On (30/06/15 14:19), Ondrej Valousek wrote:
Hi List,
I am just trying to run sssd on Ubuntu 14.04 and it seems to be unable to detect the
proper AD site it belongs to.
The thing is, that in order to detect the proper site, it needs to connect to some
(random) AD controller first.
In our scenario, the box is only allowed to connect to the controller that belongs to the
current AD site. Everything else is blocked by the firewall.
Just for the record, Ubuntu 14.04 contains 1.11.5-1ubuntu3
You can find the design page for Active Directory's DNS sites
here:
https://fedorahosted.org/sssd/wiki/DesignDocs/ActiveDirectoryDNSSites
I hope it will help you understand how it should work, and if there is a bug
then you can file a ticket with more info.
BTW this feature was implemented as part of sssd-1.10
So what happens is:
1. SSSD starts
2. DNS SRV lookup for the DNS domain discovers 15 domain controllers
3. SSSD randomly tries to connect to a couple of them - one by one
4. If we are unlucky, none of the first 1-2 controllers found belongs to the current
site
5. SSSD bails out with timeout, marking the whole AD backend offline
The solution would probably be to connect all of them at once or extend the timeout after
each attempt.
What do you think?
Ondrej
LS
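The discovery sequence Ondrej lists above (forest-wide SRV lookup, a few sequential connection attempts, each eating the timeout when the firewall drops the packets, then the backend goes offline) can be reproduced offline with a small model. The code below is an added illustration, not SSSD's own code; it models the 15 domain controllers, the firewall and the per-attempt timeout with constructed data and a simulated clock, and contrasts the forest-wide SRV name `_ldap._tcp.dc._msdcs.<domain>` with the site-scoped name `_ldap._tcp.<site>._sites.dc._msdcs.<domain>` that Active Directory publishes per site. The domain name, site names, DC hostnames, timeouts and the `REACHABLE` set are all assumptions made for the example.

```python
"""Model of AD domain-controller discovery over DNS SRV records (constructed data).

Shows why "pick a couple of the 15 DCs at random and try them one by one"
fails most of the time when the firewall only allows the DCs of the local
site, and why a site-scoped SRV query (or trying every DC) does not.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


# --- constructed environment -------------------------------------------------
DOMAIN = "example.test"                 # assumed AD DNS domain
LOCAL_SITE = "prague"                   # assumed site of the Ubuntu box
SITES = {"prague": 3, "london": 4, "boston": 4, "tokyo": 4}   # 15 DCs in total


def _dc_name(site: str, n: int) -> str:
    return f"dc{n:02d}.{site}.{DOMAIN}"


def forest_srv_name(domain: str) -> str:
    """Forest-wide DC record name used by a client that does not know its site yet."""
    return f"_ldap._tcp.dc._msdcs.{domain}"


def site_srv_name(site: str, domain: str) -> str:
    """Site-scoped DC record name; only DCs that cover this site are registered here."""
    return f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}"


# A stand-in for the DNS zone: AD registers every DC with priority 0, weight 100.
_ZONE = {forest_srv_name(DOMAIN): [], **{site_srv_name(s, DOMAIN): [] for s in SITES}}
for _site, _count in SITES.items():
    for _n in range(1, _count + 1):
        _rec = SrvRecord(0, 100, 389, _dc_name(_site, _n))
        _ZONE[forest_srv_name(DOMAIN)].append(_rec)
        _ZONE[site_srv_name(_site, DOMAIN)].append(_rec)

# The firewall in the thread: only DCs of the local site accept connections.
REACHABLE = frozenset(_dc_name(LOCAL_SITE, n) for n in range(1, SITES[LOCAL_SITE] + 1))


def lookup_srv(name: str) -> list[SrvRecord]:
    """Constructed SRV resolver; an empty answer models NXDOMAIN."""
    return list(_ZONE.get(name, []))


def rfc2782_order(records: list[SrvRecord], rng: random.Random) -> list[SrvRecord]:
    """Order records as RFC 2782 prescribes: by priority, weighted-random within it."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        rng.shuffle(pool)                     # zero-weight records still get random order
        while pool:
            total = sum(r.weight for r in pool)
            threshold = rng.random() * total
            acc, chosen = 0, pool[-1]
            for r in pool:
                acc += r.weight
                if acc >= threshold:
                    chosen = r
                    break
            ordered.append(chosen)
            pool.remove(chosen)
    return ordered


def discover(srv_name: str, reachable: frozenset, max_attempts: int,
             attempt_timeout: float, total_timeout: float, seed: int):
    """Try DCs one by one, as the thread describes.

    Returns (dc_or_None, simulated_seconds_spent, attempts_made).  A DC behind
    the firewall costs the full attempt_timeout (dropped SYN -> connect timeout).
    """
    rng = random.Random(seed)
    elapsed, tried = 0.0, 0
    for rec in rfc2782_order(lookup_srv(srv_name), rng):
        if tried >= max_attempts or elapsed >= total_timeout:
            break
        tried += 1
        if rec.target in reachable:
            elapsed += 0.05                   # assumed cost of a successful LDAP connect
            return rec.target, elapsed, tried
        elapsed += attempt_timeout
    return None, elapsed, tried


def failure_rate(srv_name: str, reachable: frozenset, max_attempts: int,
                 attempt_timeout: float, total_timeout: float, trials: int) -> float:
    """Fraction of runs (over different random orderings) that end with no DC."""
    failures = sum(
        discover(srv_name, reachable, max_attempts, attempt_timeout, total_timeout, s)[0] is None
        for s in range(trials))
    return failures / trials


if __name__ == "__main__":
    forest, site = forest_srv_name(DOMAIN), site_srv_name(LOCAL_SITE, DOMAIN)
    print("forest SRV, 2 attempts, 6s each:", failure_rate(forest, REACHABLE, 2, 6.0, 10.0, 300))
    print("forest SRV, all 15 attempts:    ", failure_rate(forest, REACHABLE, 15, 6.0, 120.0, 300))
    print("site SRV, 2 attempts:           ", failure_rate(site, REACHABLE, 2, 6.0, 10.0, 300))
    print("worst case, all 15 sequential:  ", discover(forest, REACHABLE, 15, 6.0, 120.0, 7))
```

With 3 of 15 DCs reachable and two sequential attempts, a run fails whenever both picks land on blocked DCs, which is 12/15 × 11/14, roughly 63% of the time, matching the "if we are unlucky" case in the thread. Trying all 15 always succeeds but can spend up to 12 × 6 s before the first working DC is found, which is the "extend the timeout" trade-off; the site-scoped record never fails and never waits, which is why knowing the site before choosing a DC matters.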