On Mon, Aug 29, 2016 at 07:20:33AM +0000, Joakim Tjernlund wrote:
> On Mon, 2016-08-29 at 06:55 +0000, Ondrej Valousek wrote:
> > Looks like adcli was unable to detect your site - you found a bug in adcli.
> > O.
> 
> # > adcli info infinera.com
> [domain]
> domain-name = infinera.com
> domain-short = INFINERA
> domain-forest = infinera.com
> domain-controller = se-dc01.infinera.com
> domain-controller-site = Sweden
> domain-controller-flags = gc ldap ds kdc timeserv writable full-secret ads-web
> domain-controller-usable = maybe
> domain-controllers = se-dc01.infinera.com SV-DC01.infinera.com pa-dc02.infinera.com md-dc02.infinera.com in-dc01.infinera.com in-dc02.infinera.com se-dc02.infinera.com ch-dc02.infinera.com sv-dc04.infinera.com pa-dc01.infinera.com md-dc01.infinera.com sv-dc02.infinera.com sv-dc03.infinera.com uk-dc01.infinera.com
> [computer]
> computer-site = 
> 
> So it seems computer-site above is empty and domain-controller-usable = maybe
> looks odd too.
> I think it could be caused by our DNS server but I don't know what to look for.

The site discovery is not related to DNS. adcli (and btw SSSD as well)
run an LDAP search like:

    ldapsearch -H cldap://se-dc01.infinera.com -b '' -s base "(&(DnsDomain=infinera.com)(NtVer=\06\00\00\00))" NetLogon

The result is a base64 encoded blob which contains various data about
the domain. This data might include the site of the client but it might
be empty if the AD server cannot determine to which site the client
belongs. Please note that the only information the AD server gets from
the client is the IP address.

But I agree with Ondrej that this should be fixed in adcli. If the
client site is not available or empty, a site-aware DNS lookup should not
be tried.

Nevertheless I would like to ask you to send me the base64 output of the
ldapsearch command from above so that I can check if e.g. the blob is in
a format adcli currently does not expect.

bye,
Sumit

> 
>  Jocke
> 
> > 
> > -----Original Message-----
> > From: Joakim Tjernlund [mailto:[email protected]
> > Sent: Monday, August 29, 2016 8:44 AM
> > To: [email protected]
> > Subject: [SSSD-users] Joining AD with adcli, strange error
> > 
> > The other day I tried to join a machine using adcli and during the join I 
> > got some strange error msg about
> > not finding:
> >   _ldap._tcp.._sites.dc._msdcs.infinera.com
> > Notice the .. between _tcp and _sites, this is not a valid DNS domain, how 
> > did this happen?
> > 
> >  Jocke
> > _______________________________________________
> > sssd-users mailing list
> > [email protected]
> > https://lists.fedorahosted.org/admin/lists/[email protected]
_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/admin/lists/[email protected]
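
The check discussed in this thread, as an added example that is not part of the original messages and is not adcli's or SSSD's code: it decodes the base64 NetLogon value, reads the client site, and builds the site-specific SRV name only when that site is non-empty. The field order is an assumption taken from the extended NetLogon response layout in MS-ADTS (NETLOGON_SAM_LOGON_RESPONSE_EX); the function names are hypothetical and the sample blob is constructed, not captured from a real DC.

```python
import base64
import struct

def read_name(buf, pos):
    """Decode one RFC 1035 name (with compression); return (name, next offset)."""
    labels, resume, hops = [], None, 0
    while True:
        n = buf[pos]
        if n == 0:                          # zero-length label ends the name
            pos += 1
            break
        if n & 0xC0 == 0xC0:                # 2-byte compression pointer
            resume = pos + 2 if resume is None else resume
            pos = ((n & 0x3F) << 8) | buf[pos + 1]
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        if pos + 1 + n > len(buf):
            raise ValueError("label runs past end of blob")
        labels.append(buf[pos + 1:pos + 1 + n].decode("utf-8"))
        pos += 1 + n
    return ".".join(labels), (pos if resume is None else resume)

FIELDS = ("forest", "domain", "dc_host", "nb_domain", "nb_host",
          "user", "dc_site", "client_site")

def parse_netlogon(b64_blob):
    """Parse the fixed header and the eight names of an extended NetLogon reply."""
    blob = base64.b64decode(b64_blob)
    opcode, _sbz, flags = struct.unpack_from("<HHI", blob, 0)
    if opcode != 23:                        # 23 = LOGON_SAM_LOGON_RESPONSE_EX
        raise ValueError(f"unexpected opcode {opcode}")
    info, pos = {"flags": flags}, 8 + 16    # skip header and 16-byte domain GUID
    for field in FIELDS:
        info[field], pos = read_name(blob, pos)
    return info

def site_srv_name(info):
    """Site-specific SRV name, or None when the DC reported no client site."""
    if not info["client_site"]:
        return None                         # caller should use the site-less name
    return f"_ldap._tcp.{info['client_site']}._sites.dc._msdcs.{info['domain']}"

def _enc(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".") if l) + b"\0"

def constructed_blob(client_site):
    """Constructed sample reply (not captured from a real DC); trailer fields omitted."""
    body = struct.pack("<HHI", 23, 0, 0) + bytes(16) + _enc("infinera.com")
    body += b"\xc0\x18" + b"\x07se-dc01\xc0\x18"     # pointers to offset 24
    body += _enc("INFINERA") + _enc("SE-DC01") + _enc("")
    body += _enc("Sweden") + _enc(client_site)
    return base64.b64encode(body)
```

With an empty client site `site_srv_name` returns `None`, so the malformed `_ldap._tcp.._sites.dc._msdcs.infinera.com` name is never built.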
