.infinera.com
> > domain-controller-site = Sweden
> > domain-controller-flags = gc ldap ds kdc timeserv writable full-secret ads-web
> > domain-controller-usable = maybe
> > domain-controllers = se-dc01.infinera.com SV-DC01.infinera.com pa-dc02.infinera.com md-dc02.infinera.com in-dc01.infinera.com in-dc02.infinera.com se-dc02.infinera.com ch-dc02.infinera.com sv-dc04.infinera.com pa-dc01.infinera.com md-dc01.infinera.com sv-dc02.infinera.com sv-dc03.infinera.com uk-dc01.infinera.com
> > [computer]
> > computer-site =
> >
> > So it seems computer-site above is empty and domain-controller-usable = maybe looks odd too.
> > I think it could be caused by our DNS server but I don't know what to look for
>
> The site discovery is not related to DNS. adcli (and btw SSSD as well)
> run a LDAP search like:
>
> ldapsearch -H cldap://se-dc01.infinera.com -b '' -s base "(&(DnsDomain=infinera.com)(NtVer=\06\00\00\00))" NetLogon
>
> The result is a base64 encoded blob which contains various data about
> the domain. This data might include the site of the client but it might
> be empty if the AD server cannot determine to which site the client
> belongs. Please note that the only information the AD server gets from
> the client is the IP address.
>
> But I agree with Ondrej that this should be fixed in adcli. If the
> client site is not available or empty a site aware DNS lookup should not
> be tried.
>
> Nevertheless I would like to ask you to send me the base64 output of the
> ldapsearch command from above so that I can check if e.g. the blob is in
> a format adcli currently does not expect.
>
> bye,
> Sumit
This is still odd (patch from https://bugs.freedesktop.org/show_bug.cgi?id=98143 added):
#> adcli info -v infinera.com
* Discovering domain controllers: _ldap._tcp.infinera.com
* Sending netlogon pings to domain controller: cldap://10.210.34.21
* Sending netlogon pings to domain controller: cldap://10.220.32.14
* Sending netlogon pings to domain controller: cldap://10.120.2.22
* Sending netlogon pings to domain controller: cldap://10.120.2.21
* Sending netlogon pings to domain controller: cldap://10.100.98.21
* Received NetLogon info from: se-dc01.infinera.com
* Received NetLogon info from: SV-DC01.infinera.com
[domain]
domain-name = infinera.com
domain-short = INFINERA
domain-forest = infinera.com
domain-controller = SV-DC01.infinera.com
domain-controller-site = Sunnyvale
domain-controller-flags = gc ldap ds kdc timeserv closest writable full-secret ads-web
domain-controller-usable = yes
domain-controllers = SV-DC01.infinera.com se-dc01.infinera.com ch-dc02.infinera.com md-dc02.infinera.com md-dc01.infinera.com sv-dc04.infinera.com pa-dc01.infinera.com in-dc01.infinera.com sv-dc02.infinera.com uk-dc01.infinera.com in-dc02.infinera.com pa-dc02.infinera.com se-dc02.infinera.com sv-dc03.infinera.com
[computer]
computer-site = Sunnyvale
It still answers with Sunnyvale even though se-dc01 answers first.
LDAP search returns:
ldapsearch -LLL -o ldif-wrap=no -H cldap://se-dc01.infinera.com -b '' -s base "(&(DnsDomain=infinera.com)(NtVer=\06\00\00\00))" NetLogon
dn:
netlogon:: FwAAAHwxAACMaRc/i2sHQZC6zHfuHI3SCGluZmluZXJhA2NvbQDAGAdzZS1kYzAxwBgISU5GSU5FUkEAB1NFLURDMDEAAAZTd2VkZW4ACVN1bm55dmFsZQAFAAAA/////w==
I'm not sure what you think might be wrong here? The client site name
should not change even if a server from a different site is queried. So
even if the server is in the site Sweden the client is still in
Sunnyvale.
bye,
Sumit
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
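As an added example (not code from this thread, from adcli or from SSSD), here is a Python decoder for the NetLogon blob Sumit asked for, run on the exact value Joakim pasted above: it shows that the server-side site is Sweden while the client site field is Sunnyvale, which is what Sumit's last reply explains. The flag names follow what adcli prints on this page plus the DS_*_FLAG bits documented in MS-ADTS; the names for bits not shown on this page are assumed, and `site_srv_name` is a hypothetical helper illustrating Sumit's point that a site-aware DNS lookup should only be attempted when the client site is non-empty.

```python
import base64
import struct

# DS_*_FLAG bits (MS-ADTS 6.3.1.2) with the names adcli prints; names not seen on this page are assumed.
FLAG_NAMES = [
    (0x0001, "pdc"), (0x0004, "gc"), (0x0008, "ldap"), (0x0010, "ds"),
    (0x0020, "kdc"), (0x0040, "timeserv"), (0x0080, "closest"),
    (0x0100, "writable"), (0x0200, "good-timeserv"), (0x0400, "ndnc"),
    (0x0800, "select-secret"), (0x1000, "full-secret"), (0x2000, "ads-web"),
]

# The NetLogon value quoted in this thread (se-dc01 answering a client located in Sunnyvale).
NETLOGON_BLOB = ("FwAAAHwxAACMaRc/i2sHQZC6zHfuHI3SCGluZmluZXJhA2NvbQDAGAdzZS1kYzAxwBgI"
                 "SU5GSU5FUkEAB1NFLURDMDEAAAZTd2VkZW4ACVN1bm55dmFsZQAFAAAA/////w==")

def read_name(buf, pos):
    """Read an RFC 1035 compressed name; return (dotted name, offset after the field)."""
    labels, end, jumped = [], pos, False
    while True:
        length = buf[pos]
        if (length & 0xC0) == 0xC0:       # 2-byte pointer, relative to the start of the blob
            if not jumped:
                end = pos + 2             # the field ends right after the first pointer
            pos = ((length & 0x3F) << 8) | buf[pos + 1]
            jumped = True
        elif length == 0:                 # terminating label
            return ".".join(labels), (end if jumped else pos + 1)
        else:
            labels.append(buf[pos + 1:pos + 1 + length].decode("utf-8"))
            pos += 1 + length

def parse_netlogon(b64):
    """Decode a NETLOGON_SAM_LOGON_RESPONSE_EX blob (MS-ADTS 6.3.1.9) into a dict."""
    buf = base64.b64decode(b64)
    opcode, _sbz, flags = struct.unpack_from("<HHI", buf, 0)
    if opcode != 0x17:                    # LOGON_SAM_LOGON_RESPONSE_EX
        raise ValueError("unexpected NetLogon opcode 0x%x" % opcode)
    info = {"flags": [name for bit, name in FLAG_NAMES if flags & bit]}
    pos = 24                              # past opcode, sbz, flags and the 16-byte DomainGuid
    for field in ("forest", "domain", "dc_host", "netbios_domain",
                  "netbios_dc", "user", "dc_site", "client_site"):
        info[field], pos = read_name(buf, pos)
    info["nt_version"] = struct.unpack_from("<I", buf, pos)[0]
    return info

def site_srv_name(info):
    """Site-aware SRV name to query, or None when the DC reported no client site (hypothetical helper)."""
    if not info["client_site"]:
        return None
    return "_ldap._tcp.%s._sites.%s" % (info["client_site"], info["domain"])
```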