[Freeipa-users] Re: Lookups for trust uses fails if member of group that has a user with same name, returned more than one object.

2019-04-15 Thread Henrik Johansson via FreeIPA-users


> On 14 Apr 2019, at 08:54, Alexander Bokovoy via FreeIPA-users 
>  wrote:
> 
>> 
>> It does work on the FreeIPA server all the time but fails on clients,
>> if I lookup the conflicting group before the use on the client it also
>> works.
> This is SSSD-specific issue. Sometimes it doesn't have enough
> information to deduce what is being looked up -- a group or a user and
> has to ask for either. Perhaps, it might be optimized to check whether
> there are two results returned and they are of different nature, as
> opposed to multiple results of the same nature returned which clearly
> would be a wrong result.
> 
> Maybe you can open a bug against SSSD?

Thank you, this leaves us with the same restrictions with one namespace for 
users and groups on the IPA side as in Windows and will prevent our migration. 
I will have a bug filed against SSSD but I guess it will take some time to get 
this fixed.

Regards
Henrik


___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


[Freeipa-users] Re: Deployment without CA

2018-11-01 Thread Henrik Johansson via FreeIPA-users

> On 1 Nov 2018, at 10:39, Alexander Bokovoy  wrote:
> 
>> Thanks, you mean the UPN: kbtgt/domain@domainn.net part?
>> 
>> We have an internal CA, I guess I’ll try to generate a CSR with
>> certutil and submit it. It will be quite a few UPN/SAN if I want one
>> certificate for all servers for LDAP/HTTP and PKINIT respectively.
>> Maybe have two per servers and a common name for a load balancer in
>> each certificate, this is really not my area of expertise, it was so
>> much easier with the provided CA in IPA :)
> If you have an internal CA, it would be much easier to get that CA to
> sign IPA CA as a sub-CA. Then clients will trust IPA CA-issued
> certificates if they trust internal CA already.

I would love to but they are not very keen on giving me a sub-CA and if they do 
they want me to always throw the keys into HSMs which I don’t have.

This does not seem like a common configuration, maybe I will create a 
temporary CA that I control to find out exactly how the requests should look, 
otherwise there will be trial and error with real certificates and wait times 
for every certificate.

Thanks
Henrik
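
The rehearsal described in this message, a temporary CA used to find out how a request with several SANs should look before the real CA is involved, could be scripted as follows. This is an added example, not part of the original message or FreeIPA's own tooling; the hostnames, file names and CA subject are constructed, and it covers only a TLS server certificate of the kind used for LDAP/HTTP.

```sh
# Added example: rehearse a CA-less certificate request against a throwaway CA.
# Hostnames, file names and the "Rehearsal CA" subject are constructed.
set -eu

# rehearse_csr DIR CN [EXTRA_DNS_NAME...] -> writes ca.* and server.* into DIR
rehearse_csr() (
    dir=$1; cn=$2; shift 2
    san="DNS:$cn"
    for h in "$@"; do san="$san,DNS:$h"; done

    cat > "$dir/openssl.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden-by-subj
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[srv_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $san
EOF

    # 1. Throwaway CA standing in for the internal CA (7 days, test use only).
    openssl req -x509 -config "$dir/openssl.cnf" -extensions ca_ext \
        -newkey rsa:2048 -nodes -days 7 -subj "/O=REHEARSAL/CN=Rehearsal CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null &&
    # 2. Server key and CSR carrying every name clients will connect to.
    openssl req -new -config "$dir/openssl.cnf" -reqexts srv_ext \
        -newkey rsa:2048 -nodes -subj "/O=REHEARSAL/CN=$cn" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null &&
    # 3. Sign it. "x509 -req" does not copy CSR extensions by default, so the
    #    SANs are applied from the config; a real CA may likewise alter them.
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 7 \
        -extfile "$dir/openssl.cnf" -extensions srv_ext \
        -out "$dir/server.crt" 2>/dev/null
)

# SAN list as it appears in the issued certificate (what clients actually check).
issued_sans() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# True when the private key (arg 1) belongs to the certificate (arg 2).
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout | openssl sha256)" = \
      "$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)" ]
}

# True when the certificate (arg 2) chains to the CA file (arg 1).
chains_to() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Demo with constructed names: two replicas plus a load-balancer alias.
work=$(mktemp -d)
rehearse_csr "$work" ipa1.idm.example.test ipa2.idm.example.test ipa.idm.example.test
issued_sans "$work/server.crt"
key_matches_cert "$work/server.key" "$work/server.crt" &&
    chains_to "$work/ca.crt" "$work/server.crt" &&
    echo "key, certificate and chain are consistent"
rm -rf "$work"
```

A PKINIT (KDC) certificate needs additional Kerberos-specific extensions and is not covered by this rehearsal.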


[Freeipa-users] Re: Deployment without CA

2018-10-31 Thread Henrik Johansson via FreeIPA-users


> On 31 Oct 2018, at 13:27, Andrey Bondarenko via FreeIPA-users 
>  wrote:
> 
> It would create CSR for you on install.

When are they generated? I know it does that when configuring IPA as a sub-CA 
with "--external-ca", but without any CA I am supposed to specify the 
certificates when running ipa-server-install?

"You must request these certificates from a third-party authority prior to the 
installation:
An LDAP server certificate and a private key

An Apache server certificate and a private key

Full CA certificate chain of the CA that issued the LDAP and Apache server 
certificates”


And the only options related to this seem to be the ones specifying the 
location of the certificates to use?

Thanks
Henrik


[Freeipa-users] Deployment without CA

2018-10-31 Thread Henrik Johansson via FreeIPA-users
Hello,

I am looking at using FreeIPA without CA, using external signed certificates, 
reading the documentation it looks possible using --dirsrv-cert-file, 
--http-cert-file and --pkinit-cert-file. Should I just create a CSR for the 
hostname by hand and get it signed? Also is there any good reason for having 
different certs for http, ldap and pkinit? Can I just use one certificate for 
all services and for all servers and replicas using Subject Alternative Names?

Regards
Henrik


[Freeipa-users] Extending schema

2018-09-13 Thread Henrik Johansson via FreeIPA-users
Hi,

I am going to migrate an existing environment to FreeIPA 4.5. The current LDAP 
has a few site-specific attributes and I have been trying to figure out how I 
add these in an easy way that also keeps them when upgrading etc.

I was thinking that making them optional would allow us to add them without 
expanding the IPA web-interface. But which is the best way to place the 
additional LDIF file for extending the schema, I have read different locations 
and some documentation points to using ldapmodify directly and most of the stuff 
I find regarding this is from 2014 or earlier so I’m unsure if it’s still 
relevant.

I would like to add something like this to all users:

dn: cn=schema
changetype: modify
add: attributetypes
attributeTypes: ( OurUserType-oid NAME 'OurUserType' DESC 'Specifies account type: user / sys' SYNTAX IA5String SINGLE-VALUE )
attributeTypes: ( OurSysOwner-oid NAME 'OurSysOwner' DESC 'Owner of Sys account / Roles' SYNTAX IA5String SINGLE-VALUE )
-
add: objectclasses
objectclasses: ( ourUserSpec-oid NAME 'ourUserSpec' SUP top AUXILIARY DESC 'Holds user-specific attr' MAY ( ourUserType $ OurSysOwner ) )

Should this be located under /usr/share/ipa/updates, /usr/share/ipa/schema.d or 
should it be added in some other place?

I want to be able to set the attributes while creating users, user-add … 
--setattr ourUserType="usertype1" ….

Regards
Henrik


[Freeipa-users] Re: Unable to use externa groups or users, truster domain object not found

2017-12-15 Thread Henrik Johansson via FreeIPA-users


> On 13 Dec 2017, at 15:03, Jakub Hrozek via FreeIPA-users 
> <freeipa-users@lists.fedorahosted.org> wrote:
> 
> On Mon, Dec 11, 2017 at 10:47:44PM +0200, Alexander Bokovoy wrote:
>> On ma, 11 joulu 2017, Henrik Johansson via FreeIPA-users wrote:
>>> 
>>> 
>>>> On 11 Dec 2017, at 16:04, Alexander Bokovoy via FreeIPA-users 
>>>> <freeipa-users@lists.fedorahosted.org> wrote:
>>>> 
>>>> On ma, 11 joulu 2017, Henrik Johansson via FreeIPA-users wrote:
>>>>> Hi again,
>>>>> 
>>>>> I have generated debug, both in samba and in sssd and attached the log 
>>>>> files. From what I can see from the sssd-logfile we are talking to the AD 
>>>>> domain but do not find any groups? The rest of the debug files are 
>>>>> from the whole session including the trust-add. If you could have a quick 
>>>>> look at it I would be grateful since I'm pretty much stuck here.
>>>>> 
>>>>> Terminal output:
>>>>> # ipa -v trust-add --type=ad ad.test.net --admin aduser
>>>>> ipa: INFO: trying https://ipaserver.idm.test.net/ipa/session/json
>>>>> ipa: INFO: [try 1]: Forwarding 'schema' to json server 
>>>>> 'https://ipaserver.idm.test.net/ipa/session/json'
>>>>> ipa: INFO: trying https://ipaserver.idm.test.net/ipa/session/json
>>>>> Active Directory domain administrator's password:
>>>>> ipa: INFO: [try 1]: Forwarding 'trust_add/1' to json server 
>>>>> 'https://ipaserver.idm.test.net/ipa/session/json'
>>>>> -
>>>>> Added Active Directory trust for realm "ad.test.net"
>>>>> -
>>>>> Realm name: ad.test.net
>>>>> Domain NetBIOS name: AD
>>>>> Domain Security Identifier: S-1-6-42-491525448-2008367481-725548543
>>>>> Trust direction: Trusting forest
>>>>> Trust type: Active Directory domain
>>>>> Trust status: Established and verified
>>>>> 
>>>>> # ipa trust-fetch-domains ad.test.net
>>>>> 
>>>>> List of trust domains successfully refreshed. Use trustdomain-find 
>>>>> command to list them.
>>>>> 
>>>>> 
>>>>> Number of entries returned 0
>>>>> 
>>>>> [root@ipaserver samba]# ipa trustdomain-find ad.test.net
>>>>> Domain name: ad.test.net
>>>>> Domain NetBIOS name: AD
>>>>> Domain Security Identifier: S-1-6-42-491525448-2008367481-725548543
>>>>> Domain enabled: True
>>>>> 
>>>>> Domain name: corp.ad.test.net
>>>>> Domain NetBIOS name: CORP
>>>>> Domain Security Identifier: S-1-6-42-2417082233-1637723082-1916539915
>>>>> Domain enabled: True
>>>>> 
>>>>> Number of entries returned 2
>>>>> 
>>>>> ]# ipa -v group-add-member ad_users_external --external 'AD\Domain Users'
>>>>> ipa: INFO: trying https://ipaserver.idm.test.net/ipa/session/json
>>>>> [member user]:
>>>>> [member group]:
>>>>> ipa: INFO: [try 1]: Forwarding 'group_add_member/1' to json server 
>>>>> 'https://ipaserver.idm.test.net/ipa/session/json'
>>>>> Group name: ad_users_external
>>>>> Description: AD users external map
>>>>> Failed members:
>>>>>  member user:
>>>>>  member group: AD\Domain Users: trusted domain object not found
>>>>> -
>>>>> Number of members added 0
>>>> 
>>>> Did you try with a different group/user? Because Domain Users is a bit
>>>> special group in AD, it is Domain Global group. Your logs show that a
>>>> search done by SSSD against AD DC does not end up with any 'cn=domain
>>>> users' result.
>>> 
>>> Yes, I’ve tried with a few groups and the user I am using to create the 
>>> trust with, no luck.
>> Is there any additional policy applied on AD side that prevents a TDO to
>> access information about AD users/groups?
>> 
>> Something like 
>> https://li

[Freeipa-users] Re: Unable to use externa groups or users, truster domain object not found

2017-12-11 Thread Henrik Johansson via FreeIPA-users


> On 11 Dec 2017, at 16:04, Alexander Bokovoy via FreeIPA-users 
> <freeipa-users@lists.fedorahosted.org> wrote:
> 
> On ma, 11 joulu 2017, Henrik Johansson via FreeIPA-users wrote:
>> Hi again,
>> 
>> I have generated debug, both in samba and in sssd and attached the log 
>> files. From what I can see from the sssd-logfile we are talking to the AD 
>> domain but do not find any groups? The rest of the debug files are from 
>> the whole session including the trust-add. If you could have a quick look at 
>> it I would be grateful since I'm pretty much stuck here.
>> 
>> Terminal output:
>> # ipa -v trust-add --type=ad ad.test.net --admin aduser
>> ipa: INFO: trying https://ipaserver.idm.test.net/ipa/session/json
>> ipa: INFO: [try 1]: Forwarding 'schema' to json server 
>> 'https://ipaserver.idm.test.net/ipa/session/json'
>> ipa: INFO: trying https://ipaserver.idm.test.net/ipa/session/json
>> Active Directory domain administrator's password:
>> ipa: INFO: [try 1]: Forwarding 'trust_add/1' to json server 
>> 'https://ipaserver.idm.test.net/ipa/session/json'
>> -
>> Added Active Directory trust for realm "ad.test.net"
>> -
>> Realm name: ad.test.net
>> Domain NetBIOS name: AD
>> Domain Security Identifier: S-1-6-42-491525448-2008367481-725548543
>> Trust direction: Trusting forest
>> Trust type: Active Directory domain
>> Trust status: Established and verified
>> 
>> # ipa trust-fetch-domains ad.test.net
>> 
>> List of trust domains successfully refreshed. Use trustdomain-find command 
>> to list them.
>> 
>> 
>> Number of entries returned 0
>> 
>> [root@ipaserver samba]# ipa trustdomain-find ad.test.net
>> Domain name: ad.test.net
>> Domain NetBIOS name: AD
>> Domain Security Identifier: S-1-6-42-491525448-2008367481-725548543
>> Domain enabled: True
>> 
>> Domain name: corp.ad.test.net
>> Domain NetBIOS name: CORP
>> Domain Security Identifier: S-1-6-42-2417082233-1637723082-1916539915
>> Domain enabled: True
>> 
>> Number of entries returned 2
>> 
>> ]# ipa -v group-add-member ad_users_external --external 'AD\Domain Users'
>> ipa: INFO: trying https://ipaserver.idm.test.net/ipa/session/json
>> [member user]:
>> [member group]:
>> ipa: INFO: [try 1]: Forwarding 'group_add_member/1' to json server 
>> 'https://ipaserver.idm.test.net/ipa/session/json'
>> Group name: ad_users_external
>> Description: AD users external map
>> Failed members:
>>   member user:
>>   member group: AD\Domain Users: trusted domain object not found
>> -
>> Number of members added 0
> 
> Did you try with a different group/user? Because Domain Users is a bit
> special group in AD, it is Domain Global group. Your logs show that a
> search done by SSSD against AD DC does not end up with any 'cn=domain
> users' result.

Yes, I’ve tried with a few groups and the user I am using to create the trust 
with, no luck.



[Freeipa-users] Re: Unable to use externa groups or users, truster domain object not found

2017-12-11 Thread Henrik Johansson via FreeIPA-users
Hi again,

I have generated debug, both in samba and in sssd and attached the log 
files. From what I can see from the sssd-logfile we are talking to the AD 
domain but do not find any groups? The rest of the debug files are from 
the whole session including the trust-add. If you could have a quick look at 
it I would be grateful since I'm pretty much stuck here.

Terminal output:
# ipa -v trust-add --type=ad ad.test.net --admin aduser
ipa: INFO: trying https://ipaserver.idm.test.net/ipa/session/json
ipa: INFO: [try 1]: Forwarding 'schema' to json server 'https://ipaserver.idm.test.net/ipa/session/json'
ipa: INFO: trying https://ipaserver.idm.test.net/ipa/session/json
Active Directory domain administrator's password:
ipa: INFO: [try 1]: Forwarding 'trust_add/1' to json server 'https://ipaserver.idm.test.net/ipa/session/json'
-
Added Active Directory trust for realm "ad.test.net"
-
  Realm name: ad.test.net
  Domain NetBIOS name: AD
  Domain Security Identifier: S-1-6-42-491525448-2008367481-725548543
  Trust direction: Trusting forest
  Trust type: Active Directory domain
  Trust status: Established and verified

# ipa trust-fetch-domains ad.test.net
List of trust domains successfully refreshed. Use trustdomain-find command to list them.
Number of entries returned 0

[root@ipaserver samba]# ipa trustdomain-find ad.test.net
  Domain name: ad.test.net
  Domain NetBIOS name: AD
  Domain Security Identifier: S-1-6-42-491525448-2008367481-725548543
  Domain enabled: True

  Domain name: corp.ad.test.net
  Domain NetBIOS name: CORP
  Domain Security Identifier: S-1-6-42-2417082233-1637723082-1916539915
  Domain enabled: True
Number of entries returned 2

]# ipa -v group-add-member ad_users_external --external 'AD\Domain Users'
ipa: INFO: trying https://ipaserver.idm.test.net/ipa/session/json
[member user]:
[member group]:
ipa: INFO: [try 1]: Forwarding 'group_add_member/1' to json server 'https://ipaserver.idm.test.net/ipa/session/json'
  Group name: ad_users_external
  Description: AD users external map
  Failed members:
    member user:
    member group: AD\Domain Users: trusted domain object not found
-
Number of members added 0

ipa-debug.tar.bz2
Description: BZip2 compressed data
Regards
Henrik

> On 3 Dec 2017, at 21:14, Jakub Hrozek wrote:
> 
>> On 1 Dec 2017, at 10:52, Henrik Johansson wrote:
>> 
>> Hi,
>> 
>> Answers below, I found one thing that doesn’t look correct, on another 
>> virtualised test-system I can get a cifs ticket when I am admin on the IPA 
>> server, in this setup it only works if I get tickets from the AD domain 
>> manually first:
>> 
>> [root@ipaserver httpd]# kinit admin
>> Password for ad...@idm.test.net:
>> [root@ipaserver httpd]# klist
>> Ticket cache: KEYRING:persistent:0:0
>> Default principal: ad...@idm.test.net
>> 
>> Valid starting   Expires  Service principal
>> 12/01/2017 10:25:48  12/02/2017 10:25:39  krbtgt/idm.test@idm.test.net
>> [root@ipaserver httpd]# kvno -S cifs adserver.ad2.test.net
>> kvno: Server krbtgt/ad2.test@idm.test.net not found in Kerberos database while getting credentials for cifs/adserver.ad2.test@ad2.test.net
>> [root@ipaserver httpd]# kinit adminu...@ad2.test.net
>> Password for adminu...@ad2.test.net:
>> Warning: Your password will expire in 5 days on Wed 06 Dec 2017 03:20:14 PM CET
>> [root@ipaserver httpd]# kvno -S cifs adserver.ad2.test.net
>> cifs/adserver.ad2.test@ad2.test.net: kvno = 13
>> 
>>> On 27 Nov 2017, at 14:06, Jakub Hrozek via FreeIPA-users wrote:
>>> 
>>> On Tue, Nov 21, 2017 at 01:55:31PM +0100, Henrik Stigendal via FreeIPA-users wrote:
>>>> Hello everyone,
>>>> 
>>>> I’m new to this and am trying to set up a working trust against an AD 
>>>> forest, I seem to have a working trust but when I try to reference 
>>>> external groups (or users) I get:
>>>> 
>>>> # ipa group-add-member ad_users_external --external "AD2\Domain Users"
>>>> [member user]:
>>>> [member group]:
>>>>  Group name: ad_users_external
>>>>  Description: AD users external map
>>>>  Failed members:
>>>>    member user:
>>>>    member group: AD2\Domain Users: trusted domain object not found
>>>> -
>>>> Number of members added 0
>>>> -
>>> 
>>> I think the lookup goes eventually from the ipa command line framework
>>> to SSSD, does lookup through the usual SSSD channels (getent passwd
>>> username@domain) work?
>> 
>> No, that does not work at all.
>> 
>>>> I enabled some logging and last in the mail is the output there from the 
>>>> command above, any suggestions what could cause this? Current version of 
>>>> IPA is 4.5.
>>>> 
>>>> Regards
>>>> Henrik
>>>> 
>>>> Tue Nov 21 13:10:42.675713 2017] [:warn] [pid 38221] [client 192.168.6.82:34714] failed to set perms (3140) on file (/var/run/ipa/ccaches/ad...@idm.test.net)!, referer: 

[Freeipa-users] Re: Unable to use externa groups or users, truster domain object not found

2017-12-01 Thread Henrik Johansson via FreeIPA-users
Hi,

Answers below, I found one thing that doesn’t look correct, on another 
virtualised test-system I can get a cifs ticket when I am admin on the IPA 
server, in this setup it only works if I get tickets from the AD domain 
manually first:

[root@ipaserver httpd]# kinit admin
Password for ad...@idm.test.net:
[root@ipaserver httpd]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: ad...@idm.test.net
 
Valid starting   Expires  Service principal
12/01/2017 10:25:48  12/02/2017 10:25:39  krbtgt/idm.test@idm.test.net
[root@ipaserver httpd]# kvno -S cifs adserver.ad2.test.net
kvno: Server krbtgt/ad2.test@idm.test.net not found in Kerberos database 
while getting credentials for cifs/adserver.ad2.test@ad2.test.net
[root@ipaserver httpd]# kinit adminu...@ad2.test.net
Password for adminu...@ad2.test.net:
Warning: Your password will expire in 5 days on Wed 06 Dec 2017 03:20:14 PM CET
[root@ipaserver httpd]# kvno -S cifs adserver.ad2.test.net
cifs/adserver.ad2.test@ad2.test.net: kvno = 13


> On 27 Nov 2017, at 14:06, Jakub Hrozek via FreeIPA-users 
>  wrote:
> 
> On Tue, Nov 21, 2017 at 01:55:31PM +0100, Henrik Stigendal via FreeIPA-users 
> wrote:
>> Hello everyone,
>> 
>> I’m new to this and am trying to set up a working trust against an AD 
>> forest, I seem to have a working trust but when I try to reference external 
>> groups (or users) I get:
>> 
>> # ipa group-add-member ad_users_external --external "AD2\Domain Users"
>> [member user]:
>> [member group]:
>>  Group name: ad_users_external
>>  Description: AD users external map
>>  Failed members:
>>    member user:
>>    member group: AD2\Domain Users: trusted domain object not found
>> -
>> Number of members added 0
>> -
> 
> I think the lookup goes eventually from the ipa command line framework
> to SSSD, does lookup through the usual SSSD channels (getent passwd
> username@domain) work?

No, that does not work at all.

> 
>> 
>> I enabled some logging and last in the mail is the output there from the 
>> command above, any suggestions what could cause this? Current version of IPA 
>> is 4.5.
>> 
>> Regards
>> Henrik
>> 
>> Tue Nov 21 13:10:42.675713 2017] [:warn] [pid 38221] [client 
>> 192.168.6.82:34714] failed to set perms (3140) on file 
>> (/var/run/ipa/ccaches/ad...@idm.test.net)!, referer: 
>> https://ipaserver.idm.test.net/ipa/xml
>> 
>> string_to_sid: SID AD2\Domain Users is not in a valid format
> 
> btw did you try also a lookup of a name qualified with the full AD domain
> name (i.e. username@ad.domain instead of ad\\username)? I wonder if just
> the flatname is acting up..


I’ve tested both without luck.
